B (2:37)

Oh, I think it was like a library sale.

A (2:40)

Oh, good. Okay.

B (2:41)

When they were liquidating old stuff. Yeah, yeah, yeah.

A (2:43)

I'm very aware of it because I'm reading a book right now. I'm listening to an audiobook from the Libra Libby and it's only got eight days and I don't think I'm going to make it. And that's a bad feeling. I don't know if you can extend audiobooks.

B (2:56)

You got to get back on that list.

A (2:58)

I know it was, it was four people ahead of me. So yeah, it's going to be a while. All right, so it's 5am in Laos, but it could be 4am but you live in a country, a wise country, a thoughtful country where they don't change the clock twice a year. People who have been here for an hour waiting us for to start the show maybe didn't notice. We are now in standard time, which means we start an hour later. But that's good for you.

B (3:31)

For me today. It's good for me, yes.

A (3:33)

It's good for you.

B (3:34)

Yeah. You know, the closer you get to the equator, the less it matters.

A (3:37)

It doesn't matter. That's right.

B (3:38)

Because the sun rises and sets nearly the same time all year round.

A (3:43)

It's the people who are farthest from the equator who I think benefit the most from saving time. Ironically, the person who blocked it in the United States is from Arkansas. We were this close, this close in the United States to have permanent Daylight Saving Time. In fact, even the president said that changing the clocks is quote and he said this, of course, on truth, social, a big inconvenience and for our government, all in caps, a very costly event. Yeah, you got all those people going around winding the climb. What do you mean? Anyway, there was a bill to fix this that could have passed in time to keep the change from happening. Last night, Sheldon, White House Democrat of Rhode island, you couldn't get farther left than Sheldon and farther right than. Tommy Tuberville, Republican of Alabama, called for the Senate to pass the bill on Tuesday, the Sunshine Protection Act. But Tom Cotton of Arkansas single handedly blocked it.

B (4:55)

There has been a bill like this every year. I'm gonna say every year for at least the last 10 years, maybe longer than, probably longer than that. And every year Americans get their hopes up and it never happens.

A (5:07)

It's not controversial. Well, you know, it's controversial. I think one of the reasons it stops is the controversy is, well, should we do Daylight Saving time or standard time? And it's about 50, 50. And that's probably part of the controversy. Cotton says if permanent Daylight Savings time becomes the law of the land, it will again make winter a dark and dismal time for millions of Americans. The sun wouldn't rise till after 8 or even 8:30 during the dead of winter in Arkansas. Try Alaska. It'll be like 10 in the morning before the sun comes up. I could, you know. Why isn't Alaska fighting this? I don't know. Anyway, the darkness of permanent savings time would be especially harmful for school children and working Americans. Another year lost.

C (5:54)

I think there is a. The biggest issue is kids waiting for the bus in the dark. Did we want to introduce Alex?

A (6:00)

Did I not introduce Alex? Son of a gun.

D (6:04)

I just. I'm just gonna hack my way in here at some point.

A (6:07)

Oh, sorry. God. I just. It's not that I didn't know you were here. I was just so upset about this. Alex Stamos is here. You know, we get Alex, like twice a year. I'm thrilled to have him on his newest job. He's the chief security officer@corridor.dev. very timely because corridor.dev is designed to protect people using AI to code.

D (6:33)

Yeah.

A (6:34)

The security layer for AI coding. You couldn't be more timely on this. We're going to talk a little bit about agentic browsers because more and more problems with them.

D (6:45)

Yeah.

A (6:46)

Alex Stamos's name, though, is legend. He. He founded the Stanford Internet Observatory, which is now, sad to say, defunct. But that was watching for disinformation. And of course, we know there's no disinformation, so you didn't really. We didn't need it. CSO @Facebook. Yahoo Zoom called him in to fix their problems during COVID He's legend in the business. Alex, it's so great to have you on the show. I appreciate it. Thank you for being here and congratulations on the relatively new gig.

D (7:20)

Yeah, just jumped a couple months ago. Seemed a lot more fun than being a CISO at a big public company. It's.

A (7:27)

Yeah, is. Is quarter. It's a startup, I would guess, right.

D (7:30)

Startup, like eight people right now. Started by two of my former Stanford students, actually.

A (7:34)

Oh, nice.

D (7:35)

I was. I was one of their first seed funders and they seem to be having a lot more fun than I was, you know, cing at a public company, so decided to make the jump.

