A (2:44)

All right. And some sci fi and a lot of good stuff coming up. I'm excited.

B (2:50)

I got lots of interesting news stuff.

A (2:53)

All right, so we will get to that and the world's greatest toy, our picture of the week in just a bit. But first A word from our sponsor, if you don't mind. And the good folks at Acronis, and we certainly talk about the Acronis Threat Research Unit from time to time. They do such good work. You deserve UIT professional. You, you deserve fewer headaches in your life, right? Who doesn't? Nowadays, even something as simple as watching TV can be a headache. When your favorite shows are scattered across all the different streaming services and they keep moving it around, it's impossible to find the one place where it has everything you need. And that kind of is true with cybersecurity. Or is it? Acronis is taking the headache out of cybersecurity with a natively integrated platform that offers comprehensive cyber protection in a single console. And if you want to know what's happening in cyber security, nobody better than the Acronis Threat Research Unit or, or TRU. That's the place to go. It's your one stop source for cybersecurity research. TRU also helps MSPs stop threats before they can damage you or your client's organization. And that's kind of part of your job. That's a good thing to have some help with, right? Acronis Threat Research Unit the TRU is a dedicated unit composed of experienced cybersecurity experts. Imagine a team of Steve Gibsons, including cross functional experts in cybersecurity and AI and threat intelligence. TRU conducts deep intelligence driven research into emerging cyber threats, proactively manages cyber risks and responds to incidents, and provides security best practices to assist IT teams in building robust security frameworks. It's like having the A team backing you up. They also offer threat intelligence reports, custom security recommendations, even educational workshops. Whether you're an MSP looking to protect your clients or you need to safeguard data in your own organization, Acronis has what you need and it's all there. In Acronis Cyber Protect Cloud, you get edr, xdr, remote monitoring and managing, managed detection and Response, email security, Microsoft 365 security, even security awareness training. And it's all available in a single platform with a single point of control for everything, which makes it easy to deploy and manage. If managing cybersecurity gives you a headache, it's time to check out Acronis. Now you can know what's going on in the cybersecurity world by visiting go.acronis.com twit and take the headache out of cybersecurity. That's go.acronis.com Twit A C R O N I S go.acronis.com TWITT we thank him so much for their support of security. Now time for a toy.

B (5:43)

And I realized that what I normally do I've skipped over which is to sort of run through a quick enumeration. Well that's of coming attraction.

A (5:51)

That's okay. I mean I, I, I was ready, I, I was ready to jump to the ad. Do you want to do it now?

B (5:58)

Well I just, I was, I was thinking okay. Our listeners might want to know that we've got going to talk about the enforcement of the shaken and stir telecom protocols, the inherent dangers of consolidating authentication. Look at the question of whether AI can even be controlled and that Vivaldi says a big no to AI enhanced web browsers. We now know how WhatsApp figured into Apple's recent zero day attacks. That we talked about. You know we talked about the update, the emergency update last week. Also we've had an instance now of leveraging AI as an attack aid and it's creepy. Also news on the latest TransUnion breach. Two scummy websites sue the UK good luck with that over age requirement that they are enforcing with their online safety act Open SSH has decided to remind its users to adopt post Quantum crypto. The DoD. The DoD. The U.S. department of Defense was found to be using open source which is being maintained by a Russian. What could possibly go wrong with that? And after as you mentioned a bunch of great feedback from our listeners. We've got a little bit of sci fi news from one of our favorite authors the the the Frontiers saga and how his relationship Leo and has with Amazon has soured much as yours apparently.

A (7:29)

Oh.

B (7:30)

So anyway, I think as I said a great podcast for our listeners which brings us to our toy. Our first topic, our favorite toy and it probably is at this point especially as you get older the, our picture of the week is I, I gave this the topic 50 years ago. Literally it was 50 years ago this month. Now that we're In September of 2025, issue number one of Byte magazine declares computers the world's greatest toy.

A (8:04)

Yes.

B (8:05)

And I got a kick out of the fact that it was a $50.

A (8:08)

For you know that was probably expensive in 1970.

B (8:11)

Probably was. Yeah, you were, you were paying your dues.

A (8:14)

Mad magazine was 35 cents. So I think it was. Yeah.

B (8:17)

Although when you consider the quality of the information anyway, 1975. So I was two years out of high school at that point.

A (8:28)

I was just going into college myself.

B (8:30)

I was the COVID Yes, right. The COVID says which microprocessor for you because back then no one had really, you know, settled on any particular thing. Cassette interface, your key to inexpensive bulk memory. Assembling your assembler. Can you use surplus keyboards? Parent you bet you can. And then finally I have a whole.

A (8:55)

Drawer now of surplus keyboards.

B (8:57)

Well, and by these we mean like, like some weird keyboard from a radar.

A (9:02)

Terminals and stuff.

B (9:03)

Yeah, exactly, for like that. Like what the hell, this doesn't even have all the ASCII characters on it. And then it finishes by saying by declaring computers in all caps the world's greatest toy.

A (9:17)

So you gotta remember 75. This is before the Apple II. This is before anything. This is when microcomputers are first starting.

B (9:25)

Yes, in fact that it just. It's such an interesting walk for those of us who are around our age. Leo, I think it's really worth taking a look inside the inaugural issue which we're able to thanks to the Internet's archive.

A (9:42)

Well, there's. I wanted to show you there's many places you can get by magazines including the Internet Archive. But my favorite now is somebody's put these online. Let me go back to the website. This is a visual archive of all the bike covers. If you zoom in, you can actually see the covers, the contents resolving themselves. But what I like about it is it has a regular expression search. So for instance, I can look for Leo Laporte.

B (10:16)

Wow.

A (10:16)

And it says no matches. Well, let me try that again because I know there's a match. Oh well, maybe not. There was a match the last time I did this.

B (10:23)

What happens if you look for Spinrite?

A (10:25)

Oh yeah, let's see. I wrote my. The first article I wrote for a byte was in 1984. There's something wrong with this site because I know Spinrite. Let's try it again. Spinrite. Yeah, there's something wrong with the site, unfortunately. But I know Spinrite's in there and you probably could search through Internet Archive and find it faster as well. It's pretty cool. This is really. Anybody who's interested in the history of technology should absolutely take advantage of these various archives.

B (10:58)

So even in this first issue you'll find, among other tips, tips for desoldering multi legged integrated circuits from a circuit board. Because you know, they were back then. That happens. You might need to repurpose that 2102 Intel 1K Dynamic RAM chip. Chip 1K bit. Sorry, not even bytes. They talk about how to decipher the wiring of a random surplus keyboard to use it for the computer. That of course you are building around 1975. How to choose the right microprocessor family for that computer. They've got a kit for building a working system. A tutorial on how asynchronous serial data communications is formatted the fundamentals of assemblers and how to take the first steps toward writing your own assembler for the chip that you chose. Two pages earlier in the book, we find an article even back then on coding strategies for implementing John Horton Conway's famous Game of Life.

A (12:11)

Game of Life, Yeah.

B (12:14)

There's also some great material titled what is Byte? I mean, this is the inaugural issue. So like they're saying, you know, basically that. That talks about what is a byte and why they named themselves Byte and how it started along with a request for contrib for. For contributions to the. This, you know, nascent magazine. I mean, it's just happening.

A (12:37)

This is so long ago. Jerry Pornell wasn't even writing for it yet. Eventually the Chaos Manor column became a must read. Steve, CRC is Circuit library. And you. Did you write for Byte as well?

B (12:51)

Did not write for Byte.

A (12:52)

Yeah.

B (12:52)

You wrote for. In fact then, for example, hobbyist mass storage. Mass storage was pure fantasy. So, you know, you gotta love the inaugural issues description of a. Of implementing your own cassette interface where it talks about frequency shift keying in order to store differing tones on an.

A (13:15)

Audio cassette tape because it was an audio medium, so you had to turn bits into.

B (13:20)

It was basically you were b. Basically you were creating a modem for that you would use to dump your program out of your solid state memory. Because, you know, I mean, core existed, but hobbyists didn't have core memory. No, you know, we had only a little bit of. Of. Of.

A (13:40)

Well, there was ram. I mean, these devices had RAM in them, like the MITS Altair. That's.

B (13:45)

Anyway, it says describing it as your key to inexpensive bulk memory. And of course, the early kit machines of the time often sported cassette IO and that was also built into the Apple II machines. So.

A (13:59)

And the Atari. I used a cassette interface to load and save programs from my old Atari.

B (14:05)

Now, of course, the. The lack of mass storage did not stay that way for long. Thirteen years later, we all owned PCs with hard drives. I know that because after launching that first issue, Byte grew into the PC Industries magazine of record. I mean, it was the that one. So. So when 13 years later, Bytes, November 1988 issue reviewed spin right with frankly gushing praise, it. It ended the. The review ended with the sentence spin right is what the word must was invented for. I mean, and then two months later, it they awarded Bite, awarded Spinrite the 1989 Award of Distinction. And of course it because of what Byte magazine was. And it really put Spinrite on the map. Anyway, by its perfectly timed inception in 1975, which again, 50 years ago this month, it was triggered by the realization that individuals, not only huge corporations, could own and use their own stored program computers. And I think it's astonishing Today, Leo, 50 years later, we're now holding conversational dialogues with these machines that are virtually indistinguishable from living human beings. And it is easy to forget that it is all still just a big pile of transistors.

A (15:49)

You know what's amazing is that the spinray interface looks exactly the same. Yes.

B (15:56)

Just as GRC's website looks exactly.

A (16:00)

I'm just teasing you, but yeah, we've come a long, a long, long way. Rich Grand's review of Spin Right says, I ran Spin right on an Everx 386 20s internal 30 megabyte hard disk drive. Wow. He was pretty wealthy to have a 30 megabyte drive back then. That was something. That was a fan.

B (16:22)

Well, and, and remember we, we were taking 20, there was a 20 megabyte drive which could actually handle RLL, so you got 50% more storage. And that was part of Steve's dream machine that I had developed over on at Infoworld.

A (16:35)

Wow.

B (16:36)

At the same time, anyway, I created a GRC shortcut for our listeners to that first inaugural issue, which is again, it is really worth flipping through the pages. If you go to GRC SC/ byte B Y T E, that will bounce your browser to the Internet archives page turning display where it's easy just to flip through the pages of that first bite. You know, the ads are interesting. You know, they've got an open frame power supply on page four or something for, you know, because you got to have one of those. I mean it's just, it's just great. And I thought, wow, 50 years, Leo.

A (17:17)

Amazing.

B (17:18)

You know, the podcast has been here for 20 of those 50.

A (17:22)

So yeah, kind of you put it that way. It's a good point. Holy cow. Yeah, yeah.

B (17:30)

So, wow. And for you youngsters who weren't born in 75, take a look at what your elders were doing because GRC SC byte will take you to that first issue.

A (17:44)

Very cool. Very cool. It is. I think it's good for young people to read these stories. It really is.

B (17:51)

And here, you know, here's asynchronous serial communications. Nothing has changed. That's the other kind of spooky thing is that it's odd how like the, the assembling your own assembler, the, the, you know, you still. Sometimes you have to desolder a chip. Well, here's how to do that back in 1970. That hasn't changed. Yeah, yeah, but asynchronous communications has not changed since then. That's the way RS232 still operates. And it's one of the points that I've wanted to make about the early episodes of this podcast when we talk about how processors work, how the Internet works. All of those early episodes where we were doing a lot of tutorial stuff, it's 100% relevant today. Anyway, several years ago we spent some time examining the development and presence of the so called SHAKEN and STIR protocols. The obvious naming follows from Ian Fleming's James Bond character who preferred to have the preparers of his martinis shake them and not stir them. I, I'm a neophyte on the martini front, so I can't tell you what the difference might be. But. But the STIR protocol existed first as a means of authenticating the originators of VoIP voiceover IP connections. STIR stands for Secure Telephone Identity Revisited. Again, they were, you know, stretching to get these acronyms to work. So stir, Secure Telephone Identity Revisited. It's specified in a series of four RFC standards documents by an IETF working group and it functions by attaching a digital certificate, and we all know what those are now, to the sip, the session Initiation protocol. And boy, I wonder if SIP is meant to be like part of this martini.

A (19:58)

Oh, I never thought of that.

B (20:00)

I never did either until I was just looking at that.

A (20:03)

Maybe they're trying. Wow, that's going back.

B (20:07)

Anyway, so it. So the STR attaches a digital certificate to the SIP Session Initiation Protocol information, which is used to initiate and route calls in VoIP systems. The problem for authentication is that not everyone, or not everything is VoIP specifically, the bulk of, of especially early telephony, was all just switched network, which, you know, stayed within the the telephone system network, which had nothing to do with ip, at least at the subscriber interface. So if authentication of a caller was desired, it would be necessary to somehow retrofit something like the str protocol for VoIP onto non VoIP connections. Already having stir and knowing of James Bond, the designers of the second protocol had little choice other than to somehow arrange to name it shaken. Unfortunately, not all acronyms go willingly, and this one put up a fight. The designers figured that SHAKEN had to stand for Something. So what we got was secure base. I'm sorry, signature based. There's the S handling H of asserted. We got the A now. Now we have a problem with the Ken. So we're going to go signature based handling of asserted information using tokens.

A (21:44)

Oh.

B (21:50)

Yeah. It's not inspired, but it works.

A (21:52)

Oh my.

B (21:53)

Okay, so together, Shaken and Stir add something our telephony system has never what was never designed to provide, which is a practical mechanism to provide verified information about the calling party as well as the origin of the call. Giving service providers the tools needed to sign and verify calling numbers makes it possible for businesses and consumers to know before answering what the calls, you know, that that the calls that they're receiving are coming from legitimate parties. However, everyone familiar with the subject of this podcast knows the difficulties that arise when we attempt to retrofit security onto a system that wasn't designed to accommodate it. And which works even if you don't. Creating the specifications and the implementation is only the start of the battle, right? Getting everyone to adopt it generally turns out to be the much heavier lift. And so it has been for the adoption of these caller identifying standards. There's no benefit to the carrier because the ultimate consequence of strong caller authentication will be the end of call spoofing and robo calling, which are sources of revenue for the carriers. So they're not in a big hurry to shut all that down, although it's driving their subscribers bonkers. You know, I finally had to suspend my two landlines because no one ever called me that. I knew it was all just garbage calls, which was just infuriating because I knew that didn't have to be that way. After many years of waiting for the adoption of stir and shaken, four years ago, in June of 2021, the U.S. federal Communications Commission, RFCC, began requiring large carriers to use the protocols. And Canada's Canadian Radio, Television and Telecommunications Commission, their equivalent, which is the CRTC, has required the use of the protocols ever since November 30th of 2021. So a few months later, what was the result? Not much. No one seemed to care. It's always a pain to make any changes. And no one in the Biden administration's FCC appeared to care enough to force the issue. We're talking about this today because perhaps not surprisingly, the Trump administration's FCC is taking a somewhat different approach. Last Thursday, the FCC, get this. Terminated more than 1200 voice service providers from the US telephone network for their failure to deploy robocall mitigations. Perhaps you know, that order from 2021, which is now more than four years old, should have been taken a little more seriously. The text of the order, which I found and reviewed is quite clear. At one point it states, removal of a company's certification requires all intermediate providers and voice service providers to cease accepting all calls directly from the company. No television, no. No tele telephone network for you. That 1200 number is nearly half of the 2411 voice providers the FCC notified and ordered last year to become compliant. So again, they've like, had several warnings and like, this is it. Or else we're serious this time. No, really, we mean it now. No, like this is it. Please take us seriously. That was in the summer of 2021. Nothing happened back then and they renewed that last year. So I imagine that last year's refresh of the requirement was just as ignored as the previous ones and considered to be just more saber rattling. But not today's fcc. There's a new sheriff in town. So since last Thursday, I would imagine that any companies of those 1200 that don't just want to give up and go away, maybe like all of their business is about crap that nobody wants to receive. They're scurrying to implement the, you know, stir and shaken protocols, scrambling to add the required support to their network so that they can get back on with, you know, into the rest of the phone network. But in the meantime, since they are unable to provide service into the US Telephony networks, any legitimate customers they may have are likely abandoning them in droves and switching to providers that have remained connected, those that responsibly implemented this protocol so that these unwanted calls can be identified and controlled. The near term upshot of the fact that Trump's FCC is willing to do what's necessary is that the US Telephone network may finally get itself cleaned up. And that will be a huge win for all of its users. I think this has been long overdue. So. Bravo.

