Why Signal is Leaving Australia
Leo Laporte
It's time for Security Now. Steve Gibson, he's mad as heck and he's not going to take it anymore. He's pretty upset about how Microsoft did its patches for the SharePoint server fiasco. You might be upset too when you hear about it. A warning about Signal leaving Australia rather than help the Australian government spy on people. Plus a solution to verify your age that might not be too bad. Or is it? All that and a whole lot more, coming up next on Security Now. Podcasts you love from people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1037, recorded Tuesday, August 5, 2025: Chinese Participation in MAPP. It's time for Security Now, the show where we cover the latest in security, privacy and home computing and like that. I don't know, all sorts of stuff. It's really up to this guy over here. This cat. Steve Gibson is the king of Security Now. Hi, Steve.
Steve Gibson
Yo, Leo. Here we are. We have entered August, which is our birth month.
Leo Laporte
The show's birth month. Yeah. We're approaching our 20th anniversary in just a few days.
Steve Gibson
That's right. Yeah, I got that wrong one year and Elaine corrected me because of course she's been trans, she's transcribing for almost 20 years now.
Leo Laporte
Has she been doing all the shows, really?
Steve Gibson
Yeah, we. We got her like a ways in and then I went back and I said, let's get, let's catch up, let's do them all. So she said, oh, I'd be happy to.
Leo Laporte
If you go to our twit.tv/sn1, you can, you can actually see the very first episode, which was August 9th, 2000. August 18th. I'm sorry, 2005. So that will be our birthday.
Steve Gibson
It will.
Leo Laporte
The 18 minute version of the show.
Steve Gibson
So what happened this week, Steve? Not really anything.
Leo Laporte
There was nothing to talk about back in the day.
Steve Gibson
Ingrown toenail.
Leo Laporte
No, it. It didn't stay 18 minutes very long. We found there was a lot to talk about. You were worried at first there wouldn't be.
Steve Gibson
I thought we're just gonna run out of stuff to say.
Leo Laporte
Yeah, it's like 20 years. There's no way either of us thought we'd be doing this 20 years later though, that's for sure. But here we are.
Steve Gibson
Nope, we're going strong and in fact, we're going to talk this week. We got China on our mind after the SharePoint fiasco. There's two different aspects of the unfortunate tension that our two countries, China and the US, are continuing to manifest and arguably increase. So we're going to look at both of those. Some things that have come to light since last week we'll start with. But we're going to end up talking about Microsoft's deliberate sharing, weeks in advance of their release, to, you know, legitimate, accredited, great Chinese security companies. But China's got the possibility of influencing them. So anyway, we're going to look at that. There were, there were some really, really, I, I think very fair analyses that I want to share about where that is, and we'll see where we come down on that afterwards. But first we're going to, as I said, we're going to follow up on a different aspect of what's come to light about the SharePoint server patch mess. We're going to look at how Russia arranges to spy on other countries' embassies within its borders. It turns out that Dropbox has a password manager, who knew, but not for much longer. I just wanted to give our listeners a heads up in case they might have stumbled into that at some point. Signal is going to leave Australia rather than spy. YouTube deploys viewing history age estimation heuristics, which we're going to touch on. Chrome has added a very clever lightweight extension signing option which will help its developers to prevent the abuse of their own reputations for extensions. And a domain registrar is coming right up to the line of losing its rights to be a registrar. That's something we've never talked about before. We've looked at it on certificate authorities, but not registrars. So there's some fun stuff there. TP-Link's router. There's a particular model that our listeners, if anyone happens to have one... I say, I, I really get inertia, right?
Unless there's a reason to stop doing something, the industry doesn't. We see this at every end of the spectrum, all, all across the spectrum. So here's another instance. Also we're going to look at what is True Age and might it be useful for age verification? We've got, I have my own brief update on Artemis, a few comments, and then, with US-China tensions on the rise, should Chinese security companies, even having signed Microsoft's NDA, their non-disclosure agreement, continue receiving weeks of advance notice for forthcoming Microsoft flaw patches? You know, can, can they really be expected to honor their commitment not to let something that might be really juicy come along when, you know, their own nation seems hell bent on attacking ours? So interesting questions, and of course we've got a great picture of the week that I've already had the email with notes. And the picture of the week went out yesterday, early afternoon. I got a lot of work done on Sunday and Monday and I got a lot of great feedback about this. When Leo, this is. This one will, you know, you want to center yourself over your ball before.
Leo Laporte
I haven't looked at it. I haven't looked at it.
Steve Gibson
And our listeners are. They're all saying, oh, I can't wait to hear what. What happens when Leo sees this.
Leo Laporte
I try to save it for the show. So if not always easy, but that I always go like this when I open your door.
Steve Gibson
My mother would have once said, hold your horses. I'm not sure that. Keep your powder dry. Maybe, you know, it's like, yeah, all of the above. It. Yeah.
Leo Laporte
All right. A great show ahead, as always, with Security Now, and we're thrilled to have Steve here and even more thrilled to have you here. Now, I have to tell you before we go any farther about our sponsor, Bitwarden. They've just done something that I needed badly a couple of weeks ago. Bitwarden is, of course, as you know, the trusted leader in password, passkey and secrets management. It's the password manager I use. Steve uses. Actually, many of you use, for good reason. Bitwarden's consistently ranked number one in user satisfaction by both G2 and SoftwareReviews. More than 10 million users across 180 countries, 50,000 businesses. But they just added something that a lot of coders will be very happy to learn about. I will be very happy to learn about. Bitwarden just launched their own MCP server. It's now available on Bitwarden's GitHub. Now, what this does, it enables secure integration between your AI agent and your credential workflows. How often have you used. In fact. So I was working on vibe coding a client for the TWiT API, and my biggest concern was not putting the API key into the code and then pushing it up to GitHub. Well, now there's a way to do it securely. The documentation is maybe a little scant right now. Don't worry, they're expanding the documentation. They're also going to expand how it's distributed. But right now you can go. I wanted to give you a heads up because you can go get it at GitHub right now. The MCP server is a secure, standardized way for AI agents to communicate with Bitwarden. Okay, so you've got your Claude Code or whatever you're using. You tell it about the Bitwarden MCP agent. It can even fetch it and then say now use that to store those secrets. You'll benefit from, first of all, local-first architecture for security, right? The Bitwarden MCP server runs on your local machine. It keeps all client interactions within the local environment, minimizing exposure to external threats.
You're not sending passwords or API keys or secrets across the Internet. It integrates with the Bitwarden command line interface too. This is another great thing about Bitwarden. They have a CLI. You know, I use the GUI most of the time, but occasionally, especially when I'm on Linux, I like having the command line. Users can also opt for self-hosted deployments for greater control over system configuration and data residency. It's an open protocol for AI assistants. MCP servers enable AI systems, as you probably know, but if you don't, to interact with commonly used applications. That could be content repositories, business platforms, developer environments. It's nice because it's a standardized, consistent, open interface driving secure integration with agentic AI. The Bitwarden MCP server represents a foundational step towards secure agentic AI adoption, ultimately. Right? We're going to have an agent doing all the work, going out, and now you can tell the agent, and by the way, the passwords, the keys, whatever you need, stored securely in my Bitwarden, and you can use their MCP server to get a hold of it. Isn't that awesome? Info-Tech Research Group has a paper, Streamline Security and Protect Your Organization. This report highlights how enterprises in the Forbes Global 2000 are turning to Bitwarden to secure identity and access at scale. The report emphasizes growing security complexity. If you listen to the show, you know all about that. With globally distributed teams, fragmented infrastructure, credentials dispersed across teams. You've got contractors, you've got devices, some of them BYOD. Enterprises are addressing credential management gaps and strengthening their security posture by investing in scalable enterprise-grade solutions like, of course, Bitwarden. We love Bitwarden. The setup is easy, it supports importing from most password management solutions.
And because it's open source, there's always something new happening with Bitwarden, like this MCP server. It's so cool. The Bitwarden open source code, of course, is regularly audited by third-party experts and you don't have to worry about security. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, CCPA compliance and ISO 2700-12002 certification. Another thing I want to let you know about: their sixth Open Source Security Summit is coming up next month, September 25th. It's virtual, so you don't have to travel. Everybody can go and it's free. But you have to register for this virtual free industry event at opensourcesecuritysummit.com to explore advancements in open source security and to see how using open source tools can build trust with customers and consumers. We love Bitwarden. Get started today with Bitwarden's free trial of a Teams or an Enterprise plan. Or get started for free across all devices as an individual user at bitwarden.com/twit. That's bitwarden.com/twit. I just, I love being able to tell you the news. Bitwarden just keeps getting better and better. Bitwarden.com/twit. Thank you, Bitwarden, for supporting the important security work Steve does here and for supporting the security of all of our listeners. Bitwarden.com/twit. Okay, shall I scroll up, Steve?
Steve Gibson
Well, I gave this picture of the week the caption. Not every solution that works should be recommended.
Leo Laporte
Yeah, that could be the caption to a lot of your pictures of the week.
Steve Gibson
This one, this one will hit you. Not every.
Leo Laporte
You want to explain this?
Steve Gibson
Okay, so what we have is a, it's a very simple device.
Leo Laporte
Oh, yes.
Steve Gibson
It's an AC plug.
Leo Laporte
Yes.
Steve Gibson
With wires coming out maybe five inches or so that have been stripped and wrapped together and stuck and a wire nut stuck on the end, shorted out. In other words, it is a, it is the definition of a deliberate short circuit. What makes this funny is, is that it's got a tag on it just in case someone wasn't sure what this was for. It's labeled "breaker finder." Yeah. And of course, the idea here, we fill in the gaps, is that if you're trying to figure out which is the circuit breaker for that plug because you'd like to turn the power off. Actually, this does both features. It does both jobs at once. You really, it's, you know, finding the breaker is then secondary. Normally you want to turn off the breaker because you're going to do some, you know, electrical rewiring and you want the power off on the circuit that you're using. So here you just plug this handy dandy little plug into the plug, which creates a dead short circuit, certainly more than the 15 amps of your typical residential breaker. That'll snap off immediately.
Leo Laporte
Now, one hopes it'll snap off before things start getting exciting.
Steve Gibson
Well, melting your hand or the wires or the interior house.
Leo Laporte
I hope he threw this out after he made this obviously joke tool.
Steve Gibson
Well, one of our listeners wrote and said look at the prongs on that plug. I don't see any black scorch marks.
Leo Laporte
Yeah.
Steve Gibson
So it's questionable whether this was actually ever used.
Leo Laporte
Certainly hope not. Certainly can't recommend it.
Steve Gibson
And just so people know, there are neat little tools that homeowners can use where you plug a little transmitter into an outlet and it sends a signal out the wires and then you're over by the breaker box, you're able to use a probe in order just to get it near the, near the handle of the breaker and you'll hear the sound increase when you're over the breaker that's associated with that particular plug.
Leo Laporte
So perfect.
Steve Gibson
There are, there are actually recommendable solutions.
Leo Laporte
This, this will not, not hurt anybody in a pinch.
Steve Gibson
I mean if you had no choice, but no, don't do that. Probably better to just shut the whole house down if that's, you know, you're, if you're unable to find the specific breaker. But you know, anyone who's been in a house for long has probably encountered this problem and one person had an enterprising, not recommended solution. Okay, so a bit of additional interesting information surfaced about the Microsoft SharePoint zero-day remote code execution vulnerability after our coverage of this last week. I'm glad I was skeptical of the Register's allegation that someone within Microsoft's MAPP program had leaked the information. We're going to be talking about the MAPP program at the end of the show, of course, but we don't have any evidence of that. I believe the Register picked this idea up, however legitimately, from someone at Trend Micro's Zero Day Initiative. And that was unfortunate because speculation really doesn't have a role here. But first, remember that even so, the, that initial pre-release of the SharePoint was, was not the big issue. You know, it's true that somebody was found to be exploiting this vulnerability on July 7, the day before, you know, one day before the official patch was released on July's Patch Tuesday. But the big mess did not occur until after Microsoft's botched patch was made public. At that point everyone was able to compare the modified new code against the original old code to immediately zero in on the location of the problem and design a workaround for it. But it was still troubling that someone did exploit the original completely unpatched vulnerability the day before anyone was supposed to know about it. All supposed to be, you know, non-disclosure agreement secret. Nobody knows until the patches come out. So how did that happen? ProPublica offered an interesting theory that did not require any of Microsoft's MAPP program participants to leak anything.
ProPublica's headline was, Microsoft, get this, "Used China-Based Engineers to Support Product Recently Hacked by China." In other words, whoops. ProPublica's subhead noted: Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software, but did not mention that it has long used China-based engineers to maintain the product. Okay, that's news. They wrote: Last month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company's widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security. The company did not include in its announcement, however, that support for SharePoint, meaning patches, is handled by a China-based engineering team that has been responsible for maintaining the software for years. ProPublica, they wrote, viewed screenshots of Microsoft's internal work tracking system that showed China-based employees recently fixing bugs for SharePoint On-Prem, the version of the software involved in last month's attacks. Microsoft said the China-based team, quote, is supervised by a US-based engineer and subject to all security requirements and manager code review. Then they also said, well, work is already underway to shift this work to another location. Unquote. Yeah. It's unclear, they wrote, if Microsoft's China-based staff had any role in the SharePoint hack, but experts have said allowing China-based personnel to perform technical support and maintenance on US government systems can pose major security risks. Laws in China grant the country's officials broad authority to collect data, and experts say it's difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.
The Office of the Director of National Intelligence has deemed China the most active and persistent cyber threat to US government, private sector and critical infrastructure networks. ProPublica revealed, they wrote, in a story published last month, that Microsoft has for a decade relied on foreign workers, including those based in China, to maintain the Defense Department's cloud systems, with oversight coming from US-based personnel known as digital escorts. But those escorts often don't have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed. Okay, now I'll just note also that, you know, this escort service Microsoft runs would not prevent foreign coders from learning about vulnerabilities. They must know about vulnerabilities in order to fix them. So this entire digital escort concept seems like a crock, at least as regards controlling leakage of information. ProPublica continued writing: ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company's foreign employees and to meet the department's requirements that people handling sensitive data be US citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives, quote, substantial revenue from government contracts, unquote. ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce. So this of course is where we march out our favorite byline or slogan: What could possibly go wrong? In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems and that it was considering the same change for other government cloud customers.
Additionally, Defense Secretary Pete Hegseth launched a review of tech companies' reliance on foreign-based engineers to support the department. Senators Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth citing ProPublica's investigation to demand more information about Microsoft's China-based support. And they ended their coverage of this by writing: Microsoft has said that beginning next July it will no longer support on-premises versions of SharePoint. It has a year. Yeah. It has urged customers to switch to, and this is the problem, is nobody wants to switch, and I actually, I've got some great feedback from one of our listeners that I'll share next week, who explains in some detail what, what enterprises really do face. I mean, and it is such a mess, Leo. I mean. Oh, you know, it's, it.
Leo Laporte
You know you'd rather solution fix your software. Microsoft.
Steve Gibson
Yes, exactly. That's, that ultimately, that's the problem. Exactly right. They wrote, it is, or, Microsoft has urged customers to switch to the online version of the product, which generates more revenue. This is ProPublica. This. I know it sounds like me, but no, generates more revenue because it involves an ongoing software subscription as well as usage of Microsoft's Azure cloud computing platform. The strength of the Azure cloud computing business has propelled Microsoft's share price in recent years. On Thursday it became the second company in history to be valued at more than $4 trillion. Wow. And that's because subscriptions, baby. If you can get those. Yeah, yeah, yeah. Okay, so now it might be, Leo, that the call was coming from inside the house. Microsoft's own China-based coders were the maintainers of, of the SharePoint code base.
Leo Laporte
Oh no.
Steve Gibson
This means, oh my God, that they were the ones who directly received the early information about the SharePoint vulnerability from the Pwn2Own competition by way of Trend Micro's Zero Day Initiative. It was Chinese coders who prepared the patch. But knowing this begs another even greater and frankly far more worrisome question. Could the patch, whose initially defective design caused the majority of the damage, have been deliberately botched by these Chinese developers? I'm not saying that that happened, but the circumstances at least present the question, and I think it at least needs to be asked. We would always assume that any botched patch from Microsoft could only be a mistake. What could Microsoft possibly have to gain from fumbling a patch of a critical CVSS 9.8 vulnerability in their own widely deployed enterprise file sharing server? At the very least, it's significant reputational damage. The tech press is now comparing the SharePoint fiasco to the similar 2021 Exchange Server debacle that's widely viewed as having been a catastrophe. But now we learn that the flawed patch didn't really come from Microsoft, at least not directly. The bad patch actually came from China, apparently subject only to some low-level oversight by a Microsoft escort.
Leo Laporte
Well, by the way, did you read who these escorts are? They're not technical, they're military. They're just some guys.
Steve Gibson
That the DoD said okay, we're gonna, you know, give you a chair. Yeah. And, and you, you just sort of, you know, talk.
Leo Laporte
They're not sufficiently technical to, for instance, notice that the patch fixes the symptom, not the cause.
Steve Gibson
Right. And so then we learned that Microsoft has decided to change now, has now decided to change that development process to move it away from China. You know, I hate that China and the US are entering into a cyber cold war. But when Chinese state-sponsored attackers are actively attacking US assets, there's no denying the fact. And we know from backtracking the IP addresses that were found to be attacking Microsoft's on-prem SharePoint servers, it was those same well-known Chinese state-sponsored attackers who jumped on this vulnerability with a vengeance. There's one other aspect that's been missing from all the reporting, and that's to note that the fact that the first attack on SharePoint servers was detected on July 7, the day before July's Patch Tuesday, does not mean that July 7 was the first day of any attack. We've talked about this many times before and we've seen it in practice. The optimal strategy for anyone who's in possession of an unpatched, critical, unknown zero-day remote code execution exploit is to use that unique advantage with extreme care so as to remain off the radar and prevent the raising of any alarm for as long as possible. You want to carefully choose your targets, remain quiet and infiltrate the most valuable networks first, before the rest of the world wakes up to the fact that on-premises SharePoint servers can be remotely compromised. The implementation of this strategy suggests that the widespread exploitation of the flaw, which would have quickly become evident, may have been deliberately held back until just the day before the Patch Tuesday release, at which point it was unleashed with full automation so as to rapidly penetrate as many remaining SharePoint servers as possible just before the patch was made available. What we now know is that Chinese developers working for Microsoft would have been informed of this shortly after May's Pwn2Own competition.
And now even Microsoft appears to be uncertain of where their loyalties lie. And now we also know that the patch did not completely work. Whether or not this occurred deliberately in this instance, it seems the height of recklessness for Microsoft to be outsourcing its software development to China while China is actively and successfully attacking the same software systems it's developing for Microsoft. What's wrong with this picture?
Leo Laporte
It's really suspicious now that you say this.
Steve Gibson
This is.
Leo Laporte
I mean, it was a bad patch. It didn't work.
Steve Gibson
Right. And, and that. And as a consequence, the US suffered tremendous damage.
Leo Laporte
Yeah. All the damage was subsequent to the first patch. Right.
Steve Gibson
And who did that benefit?
Leo Laporte
Yeah.
Steve Gibson
And who did that hurt?
Leo Laporte
Yeah. Microsoft wouldn't have done it on purpose.
Steve Gibson
No, no. It would have been reputational damage for them. But by making it a bad patch use. Okay.
Leo Laporte
Oops.
Steve Gibson
And we've seen it before. It's not like it's the first time this has happened. And so even Microsoft now appears to have reached a similar conclusion and has said they'll be moving this activity elsewhere. Well, not a moment too soon. Microsoft. Ouch.
Leo Laporte
Unbelievable.
Steve Gibson
Yeah. And.
Leo Laporte
And you couldn't make this up. This is like fiction.
Steve Gibson
I know. It's amazing, but nobody would believe it.
Leo Laporte
Nobody said, well, of course they're not going to use China to fix the, the, the bug. Oh boy. Jeez Louise.
Steve Gibson
Yeah. And Leo, they have an escort. What could possibly go wrong?
Leo Laporte
A babysitter who doesn't know anything about coding.
Steve Gibson
Yeah.
Leo Laporte
Well, good. Good reporting from ProPublica. They're really good. I'm very impressed.
Steve Gibson
Yeah. They did a. They did a great job on saying, you know, you might want to think about this.
Leo Laporte
Yeah. Somebody made a point in the Discord that even if you did the patch work in the United States, we're so compromised at this point, you don't even know if that would be good enough. I mean I, they are, they needed clearly, wherever they're doing it, a, a chain of command of competent people reviewing the code. Yeah, multiple people. Why wouldn't they have that? Reviewing the patch? Why wouldn't they have that?
Steve Gibson
Well, and, and you know, we've talked about this too. It, it, it's been, remember those printer flaws where it took, it was month after month after. I mean, they kept trying to fix it and they just seemed unable to get it right.
Leo Laporte
You said they probably have an intern working, a summer intern working on it.
Steve Gibson
Yeah, I mean, so it's not only can they not get it right initially, but when, when someone says look over, I mean the, the, the people finding the flaws were pointing at it and said, here's the problem, here's what you need to fix. And they didn't, they, they, they said, oh, I mean it's like, it's like the guy that it was assigned to, to, to, to fix it said, oh look, here's the symptom. We, I've got to keep this from happening.
Leo Laporte
Right?
Steve Gibson
No, fix the underlying flaw.
Leo Laporte
Isn't that what the AI did? We were talking about that vibe coding.
Steve Gibson
Yes.
Leo Laporte
And that was Microsoft too, by the way.
Steve Gibson
Yes, it was, it was over on, on, on, on GitHub. There was a, a flaw and the guy who was doing the oversight pointed to the AI and said, aren't you just. It was like, it was a regular expression that had a bad. When it was backtracking, it underflowed the stack. And so the question was, why is the algorithm causing the stack to underflow? Instead, it put a test on it to prevent the underflow, so we didn't find it, without fixing the problem.
Leo Laporte
So yeah, by the way, I was talking to Paul Thurrott. That guy is a very senior guy at Microsoft and he caught it. But this is the problem. You have non-senior people looking at these patches who don't have the skills to say, hey, at least fix the symptom.
Steve Gibson
And when you think about it, having a highly skilled person overseeing AI doesn't help. What's going to happen is that AI is going to end up getting one of these DoD, you know, escorts. Let's give the AI an escort.
Leo Laporte
Well, but in this first, in that case though, you had this senior guy caught it and blocked it. It's pretty clear that you didn't have anybody senior looking at this patch.
Steve Gibson
Right. You know, you know, does it fix the problem? Yep. Doesn't happen anymore. Okay, good.
Leo Laporte
They got to start taking this stuff more seriously. That's terrible. Yeah.
Steve Gibson
Again, you know, China is the one attacking us and they're, they're create, they're writing the software which they're attacking.
Leo Laporte
I'm sure they're very adept coders.
Steve Gibson
Oh yeah, they're as good as we are, of course.
Leo Laporte
Yeah. Better in many cases.
Steve Gibson
Everybody's, everybody's got great coders. That's, you know. Yeah, that, that's a thing. Now let's take a break and we're going to talk about Russia attacking their own embassies within their borders and how that happens.
Leo Laporte
What a day, what a life, what a world. What, I don't know how we got in this timeline.
Steve Gibson
It's just not running out of things to talk about.
Leo Laporte
We're not so not running out of stuff. Well, I tell you one thing, we have the sponsors to help your business if you are facing these kinds of issues. This episode of security now brought to you by Big ID, the next generation AI powered data security and compliance solution. BigID is the first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate just the way you want it to remediate, that can map and monitor access controls, that can scale your data security strategy. This is such a great tool. Along with unmatched coverage for cloud and on prem data sources, BigID also seamlessly integrates with your existing tech stack. So yeah, you already have great stuff, we're not going to make you throw it out. But now you can coordinate security and remediation workflows from all your tools. BigID lets you take action on data risks to protect against breaches, to annotate, delete, quarantine and more based on the data. All while maintaining an audit trail. So important for compliance. Right? And it works with everything. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS and on and on and on. All the tools. With Big ID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. Intuit named it the number one platform for data classification and accuracy, speed and scalability. But you know, maybe the best way to tell you how great this is is by a testimonial. If you think about it, from some, from a group that has more data in more different places than anybody, the United States Army. Big ID equipped the US army to illuminate dark data to accelerate their cloud migration has been a Big priority for the service, right, to minimize redundancy and to automate data retention. And they got this great testimonial from U.S. army Training and Doctrine Command. 
They said, quote, the first wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails and zip files, SharePoint databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings us together like BigID does. That is U.S. Army Training and Doctrine Command talking. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and the Deloitte 500 not once but four years in a row. The publisher of Cyber Defense Magazine says BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can both mitigate cyber risk and get one step ahead of the next breach. Start protecting your sensitive data wherever your data lives. Go to bigid.com/securitynow now and get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's B-I-G-I-D dot com slash securitynow. Oh, when you get there, by the way, there's a free white paper that provides valuable insights for a new framework. You might have heard about this: AI TRiSM, T-R-I-S-M, that's AI Trust, Risk and Security Management. This will help you harness the full potential of AI responsibly. bigid.com/securitynow. We thank them so much for supporting the so important work that Steve does here, helping you understand what's going on out there. So can BigID. Steve.
Steve Gibson
So Microsoft's Threat Intelligence group posted a report detailing one way Russia has arranged to intercept and monitor the Internet traffic of the foreign embassies operating within its borders. It was so diabolical that I wanted to share it with our listeners. Russian ISPs all have something called SORM, S-O-R-M, which is the System for Operative Investigative Activities. That's equipment installed on their premises that gives the Russian government the ability to tap and intercept access to any of the ISP's customers. But of course all communications are encrypted and authenticated, right? Well, that's what Russia somehow needed to get around. What Microsoft discovered has been going on for at least a year. The company attributed the attacks to a group it tracks as Secret Blizzard, and it's a group we've talked about before. They're also known as Turla. Previous reporting has linked the group to something known as Center 16 of the Russian FSB intelligence agency, which manages most of the FSB's signals intelligence units. So all that tracks and makes sense. The group first selects specific targets and redirects them to an ISP captive portal, which, you know, happens when you're sometimes connecting through ISPs. That portal explains to the person wanting to connect to the Internet that they need to update their Kaspersky antivirus. Of course, Kaspersky is a Russian brand, so it's trusted within Russia. The alleged AV update package actually installs a new root certificate into the victim's computer, along with a malware strain known as ApolloShadow. The malware relaxes the victim's firewall rules, while the new root certificate, as we know, serves to legitimize malicious traffic, or at least to accept malicious certificate signatures. So from that point on, Russia is able to freely impersonate any remote site the compromised target may visit.
They perform an adversary-in-the-middle attack, synthesizing a certificate for a remote website on the fly for the target, to obtain fully unencrypted and visible plaintext traffic. So they get to see everything that's going on. Anyone using SSL/TLS, even, you know, an SSL/TLS-style VPN whose server certificates chain down to standard local root certs, will have all of their VPN network traffic decrypted and inspected. So I hope that internal embassy IT staff are routinely checking for the appearance of any extra certs or any change to the root stores of the machines that they're responsible for, since otherwise this would be a tricky attack to catch. Because we know, as routine users of remote HTTPS sites, there's no visibility unless we go deliberately looking into which certificate we've received and who has signed that certificate. You've got to, you know, bring up the certificate, view the certificate, look at the certificate's chain of trust and see who the signer is. And that can be spoofed as well. So it's a mess. Microsoft didn't say which embassies Turla had attacked. But taking into account that Turla uses a fake Kaspersky update, their assumption is that it may be Russian-friendly countries from Africa, the Middle East and Latin America that still use software that's been largely banned from official government use across most Western democracies. One would hope that no one in a US embassy in Russia, if we even still have one that's open, I think I remember that we pulled everybody out of there a long time ago, but you know, any Western democracy's embassy hopefully is saying, I don't think we want to update our Kaspersky AV, because after all, we're not using Kaspersky AV, so why would we be updating what we're not using? So hopefully, you know, a little bit of caution would go a long way, but for Russian-friendly countries, maybe not so much.
And this gives Russia complete access to all of their embassy traffic. I was unaware that Dropbox offered their own password manager. You know, and obviously, Leo, you and I are not using it, and I probably never have. But if any of our listeners might have ever used it, inertia being what it is, who knows, some may still be. So I just wanted to mention that Dropbox Passwords, which is the name of this password manager, is being discontinued this coming October 28th. So get ready to switch. I would make the switch now. And of course we recommend one of our sponsors, Bitwarden, as a terrific alternative, getting better all the time. Good old Meredith Whittaker is once again threatening to leave another country. Signal Foundation's president has been pushed to once again threaten to withdraw all availability of their Signal messenger app, this time from Australia. She recently proclaimed that Signal would leave Australia if the government attempted to force it to backdoor its encryption or demand unencrypted user data through any means. As we know, she's voiced similar threats to pull Signal from other countries that explored encryption backdoors in the past. We've seen that happen in France, Sweden and the UK, and as we noted last week, the European Union's newest head plans to once again push forward on legislation this coming October. October is going to be a busy month for the security world, Leo. We've got all of, you know, the Microsoft stuff that is ending, and the EU is going to begin, you know, moving forward, and lots of things happening that month. Anyway, as was noted by last week's coverage here on the podcast, the EU is now planning to leave the encryption itself alone and to instead attempt to perform surveillance outside of the encrypted channel, so both before data enters and after it exits from the encrypted channel.
Since this might not involve Signal, which accepts incoming data from the underlying OS and asks for its display by the OS, you know, I wonder what Signal's position would be in that case. Because it's not Signal that is being in any way changed or compromised. And of course, that begs the equally interesting question, which is, what would Apple's position be? Since this would make the design of iOS complicit in turning everyone's iPhone into known surveillance devices. Everything we know about Apple suggests that they would never be willing to turn their iDevices into state surveillance tools. Some sort of reckoning appears to be on the horizon. In the present case, the Signal uproar, the publication Information Age added a little bit of background. They said laws enabling government access to encrypted private messaging platforms would make Signal's Australian operations a "gangrenous foot" that would have to be cut off by shutting down all local operations. And this "gangrenous foot," that's what Meredith called it. That was her term.
Leo Laporte
Sounds like another Chinese ransomware gang, but okay, that's right.
Steve Gibson
Ongoing demands from the likes of ASIO, whose director Mike Burgess has been trying for more than five years to get more power to monitor encrypted messages, have maintained friction between the two communities that has yet to be resolved. Citing the importance of human rights and secure communications as key privacy rights, Signal's president Meredith Whittaker told The Australian that, quote, for many people, private communication is the difference between life and death. Even if it were technically possible to snoop on Signal messages, which it is not, due to the platform's zero-knowledge encryption design, she warned that Australian laws mandating access via engineered backdoors would risk user security worldwide. With millions of Australians using Signal, Whittaker said withdrawing from the country would "hurt the people who rely on us," those are in quotes, but added that she would not hesitate because, quote, if you let the gangrene spread, you poison the body, unquote. Among the users affected by such a move, they wrote, would be the government itself, which, despite police bans on the use of the apps, has allowed Signal and its disappearing messages to be used by Home Affairs, which is an official office, and other agencies since COVID began. A recent review of 22 Australian government agencies by the Office of the Australian Information Commissioner, the OAIC, found widespread use of secure messaging apps, even though many lacked appropriate policies for security and transparency. Individuals grilled over their use of Signal included Foreign Affairs Minister Penny Wong and Burgess himself, even as he continues to agitate for access to apps he says are go-to platforms for extremists and, quote, aggressive and experienced spies targeting Australia.
Whittaker's comments come from reports that the government, whose Encryption Act stops short of requiring backdoors, has been intensifying pressure on Signal amidst an escalating campaign to strengthen investigation, interrogation and other powers. The focus on Signal is notable, they wrote, given that it has only 40 million users worldwide, a fraction of WhatsApp's 2.5 billion, WeChat's 1.37 billion and Messenger's 1.36 billion, and accounts for just 0.85%, so less than 1% of the US messaging app market last year. Yet its user base skews towards government executives, journalists, whistleblowers and other highly security-aware individuals. We know why, right? Because it's the best. Attracted to perceptions that it offers higher security that cannot be compromised by court orders. And of course that's the reputation it's got due to Meredith's continual proclamations. They finish by writing: Concern about laws compromising that security has grown so much that media outlet The Guardian recently tapped the University of Cambridge to develop an open source tool enabling end-to-end secure messaging for whistleblowers inside of its own news app. Inside of The Guardian's own news app. So it's interesting that the Australian government is targeting Signal, and I wonder whether they might be deliberately aiming at a smaller fish first to see whether they can get capitulation from them, then use that to climb the ladder to larger targets, saying, well, Signal did it for us, so why can't you too? Of course, one problem is that it seems very clear that Signal is never going to do anything for them. You know, the other is that politicians who have no understanding of the technology are making these requests. The entire industry keeps telling all the politicians no, and they keep insisting that the industry is just being stubborn and just doesn't want to do it for them.
They assume they can ask for any feature they may want and the techies will somehow figure out how to deliver it. In the case of Signal, they may be failing to appreciate that Signal's entire existence surrounds their refusal to capitulate. Meredith's repeated, clear and well-publicized public refusals to compromise on Signal's integrity are of significant marketing value to Signal. As Information Age's article said, that's why the government is using Signal: they're the ones the government trusts to be safe and secure for their own internal messaging. Given the well-publicized moves that the EU may soon be making, that is, that stuff coming in October, I would be surprised if Australia increases its pressure further. I expect that the world will now be waiting and watching the EU. I know that everybody on this podcast will be. And of course we'll be covering that as it happens. I gave this next piece the title "YouTube Deploys Age Estimation Heuristics." We've spoken about heuristic solutions broadly in the past. I generally dislike them because they're inherently fuzzy, touchy-feely rules. You know, they're rules of thumb that don't always do what we intend, but there are times when they're all that's available. Last week the official YouTube blog posted under the headline "Extending our built-in protections to more teens on YouTube," with the subhead "We're extending our existing built-in protections to more teens on YouTube using machine learning age estimation." So here's what they wanted the world to know. They wrote: People come to YouTube to learn and be entertained. This is true even for the youngest audiences, and it's why we remain laser-focused. And Leo, every time I see that phrase I think, well, you don't have to focus a laser. So I'm not really sure.
Leo Laporte
But okay, focus like a laser.
Steve Gibson
Maybe focus like a laser. That's good. ...on making sure they have a safe and age-appropriate experience. Over 10 years ago we launched YouTube Kids, and four years ago implemented supervised accounts for preteens and teens. Back in February, we shared that we would soon introduce technology that would distinguish between younger viewers and adults to help provide the best and most age-appropriate experiences and protections. Over the next few weeks, and this was in their blog last week, so they said, over the next few weeks we'll begin to roll out machine learning to a small set of users in the US to estimate their age so that teens are treated as teens and adults as adults. We'll closely monitor this before we roll it out more widely. This technology will allow us to infer a user's age and then use that signal, regardless of the birthday in the account, to deliver our age-appropriate product experiences and protections. We've used this approach in other markets for some time, meaning non-US markets, where it is working well. We're now bringing it to the US, and as we make progress, we'll roll it out to other markets. We will closely monitor the user experience and partner with creators to ensure that the entire ecosystem benefits from this update. Here's how it works. We will use AI to interpret a variety of signals that help us to determine whether a user is over or under 18. The signals include the types of videos a user is searching for, the categories of videos they have watched in the past, or the longevity of the account. When the system identifies a teen user, we will automatically apply our age-appropriate experiences and protections, including disabling personalized advertising, turning on digital wellbeing tools and adding safeguards to recommendations, including limiting repetitive views of some kinds of content.
If the system incorrectly estimates a user to be under 18, they will have the option to verify that they are 18 or over, such as using a credit card or a government ID. We will only allow users who have either been inferred or verified as over 18 to view age-restricted content that may be inappropriate for younger users. So I presume that the experience of a YouTube viewer who is deemed to be under 18 is that, as this rolls out, they will lose access to content that they may have had access to before, because YouTube will decide, okay, based on the history of your viewing experience, we think you're under 18. So now the over-18 content is no longer, you know, showing up in your search results, you don't have access to it, it's not being selected for you, and the behavior of the platform changes in age-appropriate ways. So I think until we obtain, you know, proper online age verification solutions, heuristics are probably the best we can do at this point. And it's more responsible than doing nothing. And I think it's reasonable for YouTube to examine a user's viewing history and, if they clearly appear to be a younger viewer, modify the platform's behavior to better suit that viewer. And you know, they do offer a path for optionally allowing people to assert that you've made a, you know, a mistake. In my case, I'm not under 18, and you know, I'm willing to prove it to you. And Leo, when they talk about the longevity of the account, I assume they mean that if an account is newly created, they'll be much more skeptical. Right? Because they don't have a history yet.
Leo Laporte
Or if it's 18 years old, then they know you're at least 18.
Steve Gibson
That's a very good point, isn't it?
Leo Laporte
Yeah, I mean, YouTube hasn't been around that long, but it's getting there. You know, if you've had it for 10 years, you're probably not a 12 year old.
Steve Gibson
Right? That's a very good point.
Leo Laporte
Yeah. Yeah.
Steve Gibson
Google has just rolled out an optional feature they're calling Verified CRX Upload. Now, we've talked about the danger presented by the compromise of high-profile extension developer accounts, and it's happened, right? If bad guys are able to somehow get into a developer's account, until now nothing would prevent them from maliciously modifying the extension, uploading it to the Chrome Store, and causing all instances of Chrome to update and begin using the malicious code. Now, Google allows developers to create a 2048-bit RSA public/private key pair and to provide the public key to Google for use in verifying the signature of any Chrome extension that's subsequently offered by the developer. Google's instructions to developers make very clear that they must not in any way store their private key in any of their Google assets. Right? Because you don't want to put the key where it could be compromised. It should never be uploaded. And in fact, they provide the OpenSSL command one-liner to generate the key pair in a console session outside of any browser: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private_key.pem. And so once the public key has been provided to Google, no Chrome extension that is not properly signed by its matching private key, which no aspect of Google will ever touch, will be accepted for publication. So I love this. It's very clear, it's very clean and as lightweight as could be. They're adding another completely independent layer of authentication to the process.
The onus is on the developer to not misplace their private key, as well as to keep it out of the hands of any attackers. But the flip side is the developer gets absolute protection if anything should ever compromise their account. The fact that they have an offline private key, and know that Google will be checking it against the public key they gave them previously, protects the developer. So, yeah, the developer's got some responsibility, but they're getting a tremendous benefit in return. Google's instructions say: Don't upload the private key to any public repository or other place. Don't store your private key in your Google account. This means someone with access to the Developer Dashboard through your Google account could publish on your behalf. Consider storing your private key securely using a key store like PKCS #12 or Java KeyStore. And then, warning: Don't lose your private key. Otherwise you must reach out to CWS support, and a replacement can take up to one week, because of course they're going to want to make sure that you're you and not a bad guy trying to, you know, compromise this protection. So anyway, this is terrific. Minimal, sufficient and bulletproof. No need for any certificate rigmarole, since the authenticated developer is creating the key pair and uploading only the public key to Google, where it cannot be changed once it's been set. So it is a perfect, free and lightweight solution. And, you know, this is the kind of thing where it's like, why did it take them so long? But I'm glad it's there now. It's just a perfect way to solve this problem. Okay, Leo, we're going to take a break. Then we're going to look at the interesting case of a domain registrar that's on the ropes right now. We've not talked about this before, but wait till you hear what these clowns have not been doing, and what the consequences are. Wow.
Leo Laporte
Yeah.
Steve Gibson
Good.
Leo Laporte
Coming up. But first, a word from DeleteMe, our sponsor for this segment of Security Now. If you've ever wondered how much of your personal data is on the Internet for anyone to see, how would you find that out? How would you figure that out? Oh, how about Googling your name? Oh, I don't recommend this. There's a lot more than you think. Not just your name, contact info, your Social Security number. Steve and I found ours on the darknet from a breach. What did they breach, by the way? A data broker. Home addresses, even information about your family members. All of this data is being compiled, and by the way, completely legally, by data brokers who then sell it online to anyone who wants it, including foreign governments, our government, law enforcement, hackers. Anyone on the web can buy your private details. And I mean, the consequences range from identity theft to phishing attempts to doxxing and harassment. We've had all of that happen. In fact, I think every business should be protecting their privacy with DeleteMe, especially for your managers. That's why we started using DeleteMe, because people were impersonating my wife and our CEO and using it to kind of try to hack our employees. Look, I am a public personage. I share my opinions online. I think about safety and security all the time. But for me, because I'm a public person, I don't expect privacy. But if you're a private individual, a manager in a company, if you are somebody whose personal information can be used against you, you should do what we did and hire DeleteMe. It's so easy to find personal information about people online, and until we have a federal privacy law, which I don't think is ever going to happen, I recommend, and by the way, use DeleteMe. DeleteMe is a subscription service. It removes your personal info from hundreds of data brokers.
It starts by signing up for DeleteMe, obviously, and then giving them, like, there's a questionnaire: what information you want deleted, what you don't want on the Internet, what's okay to keep on the Internet, and you get to control that, by the way. Then their experts take over. DeleteMe will send you regular personalized privacy reports. We just got another one for Lisa the other day showing what they found, where they found it, what they removed. The point is, it's not a one-time service. DeleteMe is always out there working for you, constantly monitoring, removing personal information you don't want on the Internet. It's not enough just to take it down once; it repopulates. New data brokers spring up all the time. The worst thing is many data brokers, once they get some scrutiny, change their name, they go out of business and then start the business under a new name with all the data. So you've got to constantly be vigilant. Fortunately, you don't have to do it for yourself. DeleteMe will do it for you. To put it as simply as possible, DeleteMe does all the hard work of erasing you and your family's personal data from those data broker websites, and they keep doing it. Take control of your data. Keep your private life private by signing up for DeleteMe at a special discount just for our listeners. Today, you get 20% off your DeleteMe plan for individuals when you go to joindeleteme.com/twit and you use the promo code TWIT at checkout. Now that's the only way to get 20% off. Go to joindeleteme.com/twit and enter TWIT at the checkout. joindeleteme.com/twit, offer code TWIT, for 20% off. This really works. Well, I know it works because Lisa's stuff is not on the Internet. Mine is, Steve says, but not Lisa's. joindeleteme.com/twit. We thank them so much for their support of Security Now. Back to you, Steve.
Steve Gibson
Okay, so. Through the past 20 years, we've looked at many instances where a certificate authority was repeatedly found, documented and proven to be acting irresponsibly, either by design or through carelessness. In those instances when that behavior did not change, those certificate signers had their signing privileges revoked and their businesses were effectively ended. You know, it's a privilege to be able to charge people for a digital signature, and with that privilege comes the responsibility to do so properly. There's another somewhat related privilege that the Internet offers, which is the privilege to charge people for domain names they wish to use and to have those domain names registered with the Internet's DNS servers so that traffic addressed to those domains will be able to find its way to the registrant's domain-based servers and services. I don't recall that we've ever encountered a story of misconduct on the part of a domain name registrar where their continued right to register domain names and charge a nice fee for the privilege was close to being lost. Today we have such a story. Last Wednesday the publication Domain Name Wire (there actually is such a thing) posted some news under their headline "ICANN Sends Breach Notice to Domain Registrar WebNIC." And Leo, you should bring up webnic.cc. Okay, it looks like a going concern. I mean, it's like, who wouldn't trust these people? Yeah, but just wait till you hear, you know, wow. The subhead of Domain Name Wire's coverage was: Domain industry overseer, which, you know, would be ICANN, says domain registrar is lax, and boy are they, when investigating and responding to DNS abuse complaints. Here's the story as it was told by Domain Name Wire, and we've got it here on the screen, Leo. I mean, it looks like a sure legitimate, like, who would not trust these guys, right? Oh, look at that. DigiCert. Wow, wonderful. And, you know, they're name-dropping and they've got logos for everybody.
Turns out they're doing something wrong with ICANN's logo, which is part of this.
Leo Laporte
Yeah, the ICANN logo is on here.
Steve Gibson
Yeah, yeah. And apparently it's not supposed to be in the way that they did it. Anyway, the guys wrote: ICANN has sent a breach notice to Web Commerce Communications Limited, DBA, you know, doing business as WebNIC.cc, a fairly large domain name registrar in Asia. WebNIC has about 500,000 .com domain names under management in addition to domains in other extensions. ICANN says the registrar is not complying with section 3.18.2 of the Registrar Accreditation Agreement. That's RAA. We'll be hearing that abbreviation a lot. The Registrar Accreditation Agreement, which addresses DNS abuse mitigation. In other words, people who have registered domains there are abusing their domain names egregiously without any consequences. They wrote, the organization said WebNIC failed to follow appropriate steps when receiving DNS abuse complaints, ICANN's notice said. And now they're quoting ICANN: ICANN has observed a concerning pattern regarding DNS abuse mitigation requirements in cases involving WebNIC. In multiple instances reviewed by ICANN Contractual Compliance, that's an official department, ICANN Contractual Compliance, actionable evidence of DNS abuse was provided to the registrar through abuse reports. However, mitigation actions were repeatedly delayed and in some instances only taken after the abuse reporter escalated the matter by submitting a complaint to ICANN. The registrar frequently issued repeated requests for evidence to abuse reporters, even when the abuse reports appeared already to be actionable, and failed to fully consider information or clarifications provided by the abuse reporter, ICANN, or otherwise reasonably accessible to the registrar. In other cases, the registrar requested evidence from the abuse reporters that did not appear to be relevant to the reported activity, causing additional delays.
In other words, this registrar is just not doing their job, not holding up their end of the agreement. Literally, the reporting said: ICANN said the registrar frequently responds to ICANN Contractual Compliance notifications on the last day of the deadline or after it has passed, and those responses are incomplete. Additionally, ICANN says the registrar is not displaying information on its website that is required, including the details of the registrar's deletion and auto-renewal policies, the registrar's renewal and redemption/restore fees, the methods used to deliver pre- and post-expiration notifications, the names and positions of the registrar's officers, and the name of the ultimate parent entity. ICANN Compliance has been contacting the registrar about these issues since at least February of this year. Finally, WebNIC has until August 19th, that's two weeks from today, to cure the violations, or ICANN will begin the termination process. So once again this just makes me shake my head. More than 500,000 .com domains, in addition to many others. You know, that enterprise is probably generating at least 10 to 15, probably many, many more, million dollars per year for basically just setting up an e-commerce website, taking registration information and maintaining accounts. And apparently, just as we've seen several times in the past with the certificate authority business, the owners and managers appear to have lost sight of the fact that this ability to print money is a privilege. It's not a right, and it's a privilege that can be withdrawn and lost. And we have seen that happen over on the CA side. So this made me curious to know what these WebNIC people had and had not done. So I tracked down the notification that ICANN had sent to WebNIC, and once again we see that ICANN is falling all over themselves to give these apparent cretins every benefit of the doubt and every chance and opportunity to save their own skins.
The notice that I found indicated that it had been sent on July 29th. That's exactly a week ago. And it was transmitted, finally, after months of communication failures, via electronic mail, facsimile and courier. Here's what ICANN sent, with the title "Re: Notice of Breach of Registrar Accreditation Agreement." They wrote: Please be advised that as of 29 July 2025, Web Commerce Communications Limited DBA WebNIC.cc, hereinafter referred to as WebNIC or Registrar, is in breach of its 2013 Registrar Accreditation Agreement with the Internet Corporation for Assigned Names and Numbers (ICANN) dated 25 October 2023, the RAA. This breach results from WebNIC's failure to comply with section 3.18.2 of its RAA concerning domain name system abuse mitigation. So under apparent concerns in this notice, it then lists those website documentation issues that were mentioned in the news report that I already shared. The notice also states that, quote, the ICANN logo on WebNIC's website does not appear to conform with the requirements in the Logo License Specification of the RAA. The notice gets into some interesting bits, writing: To cure the breach, WebNIC must take the following actions by 19 August 2025, 21 days from the date of this letter, and since that was one week ago, that's two weeks hence. So here are the steps that ICANN requires of WebNIC by two weeks from today. First, they wrote: Explain all steps the Registrar took to reasonably investigate and reach a determination regarding the use of the domain names us-ledger.com, uni stores info.com, tronlink. Trading, troninc.net, the uni swap.com, the ballen-er.com, radiumx.org, Kodiak finance.org, app uni-infos.com and Kepler apps.net for DNS abuse before and after being contacted by ICANN Contractual Compliance regarding these cases. The explanation must include evidence of each step taken and the date each step was taken.
Now, so there's a list of domains that have been under significant abuse, such that the registrar was contacted, told what was going on, given evidence of what was going on by probably legitimate security firms, you know, CrowdStrike, Palo Alto Networks, you know, we know them all, we report on their actions. They're the guys who see bots and spam and phishing and all this, and say to the registrar, hey, you've got some bad guys who registered domains with you and you need to take them down. Silence, static, nothing. When nothing happens, then these security firms contact ICANN and say, hey, we've reported to this Webnic.cc gang that, you know, bad guys are abusing their domain name privileges, and we've never heard anything from them. They're just ignoring us. So ICANN tries to do it, and they ignore them, too. Second thing on the list: Explain why the evidence that the Registrar possessed regarding the use of the domain names listed in item one, at the time the Registrar investigated the initial abuse reports submitted by the reporters, was deemed insufficient to compel Webnic to reasonably investigate and determine whether the domain names were being used for the specific type of DNS abuse reported, if applicable. In other words, we're going to assume you, like, are honoring your agreement. So we're confused. Why? Explain to us, in each case, why, after investigating these reports, as we assume you did, because after all, you're a domain registrar in good standing, the evidence that you obtained from your investigations failed to motivate you to take action. We need to understand that, and you need to provide evidence that convinces us. Right? Good luck. Three: Explain the process the Registrar has implemented to enable Webnic to fully and promptly assess and act on reports of DNS abuse in the terms prescribed by Section 3.18 of the RAA. 
And this description must include: (a) each step of the process and the date the step was implemented; (b) the target response and mitigation timelines at each stage of the process and how unnecessary delays are prevented and tracked; (c) the criteria that the Registrar will generally use for evaluating the sufficiency and relevance of evidence submitted in DNS abuse reports; and (d) an explanation of how and how often the Registrar will monitor and measure the effectiveness of this process to ensure continued compliance with DNS abuse mitigation requirements. In other words, you guys are so deeply dug into this doghouse that you're gonna have to really shape up here. Number four: Provide a link to the location on the Registrar's website where Webnic displays the following information: its renewal and redemption/restore fees, because, you know, we've not been able to find it so far; a description of the methods used to deliver the Registrar's renewal notifications; the Registrar's deletion and auto-renewal policies; the names and positions of the Registrar's officers; the name of the Registrar's ultimate parent entity; the correct ICANN logo in accordance with the Logo License Specification of the RAA, or remove the ICANN logo from Webnic's website. Five: Provide evidence that the Registrar's registration agreement includes a link to the fees and descriptions referenced in items 4a and 4b above. And six: Provide the remediation measures the Registrar has implemented, including the dates of implementation, to ensure that Webnic provides full and timely responses to ICANN Contractual Compliance matters. If Webnic fails to timely cure the violations explained in this notice of breach and provide the information requested by 19 August 2025, ICANN may commence the RAA termination process. In other words: oh, we have finally run out of patience with you. 
You have exactly three weeks to explain your past flagrant lack of compliance with the agreement under which you are being allowed to print money, to bring yourself into compliance, and to prove it. If you once again fail to heed these warnings, as you repeatedly have all year, you will find that all of the domains you have had the privilege of renting to your customers will cease to function. They will be deregistered from the Internet's DNS and you can deal with the fallout from that. Have a nice day. No, it was all.
Leo Laporte
Did they write have a nice day or did you add.
Steve Gibson
No, no, no, that's it. Okay, that's going to be a very bad day. Yes.
Leo Laporte
What happens to somebody who has a domain registered with them if they get.
Steve Gibson
Ah, we're going to get to that.
Leo Laporte
Okay, good.
Steve Gibson
Second, yes, there was also an attachment to this which was interesting. It was titled "Failure to Comply with DNS Abuse Mitigation Requirements," and it read: Section 3.18.2 of the RAA requires registrars to take prompt mitigation actions when they reasonably determine that a registered... So this was an attachment to this notice, which is also what they received by email, fax and courier a week ago. So, just like, no excuse for not knowing what agreement you signed a few years ago, which you're in blatant, you know, breach of. They said: Section 3.18.2 of the RAA requires registrars to take prompt mitigation actions when they reasonably determine that a registered domain name sponsored by the relevant registrar is being used for DNS abuse, which for the purposes of the RAA is defined as malware, botnets, phishing, pharming and spam (when spam serves as a delivery mechanism for the other four forms of DNS abuse), as those terms are defined in Section 2.1 of SAC115. The Registrar did not demonstrate compliance with these requirements with respect to the reports addressed in the compliance cases in the chronologies below. I'm not going to go into those. We then have the paragraph that was originally cited in that article, you know, and that was about ICANN having observed a continued pattern of neglect and abuse regarding, you know, these issues. And they also said this pattern was observed in multiple cases beyond those referenced in this notice of breach, including compliance cases, and we got four serial numbers. So I mean they've just documented the crap out of, you know, the fact that this registrar is basically completely ignoring the work side of their money-printing business and just taking people's money and getting the domains set up for them. So the attachment said: 
On 25 July 2025, the Registrar informed ICANN Contractual Compliance that Webnic had implemented certain improvements to its DNS abuse mitigation processes as of 11 June 2025. However, a review of case records and communications after 11 June 2025 demonstrates that the Registrar remains out of compliance. In other words, you lied to us and we know you lied to us, so we're just writing it down here so that you don't try to say you didn't. They wrote: The Registrar has also developed a pattern of responding to ICANN Contractual Compliance notifications either on the last day of the specified deadline or after the deadline has passed, often providing incomplete responses and causing further delays and escalations. Moreover, ICANN continues to receive new complaints exhibiting similar allegations and patterns of non-compliance involving a large number of domain names registered with Webnic. This ongoing behavior constitutes repeated violations of Section 3.18.2 of the RAA and facilitates the prolonged exposure of DNS abuse to potential victims. In other words, people are being hurt, actively being hurt by this. So then they have chronologies stating, day by day, week by week, dating back to February, all the back and forth, and basically nothing has happened. They said: In the compliance cases detailed in the chronologies below, ICANN notified the Registrar of the violations, including the relevant ICANN policies, agreements and processes. Each communication requested the evidence, information and actions needed from Webnic to become compliant. Each subsequent communication to the compliance notifications constituted an additional attempt by ICANN to obtain evidence of compliance from the Registrar. The telephone call details below describe further attempts from ICANN to communicate to the Registrar the details of the cases and to make an ICANN Contractual Compliance staff member available to address any questions in order to assist Webnic in becoming compliant. 
All efforts were unsuccessful. Basically ICANN had just been blown off, as they say. So the bottom line is that the bad guys are using this Asian domain name registrar. The bad guys, you know, malware authors, are using this Asian domain name registrar that's probably become known as a safe haven for registering malicious domain names that will never be taken down, because these guys want to take their money, their registration money, and just ignore all the complaints that come in. So they're using this registrar to establish domain names that are being used for various malicious purposes. And when the abuse of these domain names, with ample evidence, is brought to this registrar's attention, they blow it off. Eventually, those reporting the abusive domain names, you know, as I said, probably well-known and respected security organizations, decide they need to escalate this to and involve ICANN. At this point we see the same sort of falling-all-over-themselves attempts from ICANN to not abuse their ultimate power of pulling the plug. And you know, we've seen the same thing repeatedly from the CA/Browser Forum members who really don't want to put a certificate authority out of business. But they're really left with no choice here. ICANN is giving these Webnic.cc guys every possible chance to save themselves and to not be kicked off of the gravy train. I went over to their website, as I said, and Leo, you brought it up: www.webnic.cc, and it looks fantastic. It's got every bell and whistle you could ever want. Stuff is sliding in from off stage, it fades in and out and it spins around as I scroll. There are photos of happy people working and children playing in the sun. Life is grand and everything looks great. But apparently that's all just surface glitz created by some fancy web designer and a bunch of JavaScript. We know that underneath this fancy facade, this registrar is behaving so irresponsibly that they may soon be out of business. 
This of course begs the question, as you said, Leo: what then happens to all of their hundreds of thousands of customers who were seduced by the glitzy website into entrusting their cherished domains to this registrar? ICANN has a procedure for handling that. ICANN asks around among other domain registrars in good standing to determine who would like to take over, in this case, Webnic's domains and their customers. ICANN appoints what's known as a gaining registrar, and you bet they're going to gain, to take over the affected domain names. There's even an acronym for this: BTAT stands for Bulk Transfer After Termination. All of the terminating registrar's domains are assigned to the gaining registrar, with the current domain registrants not needing to take any action. There's no discontinuity of service. They don't even know anything happened. ICANN then notifies the domain holders via email and public announcement. And importantly, the current domain holders' rights are retained. Their domain registrations remain valid, with their expiration dates and other settings preserved, and the new registrar has agreed to honor the remaining registration term. And existing registrants are then given the option to transfer their domain elsewhere if they prefer. So yes, down in the mess, down in the trenches, it's a mess. But it's the best that can be done under the circumstances. It's difficult to imagine that these guys are not going to come up with some, you know, some sort of face-saving attempt to hold on to their registrant status. Maybe this final notification will come to somebody's attention. They've got two weeks to somehow cook up a bunch of cockamamie excuses and stories to explain their previous negligence, or to somehow convince ICANN that they'll deal with all of the past and do right going forward. It's going to be interesting to see what happens in two weeks. But boy, what a sad thing to happen to a registrar. 
I mean, you know, they'll simply be out of...
Leo Laporte
Do you want to take a break here?
Steve Gibson
Let's take a break. Yeah.
Leo Laporte
Okay.
Steve Gibson
Because then we got some feedback, and we're at about an hour and a half, so that's...
Leo Laporte
A big time to do it. All righty. You're watching Security now with the inestimable Steve Gibson. I don't know what that word means, but I think you are inestimable.
Steve Gibson
Sounds good.
Leo Laporte
This episode of Security Now brought to you by the inestimable Melissa, the trusted data quality expert since 1985. Longer than we've been doing this show, practically, actually, literally. Melissa's address validation app is available for merchants in the Shopify app store now, which is awesome. Makes it so easy to use. Enhance your business's fulfillment and keep your customers happy with Melissa enhanced address correction, for instance, certified by leading postal authorities worldwide. It corrects and standardizes addresses in, get this, more than 240 countries and territories. That's pretty much all of them. Smart alerts allow customers to update their information before the order is processed. How many times have you seen that happen? You're probably using Melissa. If you're on a Shop Pay site, you're entering the address, you mistype something, hit return and then it pops up. It says, do you mean this? With a business of any size, you can really benefit from Melissa because their data quality expertise goes far beyond just address validation. It's not just e-commerce. You get data cleansing, data validation. It's vital in so many fields. Think of, well, healthcare. For instance, in healthcare, 2 to 4% of contact data gets out of date every single month. Millions of patient records in motion demand precision, which Melissa delivers. And it's a life-or-death situation in healthcare. By using Melissa's enrichment as part of their data management strategy, healthcare organizations build a more comprehensive view of every patient. This also adds in things like predictive analytics, allowing providers to identify patterns in patients' behavior or medical needs. And that can inform preventative care. eToro's vision was to open up global markets for everyone, to trade and invest simply and transparently. But global means now you've got to handle everybody worldwide. To do this they needed a streamlined system, because they're in finance, right? 
They needed it for identity verification. Know your customer. After partnering with Melissa for electronic identity verification, eToro received the additional benefit of Melissa's auditor report containing details and an explanation of how each user was verified. The eToro business analyst shared this great quote with us. Quote: We find electronic verification is the way to go because it makes a user's life easier. Users register faster and can start using our platform right away. Development of the auditor report was an added benefit of working with Melissa. They knew we needed an audit trail and devised a simple means for us to generate it for whomever needs it, whenever they need it. If you're global, you've got KYC regulations of all kinds, right? Melissa can handle it. Data is safe, compliant and secure with Melissa. Melissa's solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and HIPAA/HITRUST standards for information security management. So get started today with 1000 records cleaned for free at melissa.com/twit. That's melissa.com/twit. We thank them so much for being supporters of this show and all our shows for many years now. Not since 1985, but for quite a while. Thank you, Melissa.
Steve Gibson
Melissa.com/twit. Steve? Okay, so if any of our listeners might still have an old TP-Link Archer C50, I think...
Leo Laporte
A lot do. That was recommended by Wirecutter for years as the best router.
Steve Gibson
Unfortunately, it turns out it's got a problem. It's got a CVE, CVE-2025-6982. TP-Link made the mistake of encrypting its settings using DES. Not triple DES, just single DES, in the least secure of all cipher modes, which is ECB, Electronic Code Book, where there's no chaining among successive blocks. You just independently encrypt each block. What this means is that it's possible for attackers to obtain all of the settings in the router, including the admin credentials, the Wi-Fi passwords and everything else that the router knows. So the routers are end-of-life and TP-Link is strongly advising that people, you know, just say goodbye, router, it's time for a new one. It's not an emergency, it's not a remote code execution vulnerability, but, you know, this is a serious concern for these routers, and newer routers offer much better security. A router is the kind of thing that I, you know, I would give it a five-year life, and then it's probably time just to rotate the router out of service and put in a new one.
Leo Laporte
New ones are better, faster, et cetera, et cetera.
Steve Gibson
Right, yeah. And they'll, you know, support the latest Wi-Fi standards and so forth. So anyway, I just wanted to give everybody a heads up. If there happens to be an Archer C50 around, you might want to go to TP-Link. You'll probably find some information there saying you want to get rid of it. Yeah, I think even CISA said, you know, stop using these because they're just not secure any longer. Okay. Before we examine specific listener feedback, I got one neat piece of feedback I want to share which launched me on an interesting journey. I wanted to note that many listeners said they're now going to give the Brave browser another try, and many others sort of asked rhetorically, in email that I received, what took you so long, Gibson? You know, some said that they looked at Brave in the past and they were not impressed. But they looked at it again and it seemed like it had gotten better. I've never really looked at it before. I like it from a privacy-enforcing standpoint. So anyway, I got so many pieces of email from our listeners about Brave, I wanted to discuss it all at once from everyone and thank everybody for their feedback, which I appreciated. Aaron Schaefer wrote saying, Steve, you seem to be entirely unaware of Apple's...
Leo Laporte
I never finish emails that begin that way.
Steve Gibson
I know. You seem to be entirely unaware of Apple's State ID program for Apple Wallet. Several states already have it deployed. A digital version of my Ohio driver's license has been in my wallet for the last year. For example, the state of Ohio has a free app that someone else can use for me to tap my phone to their phone to verify age from that digital ID. Correct me if I'm wrong, but it seems that all we need is some kind of API call to do the same validation for websites. Thank you for all your good work. I've been a listener since episode one. Aaron. Okay, so Aaron was completely correct in concluding that I had not been keeping up with the state of smartphone wallets and existing efforts. So I spent some time since seeing this note looking into what's been going on in that space. In California, as in Ohio, we have a digital driver's license program. It goes by the abbreviation mDL, lowercase m, capital DL, for Mobile Driver's License, and it looks like that's going to be a US-wide abbreviation. There's a California DMV wallet app for both Apple and Android phones, and it offers a system known as TrueAge. I installed the apps under both platforms, into my iPhone and into that $39 Samsung A15 smartphone that I had just purchased, that I talked about a couple weeks ago, for Android, and I configured it. The app setup was quick and easy. The apps required me to show them the front and back of my California driver's license and to then pose for facial recognition while it brightly illuminated the screen in various colors which were reflected off my face. Once that was done, the apps were satisfied and I had effectively installed a biometrically locked digital driver's license into my phones. Next up was figuring out what TrueAge was all about. The TrueAge system was developed by NACS, the National Association of Convenience Stores, together with a non-profit entity known as Conexxus. 
Conexxus, C-O-N-E-X-X-U-S, is a retail-focused technology standards developer. Together, NACS and Conexxus developed the TrueAge technology for the retail convenience store industry, you know, to support the purchase of age-restricted consumables such as alcohol and tobacco. In bragging about TrueAge, they explain, they say, quote: TrueAge verifies only age, not identity. It does not store name, address, eye color, etc. Unlike many legacy ID scanners that may capture over 30 personal fields, the encrypted token cannot be linked back to you, and data is not sold or shared. Unfortunately, however, the "cannot be linked back to you" portion is not entirely true. I was immediately suspicious when I saw that the token presented was described as a single-use encrypted composite consisting of the presenter's driver's license number, whoops, the issuing state, the license expiration date and the presenter's date of birth. And sure enough, the ca.gov FAQ page says, in answering the question "What happens to the data you do capture?", they answer: TrueAge encrypts your data points and then protects them even further by creating anonymous tokens. These anonymous tokens cannot be traced back to you without legal authorization. Oh, from a court-ordered subpoena.
Leo Laporte
So they can be traced back to you as a matter of fact.
Steve Gibson
Exactly.
Leo Laporte
Oh, but you have to have a court order.
Steve Gibson
Yeah, they finished saying: Neither retailers nor cashiers retain any of the extracted information. Okay, so it's true that in a retail convenience store setting, TrueAge will be far more privacy-preserving than the traditional requirement of revealing a driver's license, which discloses the individual's entire identity with their name, home address, exact date of birth and, you know, everything else in the clear. But unfortunately, TrueAge also fails the minimal-information-sharing test when the only thing being required is a proof of biological age. However, less than three months ago, this past May 15, the NACS association, that association of convenience stores, proudly published a press release with the headline "TrueAge's Technology Named the De Facto Standard for Digital Age Verification," with the subhead "The World Wide Web Consortium, that's the W3C, has incorporated TrueAge's underlying technology into its new Verifiable Credentials." Okay, now that suggests that at least some aspects of the TrueAge verification system will be coming soon to a web browser near us. So here's what they wrote. They said: TrueAge, you know, and again, I'm going to do a little patting on the back, the innovative, universally accepted age verification system that makes it easier to more accurately verify an adult customer's age when purchasing age-restricted products, and its core technology, have been incorporated into the latest W3C Verifiable Credentials 2.0 that were introduced today. The World Wide Web Consortium is an international council created in 1994 to create and publish web standards to ensure the growth and development of the web. 
The new W3C Verifiable Credentials, which were ratified in late April by its governing body, are a comprehensive update to web standards and affirm that TrueAge technology is the centralized standard for digital personhood, making TrueAge the accepted standard for all applications that involve age verification. Paul Ziv, TrueAge's vice president of technology and operations, said, quote, TrueAge was developed to address strong consumer interest in using a trusted and reliable digital ID that combined consumer privacy and ease of use with the potential for mass retail integration, and it has delivered on that promise. It is very gratifying the W3C agrees with our vision and solution, unquote. Then back to the press release from TrueAge: Verifiable credentials are increasingly important as communications and commerce continue to go digital because they can contain all the same information as physical credentials, similar to driver's licenses and other identification cards. Importantly, by adding technologies such as digital signatures, verifiable credentials can be tamper-proof and seen as more trusted than their physical counterparts. TrueAge scans all U.S. driver's licenses and is also incorporated into the state of California's mobile driver's license and digital wallet. The W3C announcement makes TrueAge the de facto standard for age verification that could be incorporated into all relevant code for pertinent products developed by companies including Microsoft and Apple. While Verifiable Credentials 2.0 was approved to improve the ease of expressing digital credentials, there were also several privacy-preserving goals that were important. Both of these objectives are central to the core of TrueAge. 
Anyway, the article continues to elaborate and congratulate itself at some additional length, and it goes on to assert that it also provides admissible proof of age verification appended to retailers' transaction logs that can be unlocked under subpoena and submitted as evidence. So because TrueAge explicitly and deliberately binds the credentialed user's identity into their age assertion, it does not do what we want for general-purpose online age assertion. So we're left with the question of how much of TrueAge's over-identification actually survived into the W3C's new Verifiable Credentials 2.0 specification, since things like driver's license number and issuing state are explicitly US identifiers, and the W3C's specifications need to be global and country-agnostic. I assume that what the W3C may have inherited from TrueAge is just its broad single-use encrypting token technology, without there being any requirement for what's encrypted within that token. We'll see. You know, Aaron's note started me looking into this with his mention of Ohio. But Ohio and California are not alone. The U.S. states currently offering some form of smartphone-wallet-storable digital driver's licenses include Arizona, California, Colorado, Delaware, Georgia, Hawaii, Iowa, Louisiana, Maryland, Mississippi, Missouri, New York, Ohio, Utah and Puerto Rico. Additionally, Montana, New Jersey, Pennsylvania and Texas have pending mobile driver's license legislation underway. And 10 other states, including OR and Washington, D.C., have announced their intentions to adopt mobile driver's licenses. So at the moment, you know, we're on the way as a country in the U.S. toward creating biometrically locked driver's licenses that are secure enough to be honored and carried around in our phones. I have, in my little Android, you know, there's the California mobile driver's license app.
Leo Laporte
I have yet to have any occasion to use that after several years.
Steve Gibson
Unfortunately, I do regret the goofy picture that I.
Leo Laporte
That's the actual picture though, isn't it?
Steve Gibson
Yeah.
Leo Laporte
That is from your driver's license.
Steve Gibson
Yeah. And that is from, you know, the original digital storage that California made when I last updated my driver's license. But in the show notes, I have a picture of one of the panels that's available where, under age check, you're able to open up a set of brackets where one of them is over 18, over 21, over 25, over 62 and over 65. Unfortunately, I qualify for all of those. Yes, check them all.
Leo Laporte
Okay.
Steve Gibson
And I don't know yet anything more about that. I've not taken the time to dig into the underlying technology, so it's unclear how all of this is going to shake out and fit together. But for what it's worth, my experience with setting things up, at least in California, was surprisingly quick, easy and streamlined. You know, I now have, for what it's worth, I just did it, you know, in the way Jerry Pournelle used to do things, just to see what it looked like so I could talk about it a bit. I've got iOS and Android apps in my phones that are able to scan, you know, to look at my face, decide that's me, scan a website's QR code to in some fashion assert my full identity if I wish, or presumably whether I am only above a given age. And while we know that the TrueAge system itself is asserting more than just our ages, it's still, you know, early days. And my guess is that what the W3C will wind up with will be a minimal-information-disclosure solution, because that is all most people are going to be willing to put up with, none of this. You know, I mean sure, maybe if you're buying tobacco or alcohol at a retail purchase location, this is better than revealing your full driver's license, but it doesn't do what we want for minimal information disclosure. Before we leave the topic, I should also mention that, as I had hoped, and I mentioned this last week, Yubico's Stina Ehrensvärd is all over this. Last Wednesday, after last week's podcast, she sent me a note which read: Hi Steve, hope all is well. Please find our white paper on age verification at Internet scale. She attached a short five-page position paper authored by the Siros, S-I-R-O-S, Foundation. Its title is "Deployability First: Making Age Verification Work at Internet Scale." It has the subhead "A position paper for the 2025 joint W3C/IAB workshop on Age-Based Content Restrictions." 
Now, we couldn't ask for anything more on point than that. And Stina is the founder of the Siros Foundation. She's putting the money she made from first founding Yubico to very good use. And Leo, you and I both know Stina. You know, God help anyone who stands in her way. She has a way of obtaining the results that she's after. So with Stina on the case, the world's needs for online, privacy-respecting, age-based content restrictions are in the best hands possible.
Leo Laporte
Yeah, I'm really glad that she's taking this on. That's great.
Steve Gibson
Yeah, she is, and she will not settle for anything less than what we know is technically possible, which is no assertion other than that a person is above a given stated age that they are wishing to assert. So, you know, and as Yubico's founder, she has earned her sway. I mean, people will listen to her. And I mean she knows everybody in the business. I mean, again, we couldn't ask for this to be in better hands. So I was certainly uninformed when I recently commented that nothing was happening on the age verification front. A great deal is happening and the best possible people are at work on this problem. You know, in the meantime, I looked for any sort of TrueAge demo site but I was unable to find anything. It looks like it's locked up in proprietary technology at this point. They're having to unlock whatever this encrypted token stuff is in order to have it be put into the W3C, because that's going to be all open standards and open source and open implementation. So, you know, and besides, this is not a hard problem to solve. These guys just did it for, you know, a cash register where you sell vape products. So fine. You know, I'm sure that what we end up with will be fully privacy-enforcing. And before we take our last break and talk about China, I wanted to take a moment to say that Andy Weir's second novel, Artemis, is, in a word, wonderful. The synopsis that I saw of it, being about some form of lunar heist, doesn't begin to do it justice. I'm at 60% and the book is just pure pleasure. It occurs to me that Andy is very good at creating anti-heroes. Project Hail Mary's Dr. Grace was certainly no one's hero, and neither is Artemis's Jasmine.
Leo Laporte
But she's great though, isn't she?
Steve Gibson
Yes, she is.
Leo Laporte
She's a real character. Yeah.
Steve Gibson
Yeah. And if you consider the words science and fiction, you would be hard pressed to find any book that better satisfied those terms. You know, there are no neural implants, superhuman augmentation, anti-gravity repeller rays or trans-dimensional space force holding, utilizing energy tapped and funneled down from the 12th dimension. There's none of that. What there is, however, is a very satisfying, entirely plausible story penned by someone who's very comfortable with actual science and who writes very enjoyable prose. You know, at 60% of the way through, I am fully engaged. I'm on pins and needles. I can't wait to get back to it. And I have no idea what's going to happen next.
Leo Laporte
So I think it was good probably that I warned you that it's not the Martian. Right. It's very different.
Steve Gibson
Yeah.
Leo Laporte
I, if you were expecting another Martian or maybe another Hail Mary, you might have been disappointed. I don't know.
Steve Gibson
I don't know. I guess maybe I'm easy. I just think it's a good story. I think it's great. We know that I'm a sucker for good writing, and he's a good writer. Yeah. And there's nothing that's, like, annoying or that bothers me. It's just very pleasant. So.
Leo Laporte
Yeah. Good.
Steve Gibson
You know, I guess the only downside is it's not free, but we're pretty spoiled by, you know, free books on Kindle Unlimited. And the fact is you often get what you pay for.
Leo Laporte
Yeah. And so I don't use... a lot of AI crap now on Kinbo.
Steve Gibson
Yeah. And for nine bucks, this is. I'm having a ball.
Leo Laporte
By the way, I think I have a much better picture on my California ID. There you go. I look happy there.
Steve Gibson
Yeah, you do. Well, I deliberately went like this. No, I did. I was happy. I was just having. No, I was being goofy.
Leo Laporte
You look crazy.
Steve Gibson
The guy who is looking through the camera did like a double take and like, jerked back from it from his viewfinder because he's like, whoa, is that a zombie? Anyway, I, you know, I thought.
Leo Laporte
I'm trying to do the TruAge thing, so that's... I didn't realize that California directly supports TruAge. I mean, they actually mention it in the...
Steve Gibson
Yeah, it's right.
Leo Laporte
Yes.
Steve Gibson
In their app.
Leo Laporte
Yeah. Okay.
Steve Gibson
And I don't quite understand the Apple Wallet integration. I don't think my California driver's license is over in the Apple Wallet. I have, like, credit cards in there, but I don't have my driver's license.
Leo Laporte
Because I do have that, don't I? I thought I did. Let me look. I thought I put it in there.
Steve Gibson
Well, I don't know how to put it in there. I didn't find that.
Leo Laporte
Okay. Anyway.
Steve Gibson
Yeah, but if you click on the... on that button. See a finger.
Leo Laporte
Age verification button.
Steve Gibson
No, the center one, the reader. And there you will see the... the minor check. Oh, mine's changed now. How did it change? Huh?
Leo Laporte
Well, it's minor.
Steve Gibson
Check over 18, over 21, over 25. Oh, Senior Check, over 62 or over 65. I mean, so you get to choose what you want to share. You can share your entire identity: your name, DOB, sex, issues.
Leo Laporte
I think that's good. And you're.
Steve Gibson
You're able to share something that law enforcement wants: identity, address, driving privileges. Or then something called custom, which is coming soon, where you can probably select which items you want to share.
Leo Laporte
Yeah. And you get a QR code that you can give the. The checker at the convenience store.
Steve Gibson
Yeah, I think it's.
Leo Laporte
By the way, I am over 21, so there you go.
Steve Gibson
Oh, and here I'm getting a permission request. "Allow CA DMV Wallet to find, connect to and determine the relative position of nearby devices." Oh, I don't know what that's for. The scan.
Leo Laporte
There's a scanner, right. See?
Steve Gibson
Oh, it's for mapping while using the app. I guess it wants to know where I am.
Leo Laporte
You still, you know, if you get pulled over.
Steve Gibson
Oh, and you still have to give.
Leo Laporte
me a real driver's license. In fact, they say specifically you can't stop carrying your driver's license because of this.
Steve Gibson
Yeah. Oh, and the reason it asked me for that was this: Android will do NFC, but iOS won't let you do NFC. It forces you to do QR code.
Leo Laporte
Ah okay.
Steve Gibson
So I'm able to switch to the QR code scanner.
Leo Laporte
I guess when they say wallet, it's not the Apple Wallet. I remember that in some states you can put it in your Apple Wallet. And I remember California, I think, decided not to make that possible. Not sure why you would need that.
Steve Gibson
Except, yeah, there is an "explore add-ons," but it doesn't... I've got the TruAge add-on, but there's no... like, that's the only...
Leo Laporte
Add on I could see too.
Steve Gibson
Yeah.
Leo Laporte
All right.
Steve Gibson
Anyway we're getting there.
Leo Laporte
I am ready to do the last commercial, and then we're going to talk...
Steve Gibson
Talk about the wisdom of China's participation in Microsoft's MAPP program. What could possibly go wrong?
Leo Laporte
I also will refer you to something our Club Twit members have just put in the Discord about a critical security flaw in the Broadcom chips used in more than 100 models of Dell computers, allowing attackers to take over tens of millions of user devices. Five vulnerabilities, CVE 24311 through 152 2. Quite a few, all in the Broadcom chip. Oh boy. Cisco at it again. Thank you, Paul. Paul Holder put that in our Club Twit Discord. Appreciate that update. Well, I'm sure that next week... posted.
Steve Gibson
Over in the GRC news.
Leo Laporte
Yes, he's a regular on your forums too. That's right.
Steve Gibson
Yeah, yeah, yeah, big help.
Leo Laporte
Yeah, I know. He's a big help in our forums too. We appreciate Paul. This episode of Security Now is brought to you by ThreatLocker. We appreciate them. Zero Trust done right. Ransomware is just killing businesses worldwide. Not just businesses. City government, schools, hospitals, you name it. But ThreatLocker can prevent you from becoming the next victim. ThreatLocker's zero trust platform takes a proactive deny-by-default, that's the key, deny-by-default approach. It blocks every unauthorized action, protecting you from both known and unknown threats. Trusted by global enterprises like JetBlue. You know, they can't afford to be down. You see what happens if an airline's down for a minute. Or infrastructure plays like the Port of Vancouver. They use ThreatLocker. ThreatLocker shields them, and can shield you, from zero-day exploits, something nobody's ever seen before, and supply chain attacks, while providing complete audit trails for compliance. As more cyber criminals turn to malvertising, oh boy, we've talked about this before, you need more than just traditional security tools. Attackers are creating convincing fake websites that impersonate popular brands like AI tools or software applications. Then they distribute those links through social media ads and hijacked accounts. Then they use legitimate ad networks to deliver malware right to your doorstep, affecting anyone who browses on work systems. Oh. Traditional security tools often miss these attacks because they use fileless payloads that run in memory and exploit trusted services that bypass typical filters. ThreatLocker's innovative ring fencing technology strengthens endpoint defense by controlling what applications and scripts can access or execute, containing potential threats even if malicious ads successfully reach the device and deliver the payload. ThreatLocker works across all industries.
It supports Mac environments, provides 24/7 US-based support, and enables comprehensive visibility and control. Just ask Jack Senisap. He's director of IT Infrastructure and Security at Redner's Markets. He says, quote, when it comes to ThreatLocker, the team stands by their product. ThreatLocker's onboarding phase was a very good experience and they were very hands on. ThreatLocker was able to help me and guide me to where I am in our environment today. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com/twit. You can get a free 30-day trial. To learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance: threatlocker.com/twit. We thank them so much for their support of Security Now. Now let's get to this shocking story about...
Steve Gibson
Okay, so I want to share what I feel is a very fair and balanced assessment of the consequences of the unfortunate but nevertheless very real geopolitical tensions that have been growing between the US and China, and the consequences of China's long-standing early access to Microsoft's serious security vulnerabilities. And Leo, you're gonna love the name of these guys. This was posted to the Natto Thoughts Substack last Thursday.
Leo Laporte
I read that one. Yeah.
Steve Gibson
In the wake of the SharePoint... You are amazingly well read.
Leo Laporte
Well, I do. I have feeds galore. I mean, I read as much as I can. Yeah.
Steve Gibson
So they posted this last Thursday in the wake of the SharePoint-driven global network breaches. They described themselves, for our listeners who are not aware, writing: "Natto Thoughts explores the intersection of culture, technology and security with stories, analysis and insights into the humans of the information age. Whether decision makers, criminals or ordinary users, we probe the language, culture, institutions, political systems, and unwritten social rules that constrain and inspire their actions. Natto is a sticky Japanese fermented soybean dish. It's very good, with an acquired taste," they said. "Fermented foods are slow foods. It helps keep your microbiome, that complex ecosystem that helps you digest, healthy. Like Natto, our thoughts have had time to ferment. We're a group of experts with decades of experience in geopolitical analysis and cyber threat intelligence. Between us, we do research in a variety of European and Asian languages." So last Thursday, having fermented on this for some time, they posted under the headline "When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft's MAPP Program," and they added the subhead "Chinese companies face conflicting pressures between MAPP's non-disclosure requirements and domestic policies that incentivize or mandate vulnerability disclosure to the state." Since we've touched on the Chinese government's disclosure requirements for their Chinese enterprises in the past, and since it's so relevant today, having read what these guys have to say, I felt that this audience needed to hear it too. So they wrote: "On July 25, 2025, Bloomberg reported that Microsoft is investigating whether a leak from its Microsoft Active Protections Program," that's MAPP, "allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released."
Now we know from the first topic we covered, which is that Chinese programmers wrote the patch, that maybe there was another way, another exit path, for those details. But that doesn't mean that this is not an issue too. "Microsoft attributed," they wrote, "the campaign, dubbed ToolShell after the custom Remote Access Trojan used, to three China-linked threat actors: Linen Typhoon, Violet Typhoon and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration. Launched in 2008..." Okay, so that's when this program began, 2008, quite a while ago, before tensions with China were as they are today. "MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections such as antivirus signatures and intrusion detection rules in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure handling of pre-release data. Concerns about whether some Chinese companies have violated MAPP requirements are long-standing. In 2012, Microsoft removed Chinese company Hangzhou DPTech Technologies Co., Ltd. from the program for violating its non-disclosure agreement." Now that was in 2012, and "according to Bloomberg, in 2021 Microsoft suspected that at least two other Chinese MAPP partners leaked details of unpatched Exchange Server vulnerabilities, enabling a global cyber espionage campaign linked to the Chinese threat group Hafnium." So this is serious business. "The Microsoft Exchange hack affected tens of thousands of servers, including systems at the European Banking Authority and the Norwegian Parliament, and was met with global condemnation."
"Although Microsoft said it would review MAPP following the incident, it remains unclear whether any reforms were implemented or whether a leak was ever confirmed. In light of the SharePoint case, today's piece examines how MAPP operates, the risks posed by Chinese firms in the program, and which companies are currently involved. The core purpose of MAPP is to minimize the window of risk between patch rollout and deployment. Simply releasing a patch doesn't mean systems are protected. Many organizations delay patching, and attackers often exploit known vulnerabilities during this lag. By giving trusted vendors early access to vulnerability details, Microsoft ensures they can build and distribute detection signatures and other defensive measures in advance," you know, like CrowdStrike, for example, "so these protections are already active when the patch is published. Without MAPP, vendors would only begin creating protections after public disclosure, leaving many systems globally, including in China, exposed for critical hours or days. To participate in MAPP, security vendors must meet criteria that demonstrate their ability to protect a broad customer base." You know, they must demonstrate that they're worth disclosing these details to. "Applicants must be willing to sign a non-disclosure agreement, commit to coordinated vulnerability disclosure practices, share threat information, and actively create in-house security protections such as signatures or indicators of compromise based on Microsoft's data. Microsoft retains discretion over admission and may suspend or expel members who fail to meet participation standards. According to the MAPP website, members are divided into three tiers based on the amount of time they receive vulnerability information before its public release and other criteria: Entry Level, which is 24 hours in advance; ANS, which is up to five days in advance; and Validate, which is invite-only and focused on testing detection guidance."
"However, recently admitted MAPP partners and recognized experts have observed that Microsoft may provide critical vulnerability and threat intelligence as early as two weeks prior to public disclosure. The criteria for determining the criticality which warrants such early releases, and to whom the intelligence flows, are unclear. Chinese companies operating within MAPP present a unique risk due to national regulations mandating the disclosure of vulnerabilities to the state. In September 2021, China implemented the Regulations on the Management of Network Product Security Vulnerabilities, the RMSV, which require any organization doing business in China to report newly discovered zero-day vulnerabilities to the government authorities within 48 hours. This gives Chinese state agencies early access to high-impact vulnerabilities, often before patches are available. Microsoft acknowledged the implications of this policy in its 2022 Digital Defense Report, noting that, quote, this new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them, unquote. While the RMSV serves as the primary legal pathway for the state to acquire zero-days, it is not the only mechanism. In 2023, cybersecurity analyst Dakota Cary," and he's one of the authors of this paper, by the way, "and Kristin Del Rosso uncovered a parallel, more opaque process involving the China National Vulnerability Database of Information Security, CNNVD, which is overseen by the Ministry of State Security, the MSS. Under this framework, Chinese cybersecurity firms voluntarily partner with the CNNVD to report vulnerabilities," get this, "in exchange for financial compensation and prestige. These firms, known as TSUs," sorry, TSUs, technical support units, "are stratified into three tiers based upon the number of vulnerabilities they submit each year."
"Tier 1 TSUs must submit at least 20 common vulnerabilities annually, including a minimum of three classified as critical risk, in order to qualify for their Tier 1 status." So, yikes. I imagine that everyone listening appreciates how traditional Chinese culture could factor into both the financial compensation and the prestige aspects of this, and how these minimal annual submission requirements to achieve and maintain tier status would tend to introduce unhealthy incentives. China's CNNVD handbook provides a requirements chart for the three participation tiers, where you have Level 1, Level 2 and Level 3, requiring, you know, higher and more frequent and more plentiful turnover of vulnerabilities in order to obtain that tier. Who knows where they're getting them? The report continues: "As early as 2017, the U.S. threat intelligence firm Recorded Future," who we've often quoted here, "demonstrated that vulnerabilities reported to CNNVD are assessed by China's Ministry of State Security for their potential use in intelligence operations. As of this writing, 38 companies are classified as Tier 1 contributors to CNNVD, 61 as Tier 2 and 247 as Tier 3. Of these, 10 Tier 1 companies, one Tier 2 and one Tier 3..." Okay. Of these, that is, those that are turning things over to China's Ministry of State Security for their potential use in intelligence operations, here's the number of those that are currently Microsoft MAPP members: 10 in Tier 1, one in Tier 2 and one in Tier 3. So they are receiving the intelligence from Microsoft in advance of its release, and they're being paid and obtain prestige for turning some vulnerabilities over to the Ministry of State Security. What could possibly go wrong?
"In addition to providing new vulnerabilities to the CNNVD, these technical support units are also required to provide vulnerability early warning support to the Ministry of State Security: at least five critical alerts annually for Tiers 1 and 2, and at least three for Tier 3. As cybersecurity and tech companies, many of these TSUs likely provide this early warning support by reporting newly observed attacks on their customers or systems. Nothing other than Microsoft's non-disclosure agreement precludes TSUs from sharing MAPP data with CNNVD, which may view such submissions as fulfilling this vulnerability or early warning support requirement," and not be unhappy about it. They wrote: "Our analysis of the MAPP main page via the Wayback Machine shows that the number of Chinese companies listed in MAPP increased from 13 in December..." So this is the number of companies that Microsoft is disclosing this stuff to: "increased from 13 in December of 2018," which was the earliest available snapshot they could find with the Wayback Machine, "to 19 out of a total of 104 member companies globally as of this writing. China has the largest national representation after the US." So there are 19 Chinese firms currently as MAPP partners. They wrote: "Since 2018, several Chinese companies have appeared and disappeared from the MAPP list. Companies that have since disappeared include Beijing Leadsec, Huawei and Neusoft, which were removed between December 2018 and November 2019; Qihoo 360 between November 2019 and October 2020; Hangzhou H3C Technology between December 2021 and October 2022; and Sangfor between October 2022 and September 2023. The reasons for a company's removal from the MAPP list are not always clear. In the case of Huawei and Qihoo 360, the timing aligns with their addition to the US Entity List in 2019 and 2020, respectively."
"For others," they wrote, "we could not locate any public explanation from Microsoft, unlike the 2012 public notice from the Microsoft Security Response Center regarding DPTech's removal for violating MAPP's NDA requirements. Of the 19 Chinese companies currently participating in MAPP, 12 are classified as CNNVD TSUs. Based on previous research into their vulnerability submissions to Microsoft's bug bounty program, Tier 1 TSUs such as Tencent, Cyber Kunlun, Sangfor, Tianxen and Venustech operate dedicated labs with varying levels of focus on identifying vulnerabilities in Microsoft software products. It's also possible that individuals working at MAPP companies in China individually decide to pass along or sell information to offensive teams. With access to valuable information and a clear market for buyers, insider risk at MAPP partners themselves cannot be ruled out. Regardless of the specific mechanism for information diffusion, it is clear that China's incentives for reporting such vulnerabilities, both economic and reputational, as companies seek to meet CNNVD quotas and maintain TSU status for potential business opportunities, create an environment which incentivizes abuse. Vulnerabilities reported to the Ministry of State Security-run CNNVD may be evaluated for potential operational use before being disclosed to the public. Chinese APT groups are known for their speed and coordination in exploiting such vulnerabilities. According to advisories from multiple national cybersecurity agencies and threat intelligence firms, groups such as APT40 and APT41 have exploited vulnerabilities within hours of their public disclosure. Chinese APTs are also effective in sharing exploits across groups. Once a vulnerability has been successfully weaponized, it often circulates rapidly among operators. Both these dynamics were on display during the 2021 Microsoft Exchange campaign. On February 23, 2021, MAPP distributed proof-of-concept code to its members so they could engineer detections."
"Five days later, mass exploitation of the vulnerabilities, with similar code to that distributed via MAPP, blanketed the web. According to threat intelligence firm ESET, exploitation began with the China-linked threat group Tick and was quickly followed by other China-linked groups, including LuckyMouse, Calypso, and the Winnti Group. Microsoft made patches available for customers shortly thereafter, on March 2, 2021, seven days after distributing proof-of-concept code to MAPP members. A similar pattern emerged with the exploitation of the SharePoint vulnerabilities first disclosed at Pwn2Own Berlin in May. The winning submission was reported to Microsoft shortly after the event. As per standard MAPP procedures, Microsoft distributed vulnerability details to selected partners up to two weeks before the public patch scheduled for July 8th. Yet CrowdStrike observed exploitation as early as July 7th, again suggesting that threat groups may have gained access to vulnerability details before protections were made widely available. Microsoft attributed the activity to no fewer than three China-linked groups on July 22. Microsoft's stated mission is to, quote, empower every person and every organization on the planet to achieve more. In line with this mission, and given Microsoft's strong global presence, including a vast user base in China, initiatives like MAPP play a critical role in protecting users from malicious actors. However, such programs require strong safeguards and clear accountability, and ensuring full compliance can be difficult in unique contexts such as China's centralized vulnerability disclosure system. The inclusion of Chinese companies warrants special scrutiny, especially those participating in domestic programs that incentivize reporting vulnerabilities to the state."
And they conclude: "Unfortunately for Microsoft's user base in China, the government incentivizes behavior which should jeopardize the continuing participation of legitimately defensive companies in MAPP. It is the role of the PRC government to enforce laws on companies operating within its jurisdiction and responding to its policies. In consideration of Microsoft's pursuit of adequate defense and support of its users, and in line with the company's mission statement, it may be appropriate for Microsoft to temporarily suspend PRC-based companies from MAPP pending an investigation by the PRC government into the potential violation of Microsoft's NDA with local companies. Microsoft has the systemic importance to request such an investigation, as the behavior clearly jeopardizes the safe operation of critical information infrastructure under the PRC Cybersecurity Law." So, given all of the facts that these guys lay out, and the future, if not the past, potential for the rapid abuse of a critical global flaw in widespread Microsoft networking systems, I for one sincerely hope that Microsoft is, at this point, seriously reconsidering the trusting relationship they have long enjoyed with China's security firms. You know, in paraphrasing Khan, if we were all one big happy planet, then I'd say that Microsoft's historical position makes sense. Why not share these discovered vulnerabilities before they're patched and remediated? But the sad truth is tensions are escalating, and there doesn't appear to be any reasonable end in sight. Given that U.S. intelligence agencies have firmly concluded that U.S. interests are under constant cyber attack from Chinese threat actor groups which are being actively supported by the People's Republic of China, how can it possibly remain rational for Microsoft to be willfully providing Chinese researchers, and indirectly the Chinese government, with the very means to attack us, perhaps devastatingly?
Leo Laporte
From your lips to Microsoft's ears? Well, that sounds kind of creepy, but I hope they listen and pay attention.
Steve Gibson
Yeah, I mean, I get it. It's valuable. But Leo, we just... I mean, Exchange Server is an example, and SharePoint here is another.
Leo Laporte
It's happening too much.
Steve Gibson
There are defects, serious critical remote code execution defects, in Microsoft's products. Yeah. And when they're discovered, they need to be fixed without them being at risk of being weaponized against us before they can be patched. Yeah. And unfortunately they're willfully giving advance notice to a hostile foreign entity.
Leo Laporte
Well, Microsoft says they're going to eventually move it out of China. They don't say they're going to move it back to the U.S. No, they were...
Steve Gibson
And actually what they said they would move out was the... the fact that it's even worse. They have Chinese people writing the patches at the moment. Yeah. But then also they have the MAPP participants, which are different from that. So they have two different means by which, you know, they're deliberately having knowledge of these problems in China before the patches are released.
Leo Laporte
I'm surprised they're even allowed to do this, frankly.
Steve Gibson
I think it's only because Microsoft is so strong and our politicians don't really understand what's going on.
Leo Laporte
Yeah. Steve Gibson, he's at GRC.com. He understands what's going on. That's why we listen to the show every Tuesday. You can get a copy of the show from him. He's got 64 kilobit audio, 16 kilobit audio, and transcripts written by an actual human being, Elaine Farris. And of course the show notes, all of that at GRC.com. While you're there, take a look. You might want to pick up a copy of SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. 6.1 is the current version. If you have mass storage, you really should have a copy of SpinRite. There's also lots of other great stuff there at GRC.com, including a way to get a hold of Steve. People are always asking me, can you send an email to Steve? It's easy. Go to GRC.com/email. Submit your email address. He'll whitelist it. From that point on you'll also have the opportunity... there, Steve: two unchecked checkboxes right below it. One is for his weekly newsletter. That's the show notes for this show. And the other is for much less frequent emailing about new products. And I think you'd want to know about those too.
Steve Gibson
There's only ever been one. That's how infrequent it is.
Leo Laporte
Every 12 years he sends an email. GRC.com/email. You can also get this show at our website, twit.tv. We have 128 kilobit audio plus video on our site. There's also video on the YouTube channel. You'll see a link at that page, which is a great way to share little clips with your boss or your IT department or just whoever you think might be interested. Help us spread the word about the show. You can also subscribe in your favorite podcast client. That's an easy way to get it. Audio or video, your choice. That's free, but there are ad-free versions of the show available if you're a member of Club Twit, and I do want to encourage you to join the club. Club members are able to join us in the Discord chat along with us. They get a lot of special programming. Friday we're going to do Stacey's Book Club. A great science fiction book called How to Win the Time War. In fact, it's short enough you could probably still read it before Friday. Highly recommend it. Right after that it's going to be Chris Marquardt's photo show. So we got a busy week this week. We also have coming up, and if you're a member of the club, I want you to go to the Club Twit Discord and vote. Micah wants to put together a Dungeons and Dragons one-shot, but he's trying to figure out what would be the best way to do this, like who do you want participating. So he's got a little poll right there at the bottom of the events page. We want all the club members to vote on that. This page is a good page to know about. This is all the things that happen in the club, like the AI Users Group, Micah's Crafting Corner. We're going to stream the Pixel 10 announcement. Home Theater Geeks, this is going to be a good one this week. Actually that was... Oh, it's next Monday. Okay, good. August 11th. He'll be talking about the Value Shootout, or maybe Thursday, I'm not sure. Anyway, all of that is in the Club Twit Discord.
And the most important reason, from my point of view, to subscribe is you support the work we do here at TWIT. 25% of our operating revenue now comes from the club. Very important. If you're not a member, please join. We'd love to have you. twit.tv/clubtwit. We do this show live, by the way, every Tuesday right after MacBreak Weekly: 1:30 Pacific, 4:30 Eastern. That's 20:30 UTC. You can stream it live if you're in the club in the Discord, but you can also stream on YouTube, Twitch TV, TikTok, Facebook, LinkedIn, X.com and Kick. So pick your poison. Watch live if you want, but still subscribe so you get a copy of it, because you want to have the full archive of 1000... What is it? 1035 shows, some huge number. It's amazing. Steve's gonna keep doing it as long as you keep listening. So keep listening. Thank you, Steve. Have a wonderful week, and we'll see you next time on Security Now.
Steve Gibson
Thanks, buddy. Till then.
Leo Laporte
Security Now.
Security Now 1037: Chinese Participation in MAPP
Released on August 6, 2025
Hosts: Leo Laporte and Steve Gibson
As the podcast approaches its 20th anniversary, Steve Gibson and Leo Laporte reminisce about the show's humble beginnings. Steve humorously recalls a moment when he feared the show might run out of topics, but now, two decades later, Security Now remains a staple in tech discourse.
[01:24] Leo Laporte: "If you go to our Twit TV SN1, you can actually see the very first episode, which was August 9th, 2000... So that will be our birthday."
The central discussion revolves around the recent SharePoint server vulnerability incident. Steve Gibson expresses deep concern over Microsoft's handling of patch releases, especially given their collaboration with Chinese engineers through the Microsoft Active Protections Program (MAPP).
[06:42] Leo Laporte: "I haven't looked at it. I haven't looked at it."
Steve elaborates on how Microsoft's sharing of advance vulnerability details with Chinese MAPP participants may have inadvertently facilitated state-sponsored cyberattacks, and questions the integrity of Microsoft's patching process.
[27:35] Leo Laporte: "Well, by the way, did you read who these escorts are? They're not technical, they're military. They're just some guys."
A significant portion of the episode highlights ICANN's breach notice to Webnick CC, an Asian domain registrar accused of neglecting DNS abuse mitigation. Steve underscores the severity of Webnick's non-compliance, emphasizing the potential risks posed by malicious actors exploiting their services.
[73:47] Leo Laporte: "Yeah, the ICANN logo is on here."
Steve details the exhaustive steps ICANN has taken to address Webnick's failures, illustrating the challenges in enforcing compliance within the domain registration industry.
Steve presents a report from Microsoft's Threat Intelligence Group about Russia's methods for monitoring the internet traffic of foreign embassies within its borders. Using the interception position that SORM (System for Operative Investigative Activities), Russia's domestic lawful-intercept infrastructure at the ISP level, already provides, the attackers get a root certificate installed on the target's machine. Once that root is trusted, they can sit in the middle of any TLS connection the target opens, present a certificate they issued themselves for the remote site, and read the decrypted traffic.
[40:49] Steve Gibson: "So Russia is able to freely impersonate any remote site the compromised target may visit... They get to see everything that's going on."
The hosts announce that Dropbox will discontinue its password manager service, urging listeners to switch to more secure alternatives like their sponsor, Bitwarden.
Meredith Whitaker, President of the Signal Foundation, threatens to withdraw Signal from Australia in response to governmental demands for encryption backdoors. The discussion delves into the implications of such actions, emphasizing the importance of secure communications for individuals and government agencies alike.
[49:48] Leo Laporte: "Sounds like another Chinese ransomware gang, but okay, that's right."
YouTube is implementing machine learning-based age estimation to better tailor experiences for younger users. Steve critiques the use of heuristics but acknowledges their necessity in the absence of reliable age verification systems.
[57:12] Leo Laporte: "But okay, focus like a laser."
Google introduces an optional Verified CRX Upload feature for Chrome extensions: an uploaded extension package must carry a signature made with the developer's own private key, which the Web Store checks before accepting it. Steve praises this as a strong defence against malicious code being published under a legitimate extension by someone who does not hold that key.
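As an added example of the store-side check described above (this is not Google's code and makes no claim about the real CRX upload format), the Go program below models it: the store keeps a registered public key per extension id, the developer signs the package with the matching private key, and an upload is accepted only if the signature verifies. It then shows the three rejections that matter: a package signed with a key other than the registered one, a package altered after signing, and a signature presented under an extension id that has no registered key. The extension ids, package bytes and the "crx-upload-v1" domain-separation label are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Upload is what the store-side verifier sees: the extension id, the
// packaged bytes and a detached signature made with the developer's key.
type Upload struct {
	ExtensionID string
	Package     []byte
	Signature   []byte
}

// Store holds the developer public key registered for each extension id.
type Store struct {
	keys map[string]ed25519.PublicKey
}

func NewStore() *Store { return &Store{keys: map[string]ed25519.PublicKey{}} }

// RegisterKey records the public half of a developer's upload key.
func (s *Store) RegisterKey(extID string, pub ed25519.PublicKey) { s.keys[extID] = pub }

// uploadDigest binds the signature to both the id and the package bytes, so a
// valid signature for one extension cannot be replayed onto another.
func uploadDigest(extID string, pkg []byte) []byte {
	h := sha256.New()
	h.Write([]byte("crx-upload-v1\x00")) // constructed label, not a real format
	h.Write([]byte(extID))
	h.Write([]byte{0})
	h.Write(pkg)
	return h.Sum(nil)
}

// SignUpload is the developer side: sign the digest with the private key.
func SignUpload(priv ed25519.PrivateKey, extID string, pkg []byte) Upload {
	return Upload{ExtensionID: extID, Package: pkg, Signature: ed25519.Sign(priv, uploadDigest(extID, pkg))}
}

var (
	ErrNoKey        = errors.New("no upload key registered for extension")
	ErrBadSignature = errors.New("upload signature does not verify against registered key")
)

// VerifyUpload is the store side: accept only if a key is registered for the
// id and the signature verifies over id plus package.
func (s *Store) VerifyUpload(u Upload) error {
	pub, ok := s.keys[u.ExtensionID]
	if !ok {
		return ErrNoKey
	}
	if !ed25519.Verify(pub, uploadDigest(u.ExtensionID, u.Package), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo runs the four cases and returns each verifier result.
func demo() (legit, wrongKey, tampered, unregistered error) {
	const extID = "example-extension" // constructed id
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := NewStore()
	store.RegisterKey(extID, pub)
	pkg := []byte("PK\x03\x04 constructed extension package bytes")

	good := SignUpload(priv, extID, pkg)
	legit = store.VerifyUpload(good)

	// Someone holding the Web Store account but not the developer's key.
	_, attackerKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wrongKey = store.VerifyUpload(SignUpload(attackerKey, extID, pkg))

	// A genuine signature over bytes that were modified afterwards.
	tam := good
	tam.Package = append(append([]byte{}, pkg...), "evil"...)
	tampered = store.VerifyUpload(tam)

	// A genuine signature presented under an id with no registered key.
	unregistered = store.VerifyUpload(SignUpload(priv, "other-extension", pkg))
	return
}

func main() {
	legit, wrongKey, tampered, unregistered := demo()
	fmt.Println("legit:", legit, "| wrong key:", wrongKey, "| tampered:", tampered, "| unregistered:", unregistered)
}
```

The property the feature buys is the one `wrongKey` exercises: account credentials alone are no longer sufficient to publish, because the private key never needs to touch the store.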
Returning to Webnick CC, Steve explains ICANN's process for transferring affected domains to reputable registrars if Webnick fails to comply. He underscores the potential disruption for hundreds of thousands of domain holders if Webnick's accreditation is terminated.
[100:43] Leo Laporte: "Did they write 'have a nice day' or did you add."
The episode addresses listener inquiries about age verification mechanisms. Steve discusses the TrueAge system integrated into state-issued digital driver's licenses, highlighting its limitations in ensuring minimal information disclosure online.
[131:28] Steve Gibson: "What happened to this."
He reflects on the balance between user privacy and effective age verification, acknowledging ongoing developments spearheaded by experts like Stina Ehrensvärd.
Steve shares his enthusiasm for Andy Weir's novel "Artemis," praising its scientifically plausible and engaging narrative. Leo Laporte echoes the sentiment, appreciating the book's depth and character development.
[124:07] Leo Laporte: "Yeah, I'm really glad that she's taking this on. That's great."
Steve warns listeners about a critical security flaw (CVE-2025-6982) in TP-Link's Archer C50 routers, urging users to discontinue use and upgrade to more secure models.
[104:38] Leo Laporte: "A lot do that was recommended by Wirecutter for years as the best router."
The episode concludes with acknowledgments of sponsors like BigID and Threat Locker, who provide data security and zero-trust solutions. Leo promotes the Club Twit membership, encouraging listeners to join for exclusive content and support of the show.
Conclusion: Security Now 1037 covers the intersection of cybersecurity, geopolitical tension and digital privacy. From Chinese participation in Microsoft's MAPP to the difficulty of enforcing domain registrar compliance, the episode surveys the current security landscape, and the discussions of age verification technology and a critical router vulnerability underscore how varied today's threats are.
For full transcripts and additional resources, visit GRC.com