A (7:45)

You don't have all those pesky shareholders to think about. Just do your job.

D (7:50)

Yeah. Sec 8Ks and.

A (7:53)

Yeah, yeah, yeah. Well, I'm sorry about the Stanford Internet Observatory. That's, again, another fine act of Congress.

D (8:02)

Yeah, well, yeah, because, I mean, our two big things are disinformation. We actually did a ton of work on online child safety and AI. And child safety Stuff that's totally true.

A (8:11)

We care about.

D (8:11)

Right? So gosh darn it.

A (8:15)

Well, that's probably a little more important than the clocks changing twice a year.

C (8:19)

So.

D (8:21)

This is also. People keep on bringing up the idea this would be the time for us to go to just two time zones in the US Just in East and west. Right. Get rid of Central and Mountain.

A (8:30)

Well, there are even people who say we should just go to UTC worldwide and forget about it. And you just figure out when the sun's up in your neck of the woods.

C (8:39)

Right.

A (8:39)

And schools could, you know, start at whatever 1400 UTC. Then we'd have the whole issue. But I guess that's a little. That's a bridge too far. It's really silly to be moving the clocks, but you know, you can't even.

C (8:52)

Use the metric system.

D (8:54)

I mean.

A (8:54)

I know, I know, I know. You know, it's funny, Alex, I was vibe coding this morning. I got up early because my, my, my biological clock thought it was 7am, but it was 6am So I thought, well, I got, for some free time I'll sit down with Claude code, clean up my Emacs configuration in time for a couple of coding challenges coming up this month and next. And three hours gone by and it did it, by the way. It's mind boggling what it did. I mean, I thought, oh, it's not going to really know Emacs. That's kind of obscure. It's not going to Common Lisp because that's what I code in. No, it's great. In fact, the older the language probably the better, right?

D (9:37)

I mean, what it needs is lots of examples. And there's tons of examples of people have their Emacs configs out there. There's lots of Lisp, I think structure and interpretation. Computer programs. You know the famous computer program. That's what I learned. CS61A, I think that's actually completely open source. So it's been trained on the whole.

A (9:54)

That's right. And how to design programs, which is racket, but it's similar. Both are Scheme.

C (9:59)

Yeah.

A (9:59)

Which are lisps. Yeah, I mean, that's what got me into Common Lisp. I followed that path. And scheme was a little restrictive, but Common Lisp, you know, it's as old as I am. I like a language, it's as old as I am. Anyway, enough of that. But vibe coding is amazing.

D (10:20)

It is.

A (10:20)

And it's just mind boggling what I use Claude code, but Codex from OpenAI cursor. I mean, there's so many of these tools now lovable. And I think companies more and more. Is there a risk to companies adopting Vibe coding? I mean, it does seem like.

D (10:39)

You.

A (10:39)

Kind of risk not really understanding what the AI has done.

D (10:43)

So first off, I think we have to separate these two things. There's two totally different uses. Right. So there's the Vibe coding, which is like amateurs using these tools to do fun things, to do amateur projects.

A (10:55)

Me, hobbyists.

D (10:56)

Yes. Right. And that's great. I mean, I think this is actually a wonderful thing. Over the next couple of years, we're going to see really positive impacts from normal people being able to use computers for the first time ever as they really should be used. Right. Like it used to be if you were just a normie and you had to parse through, you know, megabytes and megabytes of data, you had to either have a data scientist or you had to, you know, get it in Excel and try to, you know, work your way through it. And now you can go into cloud code and it will, if it can't load it into its, into its own context window, it will write Python to do it for you. Right.

A (11:33)

Like, yeah, that's what it does.

D (11:34)

Yeah, yeah. That's the kind of thing that, you know, a lot CS folks took for granted and now billions of people have access to that level of capability over the next couple of years. That's amazing. That's a positive thing. That is different than software. Professional software engineers utilizing AI enabled tools to help them speed up, which is also a really positive thing, but does have some interesting challenges. And that's what we're doing at quarter is basically building the frameworks that if you're a bank, if you're an aerospace company, if you have to live up to existing frameworks, to privacy rules, to safety and security rules, these tools are really cool, but they don't understand those things. They don't understand architecture very well and they certainly don't understand the rules we've had to live before. They make things really fast, but they're still human beings who will go to jail if you break those rules. Right.

A (12:27)

So you want to customers whose Social Security numbers will be leaked.