A (27:26)

Yeah, it was scheduled as a slow rollout, so they initially did it for companies of the largest companies and then it was a stepped rollout for the smallest companies. And now we're at that final stage where these are the very smallest of, as you could see. I mean, there's 2,411 voice providers. Exactly.

B (27:44)

It's not like AT&T.

A (27:46)

Yeah, ATT went along with it early on, but obviously you have to get, get all of them because the spammers will just move to whoever still can get away without the verification. So I'm glad this has finally happened. I was wondering how you know when this was going to finally take place? I don't want to interrupt, but there is a breaking story that we probably should cover. It's been nearly a year since Judge Mehta ruled that Google was a monopoly. He said at that time that he was going to put out his judgment on the penalties by the end of August. Well, it's a little past the end of August. But today a judge Meta did rule the penalty phase of the Google versus the US Department of Justice lawsuit that Google lost last year, and the news is, I think, fairly good for Google. One of the Justice Department was asking for, as you remember, things like Google being forced to sell its browser or even Android. The judge said Google will not be required to divest Chrome, nor will the court include a contingent divestiture of the Android operating system. In the final judgment, Judge Amit Mehta said plaintiffs overreached. That's the Department of Justice, in seeking forced divestiture of these key assets, which Google did not use to affect any illegal restraints. Furthermore, they can continue to pay the estimated $20 billion a year they spend to Apple and many millions to Mozilla and to Samsung to preload products or to preload the Google search engine. But in fact, the only thing Google has to stop is the practice of compelled syndication, which is making deals with companies to ensure the search engine is the default choice. I don't, I'm unclear on this. And we'll have to get more details whether that means they stop paying Apple. I don't think it does because I don't think it's compelled.

B (29:45)

Right.

A (29:45)

I think it's just a payment. The real issue was Android handset manufacturers who were using the free operating system. But then Google said, but if you want to have the Google Store on there, you've got to be. Put Chrome on there and you've got to use our search engine.

B (30:01)

So they were tying search.

A (30:03)

They were tying. Exactly, exactly.

B (30:05)

I see. Right.

A (30:05)

I think that that's, I suspect, but I'll have to get more details. This just, literally just came in 20 minutes ago. So this is. Or not even that long.

B (30:14)

15 breaking news on security now.

A (30:16)

We've been waiting. We knew that this, this, this penalty phase had to end. And now Google has said that they would appeal. But I, I think based on their success in this, it seems that they may just settle. In fact, the stock market is given them a big reward, a 4% increase in Alphabet's stock. Google will not. Okay, here's the further information. Google would not be barred from making payments or offering other consideration to distribution partners for preloading or placement of Google Search, Chrome or its Gen AI products. The judge said cutting off payments from Google would impose substantial, in some case crippling downstream harms to distribution partners. That's true. Firefox Mozilla says if we don't get that payment, we've got no company. So that he made the right decision. In fact it sounds like he did the right things. No, Google says we're going to appeal anyway because as long as it's being appealed nothing will happen and that probably is what they want. So I think really a successful.

B (31:15)

Oh, you mean as long as it's in appeal then no change will happen.

A (31:19)

Right. So they figure well we might as well continue to appeal this. So in a sense I think a victory for Google given that was ruled a monopoly. The limitations there that the judge decided to put on Google were as minimal as they could possibly be. Anyway, sorry to interrupt, but I know that everybody's been watching with interest on this story and so the other shoe has dropped on we go.

B (31:45)

So last week we learned that a firm we've not talked about before called Sales Loft, which is a sales AI and automation platform, was breached by hackers. Unfortunately, the breach of Sales Loft created an opportunity for hackers to pivot to its customers Salesforce accounts. This enabled the attackers to harvest Salesforce data from those accounts and other credentials and to then pivot to other cloud platforms. Google says the attackers pivoted to Salesforce to using OAuth tokens from the Sales Loft AI chat agent, after which Sales Loft revoked all drift Salesforce connections and asked their customers to re authenticate and reconnect their apps. The industry subsequently learned that the hack was larger than was initially believed with the attackers who pivoted from Sales Lofts network into Salesforce accounts, also pivoting to Google Workspace, Slack and Pardot integrations. One of the consequences of the convenience of centralized authentication and credential reuse is, you know, and, and what do we preach here with our browser extensions? Our our password managers is do not reuse your credentials. Right. Unique password for every site. That's the whole point. But we're not really following our own advice here because of the way we're using OAuth today? As I said, one of the consequences of the convenience of centralized authentication and credential reuse is all of this so called pivoting that winds up being immediately enabled. When I went over to the Pardot website, for example, I was presented with a login with Salesforce screen. So when attackers obtained sales lofts customers Salesforce oauth tokens, they were immediately able to reuse those stolen tokens to log into many other services that would accept Salesforce's authentication. Anytime we're being presented with the convenience of login with Google or login with Facebook or any of the other major identity providers, it's worth remembering that a compromise of that single credential potentially compromises our authentication at all of the other sites that know us that way.

A (34:29)

That's a problem.

B (34:30)

Yes. Again, it's a, it's a, you know, you know, this is not the first time we've talked about that, but it's worth of, it's worth a refresh. I think. It is, it is. It's nearly always the case that convenience brings some non obvious risks. And, and here's another one. You know, it's yeah, it's convenient to be able to just reuse my Google authentication or my Facebook identity, but if that's ever compromised, it's not just Facebook that you lose control of. It's everybody who knows you through your Facebook id. And that's what happened here.

A (35:04)

Wow.

B (35:06)

So after our next break, Leo, we're going to look at the question of can we control AI? And I have an interesting perspective that I think might be useful.

A (35:16)

Good, I look forward to it. You're watching security now with Mr. Steve Gibson, our show. This portion of our show brought to you by Threat Locker. If you listen to this show at all, you know we need help out there in the real world. Ransomware is killing businesses worldwide. Threat Locker can prevent you from becoming the next victim. Threat Locker's Zero trust platform. That's the key. Takes a proactive. And here are the three words you want to hear. Deny by default approach. Deny by default blocks every unauthorized action, every action you have not explicitly authorized, protecting you for both known and unknown threats. Zero Days can't get through because you didn't authorize that. Trusted by Global enterprises like JetBlue and the Port of Vancouver, Threat Locker shields you from zero day exploits and supply chain attacks while providing complete audit trails for compliance. As more cybercriminals turn to malvertising, you're going to need more than just traditional security tools. Attackers are creating convincing fake websites, impersonating popular brands like AI tools and software applications distributed through social media ads and hijacked accounts. Then they use legitimate ad networks to deliver malware affecting anyone who browses on work systems. Traditional security tools often miss these attacks because they use fileless payloads that run in memory and exploit trusted services that ByPass Typical filters. ThreatLocker's innovative ring fencing technology strengthens endpoint defense by controlling what applications and scripts can access or or execute, containing potential threats even if malicious ads successfully reach the device. Threat Locker works across all industries. It supports Mac, PCs and more, provides 24.7us based support, and enables comprehensive visibility and control. Just ask Jack Senisap, Director of IT Infrastructure and Security at Rednor's Market. Jack says quote when it comes to Threat Locker, the team stands by their product. Threat Locker's onboarding phase was very good, a very good experience and they were very hands on. Threatlocker was able to help me and guide me to where I am in our environment today, end quote. Get unprecedented protection quickly and easily and cost effectively with ThreatLocker. Visit threatlocker.com TWIT to get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com TWIT I have to warn you though, you're going to install this and you're not going to want to ever uninstall it. It's that good. So give it a try. Threatlocker.com TWIT threatlocker.com TWIT we thank him so much for supporting Steve's work here at Security. Now Steve's a guy who told me about Zero Trust first before anyone else. On we go, sir.

B (38:08)

Okay, so I first want to share we're going to talk about the question can we control AI? And I first want to share the opening of a much longer Reuters News Agency piece they published last Friday that.

A (38:24)

I want to so mad.

B (38:26)

Yes. Then I want to return to one of my thoughts about AI. So Reuters wrote Aug 29. Reuters Meta has appropriated the names and likenesses of celebrities including Taylor Swift, Scarlett Johansson, Anne Hathaway and Selena Gomez to create dozens of flirty social media chatbots without their permission, Reuters has found. While many were created by users with a Meta tool for building chatbots, Reuters discovered that a Meta employee had produced at least three, including two Taylor Swift parody bots. Reuters also found that Meta had allowed users to create publicly available chatbots of child celebrities, including Walker Showbell. A 16 year old film star asked for a picture of the teen actor at the beach. The bot produced a lifelike shirtless image writing beneath the picture. Pretty cute, huh? All of the virtual celebrities have been shared on Meta's Facebook, Instagram and WhatsApp platforms. In several weeks of Reuters testing. To observe the bot's behavior, the avatars often insisted they were the real actors and artists. The bots routinely made sexual advances, often inviting a test user for meetups. Some of the AI generated celebrity content was particularly risque. Asked for intimate pictures of themselves, the adult chatbots produced photorealistic images of their namesakes posing in bathtubs or or dressed in lingerie with their legs spread. Meta spokesman Andy Stone told Reuters that Meta's AI tools should not have created intimate images of the famous adults or any pictures of child celebrities. He also blamed Meta's production of images of female celebrities wearing lingerie on failures of the company's enforcement of its own policies, which prohibit such content anyway, the article goes on at much greater length, but everyone gets the idea over the course of the past year, I've invested some time studying the operation of large language model generative conversational AI, and I've been using them continuously while watching and marveling at their output, which to me remains astonishing. That Reuters piece brings me back to a feeling I've expressed here before, which is that the nature of the way AI generates its output to me means that it is inherently uncontrollable, which explains why the AI industry is having so much difficulty controlling it. The information that is acquired, stored, and modeled within a large language model is almost stored holographically, with no single fact residing in any one place, so it's not possible to pluck it out from the whole. In struggling to find a useful analogy, the classic photographic hologram came to mind. What I recall about a hologram is that it's not possible to readily edit its image contents, because every part of the image is stored everywhere else. Each small region of a hologram contains information about the entire scene, though with proportionally less detail. So if, for example, we were to cut a hologram in half, each half would still depict the entire scene, albeit with lower resolution and with a reduced field of view, like looking through only part of a window. This is very much the way large language models store their information. The other inherent problem with what we want when we say that we want to control an AI, is that the boundaries between what we would consider acceptable and unacceptable are beyond blurry and fuzzy. We may be able to make a go no go determination, but how do we describe it? U.S. supreme Court Justice Potter Stewart was unable to define what was and was not pornographic, and was finally reduced to saying, I may not be able to define it, but I know it when I see it. So on the one hand, it's unclear how we even describe to an AI what it is and is not allowed to produce. And even if we could, it's not at all clear to me how we edit a hologram, which is, I think, a very good analogy for what, you know, the way information is stored inside of a large language model. Having, you know, taken some time to, to look at the, at the way they're, at the way they are trained. I just think, Leo, that it is, you know, I've talked about like, maybe having another AI look at the output of the main AI before its output is made public. I, I, it's like, it just seems so difficult to me. I mean, I get how, how hard a problem it is to, to, to edit it. It's very much like, like telling the AI, okay, don't say anything that's wrong. Well, it's been trained on a whole bunch of wrong stuff. So it doesn't know what's right or wrong. I mean, it doesn't know, you know, anything. It's just producing content based on the way it's been trained. So I, I mean, I agree with you. What, what, what Reuters uncovered is, it's, frankly, it's not surprising, but it is very disturbing. And speaking of AI, last Thursday, the Vivaldi browser folks took an interesting stand on the issue of AI permeating the web browsing space and their feelings about that. Their post was titled Vivaldi Takes a Stand. Keep browsing human. And that was followed by their teaser intro, which read, browsing should push you to explore, chase ideas and make your own decisions. It should light up your brain. Vivaldi is taking a stand. We choose humans over hype, and we will not turn the joy of exploring into inactive spectatorship. Whoa. No AI for you. So here's what they wrote. They said, just like society, the web moves forward when people think, compare, and discover for themselves. Vivaldi believes the act of browsing is an active one. It is about seeking, questioning, and making up your own mind. Across the industry, artificial assistants are being embedded directly into browsers and pitched as a quicker path to answers. Google is bringing Gemini into Chrome to summarize pages and in future, work across tabs and navigate sites on a user's behalf. Microsoft is promoting Edge as an AI browser, including new modes that scan what's on screen and anticipate user actions. These moves are reshaping the address bar into an assistant prompt, turning the joy of exploring into inactive spectatorship. This shift has major consequences for the web as we know it. Independent research shows users are less likely to click through to original sources when an AI summary is present, which means fewer visits for publishers, creators, and communities that keep the web vibrant. A recent study by Pew Research found users clicked traditional results roughly half as often when AI summaries appeared. Publishers warn of dramatic traffic losses when AI overviews sit above links and I'll just interrupt to say, as far as we know, that's all true, and we've been exploring the various consequences of that for the past several weeks, vivolvi continues. The stakes are high. New AI, native browsers, and agent platforms are arriving, while regulators debate remedies that could reshape how people reach information online. The next phase of the browser wars is not about tab speed. It's about who intermediates knowledge, who benefits from attention, who controls the pathway to information, and who gets to monetize you. Today, as other browsers race to build AI that controls how you experience the web, we are making a clear promise. We're taking a stand, choosing humans over hype, and we will not turn the joy of exploring into inactive spectatorship. Without exploration, the web becomes far less interesting, our curiosity loses oxygen, and the diversity of the web dies. The field of machine learning in general remains an exciting one and may lead to features that may or that are actually useful. But right now there is enough misinformation going around to risk adding more to the pile. We will not use an LLM to add a chatbot, a summarization solution, or a suggestion engine to fill up forms for you until more rigorous ways to do these things are available. Vivaldi is the haven for people who still want to explore. We will continue building a browser for curious minds, power users, researchers, and anyone who values autonomy. If AI contributes to that goal without stealing intellectual property, compromising piracy I'm sorry, privacy or the open Web, we will use it. If it turns people into passive consumers, we will not. We will stay true to our identity, giving users control and enabling people to use the browser in combination with whatever tools they wish to use. Our focus is on building a powerful personal and private browser for you to explore the web on your own terms. We will not turn exploration into passive consumption. We're fighting for a better web. Okay, so I guess there will be a web browser for anyone who hates AI. I certainly am not an AI hater. I think it's a marvelous and amazing emergent phenomenon, and I make great use of it as a quick reference source while I'm coding. I actually feel a bit guilty now, asking it dumb things that I could easily go look up for myself and would have had to a couple of years ago. But if OpenAI wants to lose money allowing me to ask it why the sky is blue, I'll happily pay them 20 bucks a month for the privilege. Today, I'm still using Google and I check out its AI overview to see whether that's all I need, while never forgetting that it could be wrong. You know, the other day, Chat GPT produced a snippet of Windows code for me, and it just made up a Windows message that never existed. I immediately knew it was wrong, but the way it was wrong was interesting and it made sense to me since, you know, there's nothing in there that actually understands what. What it's spewing out. It's just language. And that's what makes, you know, what it's able to do so miraculous. So my feeling is it is certainly way more useful than not. And that's why I tend to think that Vivaldi's anti AI stance is probably a mistake.