C (12:32)

There was actually, I'm sure Alex, you saw it. Jenn Easterly wrote something in, I think it was Foreign affairs, maybe she had a really good article or op ed about basically Vibe coding allowing for better cybersecurity on the development side because it'll be cheap and easy. And that's what you need to embed security into things. Because people don't really pay for it. So I don't know.

D (12:59)

Yeah, I think it cuts both ways.

C (13:01)

I think exactly.

D (13:02)

The AI tools are going to make fewer of the individual mistakes, but we're also ending up with adversaries being able to find bugs faster. I think we're going to talk about that in some of our stories.

A (13:13)

Yes, yes.

D (13:16)

Also, the other crazy thing is adversaries are using Vibe coding tools as well. That's actually been a big change the last 6 months. If you look at both OpenAI anthropic have threat intel reports. It's kind of a model they took from the big social media companies of these quarterly Threat intel reports. This is how we see people abusing our platforms. And they've always said folks have done spear phishing and spam and this kind of stuff in the last six months. These reports have really changed that. Now all of the steps of the traditional intrusion kill chain are now being automated on top of OpenAI and Anthropic, including tool creation, exploit creation and such. And this is a big deal because one of the dirty little secrets of the attacker world is traditionally only a relatively small number of adversary teams have had the ability to do true O day creation and exploit development. Right. You've got obviously the five eyes, the US and our Anglophone allies, the France and Germany, a couple of the European countries, Israel obviously Russia, China, some of the best Iranian groups. Most of the Iranian groups don't do. Right. Like, they get away with like really good password sprays and social engineering and such. India and Pakistan do terrible things to each other, mostly without O day and with. Without new exploits.

A (14:29)

You're saying, oh, day. You mean zero day.

D (14:32)

Zero day. Right. Like without actually creating new exploits or new vulnerabilities.

A (14:36)

I'm sure in your. In your. In your group. I'm sure O day. I just want to make sure everybody understands because I've always called a zero day. And.

D (14:43)

Yeah, sorry.

A (14:44)

No, no, no. If I'm going to call it O day from now on, if Alex Stamos calls it O day, it's O day.

D (14:49)

Zero day. I'm sorry, but like, meaning like, I.

C (14:52)

Had that same issue.

D (14:53)

Leo. My. My apologies.

A (14:56)

I was thinking od. Is this. Is this a. I'm still thinking about the cringe thing over here.

D (15:03)

Right. ODE is not the SI unit. My apologies. Of exploitation. But yeah. So very few adversaries have ever actually been able to do that. And with Vibe coding, which will mostly not be an open anthropic, it's mostly going to be open source tools that are specifically retuned for this and you actually find some of this stuff. If you go to hugging phase, people have built models, open source models specifically do things like write exploit code. That is how people build these exploits going forward. And that's.

A (15:35)

Can they innovate or is it just rehashing existing exploit code?

D (15:40)

It's rehashing, but that's good enough. Right. If you use these tools and you take some off the shelf open source thing that's super widely used and you scan through it and you find a use after free bug. Use after free is use after free, right? AMD 64's AMD 64. And so if you use something that's been trained on 5000AMD 64 exploits in the past, then knows where to look. Yeah, exactly.

A (16:06)

That's, that's really interesting. Would you. It, is it your, I mean, script kitties have always been a problem. These are people who don't have the skills perhaps to create good hacking tools, but can use other people's hacking tools. Is it your sense that if somebody's good enough to write these tools from scratch, they're less likely to be evil? And, and, and so making it accessible to script kiddies makes it worse, or is that just a nutty premise?

D (16:31)

Well, it's, I mean, even among the adversaries who've had this capability, very few of them have. Right?

A (16:38)

Yeah. So you're making it more widespread. I mean, that's bad enough all by itself.

D (16:43)

You look at the Russian adversaries, right? You've got the difference in quality between the top hacking teams at the SVR versus the not as good hacking teams at the GRU versus the monetarily focused ransomware teams is humongous. Right. The people who did the SolarWinds hack, they built a custom in kernel Windows rootkit which swapped out SolarWinds source code in memory. It swapped out the page in memory without touching disk. It decrypted it swapped it out just for the moment it was compiled and linked and then swapped it back in.

A (17:20)

Oh my God.

D (17:21)

Not try to create a trace on disk. So I got to work on the investigation and the response at Sorwin's.

C (17:26)

Right.

D (17:26)

This is the first project Chris Krebs and I did for a consulting firm and they did an incredibly good job because they have probably the best, you know, engineers who work on hacking in Russia working for them. That is a completely svr, right?

A (17:41)

Yes.

D (17:41)

So it's the worst than the GRU svr. Much worse. I mean, much, much more capable than the.

A (17:47)

This is the government. This is the Russian government, basically.

D (17:50)

Yeah. SVR is part of. When the KGB split up, the Foreign Intelligence Service component of the KGB became the svr. The domestic and kind of near abroad part became the fsb. No, GRU has always been gru. GRBU is military intelligence. So they're part of.

C (18:08)

They're the thugs, right?

D (18:10)

They're the thugs, yes. And so the gru, when they break in, they don't, mind you, they're the ones who literally, like, will break in people's apartments and then like leave a crap in the toilet. So they're there, like, they do stuff like that.

A (18:20)

So if you're going to be thrown out of a window. So it's probably the GRU or fsb.

D (18:25)

Right. FSB is like the KGB part that, like, terrorized Russian, but if your memory.

A (18:29)

Is going to be swapped in vitro, that's going to be the svr.

D (18:33)

Yeah. Right. Because what, they never want to get sophisticated. Yes.

C (18:37)

Ah.

A (18:37)

They don't want to get caught.

D (18:39)

Yes. It's quite different. And so my fear with all the AI tools is that it's kind of, you know how like the Premier League, you can get sent down, you can go back up. Right. If you do well, that everybody's going to step up to the next league with AI tools. Right. And. And that's going to be really terrifying. So on the defensive side, we all have to do the same thing. We all have to take a step up because the attackers are all going to be able to go to the next league up with the kinds of things that they're going to be able to build that they. They've never been able to build before.

A (19:06)

So, Jen Easterly, former director of cisa, and you're right, Stacey was Foreign affairs, great read, a great reference. She wrote an article, says, the end of cyber security, America's digital defenses are failing. And this is primarily because of the effectiveness of these AI coding.

C (19:26)

It's because. No, it's because we don't invest in security vulnerability.

A (19:30)

Yeah. Because we've basically shut CISO down. Yeah, CISO down. Yeah. But AI can save them, she says. So what's the good news?

C (19:39)

Well, the good news is that because firms don't invest in cyber security until they have to. Right. And we don't have a really great regime for forcing that. Her argument is that we can use AI to make it easier to build secure software. She also makes the same point that Alex made, which is we have to do it anyway because everybody's going to use AI to attack us.

A (20:06)

Yeah.

C (20:06)

So we should be leveling up anyway and AI will just help us level up. But she's making kind of an economic argument here, which is that it will be cheaper and easier, presumably to build more secure software.

A (20:19)

Cheaper is always, you know, more likely to happen, sad to say. She says AI systems can autonomously find and patch software flaws. Has that been your experience, Alex? Is that the case?

D (20:31)

It is to a certain extent. I mean, they certainly can find it. Patching is a little bit harder. But the. I think for the first time ever, we're in a place where it is economical to refactor code. And we're getting to the point where it's becoming more economical to actually refactor large amounts of code than to just fix bugs. That we might get to a place where rewriting your old C code to be on a new C21 with a secure templating library is better than trying to find all the memory management problems. Or we're not quite there yet, but in a couple years, converting your C code to Rust is actually going to be economical. That was insane two years ago, right? That would have cost. It would have been cheaper just to rebuild from scratch.

A (21:17)

It's not automated, though. You still need engineers to supervise.

D (21:20)

Yes, to supervise. Yeah, but like, the amount of code they're writing, I mean, human engineers are basically becoming really technical product managers, right? They're doing architecture, they're doing design. Again, the coding tools are quite bad at architecture. The only one that does a reasonably good job here is Amazon Hero, which is still in beta, which is an IDE based coding tool that makes you do a prd, it makes you do an architecture, it makes you write tests. So it forces you through the steps that you have to do as a professional engineer. The rest of them, like cloud code. You say, I want to build an incredibly complicated client server architecture that is going to take 17 different components on AWS. It's like, yep, let's get going. You're like, no, no, no, wait, wait, wait.

A (22:07)

And you see the code scrolling off the screen.

D (22:10)

Yeah, yeah, yeah. It just goes, right? And so I think that's, I mean that's like part of our thesis at Corridor is like, hey, we got to build frameworks around these things. If you're an enterprise. And to their credit, OpenAI and Anthropic in particular, and Cursor understand this, right? Like Cursor in particular is a company that's like trying to target enterprises. It's quite different than like Lovable and Vercel where they're building Stacks that are in particular targeted for the hobbyist consumer and to make it easy for them. So I think you're going to see more bifurcation quantum code get stuck in the middle.