A (51:06)

I think it's just marketing.

B (51:08)

You think so?

A (51:08)

I mean, notice they have a lot of things, like, until it's good, when it's good, we're going to use it. As soon as it's okay, we'll start. They left a lot of space for them to change their minds.

B (51:19)

True. And you think that, like, there will be people attracted to the lack of, really?

A (51:26)

Oh, yeah.

B (51:26)

To the, to the lack of, like, AI overview.

A (51:29)

Absolutely. There. It's. You know, last poll I saw said 71% of people don't trust AI. I think that there is. Look, Vivaldi's got a tough road to hoe. They're like fourth or fifth. No, they're not even that. Opera's fourth. They're way down the list of popular browsers. Chrome is like 80%. Then it's edge, Then it's, you know, Safari, Firefox, Opera. I don't even see Vivaldi on that list. So having something that differentiates them is a good thing.

B (51:59)

So, like, say we're the anti AI browser.

A (52:03)

If you don't want AI, we got something for you. But they noticed, they didn't rule it out forever. They just said, until it's good, until it's safe, until it's okay, then we might use it, you know, good, good on them. And there are definitely people who don't want it. You know, I don't blame them. I'm with you, though. I'm your camp. I. I've, you know, I. There's also. I saw somebody said this is like the invention of electricity. This is, you know, you gotta, you know, there are people who over hype it as well. So you kind of kind of walk down the middle, I think.

B (52:36)

I wonder if I can find really quickly this. I sent this to two friends of mine this morning. This was. I was just astonished by this again. I just. So, so here's the kind of. Here's the kind of way I use chat GPT. I was puzzled by something. So here's here. Here was my prompt.

A (53:01)

Yeah.

B (53:01)

I have the vscroll style specified on a Windows static control. The scroll bar displays and its scroll thumb scales and works. I have subclassed the control in order to manage its messages. But I'm not receiving any of the WMVSCROLL messaging for mouse or keyboard actions on the static Windows control. I dislike asking leading questions of LLM AI since it tends to bias your reply.

A (53:31)

Right.

B (53:31)

But the only thing I can think is that perhaps the staticness. And I put that in quotes, the staticness of the control prevents its responding to the system's mouse and keyboard. What do you think? So this.

A (53:49)

That's a great prompt.

B (53:51)

That's the way I write these things. I mean, I.

A (53:53)

You're having a conversation.

B (53:55)

Yes. Yeah.

A (53:56)

The point. What's interesting is you would have done this as a search in many, many steps. You know, you narrowed it down. Narrowed it down and you would have done the same basic kind of thing as a search.

B (54:05)

Yes. So, and so that's why I say if they wanted, if they want to let me, you know, ask why is the sky is blue and it, you know. So.

A (54:13)

Okay, get a good answer.

B (54:15)

Oh my God. Now just listen to the nuance. Leo. It thought for 52 seconds. Wow. Then it said, you've got it colon. The static hyphen is the issue static. Which it highlighted because that, that, that, that, that's a token.

A (54:34)

It's immutable.

B (54:35)

Static doesn't implement scrolling. Yeah, just listen to the words though. You can stick WS V scroll on it and. And user GDI will happily. It used the word happily paint and track a scroll bar in the non client area parens. Hence the thumb moves and sizes correctly when you call setscrollinfo close parens. But the static class never routes the user's interactions to your window proclamation as WMVscroll. In other words, colon. The visual is there. The messages aren't subclassing. The static won't help because the window class proc simply doesn't generate those scroll notifications. I mean it is like how can this exist?

A (55:37)

That's what an expert would tell you. That's like if you had a professor in a coding class or something. That's exactly the answer you wanted. It was very nicely explained. It was very good.

B (55:46)

Astonishing.

A (55:47)

Yeah. Yeah.

B (55:48)

And it's just language. It doesn't know what it's saying.

A (55:51)

It has no idea what it's saying.

B (55:52)

No, but it's like, and, and that's why a couple like last week it made up a, a WM underscore NC scroll, which is non client, non client scroll. The moment I saw that I thought there's no WM non client scroll message that doesn't exist. But, but because it's language, it, and it doesn't understand what it's doing.

A (56:19)

There's no idea.

B (56:20)

It doesn't know. So it, yes, it can make mistakes, but listen to that. I mean, just the language, you know, oh my God. You know, it will happily paint and track a scroll bar. It's Windows is happily doing that. It's. And I've noticed that, you know, it also remembers who I am. It's maintaining long term awareness. So like it asks me if you'd like some MASAM slash Winter to code.

A (56:49)

It knows.

B (56:50)

That's what I, that's what I want.

A (56:52)

Yeah. Wow. Oh, I know. It's pretty.

B (56:55)

It is just I'm realizing, I think.

A (56:58)

Part of the problem is that it's trained on so much stuff. It's trained on as much incorrect stuff as correct stuff because that's true of humans, which is to say the web.

B (57:06)

Yeah.

A (57:07)

So I've, when I do see errors like that, I, I can almost always attribute it to either misunderst.

B (57:14)

Somewhere.

A (57:15)

Yeah, it appeared somewhere and either the AI misinterpreted it or misapplied it or the guy who was answering the question was just made the same mistake, was dumb and the AI doesn't know any better, repeats it. So it's actually not surprising that it's making mistakes. Think about how much the Internet, how much crap there is on the Internet.

B (57:33)

Well, Reddit is now charging people, charging AI to train. Well, I've read Reddit and boy, we.

A (57:42)

Just interviewed yesterday for intelligent machines. It's going to appear on tomorrow's show. Karen Howe, who wrote an incredible book about the history of OpenAI called Empire of AI and she points out in the early days they were training almost entirely on Reddit. Reddit was a very valuable resource for them. Well, yeah, so guess what? There's gonna be a lot of crap in that training data. They, they. That's the part of the problem that they faced is, is trying to find quality information. And you can.

B (58:11)

And Leo, imagine when we're looking back on this as like the old days. Imagine when this is working right, like, like when it's, like when it's factually.

A (58:23)

Correct, you know, a lot of people think it never will get there. I'm kind of with you. I feel like we've seen so much progress and such a kind of surprising progress in a year. And it's unexpected. It's like there's some almost something magical about it that I would not be the first person to say, oh, you'll never make it. I think it's a good chance that it's going to be pretty amazing in.

B (58:47)

A few years already again, already I, I, I ask it these sorts of questions. It saves me 15 minutes of digging around looking for if nothing else, if.

A (58:59)

Nothing else, that's hugely valuable. That's been my point all along. But Ms. How had some very interesting things to say. I encourage you to, if you get a chance, read the book. Otherwise, listen to the interview tomorrow on intelligent machines.

B (59:13)

I'll read the book.

A (59:14)

I'm a book reader. Oh, and you will like it because there's a lot of detail, a lot of interesting. She has a, a Bachelor of Science in Mechanical Engineering from MIT and worked as a coder for Google. So she has an engineering background. Oh, yay. Yeah. So she knows what she's talking about then. Wrote at the MIT Technology Review, wrote for the Wall Street Journal. She's both.

B (59:33)

What is the book?

A (59:34)

It's called Empire of AI by Karen Howe. H A O And it's the, it's really the, it's interesting because she said, I started writing this book to kind of critique the colonialism of OpenAI. Halfway through my writing of it, they fired Sam Altman and suddenly, you know, her whole focus had, had to change. She said the good news is all the people that I, hundreds of people that I had made connections with in the research for the book were very willing to tell me what really happened behind the scenes. They were like, anxious to get the story out. So she's got the story. It's quite good. It's really interesting. Anyway, sorry, we are, you know, sometimes.

B (60:22)

When I look at Byte magazine, I think, yeah, how much I enjoy working within constrained environments. I mean, I write an assembler. I like having, you know, a, a limit to, to in which to craft my solution. So I've, I've sometimes wondered if I wouldn't have really loved like when computers were relays and it was, you know, like there was even, even less, you know, even more constraint.

A (60:50)

Right.

B (60:51)

But then that would have meant I was older than I am and I might be missing now. And now is an amazing time.

A (61:00)

I agree.

B (61:01)

I mean we get to finish off our lives, Leo, watching this emergence of maybe consciousness.

A (61:08)

Yeah.

B (61:08)

From, from this technology.

A (61:11)

Yeah.

B (61:12)

You know, where we used to be like desoldering chips from it because we were needing to reuse them.

A (61:18)

That's something you said very early on. I asked you, well, do you think there's something special humans do in the consciousness reflects that is different? And you said, no, we're just machines like anything else. And I think that that's this, that's the thing that really means maybe it is possible you throw enough compute at it, enough memory at it.

B (61:38)

I think it's an emergent property.

A (61:39)

You get an complexity. Maybe an emergent property of complexity. Exactly. Yep. We'll see. I think we're going to be here to see.

B (61:48)

I think so. Because it's certainly, it's certainly not waiting for us. It's happening, it's moving. Wow. Okay, so we got some more detail about the exploit chain that wound up leveraging that recently patched Apple Zero Day. Remember that was CD 2025 43300. We talked about this last week. Clever bad guys had discovered that Apple's implementation of the JPEG lossless decompression, an interpreter that would be called upon to display an image in Adobe's DNG file format, contained a critical flaw. If the provided image data did not match what was described in the file's metadata header, an out of bounds right could be triggered, which could lead to a compromise of the user's device. But how do you get the image to the user? What we now know is that an unrelated flaw in Meta's WhatsApp was also implicated as the carrier of the image. Last week, Meta updated their WhatsApp messenger to cure what their number CVE2025 551 77. And about this, they wrote incomplete authorization of linked device synchronization messages in WhatsApp for iOS, WhatsApp Business for iOS and WhatsApp for Mac, could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device. We assess that this vulnerability, in combination with an OS level vulnerability on Apple platforms, and that's the 43300 CVE, may have been exploited in a sophisticated attack against specific targeted users. And as always, we know to immediately replace the phrase may have been exploited with. Was definitely found to be exploited, certainly without any doubt, because I presume that every corporate attorney has made abundantly clear that vulnerability advisories are not the place to admit responsibility for anything.

A (64:19)

Yeah.

B (64:20)

So what we know is that representatives of Amnesty International tweeted last Friday morning that both of those two zero days apples and metas had been employed in, quote, an advanced spyware campaign over the last 90 days. So that also suggests that tells us something we didn't know before, and that is the consequence of the exploitation of those two critical vulnerabilities was the installation of spyware into targeted phones. So again, you know, I mean, that's the holy grail, right? Is, is, you know, all of these, these, these companies are selling their technology to governments that are wanting to install spyware into, you know, journalists and, and political activists and so forth. Phones. I also saw one interesting story. I didn't put it in the show notes, Leo, but I, I got, I thought you'd get a kick out of. It turns out that, that Israel has been very effective in, in locating Iranian officials because their bodyguards are not exercising good cell phone, good smartphone hygiene.

A (65:50)

Yeah.

B (65:51)

And of course the bodyguards are always going to be physically in proximity, right. To. To, to the people that, whose, whose bodies they're guarding. And unfortunately that doesn't help them if the bodyguard can be targeted. So.

A (66:04)

Well, I'll give you one more story related that broke this morning. Apparently we didn't know this, but the Biden administration had ordered the US Law enforcement to not use Paragon's spyware. But apparently the Trump administration has reversed that and ICE will now have access to. To Paragon's zero click exploits in the United States. And that's somewhat concerning. Although frankly, I didn't realize that they were not allowed to use it. I just assumed they were. Yeah, yeah, yeah.

B (66:45)

Wow.

A (66:46)

So now we know they are. Or will. Yep.

B (66:49)

We're at an hour. Let's take another break and then we're going to look at this next piece, which I said at the top of the show is very spooky. This is the far first example, as far as I know, of AI having been actively leveraged in an attack in a way that will give you some chills.

A (67:10)

Oh, okay. Coming up on security now, our show brought to you this portion of our show brought to you today by our good friends at Bitwarden. We love Bit Warden, the trusted leader in password, passkey and secrets management. Frankly, it's the password manager I use. In fact, every time I do this ad, almost universally our Hosts say, yeah, I use that, I use that. Yeah, I use it too. Everybody does. Bitwarden is consistently ranked number one in user satisfaction by G2 and by software reviews. More than 10 million users across 180 countries and over 50,000 businesses. Now if you're interested in AI, you might be interested in this news. I think this is fantastic. Bit Warden has just launched an MCP server. If you don't think about AI or know anything about AI, that may not be meaningful, but if you do, this is really interesting. It's now available on the bit warden GitHub. What it means is you, you have an AI agent. Many browsers now have AI agents built in. They are going out and doing stuff on your behalf, maybe logging into websites. Bit Warden, because they now have an MCP server, will integrate with those AI agents to provide secure credential workflows. This is huge, you know, it's a big problem. People are often hard coding their API secrets or their passwords into their code. It often gets pushed up to GitHub because they don't know of any other way to do this securely. Well now with Bit Warden's MCP server there is a way. They also, it's brand new, just happened, they want you to know the document. They're working on expanded documentation. They're also working on a way of distributing this. But right now you can go to the GitHub and see it and download it if you want. It's a secure, standardized way for AI agents to communicate with Bitwarden. And you know, for credential purposes, users benefit from a local first architecture for security because the Bitwarden MCP server runs on your local machine, which means all those client interactions with are kept within the local environment. Very important to minimize exposure to external threats. It integrates with the Bit Warden command line interface. By the way, another reason I love Bit Warden, they've got a command line interface. So if you're, if you're using Claude code, something like that, very simple to integrate the MCP server. And users can also opt for a self hosted deployment for greater control over system configuration and data residency. This is so important to the idea of agentic AI, an open protocol for AI assistance. MCP servers enable AI systems to interact with commonly used applications and that can be a variety of things. Content repositories, business platforms, developer environments through a consistent open interface. But now it can integrate with your credential management in Bitwarden, driving secure integration with agentic AI. The Bitwarden MCP server represents a Foundational steps towards secure agentic AI adoption. Very important. Anyway, I wanted to, I like to in these ads talk about new stuff from Bitwarden. They're always adding new features. This is where open source really benefits them. Infotech's research group published a report called Streamline Security and Protect yout Organization. It highlights how enterprises in the Forbes Global 2000 are turning to Bitwarden to secure identity and access at scale. A report emphasizes, you know, the problems we all know about growing security complexity, especially with globally distributed teams and fragmented infrastructure. Credentials are dispersed across teams, contractors and devices. This is a challenge for enterprises. They're starting to address these credential management gaps and strengthening their security posture by investing in scalable enterprise grade solutions like our sponsor Bitwarden. If you want to set up Bitwarden in your enterprise, it's easy. Bitwarden supports importing from most password management solutions. Steve and I both moved to Bitwarden just in a minute or two was a very quick and easy move. And by the way, I don't know about you Steve, but I never looked back. This is incredible. The Bit Warden open source code regularly audited by third party experts. It's right there on GitHub. You can see it for yourself. And of course Bitwarden meets SoC2 type 2 GDPR HIPAA CCPA compliance. It's ISO 270012002 certified. They're getting, they do this every year, their big Open Source Security Summit. This is their sixth annual Open Source Security Summits coming up September 25th. And it's virtual and it's free. So you can go, you should go register now. This virtual free industry event at Open Source Security Summit. It's all one word. Open sourcesecuritysummit.com to explore advancements in open source security and see how open source tools can help you build your trust with consumers. Get started today with Bitwarden's free trial of a teams or enterprise plan or get started for free across all devices as an individual user. Bitwarden.com Twitter bitwarden.com TWIT we thank him so much for supporting security. Now back to you Steve.

B (72:32)

It's interesting. I heard you use the phrase get it at the GitHub. I've.

A (72:39)

You know, maybe that's just me.

B (72:41)

Kind of like I never thought of it that way. I mean it's a hub of, it's.

A (72:45)

A hub of gifts, hub of gits.

B (72:46)

Yeah, it's sort of like the Ukraine versus Ukraine.

A (72:49)

Well, you're not supposed to say the Ukraine apparently that's a, that's kind of a colonial, colonialist way of talking about like it's a province of the Soviet Union. Right. It's not.

B (72:59)

Yeah.

A (73:00)

So, but the GitHub is a. Yeah.

B (73:02)

That kind of works. It's a hub of gits. I like that. So we all knew, we talked about this at like day one, that I would almost naturally somehow wind up being used by bad guys. Oh yeah, to further their evil ends. So get a load of this one, which just happened last week. It took the form of a supply chain attack against the users of the popular NX tool, which is used to automate CI CD development flow. You know, cicd, for those who don't know, stands for Continuous Integration, Continuous Delivery and Deployment. So it's about software deployment automation. Last Tuesday, an unknown threat actor compromised the NPM identity authentication token of one of the NX developers and used their then authenticated access to release malicious updates for several of the NX tools to the NPM package repository. Now that alone is horrifying. The NX tools are very popular, seeing around 4.6 million weekly downloads. So that was a serious breach of a trusted NPM developer, which allowed malicious code to flow out of the trusted repository. But listen to what the malware did. The altered NPM packages contained a malicious script that attempted to run a prompt on a local AI command line tool like Claude, Gemini or Q. And the prompt instructed the local AI agents on that machine to search the local file system which it had access to, for text based files that might contain GitHub tokens, NPM tokens, SSH keys, env secrets, and wallet files. And all the data discovered locally was then encrypted and written to a file. The subsequent command then used the GitHub API to create a new public repository on the infected user's GitHub account and upload the file with all the stolen data. So, you know, you get your local trusted AI agent to scan your own machine for its secrets, then encrypt them before posting them publicly. And since they're encrypted, no one else is able to decrypt them and get a hold of the secrets. So talk about diabolical. All of the public GitHub repos which were created containing stolen data use the same prefix, which was singularity with a numeral one for the I of in, in, in singular, singularity, hyphen, repository. Hyphen was the prefix that made them easy to find on GitHub, which is probably how the attacker collected the stolen data. According to a GitHub search. There were around 1400 GitHub repositories with that prefix, which was roughly the same number of users the attacker had infected before the malicious NX libraries were taken off npm. So around 1400 developers had their local machines scoured by their own local AI agents for any juicy tidbit secrets, with everything found posted back to their GitHub accounts, where they were collected and then decrypted by the bad guys.

A (77:06)

Wow, that is a very clever pack. That is really interesting. Wow.

B (77:12)

Yeah. Yeah. Not that it really matters anymore, since all of everyone's data has probably long ago leaked onto the Internet and been vacuumed up into a growing dark web database. But for the record, TransUnion had all of the data of their 4.4 million customers stolen by the prolific Shiny Hunters hacking group, which as we know was recently. Which they've recently been succeeding so well using phishing attacks. So we can now add transunion to the likes of Google Farmers, Insurance Alliance, Life Workday, Pandora, Cisco, Chanel and qantas.

A (77:56)

Of course, TransUnion has everything, right? Because they're credit reporting.

B (78:00)

They're like the Galactic. Exactly. The vault of all of our secrets. Great. All those companies have reported breaches linked to Salesforce connected applications.

A (78:10)

Oh, this was another Salesforce breach. Yeah, yeah, yeah.

B (78:15)

Okay, now here's a weird one. Two rather disreputable websites, 4chan, and Kiwi Farms, have brought a lawsuit against the United Kingdom's Office of communications, often abbreviated Ofcom. I'd heard of 4chan, I had never heard of Kiwi Farms, so I asked the Internet and now I wish I hadn't. Yeah, the little blurb summary that I received read Kiwi Farms, established in 2013 by Joshua Connor Moon, functions as an online forum for discussion and harassment, initially targeting webcomic artist Christine Weston Chandler. The site is known for organized group trolling, stalking, doxing and real life harassment often directed at transgender individuals, those with disabilities and neurodivergent people. The platform has been connected to several suicides and has received criticism and service terminations due to its controversial content and association with harassment. Yuck. So these two disreputable websites, 4chan and this Kiwi Farms, are suing the UK's Ofcom. Good luck over their Online Safety act, which requires websites and social media platforms to perform age verification checks on their users. As we've been discussing, because the web industry has not yet solved this problem in a way that would be possible and practical, users are currently being required to upload an id have their face scanned or otherwise give away their personal information in order to access large portions of the Internet. Any sites that do not comply are subject to significant fines under the UK's law now, regardless of where they're based, including in the United States where we enjoy strong First Amendment speech protections. However, as we also know, our own Supreme Court recently decided that asking for the same sort of proof of age would not unduly encumber our First Amendment protections. Many people disagree. Opponents of the UK's Online Safety act note that this is resulting in an Internet where users must provide scans of their faces to access, for example certain music videos on Spotify. The lawsuit brought by 4chan and Kiwi Farms calls Ofcom and quote, industry funded Global Censorship Bureau saying Ofcom's ambitions are are to regulate Internet communications for the entire world regardless of where these websites are based or whether they have any connection to the UK on its website. Ofcom states that over now. So they're saying that Ofcom's website states that over 100,000 online services are likely to be in scope of the Online Safety act from the largest social media platforms to the smallest community forum, unquote from Ofcom. So I doubt that the Electronic Frontier foundation would choose to have anything to do with helping these two sites in their lawsuit. But the EFF has said that the Online Safety act, quote is a threat to the privacy of users, restricts free expression by arbitrating speech online, exposes users to algorithmic discrimination through face check, and leaves millions of people without a personal device or form of ID excluded from accessing the Internet. In my research for today's podcast, I also ran across some other news which was that not surprisingly, those websites that were obeying these new laws by replacing their you betcha I'm 18 buttons with full strict unspoofable age verification technology had seen are seeing an astounding drop off in their site traffic. Not surprisingly, nearly everyone who is being hit with that is simply going elsewhere. And there's an elsewhere to go to. The same reporting noted that other famous porn sites are experiencing a doubling or tripling in their traffic. So as I've been noting, we're, we're very nearly having all of the pieces that we need in place. We just need to get our act together as an industry. I assume that the folks who are working on this for the World Wide Web consortium, the W3C which is where the standard needs to emerge from, I hope they are staying up late at night and working through the weekends. You know that true age system that we, that we looked at is, is very close to what we need, but it needs to have all of its trackability removed. And we heard that True Age had contributed its technology to the W3C. I don't. Okay, that's good. I guess even though this is not a difficult problem to solve, it just needs someone in the right place to do it. So, you know, quite suddenly, nearly overnight, thanks to this legislation which has been, you know, it's been pending and it's been percolating, the world has suddenly become in very desperate need of privacy preserving solutions for online age verification. And you know, we need it yesterday. So I really hope that, that this is getting the attention that it needs. It must be because there's just. Leo, there's so much of this in the news now, you know, with like, you know, blue sky, dark in Mississippi.

A (84:35)

Well, I think there's some real question of if it's even possible to, to do that.

B (84:40)

I mean, I guess, well, somebody needs to know who you are. For example, in my case, California, I have a driver's license. California knows who I am. But it is possible to blind anybody else to an assertion of my age. So with this California digital id, it would be entirely possible to design a system where my phone scans a QR code and California then asserts to that site that I am of a certain age. And so I mean, utterly possible. It is. Absolutely.

A (85:22)

Then you have to require everybody to have a California id.

B (85:26)

I mean, I'm not saying it's simple. I'm just saying not even.

A (85:30)

It's not even. Ok. I mean, there are plenty of people who will not have a California ID. Especially there are people between 16 and 18 who will not have a California ID. I mean, right.

B (85:40)

Then they're not able to assert that they're. That they are over 18.

A (85:44)

Well, see, different jurisdictions have different age limits.

B (85:47)

Right.

A (85:47)

Not all 18.

B (85:49)

Right.

A (85:51)

Yeah. Okay, so we're going to set up a state system that will know everybody's identity and age. I don't think that's going to happen, so I certainly wouldn't advocate for it in that case.

B (86:03)

Well, I mean, I guess what I'm saying is that, that the way to solve this is for, for someone to know your age and then for that someone to anonymously assert that.

A (86:17)

I understand the technical solution.

B (86:20)

Yeah.

A (86:20)

I'm saying politically there, who would that someone be? I'm not. I mean, okay, I guess you could say you have to have a driver's license in order to go to a porn site.

B (86:34)

Does everyone have a Social Security card?

A (86:38)

Yeah, almost everybody does. Yeah.

B (86:42)

But I got mine when I was pretty young.

A (86:43)

They're laws against using. There's good reason for. There's laws against using that for identification.

B (86:48)

But this is not for identification. The idea would be that, that, that would allow the government to make an assertion on your behalf of your age and to do so anonymously. I mean, again, what is the choice?

A (87:01)

I mean, the choice is not to do this, period. So it's like saying, oh, there's got to be a backdoor to crypto somehow, because what's the choice is not to have age verification.

B (87:14)

Okay. I mean, I hear you. I, I would like, I would wish that these laws were not happening, but we know what our Supreme Court just did, so I don't know where we go.

A (87:25)

Although, interestingly, and we talked about this on Sunday, of course, Cory Doctorow was on and very strong advocate on this. He pointed out the Supreme Court did not, in fact say the Mississippi law was okay with the fourth or First Amendment. They just said, they just said net choices opposition was improperly formed and they threw it out on that basis. They said, in fact, it's very likely if this were brought to us properly, we would have to uphold the plaintiffs because it is a violation of the First Amendment.

B (87:57)

Yay.

A (87:58)

Yeah, good. I. I don't know if there's a good way out of it. And you're right. Governments are going to want to do this. But, you know, historically in the United States, we've resisted these kinds of national attempts at identification. Yeah.

B (88:11)

And you know, like, why all of a sudden, it's not like anything got worse. Right. I mean, this is. No, this has had this around for decades.

A (88:20)

What did get worse is the Internet's put it in every. Everybody's home. Right. It used to be if you went into the drugstore and you tried to read the Playboy, the guy would say, get out of here, you kid. You're too young now. Now it's everywhere. It's in everybody's house. And I think that's what's really irritating parents. Yeah. I don't blame them. Yeah.

B (88:40)