A (22:47)

Even Claude has started, Claud code has started to say things like, you know, it'd be good if you, if you made a little to do list here and if you did some things, set some structure around it instead of letting me just go like crazy. Although you can still hit Shift tab. You can still hit Shift tab and let it just go. Which I did this morning, I must say.

D (23:03)

Right. I think what you're going to have is professional engineers are not going to use the clis. They're going to use a tool like Cursor and then Cursor is going to use, you know, sonnet 4.5. They'll use anthropics models. But you'll be using it through a professional tool that forces you through some kind of engineering plan.

A (23:21)

Well, I didn't anticipate getting in this, but you know what? When Alex Samos is in the house, I think it's pretty important we do no. And it does segue into the next story which we're going to get to in a minute, which is Amazon firing 30,000 people. Did they do it because of AI? Well, maybe, maybe not. Not exactly. We'll talk about that in just a bit. Jill Duffy is here. She's spending the morning with us. So nice to have you. I hope you have a nice cup of tea.

B (23:47)

Thank you. I have some strong coffee. Yes, I do.

A (23:50)

That's. What is this? Vigilante. I like your mug, it says vigilante.

B (23:53)

Oh, this is a great roastery in Maryland.

A (23:56)

Nice. What a good name.

B (23:58)

Makes coffee. Yeah, you know, it's the lead roaster's.

A (24:01)

Last name and it's got the evolution of coffee drinkers on the back, which I like.

B (24:08)

Early man age coffee drinkers.

A (24:11)

It looks like fisherman. Oh no, Spear carrying to coffee drinks.

D (24:14)

That's good.

A (24:14)

Yeah, yeah, I like it. Vigilante. Good. I'm going to try some. Nice to have you, Jill. Alex Stamos is also here. His new company, corridor.dev helps devs do it securely so you're in the right place at the right time. And Stacy Higginbotham from Consumer Reports where she's a policy fellow. It's great to have all three of you. We will get back to the news in just a second but first a word from our sponsor. Our show today brought to you by ZipRecruiter. We use ZipRecruiter what if you could consistently find whatever it is you're looking for right away? We're talking about everything from parking spots to something on my mind right now. Holiday gifts, jackets or jeans that fit perfectly. Imagine how much time you would save. Well, you may never instantly find those things, but if you're hiring, you can find qualified candidates right away time and time again with ZipRecruiter. And today you could try it for free at ZipRecruiter.com TWIT this is their secret sauce. ZipRecruiter's powerful matching technology works fast to find top talent. With ZipRecruiter's advanced resume database, you can unlock top candidates contact info instantly. No wonder ZipRecruiter is the number one rated hiring site based on G2. If you want to know right away how many qualified candidates are in your area, look no farther than ZipRecruiter. Four out of five employers who post on ZipRecruiter get a quality candidate within the first day. Right now you can try it for free. Ziprecruiter.com TWIT Again, that's ziprecruiter.com TWDzipRecruiter the smartest way to hire. I'm glad some people are hiring, because some people are firing. Amazon, according to Reuters, is preparing to fire as many as 30,000 corporate jobs starting Tuesday. Now they have one and a half million employees, but that's, that's almost 10% total. And Amazon says it's, it's not because of money, it's because of. And this, this is the quote, culture, according to cnn. This is from Andy Jassy, CEO. It's not really financially driven, not even really AI driven. Not right now. It's culture. Amazon added headcount, of course, in recent years. A lot of companies did. Jassy says, quote, you end up with a lot more people than what you had before. He's so folksy, that Andy Jassy. And you end up with a lot more layers sometimes without realizing that you can weaken the ownership of the people that you have who are doing the actual work. Okay, I know it's not AI Although, you know, a lot of tech companies are kind of claiming, oh yeah, we're replacing people with AI. I think the truth is maybe a little closer to the fact, yes, AI is very, very expensive and our burn rate is insane. Buying all those Nvidia GPUs, and how are we going to fund that? What if we fire 30,000 people? Would that help? Does that make sense? If you look at the quarterly. Yes. If you look at the quarterly results, yes. Thank you for that. Affirmative.

C (27:42)

It's like. Are you. Are you waiting for your comment?