Okay, so an announcement on the Open SSH site was refreshing. It said Open SSH supports a number of cryptographic key agreement algorithms considered to be safe against attacks from quantum computers. We recommend that all SSH connections use these algorithms. Open SSH has offered post Quantum key agreement the KEX algorithms by default since release 9. That was in April of 2022. More recently, in open SSH 9.9, we added a second post quantum key agreement, and it was made the new default scheme in open SSH10 April 2025 to encourage migration to these stronger algorithms. Remember that both ends of the connection the open SSH client and the server need to support. They negotiate the strongest algorithm that they can. So it's, it's what you know, if you upgrade one, it doesn't do any good if you don't upgrade the other end. So they said to encourage migration to these stronger algorithms, open SSH 10.1 will warn the user when a non post quantum key agreement scheme has been selected with the following message Warning Connection is not using a post quantum key exchange algorithm this session may be vulnerable to store now decrypt later attacks the server may need to be upgraded C and then they give a URL for openssh.compq.HTML then they and they finish saying this warning is displayed by default but may be disabled via the Warn weak crypto option in SSH underscore config. So it occurs to me that as an industry, we're beginning to learn how to do this after Pete Gutman's recent revelations regarding the truth of how far away we still are from anything even approaching practical quantum factorization. We almost certainly have plenty of time. But now that we've developed practical post quantum solutions, there's no reason not to get them deployed. You know, why not? We know that this will never happen without a bit of deliberate urging. So adding a little reminder notice when connecting with old style pre quantum crypto will serve to provide the nudge that's needed. So I thought that was a, you know, a neat thing that they were doing. Just a little reminder. And it's not like you're like your current session is going to be decrypted. No, it's the store now, decrypt later. And that's, that's something that should give people, you know, second thoughts and some chill. So for this week's what could possibly go Wrong segment we have Next Gov reporting. Under their headline Russia based Yandex employee Overseas Open Source software approved. And not just approved, but widely in use. But they didn't say that Software approved for DoD use. Here's what, here's what Nextgov shared a Russia based Yandex employee is the sole maintainer of a widely used open source tool embedded in in at least 30 pre built software packages in the Department of Defense, raising potential risks of COVID data exfiltration through sensitive digital tools used by the US Military. According to research first seen by nextgov, the tool, dubbed Fast Glob, helps software developers operate on groups of files globs without having to write extra code, making it the preferred method for quickly searching and organizing project files. It's used in over 5,000 projects worldwide and has downloaded some 7,070 million times per week, according to findings published Wednesday by software supply chain security firm Hunted Labs. The maintainer is listed as Dennis Malachicken. As As a publishing time, there's no known malicious code inside Fast Glob, according to Hayden Smith, Hunted Labs co founder, who added that Mellow Chicken appears innocuous. Though his standing as the only maintainer of the popular software package raises red flags. And they're red, hayden said. A project that is popular should not be maintained by just one person. Even if you remove all of the geolocation and geopolitical atmospherics, having a solo maintainer for any project you critically depend upon is extremely risky. Unquote. The DOD's Office of the Chief Information Officer, which advises the Defense Secretary on information technology, was alerted to the matter about three weeks ago, Smith added. Nextgov has reached out to the dod, the Defense Information Systems Agency, and Defense Counterintelligence and Security Agency for comment. The Fast Glob package is listed inside Platform 1's Iron bank the Pentagon's vetted repository of I know, Leo. That's exactly my reaction when I when I read the the Pentagon's vetted repository of software building blocks used by the U S military software publishers and contractors to craft digital tools and applications, according to multiple people familiar with the matter. The people were granted anonymity to be candid about its use inside DoD software systems. Okay, now wait. What's wrong with the phrase Pentagon's vetted repository of software building blocks used by the US Military software developers? Then follow that up by explaining that some of this Pentagon vetted software also happens to be open source and being updated at will by some random Yandex employee in Russia. Do we see any problem here? Jeez, then we see what nextgov reminds of us of Next as we continue with their reporting writing. Yandex is a major Russian technology company that has been found to have extensive ties to the Kremlin and has promoted misinformation about Russia's war in Ukraine. The setup as is could allow the Kremlin to carry out a state sponsored intrusion into multiple projects that rely on Fast Glob and force Malachikan to make malicious, surreptitious changes without oversight from any other users. The report states that Malo Chicken is, quote, more likely to encounter Russia's Federal security Service or State security individuals in their day to day duties and could be susceptible to coercion. Unquote in an email sent to NexGov, Mallow Chicken said that he has been developing and maintaining Fast Glob for over seven years, which began prior to his employment at Yandex. He said the tool source code is fully open and audible by potential users, and that his development or support has never been a part of his professional duties. At his current job, he wrote, quote, nobody has ever asked me to manipulate Fast Glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity, unquote. Now I have zero doubt that all of that's true, and I don't imagine that anyone doubts Dennis's sincerity and integrity. But Fast Glob's future may not be entirely in his hands. What he's going to do, you know? Or what is he going to do if scary Russian state security knocks on his door? I'm sure that's not a position he would want to be in, but default here does not lie one bit with Dennis. The fault is entirely ours. The Pentagon and the U.S. department of Defense is using open source code libraries, presumably in mission critical applications over which it does not have absolute control. The fact that in this case one of those libraries is being maintained by a developer located in a country with which the US Currently has strained political relations is beside the point, but it does help to capture everyone's attention. Nextgov story provides some additional intriguing reporting. They wrote in July, Secretary of Defense Pete Hegseth signed a memorandum directing the Defense Department to, quote, not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishments and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the department, unquote. That memo came after ProPublica reported Microsoft had relied on China based engineers to support its cloud services for the DoD. Microsoft has since severed those those arrangements and of course we covered that Microsoft China connection thoroughly at the time. Nextgov writes, open source projects rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers. Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed Gia Town tried to quietly plant a backdoor into X Z Utils, a file transfer tool used in several Linux builds that power software in leading global companies. George Barnes, the former deputy director of the National Security Agency said, quote, if you're a nation state, you have a bunch of stuff that you're doing fast, but you have other stuff that you're doing very methodically, slowly, or positioning strategically. So I think his intention was to creep us out about the potential for, you know, sleeper installation of software. Russia's state centered economy rights. Nextgov also allows the Kremlin to compel firms to act on behalf of the nation's interest, including the use of hacking and disinformation campaigns. Yandex is one of several major domestic Hitlers tech companies that the Russian government can rely heavily on. Barnes said this piece of code has no known vulnerabilities, it's ubiquitously leveraged and used globally. And it happens to have one maintainer sitting in Russia. And the maintainer might be totally fine, but that situation subordinates him to a legal framework that's not under his control. Chinese, Russian and North Korean affiliated hackers are covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers and governments around the world. According to findings from Strider Technologies released earlier this month. Russia has continued broader cyber activities despite recent US efforts to bring the Kremlin to the negotiating table with Ukraine. An FSB linked group has attempted to spy on foreign embassies in Moscow by targeting local Internet and telecom infrastructure used by diplomatic personnel, Microsoft said in late July. And of course we covered that at the time too. That was that, that tricking embassy staff to install malicious root certificates into their machines through a web portal attack. So I hope this news gets the attention of the right cyber people in the U. S. Government. As we know, supply chain attacks present a very serious attack vector. And it sure appears as though this is a vector that's been grossly overlooked, Leo, because you know, we're all relying on open source libraries and you know, they're in US DoD software.

A (102:42)

I have to. I mean first of all, you'd think that this iron bank would only include software written by the defense department, but since it doesn't, it is open source. And I would think Fast glob isn't so complicated that somebody can't keep an eye on it and make sure that Mr. Mallow Chicken, which I think, I don't think is how he says his name, but I like it, I like it. I think it's probably Malinochi, but anyway, thank you.

B (103:09)

You're much better with the Russian accent.

A (103:12)

But I like the Mallow Chicken. I mean that's a guy you really don't want working on your Defense Department software. That's what I have to say about that. Would you like me to take a break?

B (103:23)

Yes, we're going to take a break. Then it's time for listener feedback like Mr. Mellow Chicken.

A (103:29)

Watch out Mellow Chicken. I got my eye on you. This episode of Security now brought to you by BigID, the next generation AI powered data security and compliance solution. BigID is the first and only leading data security and compliance solution to uncover dark data using AI classification to identify and manage risk, to remediate and remediate the way you want to. You get to choose to map and monitor access controls and to scale your data security security strategy. It's really amazing what BigID does. Along with unmatched coverage for cloud and on prem data sources, Bigid also seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can take action on data risks to protect against breaches, annotate, delete, quarantine and more based on the data, all while maintaining an audit trail. And it works with everything you use. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google AWS and more. You don't have to change anything. With Big ID's advanced AI models, you can reduce risk, accelerate time to insight, and gain visibility and control over all your data. That's probably why Intuit named it the number one platform for data classification and accuracy, speed and scalability. And I love this, this customer testimonial because it comes from a group that probably has more dark data than anybody else. After 250 years, you can imagine the US army has collected data in every nook and cranny from, you know, the quartermaster's closet to the cloud and everywhere in between. Big ID equipped the US army to illuminate dark data, to accelerate their mandated cloud migration, to minimize redundancy and to automate data retention. And it worked so well. They actually got this testimonial. This is from US Army Training and Doctoring Command. Quote, the first wow moment with BigID came with being able to have that single interface that inventories a variety of data holdings, including unstructured and structured Data across emails, zip files, SharePoint databases, and more. To see that mass and to be able to correlate across those is completely novel. U.S. army training and Doctrine Command said this. I've never seen a capability that brings us together like Big ID does. And you can imagine I can't think of another place that might be better able to use BigID right CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and Deloitte 500 not just once, but for four years in a row. The publisher of Cyber Defense magazine says BigID embodies the three major features we judges look for to become winners understanding tomorrow's threats today, providing a cost effective solution and innovating in unexpected ways that it can help mitigate cyber risk and get one step ahead of the next breach, end quote. Start protecting your sensitive data wherever your data lives@bigid.com SecurityNow Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's B I G I D.com SecurityNow also get an exclusive invite to BigID's Virtual.com Summit on October 9th, where you can hear a keynote featuring Forrester Research. Plus panels with experts from JP Morgan, Manulife and Nokia tackle the most urgent challenges in AI, security and risk@bigid.com security now bigid.com/security now. We thank them so much for their support of Security Now.

B (107:26)

Now back to Steve, an anonymous listener. I don't know why he wanted to be anonymous, but I know okay, I always honor those requests. Of course, he said, hey Steve, thought you and your listeners would appreciate this. There's a new Apple device backup solution called Parachute Backup Mobile. Simply put, it's a fantastic tool if you're one that has gigs of photos or files that you'd rather backup locally versus iCloud. I have it backing up to my NAS on a schedule. You should check it out on the App Store. It's for Mac OS, iOS and iPados. Oh, and the best part? He writes $3.99 for Life. This app developer gets it. He says, P.S. if you read this, I'd like to stay anonymous. So I checked it out. As an iPhone user myself, I love the idea of being able to clone my massive and growing icloud library, mostly photos, to another storage location under my own control. Just because, you know, we all have lots of storage these days, so why not? Apple provides an export option from icloud. So if someone had an iPhone for years, collected a library of photos, and wished to switch over to Android, for example, and Google Photos, it is possible to schedule their transfer from Apple to Google. But I'm remaining with Apple and I still like the idea of having another copy under my own control. So as I said, I checked out Parachute Backup and I like it. I maintain a very low volume transaction Amazon S3 account where for example all of this podcast's audio is archived just to have one, you know, master off site source. It turns out that Amazon mostly charges for transfer bandwidth and nearly nothing for storage, so it's perfect for external hands off redundant archival storage. And this Parachute backup supports Amazon's S3 backup. It can also back up to the user's own local NAS or external storage. In the case of NAS backup, I never realized that it's possible to use the iPhone's built in files app to connect to network storage. So you do that first to create a folder on your iPhone that's connected to a shared folder on your nas. Then you instruct Parachute to maintain a synchronized backup of your icloud and other iPhone, iPad or Mac OS goodies with that folder. It looks like a terrific It's a terrific little six megabyte app. It was released at version 1.0 just two and a half weeks ago on August 14th, and it's been evolving rapidly ever since, adding features and fixing bugs. So you might want to wait, let it mature for another couple months. Microsoft OneDrive support was added the day after its release. Amazon S3 support was added on August 23rd and then further refined at the time of this writing. It's at version 1.3.3 and our listener is correct about the price. It's $3.99 one time and you own it for as long as it's around. So anyway, just wanted to make a pointer to that app because it looks like it's a great solution for iPhone, you know, iOS devices, and for Mac OS too. Stephen Adams wrote Steve, you mentioned in your selection on your section about data brokers that nobody authorized the credit bureaus to collect our information. That's incorrect. You expressly gave your permission when you applied for or continued to use credit or receive service from a utility, electric phone, mobile, gas, etc.

A (111:33)

Or a credit card for that matter.

B (111:34)

Yes, each and every application or terms of service document states this will be done and when you sign the application you agree to sharing your information with the credit bureaus. He said, here's the language from my latest JP Morgan Chase credit agreement and it reads, we may obtain and review your credit history from credit reporting agencies and others. We may from time to time obtain employment and income data from third parties to assist us in the ongoing administration of your account. We may also provide information about you and your credit and your account to credit reporting agencies and others. We may provide information to credit reporting agencies about this account in the name of an authorized user. If you think we provided incorrect information, write to us and we will investigate. So he finishes saying, there is no opt out for reporting your information to the credit bureau. The only way to clear your credit report is to have no credit and wait seven plus years for everything to age off. As long as you have credit, you've authorized collection of that data. Signed Stephen. So, Stephen, I stand corrected and I am glad to be so. Thank you very much for that. This is certainly an important part of the whole credit bureau story, you know, in the fine print of the credit agreements we voluntarily signed with all of the many various sources of credit we use and take for granted in our modern lives. And as you said, Leo, who doesn't have at least a credit card these days? You know, we gave these credit granters our permission to disclose and share what they learned of us. So, you know, they need to learn about us by asking these aggregators what's known, and in return they report about us under our contractually granted consent. So unfortunately, as we know, they're not good at keeping it to themselves. Yeah, which is another problem. Vladimir. I don't know how to pronounce his last name. Leo. E L I S E E V.

A (113:40)

Am I gonna be the Russian?

B (113:42)

You're my Russian interpreter.

A (113:43)

I'm going to say it's Vladimir. Elusive, Nice.

B (113:48)

I'll just do Vladimir from now on.

A (113:50)

Just call him Vlad.

B (113:51)

Vlad, I like that. Hi, Steve, my name is Vladimir, I live in Russia. And here we were just talking about last week how we have listeners in Russia and China, right?

A (114:01)

Oh yeah.

B (114:02)

He says, I live in Russia and I really enjoy listening to Security. Now I'd like to add to your comment in episode 1040 about the problems with Google Meet. The reason for the blocking of Google Meet is the launch of the Max messenger, which is under state control. In this way, Russia continues down the path of Internet isolation, a process that Russians themselves call creating the Chebernet. He said a blend of Chebraska and Internet.

A (114:40)

I don't know what Chebarashka is, but.

B (114:42)

So yeah, you should look it up. I did. It's a little furry bear creature. So, Vladimir, thank you so much for your note. Just as I feel self conscious talking negatively about China, while we have so many Chinese listeners, I feel equally awkward talking about Russia in derogatory terms and for the same reasons. But my own US government's hands are also certainly not clean. So I think we can all assume that whatever we're talking about, or whenever we're talking about the actions of Russia, China or the U.S. we're never talking about the actions of a country's people. Whether or not we may have voted for our various government's representatives, and regardless of how we may feel about their actions, they are not us. So I also very much appreciate hearing from our listeners in other countries to obtain their perspectives. I poked around a bit looking for Chebraska, which appears to be a fictional character from Russian literature.

A (115:42)

Yeah, there's a picture of it with the big ears.

B (115:45)

Yeah. Sit next to an alligator.

A (115:48)

That's actually a crocodile. A rush official Russian 20 ruble coin. So he is. Chebarashka is beloved in Russia.

B (115:59)

Okay, comrade.

A (116:01)

It comes from the word for tumble off the table. And it's a roly poly toy. There it is.

B (116:08)

So the Chebbernet is not regarded.

A (116:11)

It's the Internet that tumbled off the table.

B (116:14)

That's right.

A (116:16)

Oh, I see. Soviet censors tried to stifle the Cheburashka films because they made fun of nitpicking bureaucrats, factory directors and the Young Pioneers. Ah, all right. So it was kind of a subversive piece.

B (116:31)

So, Vladimir, thank you for bringing that little bit of Russian history background to the podcast. We appreciate it. Hans Bornich said. Hi, Steve, regular listener and club Twit member here. Thank you for all your hard work on the show and everything else you do. I especially look forward to an UEFI native version of Spinrite that'll be coming for Windows, which I will be purchasing on day one. Anyway, I stumbled upon a link I thought you might find interesting. I thought I knew what a valid email. Oh, Leo, you're going to have fun with this. What a valid email address was. But boy, was I wrong. If this site is right, and I can say now that it is, he said, I wonder what your score will be. No cheating, he said. I scored a measly 12.

A (117:21)

Yeah, I took this a couple of weeks ago when I first saw it and I didn't do well at all. I'm amazed at some of the things the RFC allows. I am too dress.

B (117:30)

Yeah. So Hans is correct. It is a difficult test and I did not do much better than his 12. I scored 15 out of a total possible of 21. And I've written more than my share of email address parsers in my time, so you should know there are some very worthwhile and tricky examples on the test. So for anyone who's listening, it's e mail, wtf, E hyphen mail, wtf. It is a great site.

A (118:06)

So you can't have spaces in the first part of an email address, but you could have spaces before and after.

B (118:12)

Who would have thunk?

A (118:13)

The spaces get ignored. But I think email clients may not behave.

B (118:18)

We know about dots, but it turns out there's a subtlety there.

A (118:22)

Also, you can't have a dot at the end.

B (118:24)

It's one that I missed. Nor success. This is hard, but we're also giving it away, Leo, so we have to be.

A (118:31)

Oh yeah, okay, I'll stop now. Question nine and let everybody fail on the rest of them.

B (118:36)

Yes, E hyphen mail. Wtf.

A (118:39)

It's very good. Yeah.

B (118:40)

Anyway. And they've got another one. When you're done with that, there's a link to something else. They have another test. I didn't. I don't remember now what it was.

A (118:50)

But you have to get to the end. Huh?

B (118:52)

I think so. Unless you scroll. Is there something at the bottom of.

A (118:55)

No, you have to get to. You have to finish it to see it.

B (118:57)

Yeah, I did. I did see a link to yet another test you can take. Matthew Turner shared the thinking that I'm sure we've all had. He wrote, so would recording a TV program and fast forwarding through the ads be illegal? What about stepping out of the room during an ad? Or what about watching live TV and muting the ads because they're so much louder than the program? Although charging AI for content would likely make the AI much more accurate. So I wish charging AI for content would make it more accurate. But as we noted, Reddit has been licensing its content now for AI modeling, and it's not as if AI is only being trained on the Encyclopedia Britannica, which is, you know, a highly credible source of actual information. And as for the whole question of any implied obligation to be exposed to a show's advertising, I think Matthew's examples help to highlight the dilemma. You know, we may have signed a contract with a lender to allow them to obtain our credit data and return anything more they learn about us to the credit bureau. But no one watching live TV ever agreed not to get up and pee during commercials.

A (120:24)

That's what they're for, isn't it?

B (120:26)

That's exactly. Not only do we have no obligation to sit still during commercials, but they're widely regarded as conveniently placed opportunities to transfer the clothes from the washer to the dryer, to feed the dog, to make sure the front door is locked, you know, and to take care of numerous other things that make up our evenings. You know, when I use a web browser I'm rarely confronted with a site that notices my browser is not displaying all of its advertising and asks me to please disable my ad blocker. But it has happened. When it does happen, I'm more than likely to just leave and go somewhere else. So I suspect that most sites that may have tried that for a while noticed that the practice resulted in a drop in their revenue rather than the reverse. So they decided to take the high road and accept what revenue they can get without attempting to force the issue anyway. Yes, Matthew, it is a mess and again, it's unresolved at this point. Tom Apelinek said. Hi Steve, great show as always. A couple of observations on copyright and ad blockers or AIs. He said the ad blockers are modified. He has in quotes code and display of a web page is only being displayed to the person who bought or is using the ad blocker. It is not being republished to anyone else. Books are also protected by copyright law. By the German court's logic, highlighting or underlining passages in a book that you own and the purchase of pens or highlighters for that purpose should also be illegal. I had. Okay, so I had to reread that and think about, you know that a bit to obtain all of Tom's logic. But I could see his point. It would be illegal to make a few changes to a copyrighted novel, for example, and to then resell it as one's own work. But it certainly not against the law to rewrite a novel, tear out pages, or do whatever you wish to a copyrighted work that you own. So Tom is suggesting that having a web page displayed is the delivery of a copyrighted work that its recipient has every right then to change however they may wish. What they cannot do is capture and republish that modified work for their own benefit. And of course no one's doing that. We're just choosing to modify that web page which we received for our own consumption. That feels like a pretty sound argument to me.

A (123:23)

Yeah, it does.

B (123:25)

Yeah.

A (123:26)

Well, somebody should write to the German court.

B (123:29)

Yeah, his email continues. Also, you described AIs as the ultimate super ad blockers. Given their need to eventually show a profit, I fear this is probably short lived. I suspect that AI dialogues will start changing in the near future to something like this. The prompt says how can I get my WI FI to reach to the end of my backyard? The answer from the AI There are several options including WI fi extenders, long range routers, blah blah blah. By the way, did you know that Best Buy has the Model XYZ router on sale this week for $69. Would you like me to provide you a link to the ad on their website? He says, or maybe it will just show you the ad directly at the end of the answer. In any case, it will be interesting, if not disappointing, to see how this all shakes out. Thanks to all you and Leo. Thanks to you and Leo for a great show and for keeping us all up to date on the latest security news. Tom. And he signs off Leo with WA2IVD.

A (124:41)

His call sign 73W2I V D WA2.

B (124:47)

And so that made me remember, remember how super clean and simple and straightforward and frankly beautiful Google's original search results were in the beginning. Just a white page with wonderful links to exactly what we were looking for. But those days are long gone. Now the page is encrusted with sponsorship barnacles and the link you'd love to have, instead of being right there at the top of the page, is buried beneath AI Overview, a bunch of sponsored and not always on point tangential references that are trying to take you somewhere else. And eventually you may find the link you're seeking. Sadly. I would bet, I would bet some money on Tom's vision of the future of AI chatbots turning into a massive advertising revenue generator. Or maybe the free version will be that and we're going to have to pay probably more than we are right now in order to get one that isn't, you know, advertising. Barnacle encumbered. I probably would do that, I think, because I, I'm finding this so useful. But yeah, I do imagine, I mean, Leo, can you imagine a better, more potent vehicle for ad delivery than an AI chatbot?

A (126:11)

I'm convinced that this is just around the world corner. I think complexity will do it. I, I'm surprised they haven't done it yet, to be honest.

B (126:18)

Yeah.

A (126:19)

Because it's exactly what advertisers would love.

B (126:22)

Yes. Because you get all the context of the user, you know, what the person is asking about. I mean it's made, nothing has ever been more made for, for, for delivering, you know, context aware advertising.

A (126:37)

Yeah, yeah.

B (126:37)

I, I, I do think it's inescapably our future. Someone calling himself Zafod. Zafod.

A (126:47)

Zaphod Beeblebrox.

B (126:48)

Zaphod Beeblebrox. Yes.

A (126:50)

This is Hitchhiker's Guide to the Galaxy.

B (126:53)

Yeah. He's Zaphod Beeblebrox, the first. Yes. So just to be clear, not a.

A (126:59)

Amazing pan galactic gargle blaster and was the coolest fruit in the universe. So just so you see, it's not.

B (127:06)

Fair, Leo, because you listen to audio books so you know how these things are pronounced.

A (127:10)

Oh, you knew it was a 5be Brock. You just didn't know how to pronounce it. I get it.

B (127:14)

Correct. Oh, I knew exactly who this was. You bet you baby.

A (127:18)

President.

B (127:19)

So he says, hey Steve. He says, hey Steve. Re ads on websites as you switched to brave their bat. BAT idea may interest you. It stands for basic attention token. Basically a crypto mind with attention. Something like this could make sense. It was also used years ago, but called crypto jacking and now most browsers block it. Asic resistant coins like Monero, which you may like for its privacy features, can be CPU mined and therefore paid directly to the websites with no tracking. AI companies could also do something similar and pay every time their AI uses data scraping from that site. The economics could be tricky and Beanie Babies aren't the best example. But if people really want bat, the price will go up. Same way if people want US dollars, the value goes up. It could be a good way to pay without. To pay with. To pay without paying. I don't think they could require a specific amount to go to a site though, because phones could generate minimal amounts. Okay, so to take his concept, we've touched on this before. It's truly, if nothing else, academically interesting. Cryptocurrency is here and it's not going away anytime soon, if ever. Any cryptocurrency that can now be mined can be exchanged for actual government backed, non cryptocurrency, you know, fiat currency. So imagine that while visiting a website, the visiting user's PC is tasked with performing mining work that directly yields value to the site. Viewed from the perspective of a website, all of the potentially tens of thousands of visitors who are currently there looking at a site's content are also collectively mining crypto for the site. No single browser mines much, but collectively and continuously, it adds up. From the standpoint of the user, what's going on is that some of their electricity is being inefficiently converted through the process of micro mining into currency that serves to reimburse the site for the cost of the visitor's presence and for the information they obtain. So this forms an interesting channel for moving some money. Web surfers pay for electricity by using that electricity to spin up more cores inside their CPUs, which is used to perform work on behalf of the site, which that site is then able to liquidate back into fungible cache. I haven't examined the economics of the idea to see whether it actually might make sense. But Zafod tells us that the Brave browser folks have done the math. So if nothing else, it's kind of interesting. Leo, we're at two hours. Let's take our last break and then we will continue with feedback from our listeners.

A (130:34)

Yes, indeed, gladly. Our show today. This is our last break, brought to you by, and it's a very appropriate sponsor. Delete me. Hello, friends. Are you concerned about all the data breaches going on right now? No doubt you are. We just talked about the new TransUnion breach. But here's an interesting point. Those data breaches by themselves really aren't as harmful as they as they could be. What it takes is a distribution network. Companies that are willing to take that information and then sell it on to the highest bidder in this country, it's legal. We call them data brokers. If you've ever wondered how much of your personal data is out there on the Internet, I think we now know it's all out there, right? Your name, your contact info, your Social Security number, even things like your home address, information about your family members. It's not only is it out there, it's compiled by data brokers from all those sources and then sold online to the highest bidder, which can be anybody. Advertisers, marketers, sure, but also governments, law enforcement. Anyone on the web can buy your private details. This can lead to all sorts of nasty consequences. Identity theft, phishing attempts, doxing harassment. But now you can protect your privacy with delete me. Well, look, I live in public. I share my opinions online. I definitely want to keep some personal information, like where I live private. And I think it's really important if you have a company, even if you're not a public figure, if you think about it, because your managers are the first line of defense and the first line of attack for bad guys. For phishing attacks, we got phished. This was really an eye opener for us. A couple of years ago, people impersonated our CEO, sent text messages from her phone number to her direct reports phone numbers saying, hey, I've been stuck in a meeting, I need you to go out and buy a hundred Amazon gift cards and send them this address, pronto. Fortunately, we have smart employees. But when I saw that, it really, it concerned me. I thought, how do they know who Lisa is, what her phone number is, her personal phone number, what her who her direct reports are, what their phone numbers are. Then I realized it's easy. This is the problem. That information is widely available for pennies. It's easier than ever to find personal information about people online. And this is why we use at TWiT and we recommend Delete Me. We immediately sign up for Deleteme for Lisa and she still gets notifications, emails every few months from Delete Me saying, hey, we found this. We're deleting it now. It's a subscription service. It removes your personal info from hundreds of data brokers. We know there are. What was it, Steve? 499 data brokers in California.

B (133:37)

California alone. Alone.

A (133:40)

And that was last month. You know, there's probably a hundred more because it's a very lucrative business and it's an easy business to get in. So what you do is you sign up, you provide Delete Me with exactly the information you want deleted. Because you may not want everything deleted, but just what you want deleted. Their experts take it from there. They will send you as we, you know, know, because we get them regular personalized privacy reports showing what info they found, where they found it and what they removed. Because Delete Me isn't just a one time service. It's always working for you. It has to because there's always new data brokers that that information gets repopulated constantly. Delete Me constantly monitors and removes that information you don't want on the Internet. To put it simply, Delete Me does all the hard work. Yeah, I guess you could do it if you wanted to, if you knew who all those data brokers were and you wanted to keep track of them all and you wanted to visit them on a regular basis. Delete Me does this for you. Wiping you and your family's personal information and your company's and your manager's personal information from data broker websites. Take control of your data. Keep your private life private by signing up for Delete Me, a special discount just for our listeners right now. Get 20% off your delete me plan when you go to joindeleteme.com twit and use the promo code TWIT at checkout. And the only way to get it 20% off is to go to JoinDeleteMe.com TWiT and enter the code TWiT at checkout. Join DeleteMe.com TWiT and use the offer code TWiT. Now, I got an email from a listener who said, I went to deleteme.com and they don't delete. That's a different company. So it's really important you do this right. There's a European company with the same name. I don't know how they get away with this. I don't know how long they'll be in business. But they do GDPR takedown requests. That is not enough. That does not stop data brokers and it doesn't work in the us. Delete me. Our delete me does. But you have to go to the right website. Joindeleteme.com, go to the right one. Sign up. Take advantage of this. It's a must. It's a must. All right Steve, your turn.

B (135:46)

Ian in Ottawa, Canada says hi Steve. He's referring to a feedback from last week. He said Just like Joshua, I too have had some AI realizations, but I reached two opposite conclusions. From what I've heard, we have a few low traffic WordPress sites hosted with a correspondingly small hosting plan, but recently many AI crawlers have been ingesting 20 plus years of blog posts with many dozens of page loads per second. Of course this periodically maxes out our CPU quota as the pages are dynamically assembled by the WordPress site and also consumes our bandwidth quota. If it were just one crawler, fine, but there now seems to be a continual parade of crawlers sucking up everything they can find. So opposite conclusion number one, AI is not good for small sites, he said. Parens I'd be more inclined to move to a simple static site on AWS with their cloudflant CDN for publishing content info and self aggrandizement, he said. On the topic of AI summaries taking over, I see a silver lining if I have a product or service that I want people to be able to understand. Perhaps now I can just write one big pure text authoritative document, hopefully with a way to draw attention of the AI crawlers. No need for high res images of happy people or acres of white space or a designer to tell me to use all lowercase headings with an exotic downloaded font displaying in medium gray on a light gray background or any of the other fluff that a good page needs nowadays. Which leads us to opposite conclusion number two AI summaries can free many of us from the burden of visual site design. At this point I imagine that some of our listeners are thinking that GRC site was never very much burdened by the exigencies of visual site design and they would be correct. I very much like solid red and blue on white with lots of rule lines and boxes.

A (138:01)

And you use Google fonts right?

B (138:02)

For all your fonts and I just use like you say I think it is.

A (138:07)

Yeah, just whatever font they got whatever it is. Yeah.

B (138:11)

Ian finishes. Am I just being provocative or could that be in our future? I'm not sure. Thanks for all the work you and Leo do. Best regards, Ian in Ottawa, Canada. So, Leo, you guys had a guy from Common Crawl.

A (138:27)

Oh, yes, Rich Scrinta. Yeah.

B (138:29)

On your Thinking Machines podcast. Their mission is to deal with exactly the problem that Ian is having. While the web is operating, as you know, every bot for themselves, our websites are being redundantly visited by every bot of every company in single file. The idea of Common Crawl is to crawl all that data into a series of online Internet web snapshots that anyone is able to obtain.

A (139:02)

It's kind of like Internet Archive, but it's for AI, right. So it's for researchers.

B (139:08)

Yeah. Common crawl.org so their homepage explains. They said Common Crawl maintains a free open repository of web crawl data that can be used by anyone. Common Crawl is a 501c3 nonprofit founded in 2007. We make wholesale extraction, transformation and analysis of open Web data accessible to researchers. Over 300 billion pages spanning 18 years. Free and open corpus since 2007. Cited in over 10,000 research paper and 3 to 5 billion new pages added each month. They said the corpus contains raw web page data, metadata extracts and text extracts. Common Crawl data is stored on Amazon Web Services public data sets and on multiple academic cloud platforms across the world. Access to the corpus hosted by Amazon is free. You may use Amazon's cloud platform to run analysis jobs directly against it, or you can download it whole, or in part, you can search for pages in our corpus using the Common Crawl URL index. So in this era of big data, data storage is so plentiful and vast that there's no longer any need for individual companies to redundantly crawl the web. Doing so oneself is not simple, and it requires the assembly and maintenance of a sophisticated web crawling infrastructure to pull all of that widely distributed data from across the globe. And as we've noted, having everyone rolling their own separately is expensive, it's time consuming, and it's redundant. It makes so much sense to have a single centralized nonprofit that everyone can easily reference as a single stored database. I think it's kind of brilliant. So I. I wanted to.

A (141:22)

Yes, I agree. Yeah.

B (141:24)

To note Ian's observation and. And also to note that, you know, the guy you had on last week was, you know, Rich is really cool.

A (141:33)

Yeah.

B (141:34)

A neat solution for this.

A (141:35)

Yeah.