A (27:44)

Sure, yeah. Just jump right in anytime. I will talk until somebody else says something. That's an old radio habit. I don't know. Dead air on this show. No dead air. Go ahead, Stacy.

B (27:56)

You know, I'm old.

C (27:57)

I've been through a couple downturns. And what we're seeing is everybody prepping for things to get tight. And I will say that if you can get rid of people, it's not. I mean, sure, it's easy to be like, oh, it's AI. But they're also slowing down on their hiring front. If you can get rid of some expensive workers, great. So I think this is part of the beginning of a hunker down kind of mentality. And I think we're seeing it across the board. I mean, we're seeing it in other firms, not just tech.

A (28:25)

Microsoft did it last quarter after a record profitable quarter. They fired a bunch of people, which looked kind of unseemly. Alphabet, which announced its quarterly results this week. Unbelievable revenue. Over $100 billion in revenue for one quarter. That's a growth in the cloud of 34%. Their profits are phenomenal. Amazon's very similar. I mean, everybody. The tech sector is doing pretty well right now.

C (29:01)

Yeah, I mean, we're seeing it. I mean, UPS announced layoffs, Target announced layoffs right ahead of Christmas. I mean, this is. I mean, it's not good news.

A (29:11)

Yeah. I mean, I. That's the other thing. And you know, when we talk about this stuff, I sometimes I forget to say, this is terrible for the people who get laid off. That's 30,000 people who will have a terrible Christmas.

C (29:23)

It's only 14 so far.

A (29:25)

So far.

D (29:26)

Right. It's still a lot.

A (29:29)

Only 14.

C (29:30)

Being in Seattle is pretty grim right now.

A (29:32)

I bet it is. I bet it is.

D (29:35)

So, I mean, you talk about it's not financials, but you look at their results, and their operating income's great. Right. So, I mean, if you look at aws, their net income went. It technically held steady, but that's with them taking two charges. Right. They had an FTC settlement and they took a severance charge as part of this. Right. 1.8 billion. So those two things. Their quarterly income for AWS was up to 21 billion from 14 billion quarterly. But what's interesting, free cash flow is down to 14 billion, and that's down from 47 billion. Trailing 12 months. So that is a huge difference. And he points out that's driven from a year over year increase of 50 billion for property. So they have been massively investing in AWS and that has taken up a ton of their free cash flow. That doesn't hit their net income because they amortize that. Right. That's capex that gets amortized over the depreciation schedule of that stuff. So I think it might be they are reading the tea leaves like Stacy said, on a downturn, Amazon has more data than probably any other organization other than maybe JPMorgan Chase on the position of our economy. Right. Like they see all consumer sentiment, they see all business sentiment via aws and they are more exposed than any other organization to both the business world and the consumer world. Right. And so if there's a downturn and they have been spending $50 billion, 60 billion of their free cash flow just on increase in capex, then it's not a crazy thing for them to start to tight early.

A (31:22)

What about Meta?

C (31:23)

Interesting to look at actually. So Azure, Microsoft, Amazon and Google. Google, sorry, it was like the other.

A (31:33)

One, the big three cloud data because.

C (31:35)

They have the CapEx. It's a really good point, especially with the costs of Nvidia chips looking at that versus companies that are buying that from them. Because that was the beauty of the cloud is it switched all of your original CapEx to OpEx. So I wonder if there should be like a new classification for some of these companies just for this particular element. I like that subtlety.

A (31:56)

And you know who's doing great. Nvidia crossed the $4 trillion valuation mark this week.

D (32:03)

Yeah. Does that mean that that $50 billion charge goes straight to Nvidia?

A (32:07)

It's all Nvidia.

C (32:08)

I'm sure there's some Amazon, Amazon, AMD in there.

A (32:11)

Well, everybody's working as fast, Amazon, Google and everybody else to create chips because they don't want to spend all this money with Nvidia. But Nvidia is in the catbird seat right now.

D (32:21)

Yeah. Although they do talk about their number one bullet of like for strong highlights is continued strong adoption of their custom AI chip. So they are talking very aggressively about.

A (32:31)

How they're looking to Samsung. Everybody, everybody's working hard. Yeah. Google's got the TPUs so they don't have to worry quite so much, but.

C (32:39)

Right.

D (32:39)

And they highlight that Anthropic is doing trained a lot of their new models on Amazon's custom chips. So a lot of that was not on.