B (141:37)

Ed Hands said. Hello, Steve. As an IT Manager, security is always our top priority. I recently listened to security now podcast 1040 last week and found the discussion about Germany possibly banning ad blockers particularly compelling. I share your concerns regarding privacy and third party cookies. However, my primary concern extends beyond those issues. In managing approximately 2,000 endpoints and users, our network has been hit by ransomware twice. Thanks to comprehensive policies, procedures and security software, we were able to prevent significant damage. What concerns me most, get this, is that the ransomware was introduced through advertising delivery networks.

A (142:26)

Malvertizing. We're just talking about that.

B (142:28)

Yep. He said, you may have heard me yelling at the radio in the car about this. That was probably while he was listening to last week's episode. He said, given this context, if Germany passes legislation banning ad blockers, it seems to me the case could be made that the advertising networks could or should be held financially liable for any malware distributed through their platforms. It seems that such accountability would be appropriate. Thank you, Steve and Leo, for all you do with security. Now, here's to the next 20 years of security now. Oh boy. Best regards, Ed H. So, yes, malvertising, we've certain we've talked about it, its possibilities and dangers, but it's still sobering to hear from a listener who has actually had firsthand field experience and not. And now, now more than just once. With advertising being used as the entry vector for a ransomware scale compromise, it doesn't seem as though that's something that receives sufficient attention. Accountability, however, you know, the. The accountability chains essentially are difficult to manage, and they become near to impossible to litigate when it's possible for multiple parties to point fingers at each other. I've served as an expert witness in a few technical jury trials, and it's been quite disheartening to see clever opposing counsel spin a jury and leave them unsure of their own names. In these, you know, he said, she said cases, juries often choose not to award damages since they're unable to determine fault. So I don't have much faith in the practical ability to hold an advertiser accountable, though I love the idea. You know, they'll just say, well, we're just the conduit. We're not responsible for the ads we show. You know, we get those from someone else. It's like, okay, yeah, great.

A (144:28)

Yeah.

B (144:28)

Tom Herman said, hello, Steve. As probably others already said, sync thing supports encryption of the data on untrusted peers already. He said, I've been using this for many years for syncthing to my own NAS and other peers as I'm a bit paranoid and want to prevent any unencrypted data at rest. You can see it in the settings of every folder when selecting the sync peers, peers can be marked as untrusted and then a strong password needs to be set. Untrusted peers can even sync encrypted data among them if the same password is used with all untrusted peers. Also, peers themselves can be marked untrusted in the settings, and then the UI forces a password to be set when you want to share any folder with those peers. Regards Tom Listener since day one and Tom is absolutely correct, I went and looked the option to set a password is right there staring us in the face at any syncthing user. At the same time, our previous listener may have been referring to the fact that at the top of the syncthing documentation page it states warning this feature should still be considered beta slash testing only. And what that untrusted peers documentation page says is exactly what Tom just explained and it's what the UI shows. So okay, so first of all the operation is quite cool and in fact I sat down first thing I did this morning I looked at my Windows 7 sync thing whose version I froze because it's Windows 7 back in July of 2021. So it is more than four years old it is at version 1.18.1 and it has this so this, this ability to encrypt the the peer has been around for more than four years. I suspect they just nobody's taken that warning message down from the documentation page because it got old and it didn't expire. So anyway this is very cool. What happens is the sync thing always uses a folder ID which is a little it's a short little random token. It's not cryptographically strong, but it does provide uniqueness for every folder name instead of human folder names. It's the way syncthing knows the folder, your password and that little blurch of pseudo random stuff are combined and hashed into a symmetric key which is used by your client to pre encrypt the data that goes to the peer that it's syncing with. In this case probably a NAS or in Joshua's use case from last week, his friends storage where he wants to back up all of his data at home but not worry about it might getting out of control over there. So that store never has the key, all it's storing is complete pseudo random noise and it's his his sinking peer that knows the the that holds the the access password and the sync thing name of the of the folder which is it's syncing with which then allows it to always recreate the the static symmetric key which is used to encrypt and decrypt the data and multiple clients can all peer to that common store as long as they have the same password and you're even allowed to have, for example in my use case 2 NASA synchronizing this pseudo random data without ever knowing what it is and peers then peering to those two NASA so this is completely supported. It has been for more than four years and it works wonderfully so Just another reason that syncthing is as they used to say and I'm sure they don't anymore. Leo they the cat's meow.

A (149:06)

Really? That was their slogan?

B (149:07)

The cats? No, but, oh, you know, like I don't know, Beach Baby Barbara or Bingo.

A (149:14)

Or whatever that I didn't know that was. I just, I thought maybe you say that was their slogan. I believe everything you say, Steve. I just, you know. The cat's meow.

B (149:22)

Try for accuracy where I can. Yes, and clarity Dave in Seattle said hi Steve, thanks for the tip and the free gig upgrade on sync.com I've been looking for just such a solution, wanting to avoid the big cloud and cloud services plus Canada what's not to love? I thought you'd like to know that Opt out of email based Forgotten password recovery resets is the default and a visible choice on the account creation section of their top landing page. That's so cool, so smart and something I've not seen anywhere else. And Dave attached a screenshot to his note showing that the option to enable email based password recovery is set to off by default. I didn't recall that. I just knew that they offered it as an option. And I agree that, you know, having that off is just the way to do it. You know you're gonna if you're syncing to the cloud, you take your security seriously. You can set up multi factor authentication as I have on my sync.com account, you know, on my device, which is not sharing its data anywhere else. So it's a fully separate device and you've got the best security you can. Along with a super strong password of course. Finally, Dan Dapkas wants to defend Microsoft, and I'm all for hearing his defense. He said, hi Steve and Leo, I've been a software engineer, database administrator, dev team manager, director of App Dev for over 30 years and a fan of your show for about 10. I hadn't heard of it before then. I think yours is the only podcast to which I've consistently listened for such a long period of time. I'm not sure where I'd begin if I were to go on complimenting both of you. Steve, your deep technical mathematical knowledge is remarkable, and Leo, your broad industry knowledge and experience are a perfect complement. I look forward to the show every week, including the commercials, because they are they are too often interesting and informative. I've been thinking about writing this email no this criticism for years and episode 1038 finally knocked me over the edge and so I'm writing. Cutting to the chase, you both qualify as Microsoft bashers. Throughout my career I've observed this phenomenon of IT pros who take various opportunities to rant and rave about all the deficiencies of Microsoft without acknowledging the blatantly obvious Essential Exculpatory Context the following is the exculpatory context to which I refer to he has in all caps for the first one Microsoft creates and supports multiple business and personal operating systems and software for much of the world, and has done so successfully for decades. Okay, that was all caps. Then he turned his CAPS lock off for the following points Monthly Microsoft Rule and First of all, of course he's right about that. Monthly Microsoft rolls out cumulative updates to over 1.5 billion Windows 10 and 11 endpoints worldwide. There are roughly 1.65 billion Windows servers installed around the world, and Microsoft also patches those every month. Over 3 million websites use Microsoft IIS, mine included, as their web server. Hundreds of thousands or millions more host their websites on Azure. Microsoft Net, which is now cross platform, is used by millions of developers worldwide, 34% of all websites run on. Net technologies, and Microsoft patches it monthly. Microsoft secures one of the world's premier database systems, SQL Server, and its PaaS version, Azure SQL Database. There are an estimated 8 to 10 million instances worldwide. Microsoft secures one of the World's dominant office productivity suites, Microsoft Three Hundred and Sixty Five. There are 345 million paid subscribers. Microsoft has an act, a uniquely large attack surface, and they diligently patch it. It's inconvenient for everyone involved. No one forces anyone to use Microsoft products. If some perfectly secure, inexpensive, wonderful alternatives exist, companies and individuals are free to adopt them and then shall be liberated of the need to complain about Microsoft.

A (154:18)

Well, I will say that not everyone who uses Microsoft products has a choice because they work for companies that mandate what they use. True, the vast majority of people who use Microsoft Windows and Microsoft products are not given the choice.

B (154:36)

It's just there. Yeah, and then he said, Steve, one tangential tidbit you mentioned SonicWall's GOIP filtering from the transcript, you said, quote so I mean it is the way to do this, but no one's doing it yet. And he said Microsoft, however, has been doing it and more for years in Azure with its web app firewall, which supports not only geo filtering but also OWASP threat detection and blocking at the network perimeter. Read about it here. And just for the record, what I was referring to was requiring it, not having it available somewhere in the background, like putting it on the UI and asking for, you know, making developers do something about it. So he finishes saying Microsoft's task is Herculean. And I think they're generally they generally do a good job. Can you think of another company that you'd trust and would expect to behave more responsibly and competently and less greedily with Microsoft's responsibilities? Thanks again for your hard work and for many more episodes of security now. Best Damn Duckus so Dan, I think makes some valid points which I wanted to share with everyone on the podcast. I know.

A (155:58)

Very fair man.

B (156:00)

I'm I know I am hard on Microsoft, and I do acknowledge that GRC runs on Microsoft servers with one FreeBSD Unix exception. And we all know that I'm exclusively a Microsoft software developer, so I'm very aware that I beat up on them weekly and that's W E E K L Y while at the same time choosing to use their solutions for my company and for myself. That said, there are decisions, not mistakes, which anyone can make that I have great difficulty swallowing which are their choice. We're told that Windows 11 will run faster than Windows 10 on the same hardware because it's more efficient, but that Windows 11 won't run on all of the same machines that are handily running Windows 10 today. And that TPM 1.2 versus 2.0 requirement is pure nonsense, TPM 1.2 has always been just fine, and it still is. And we all know that Windows 11 can be tricked into running on older, incompatible hardware. This promises to create a huge problem for the next few years for many people who would just like to keep using Windows 10. But Microsoft says no, that's by design, and the idea of charging some users to receive patches for flaws for which perfectly well working patches have been created is just wrong. If a patch exists to repair a product defect, Microsoft's product defect that they created, it should be provided to that product's users.

A (157:51)

Period.

B (157:52)

Full stop. Charging anyone extra to fix product defects is never going to sit well with me. So I suppose my overall complaint is that while Microsoft has every right to be self Interested. They are so ridiculously massive that for most companies there really is not any effective alternative. And I'm certain that's something that our listener appreciates. Given that and the nature of capitalism, Microsoft will not, may, will abuse the power they have for their own self interest. They're going to do it just because they can. I'm not leaving Microsoft and Windows. I can't and I don't want to. But I'm very glad to see that large European countries are becoming fed up with Microsoft shenanigans. I mean, just as Dan said, people can leave and are beginning to pull away. Perhaps if enough of that happens, Microsoft will have a bit of the wind taken out of its sails and might consider perhaps not pissing off so much of the rest of the world that has no effective alternative. Microsoft is in an enviable position. They've earned it. But it takes a great deal of institutional ethics to resist abusing it. They're walking a fine line.

A (159:18)

And I would defend the fact that it's our job to, to talk about the issues that occur. And I. Everybody recognizes that Microsoft has a massive job, but are you saying we should just give them a pass because of that and not mention anything that they do wrong or we think they could do better? I think that's part of our job is to say what they could do better. And unlike you, Steve, I refuse to use Microsoft products. So I do not. I think I've found better alternatives, but I'm not required to by my company. I used to be. I also used to have to use Lotus 1, 2, 3 or no Lotus Notes when I worked at Ziff Davis. That was a nightmare. I think this is our job is to say when something's good and to say when something's bad. The fact that billions of people use it is not persuasive. Billions of people eat McDonald's hamburgers. Doesn't mean it's the best beef out there.

B (160:14)

Or Starbucks is the best coffee or.

A (160:17)

Well, you think it is. I made decisions.

B (160:18)

No, no, I, it's, it's whatever drink. But everyone tells me how bad it is.

A (160:23)

It's like, okay, it's perfectly fine, Steve, as is Windows.

B (160:29)

And I often compliment Microsoft when they do the right thing.

A (160:34)

Actually, you're much nicer than. Well, maybe you're not. I have to say our Windows Weekly team. But again, I think that that's appropriate.

B (160:45)

Yes. And, and frankly, Leo, sometimes I listen to Paul and I think, okay, I'm not so far out because, yeah, it's.

A (160:54)

But we're Not. This is not a. I think maybe sometimes people, certainly on the max side, wish this was a fan zine, a fan operation. We're not fanboys. That's not our job here. We're, we're users and we represent users, not these companies. And so when a company could do better, we, we'd say, you could do better. That's. I don't think that's unfair. I think that's our job.

B (161:15)

I really took them to task when they, when XP was going to be shipped with RAW sockets. I mean, I went nuts trying to prevent that disaster. And it wasn't until Service Pack 3 that they finally turned it off after they got attacked by their own raw sockets.

A (161:29)

And you got roasted for that.

B (161:30)

I got raped by, by the Register and Microsoft themselves.

A (161:35)

You were right. You were absolutely right, as Microsoft ultimately had to admit. Yeah. So look, you don't want us to sit here constantly praising everything, certainly not in security. Now this is a show about things that aren't going well.

B (161:48)

We talk about mistakes here.

A (161:50)

Yes. Yeah.

B (161:51)

And Microsoft makes their fair share because they're, they're, they're like the platform to.

A (161:55)

Make, what to do.

B (161:57)

They're what everybody uses.

A (161:58)

It's non trivial to make a perfect platform for such a heterogeneous bunch of hardware. I completely acknowledge that. It's very hard thing to do.

B (162:08)

Yeah, I don't want that job. I couldn't do it.

A (162:11)

No.

B (162:13)

Okay, and our last piece, an update. And I'll be interested to hear about you and Amazon here in a second, Leo. But first, on Sunday, while I was assembling today's podcast, two days ago, the iPhone that I have resting on a stand next to me alerted me to a Facebook posting by Rick Brown. And by the way, Leo, we need to get Jeff some meds, I think. Why? Because his postings, I mean, I'm afraid he's gonna give himself an aneurysm or.

A (162:42)

I mean, he has a bad ticker. He has a bad ticker and yet he.

B (162:47)

Tell him, just turn off the tv, Stop watching Morning Joe.

A (162:52)

And I know, I know, I know.

B (162:55)

But because I see, I get little notices of his Facebook postings and I think, oh, Jeff, you're gonna hurt yourself.

A (163:01)

Stop. Tell him, Be nice to yourself, Jeff.

B (163:06)

I don't.

A (163:07)

Look, I gave up on watching the news. Unfortunately, it's kind of part of my job and it bleeds over into the news, the tech news that I have to research and cover. But yeah, it's, it's hard.