A (32:46)

That is one of the issues, isn't it? Nvidia has a proprietary system, cuda, which no one else can duplicate because it's proprietary. And a lot of this stuff is based on cuda. Right. It needs cuda.

D (33:00)

No, I mean, you can. You can. You could build on other libraries. I mean, yes, for consumers, it's a little bit of logic, but if you. If you're anthropic, that's not a lock in.

A (33:11)

Okay. If you're big enough, you don't care.

D (33:14)

Yes.

A (33:14)

Yeah. Now, Meta, I think mark Zuckerberg lost $29 billion or something last week because Meta's stock tanked because they had a $16 billion tax income tax charge. But I think the market's also a little jumpy because Mark's been spending like crazy on AI, bringing in, paying as much as a billion dollars for talent.

C (33:42)

Well, how many times can Mark be wrong and. Or late and acquire his way to success? And I'm not being.

A (33:48)

No, that's a good question. That's what the market's asking, isn't it?

B (33:55)

There was a great story in the Atlantic that I really liked that sort of zoomed out and said, how is the AI bubble going to crash?

A (34:04)

Charlie Wurtzel. Yeah, that's.

D (34:06)

Yeah, yeah.

B (34:07)

And Matteo Wong, I think, was the other writer on the story.

A (34:10)

Yeah, yeah.

B (34:11)

Matteo Wong.

A (34:11)

Here's how the AI crash happens.

C (34:14)

Yeah.

B (34:14)

And it was just. It explains it reasonably simply, but reminded me that nothing financial in the United States is ever simple. Money is moved around, sort of what you all were saying, you know, what's amortized, whatever. But, you know, so much of this money right now is going into real estate and building out these huge server farms for AI. So when you are acquiring real estate that the Atlantic article poses, they're not really interested in taking on debt to get that land and to build. So they're selling. Instead of taking traditional loans, they're looking to essentially package up the money they need and get it from.

C (35:04)

Oh, this is the securitization of the data center loans. Yes, the data center contracts by the tech companies.

B (35:12)

Right. So they're going to private investment.

A (35:13)

We work at a business.

B (35:17)

If they're going to private investment.

A (35:19)

Am I too simple on this?

B (35:21)

Everything is sort of being packaged and sold in ways that makes it harder to trace, harder to figure out who owes money to who. How much debt do they actually have?

A (35:29)

And there's a lot of this circular stuff that Nvidia's giving a billion dollars to a company so they'll buy a billion dollars worth of. Of Nvidia chips, things like this, it's very confusing.

C (35:37)

Well, there's. Okay, so there's a bunch of stuff at play there.

A (35:41)

That's the, that's the opex versus Capex, right? No, so, okay, I'm going to shut up now and let people.

C (35:52)

So securitization, which is what this is this the securitization article. Okay. That is when you do a deal, like an extended financial deal and then you, you slice it up into little slices and then.

A (36:05)

Oh, like Red Lobster.

C (36:07)

It is exactly what caused the mortgage bubble in 2008 right here.

A (36:11)

Oh dear.

C (36:12)

As a former bond reporter, this is like, this was my.

A (36:16)

Oh dear. So it's so, so okay, so what happens?

C (36:20)

So what?

A (36:21)

So we are in a bubble is what you're saying. This is a bubble.

C (36:23)

Well, it's not transparent. So the issue is there's a lot of insider. So if we sum up the whole thing, there's a lot of insider dealing that people don't necess understand. And it's not transparent either to like the media or people watching investors, but even also within like the securities in banking world. So there's a lot of, I would call it financial chicanery or shenanigans. Yeah. But it is actually legal, so I'm not sure.

A (36:50)

It's not illegal chicanery. It's legal chicanery.

C (36:53)

I'm like, I'm like. So I don't know if that's actually, if I were writing an article. I don't know if I could use those words.

A (36:57)

Wong and Warzel say the US is a burgeoning AI state and in particular an Nvidia state number keeps going up, which is buoying the markets. In the short term that's good, but it's precarious. And I think there are a lot of people. I, you know, my, I'm, I'm at retirement age. My IRA is, you know, heavy heavily in US equities. Everybody's a little worried about a bubble or a crash. But we just spent half an hour talking about how valuable AI is and how transformative it is to businesses and coding and security and so many areas. In fact, the chairman of the, the Fed said this isn't exactly a bubble because there's value being created.

B (37:47)

I mean, I would ask where is the value? Where is it right now?