B (163:18)

Anyways, my phone, my phone lit up with A Facebook posting by Rick Brown Yes, I've I've spoken of Rick and remember his spelling is Ryk many times before since he's the pro the prolific author of one of my most favorite long running science fiction series known as the Frontiers Saga. That's plural. Frontiers Saga. When he embarked upon his writing, he conceived of five long story arcs. Arcs where each one would receive a 15 novel treatment. He's currently one novel away from finishing the third story arc which would make that next novel his 45th. And he's near to finishing novel 45. I've read them all waiting for the 45th one and what? Because I've had to wait in through some periods I've read much of them three or four times. I mean the they're just great stories and it's the characters that he's created that makes this so fun. They are absolutely character driven sci fi. So once that last book of his third series is finished, he will have two story arcs remaining. And there have been strong hints that our intrepid group of explorers may be encountering their first non human aliens. So far, each ark's nemesis have been various groups of power hungry humans. But I have the feeling that may be changing next. And I cannot wait to see Rick throw our group of now very well known, well developed and wonderful characters into confrontations with non humans. That's going to be something. So I know that Rick has many fans among our listeners because I often hear from many of you who are enjoying the many characters he's created every bit as much as I am. So I wanted to share Rick's Facebook posting from two days ago since he's soured on Amazon's Kindle Unlimited service. And things will be changing for the two final story arcs Rick wrote. When Amazon first started Kindle Unlimited, I was still being compensated for reads through Kindle Unlimited at a rate of about 70% of what I would make on a purchase. The entire system is rather arbitrary and has become so polluted and gamed over the years as to be laughable. The amount of compensation for reads through Kindle Unlimited is now down to a mere 30%, which means that every time someone reads one of my books through Kindle Unlimited instead of buying it, and they're not expensive, I'm losing on average about 60 to 70% in sales revenue. While I do not begrudge anyone for using the least expensive way to satiate their need to read, in the end, I'm running a business and my family depends on me to pay the bills. Therefore Starting with port with Part four of the Saga, my books will no longer be available in Kindle Unlimited. I'm hoping that if you read this far in my series, you won't mind spending a few bucks. And that's all they are every three to four months for a new episode. If you've been reading Part three through Kindle Unlimited and are not up to date, I would suggest you download them as soon as possible, as they will begin dropping out of Kindle Unlimited as soon as September 2nd. That's today, by the way, I will put the final episode of Part 3 in Kindle Unlimited for three months after publishing, so that those of you who must use Kindle Unlimited in order to afford reading my stories will at least be able to finish through part three. But by the end of 2025, all parts two and three will no longer be available through unlimited. Although I will be leaving all of Part 1 in Unlimited for now in order to attract new readers. Eventually, most, if not all of those titles will also be taken out. This is not without risk. As Amazon unfairly waits, unlimited reads towards sales rankings, even though a Kindle Unlimited read is not a sale and it could cause my rankings to tank and for me to lose revenue. But it has to be done. Amazon is ripping us off, and the only other way I can combat this is to write faster, which means poorer quality and or to raise prices. Now is the best time for me. With my new Astra Nullis project and a small inheritance from my late mother, I had the best chance of weathering the storm that will without doubt be created by removing my books from Unlimited. However, if I can successfully reach calmer waters, I can then publish my works on other platforms, as many of you have asked me to do. To those of you who purchase my books, even though you could read them through Kindle Unlimited, I thank you. Without you, I would not have made it this far. Rick.

A (168:46)

Yeah.

B (168:47)

So, Leo, I know that you've soured on Amazon and you're no longer wanting to support them.

A (168:53)

We knew this would happen. We knew that the. And this is what Cory Doctorow talks about in his book Inshittification. We knew that Amazon, which, you know, in the early days said our entire focus is on customer happiness, and they really did seem to act that way. But as soon as they lock in customers, then they turn the screws and it's all about milking the customers and they become such a monopoly. They're an absolute monopoly in audiobooks. And, you know, so it's funny because one of the People we love. Dennis E. Taylor, the Bobaverse guy is an Amazon exclusive. And he says, you know, that's one of the problems with Kindle Unlimited is you have to agree you won't be anywhere else. Kindle is your exclusive.

B (169:39)

Oh, that's okay.

A (169:41)

Well, but interestingly, he said, so I tried. He said, when I self published Outland, I went, I went wide. Kobo, ePub, Google Play, he says, but I didn't make any money. I made money with Amazon exclusivity and Kindle Unlimited. And this is the issue is it's a monopoly and it's not good for us as users. I prefer to use Kobo. I buy my audiobooks from Libro FM instead of Audible, even though the Babiverse is not available anywhere but Audible. Same thing. It's an Audible exclusive. I wanted to read Dungeon Crawler Carl, which is a very popular sci fi series right now. And it's only on Audible because Amazon insists on these exclusives. And I think those authors maybe are well compensated. But in the long run, it's bad for users because I like to buy them on Libro FM because it supports our local bookstore and it's the same price as Audible. The problem is the monopoly. And Amazon is squeezing really hard to make sure that they're the only place you can buy these books or listen to these books. And I don't think in the long run that's good. And as soon as they do have that monopoly, of course the price goes up and the author payments go down. The other problem a lot of people reported with Kindle Unlimited is the amount of AI stuff that's on there and even non Kindle. And Rick's going to experience this. Even if you're not a Kindle Unlimited author, your royalties are tied to the royalties paid on Kindle Unlimited to other authors. And when there's a lot of AI slop on there, it hurts you even as a non Kindle Unlimited author.

B (171:20)

By AI slop, you mean AI writing garbage books?

A (171:23)

Yeah. If you look at Kindle Unlimited, I don't know what the percentage is. Many of the books are not. Oh yeah. And Amazon does nothing to, you know, to stop that. I mean, there's a human behind it. It's not. The AI is not doing it on its own.

B (171:42)

Go, baby, go.

A (171:44)

But the writing, it. It's not good. It's not good. They're not good books. That's going to become more and more of a problem too as we search for books to read about topics. I've run into this I've been looking for stuff to read about the Mississippi River. There's a lot of nonsense that's not real history, but it's hard to distinguish it.

B (172:04)

Wow.

A (172:05)

So, and this is, I think this is my biggest problem is that is just the sheer power, the sheer market power that Amazon wields.

B (172:11)

Well, I'm. As we know, I believe in capitalism, but I also maturely understand that our system is not stable because big companies tend to get bigger. And you know, as I finished when I was just there talking about Microsoft, I said, you know, Microsoft is in an enviable position, they've earned it. But it takes a great deal of institutional ethics to resist abusing it.

A (172:37)

Right.

B (172:37)

And that's what ends up not happening. And when you've got a board of directors and C level officers and stakeholders, it's no one's fault.

A (172:48)

Shareholders are pushing you.

B (172:50)

Yeah, right, exactly.

A (172:51)

They want their profits, their quarterly payouts, they want their dividends, they want their stock buybacks. But in the long run, all of this is bad. And this is, I mean we've known this for 100 years, since the Sherman Antitrust act, that capitalism is good until it becomes a monopoly and then it needs to be regulated. Regulated.

B (173:09)

Right.

A (173:10)

And unfortunately it's competition.

B (173:12)

It's competition that makes capitalism good.

A (173:15)

Exactly.

B (173:15)

And a monopoly kills cap, it kills competition.

A (173:18)

It's the one bad side of capitalism, unfortunately. Anyway, yeah. You can't wean yourself off of Amazon despite the, you know, as much as I can. But there's stuff I can't, for instance.

B (173:32)

Because the things you need are only there.

A (173:34)

Yeah. Or it's very convenient. So you mentioned I should be taking this lithium orotate and it would have been very easy to get it on Amazon and have it arrive the next day. But I decided, no, I'm going to go to someone else. I'm going to go to a vitamin shop and order my vitamins from them. Moved everything off, subscribe and safe as best I can. But I acknowledge it's very difficult because they're so dominant. It's very hard. Now they're offering same day grocery deliveries in 2,300 markets in the United States. What do you think that's going to do to grocery stores? Wow. And how are you going to feel if you can't go to a grocery store?

B (174:09)

And it is astonishing. Sometimes we'll need something, Lori or I and our, we joke now saying that you, you, you look it up on Amazon and then you just go to the front door. I mean, exactly. I don't know how they do it, it's, it is exactly, it is amazing. And so it spoils you. It spoils, you know, I need, I.

A (174:30)

Don'T want to get in the car, drive to Target.

B (174:33)

I need a left handed, you know, slime widget. And there it is in a bag, you know, would you like it in an hour or two hours?

A (174:41)

Like what, how, what the slime witch is two hours? It's a little, it takes a longer, it has to come from China. Yeah, yeah. I feel for Rick. I wish him well. I hope so. I hope everybody who is like Rick Brown, these great authors like Dennis Taylor and Rick Brown are able to create and get paid properly for the stuff they create. We work really hard to make sure that, you know, our, our hosts get compensated and our, our employees get compensated. We pay a living wage. We try very hard to do it. It's not easy.

B (175:12)

For what it's worth, Rick Brown's Frontiers saga. I, I, it's one of my favorite favorite series. I mean, we've done Honor Harrington and the Lost Fleet series. We've done a bunch of, you know, fleets. And if you'd like to consume a lot of sci fi, there's 45 books now. I, I'm, I always tell myself I'm not going to start until this, until one of his arcs is finished because I always outpace him, of course, so.

A (175:42)

But we're still waiting for Peter F. Hamilton's second volume.

B (175:45)

Yes. And I don't really care. That was so complicated with all those weird creatures and far future. And I have a problem when it's, it's like so far in the future that like, like they're like, they're not even human trans humans and they're still using contemporary idioms. It's like, come on. Like, it throws me out.

A (176:10)

It's hard to identify with. Yeah, yeah, it's, it's so different. Well, that's all right. You know, some people like it. We get to choose. We do indeed.

B (176:19)

And we will, we will recommend what we love and warn people away from what we have.

A (176:25)

It's just our opinion. We're, we're just some guys with a microphone.

B (176:29)

Yep.

A (176:31)

Steve Gibson is@grc.com and if you like what he does, there's a couple of ways you can support him. Of course, his bread and butter is his fabulous Spin Right program, which is now in version 6.6.1. If you go to GRC.com buy yourself a copy, you will make Steve go.

B (176:48)

Yabba Dabadoo and 1989 Bite magazine. Award of distinction and it looks exactly.

A (176:58)

The same and it works even better.

B (177:00)

That's haven't changed a bite since.

A (177:02)

Was that version 1.0? What version was that?

B (177:04)

That was. I, I looked it was 1.1 so. Which I didn't. Or 01. I didn't even know I had that. But I must have had a bug in the, in the. In the first release so I wow. I fixed it. Things were a little tricky back then though because controllers were storing their configuration information in a pseudo sector on track zero and when I low level formatted that that the outcome was not good. So I had to fix that quickly. But anyway, yeah, those were good days.

A (177:32)

That's great. While you're there, by the way, GRC.com there's a couple other things you can do if you want to get the. I got it yesterday. It's great to see it. Get the show notes the day before often Steve will email him to you. He's got a little newsletter but the way you do this is interesting because Steve is a privacy focused guy. You go to GRC.com first thing you can do there is validate your email address. This is his anti spam solution. It's brilliant. He validates the address, then you could send him email otherwise he's not going to see it. So go there, get your email address validated and when you're there on that page you'll see two checkboxes boxes below, unchecked by default. One for the weekly email for the shows notes. Nice to get them ahead of time and they're very complete. Does the best show notes on Twitt. All the details, links, everything, images. Also though he's got a. He's only sent out one email on this mailing list. There might be another soon though. This is his announcement mailing list. We're waiting for announcement for his DNS benchmark Pro which should come out any day now. So if you, if you check those two boxes you'll get those emails. Nothing else Steve promises. You can also get a copy of the show there. Steve has unique versions of the show because. Well of course he's got a 16 kilobit audio version for people who really want the smallest possible version of the show. He also has a 64 kilobit audio. That's full fidelity. That's.

B (178:57)

It's really the assembly language version of the show.

A (178:59)

Yeah, it is. Just the bits. Nothing else. Just the bits. Not even all the bits. Most of the bits. It's not all of them. He also has really well written Transcripts by Elaine Ferrissy. An actual human being, a court reporter in fact, who does a great job transcribing every bit of this show in a. In a beautiful way. And you can download that. Those are all free and it's easy to get all three of them if you want. Or get the. Get the show and the notes or get the show and the transcript. The transcript's good to read along, but it's also useful for searching. We have the show on our website, Twitter, tv sn. Now our versions are different. We have a. The audio version is a little bigger, 128 kilobits. That's because of the way Apple does transcoding. We have to do that. We also do a video version and you can get that at twit. There's a YouTube channel dedicated to the video version which is extremely useful if you want to clip something. You know, you heard a story and thought, I got to send this to the IT department. They need to know about this or whatever. It's easy to do that in YouTube and everybody has the capability of watching a YouTube video. That's kind of universal. Best way to get the show though, in my opinion, is to subscribe. It's a podcast. That means you can get the rss, get it automatically downloaded as soon as it's available on a Tuesday. Just look at any podcast client, you'll see it. Leave us a good review. Leave us a five star review. Help spread the word. Everybody should know about security now. Very important. You can even watch us live if you're really like anxious to get them freshest version of the show with breaking news and all. We stream live right after Mac break weekly and Tuesday afternoon. 1:30 Pacific, 4:30 Eastern, 20:30 UTC. Those times are approximate. In fact next week we might be a little late Steve, because we're going to be doing the Apple Phone event that probably push Mac Break weekly back. We might have to start at 2 or 2:30 Pacific next week. Just a heads up. But you can watch us live if you're in the club and I hope you are because that really supports us. It supports Steve. It's 25% of our operating income right now. It's very important to us. You get ad free versions of the show. You get access to the Club Twit Discord, which I am from now. I'm going to call the Club Twittisco. Although Mallow Chicken is close, it's right in there. It's a possible runner up. If you are in the club, you can watch us Live in the club to discord. Chat along with us as you watch. But we're also available to the public at that time on YouTube, TikTok, Facebook, LinkedIn, X.com kick. And I'm missing one. Anyway, many other places, anywhere that streams you can find us Facebook, LinkedIn, X dot com, TikTok, anyway, YouTube, Twitch, TV. Anyway, all of those places. I think that does it for the. The business end of this show. I think it's time to say goodnight to our family and you, Steve Gibson. We'll see you next week on Security now.

B (181:52)

Right. Oh, and we have you until.

A (181:56)

Let's see, I will be here. I'm leaving the 20th, so I'll be here through the. What is that? The 18th. No, the 17th.

B (182:03)

Okay, two weeks. Yeah. Cool. And then. Then you're three. Three year gone for three.

A (182:09)

16Th. I guess it is.

B (182:10)

And did you. And the. The stucco is dry and painted.

A (182:15)

Oh, no, no. Right now what we're in the midst of is we're waiting to find out. It's possible Lisa will say I have to stick around. Which case I will be searching for the source of the Mississippi River. I was gonna get my piss helmet. I will be searching a source of the Mississippi river all on my own looking for Dr. Livingston. Otherwise Lisa will accompany me and the stucco be damned. And that's what I'm trying to persuade her.

B (182:44)

You might go solo.

A (182:45)

Well, I decided I. Even if I have to go solo, I really want to do this, so.

B (182:50)

Oh, okay.

A (182:50)

Somebody's got to find the source of this river. I mean, it's just driving me crazy.

B (182:54)

You know, because it moves around.

A (182:56)

Yeah. Hot in that piss helmet. I thought it was supposed to be cool in the piss helmet.

B (183:01)

Steve, we want you to have a nice vacation and to return refreshed and rejuvenated and recharged.

A (183:07)

And I think Micah's filling in for me when I'm gone, so you'll still have a wonderful, wonderful time. And we will see. I'll be for two more weeks through the 16th.

B (183:16)

Good.

A (183:17)

Take care, Steve.

B (183:18)

Okay, buddy. Bye.

A (183:22)

Security Now.