C (37:52)

Yeah, we're throwing out AI, we're hyping it up to be this economic powerhouse, which I think it absolutely could be eventually. So it's not like a tulip bubble where there's no underlying value except for like Flowers are good. It's more like a railway or the very early days of, I don't know, oil.

A (38:11)

That's what Jeff Bezos said. It's not a financial bubble, it's a, it's a, it's an industrial bubble. So what happens with industrial bubbles like railways or the dot com bubble is you get infrastructure which survives the bankruptcy of a number of companies. And the infrastructure is of value.

C (38:27)

Except we have fundamentally changed our definition. We have changed how long our infrastructure can last because this infrastructure is built on a, a chip that has an 18 month life. Right. If you're really lucky. So we have to think about like if you're doing your financials and you're thinking I'm going to amortize this over 18 months versus I'm going to amortize it over computers have, what is it, a depreciation schedule of like five years.

A (38:57)

Yeah, well in reality it's probably like that, but yeah.

C (39:01)

So I don't, and I don't know where we are on like our accounting yet for accounting for this, but. So we're basically saying, so it's like figuring out what we can do with like oil and gas or even electricity. Right? Like we've got to build all this infrastructure in place, but the infrastructure is not as long lived, so we have to have different financial tables and account for it and value it differently. We aren't.

A (39:24)

So, so what you're saying is, to paraphrase Terminator 2, we are in uncharted territory, making up history as we go along. Is that what you're saying?

C (39:35)

It's charted. We're just using the wrong, like depreciation.

A (39:38)

The wrong chart, our maps don't match the land mass that we' are actually traveling. Is that what you're saying?

C (39:45)

No, I might not.

A (39:47)

Jerome Powell says. Jerome Powell, chairman of the Fed says unlike the dotcom boom, AI spending is in a bubble. I mean his proof of this is I can't name names, but some of these companies have earnings he did this in.

C (40:03)

So okay, think about, think about akamai in the 1999 Akamai. Think about building out the telecommunications infrastructure for the underlying Internet way back in.

A (40:13)

The late 90s, right before the dot com crash.

C (40:17)

And all of that eventually became super valuable. Right? We were not wrong.

A (40:22)

There's a lot of dark valuable. Yeah.

C (40:24)

But one of the reasons it became so valuable is because the financial and the bubble aspects of it became untenable and we got bankruptcy for a lot of these companies and it wiped out all of their debt. Right now we have a different financial structure. This isn't necessarily debt funded. This is venture capital funded, which is a little different. But anyway, we're basically. We're spending money too fast on this and we're. We're putting too much money too quickly in it, or we're not accounting for the actual. How. Never mind. I.

A (40:58)

Let me quote Wong from that Atlantic. Let me quote Wong and Wurzel from that Atlantic. If you really want Dystopia from that Atlantic article that Jill gave us, listen to the AI crowd talk. Enough. You'll get a sense. We may be on the cusp of an infrastructure boom, and yet something strange is happening to the economy. Even as tech stocks have skyrocketed since 2022, the company's share of net profits from S&P 500 companies has hardly budged. Job openings have fallen despite a roaring stock market. 22 states are in or near a recession. And despite data centers propping up the construction industry, US manufacturing is in decline. They say AI is drowning out, is obscuring the wobbling American economy.

D (41:46)

Yeah, I think AI can have value. Part of the problem here is there's a handful of AI skeptics for whom their skepticism has become their entire personality and their entire brand.

A (41:59)

And we know who they are. Yes.

D (42:00)

Yeah. And I'm not going to say the name because they have followers who.

A (42:03)

We know who they are because we've had them on our shows.

D (42:06)

Okay. Yeah. Some of these people, their followers will send you death threats and stuff like.

A (42:10)

Yeah, no, they're very. Yeah, yeah.

D (42:12)

And so, like, they make it hard to talk about this because if you're not fully in their camp, you're. You're a mush. And then they also make any kind of AI skepticism seem like you're a Luddite. Right, Right. And AI, from my perspective, AI is incredibly valuable. I use it every day in a variety of ways. And I think these companies will make a bunch of revenue. But there's a bunch of ways this can still be a bubble. 1. If the real economy is hollowing out. Right. The way the AI companies will make money is from the real economy giving them money to do things. So if State Farm and Walmart and every consumer products company, the Procter and Gambles and Boeing and all of these folks are losing money, then they will not have as much economic flow. They will not have as much free cash flow to take. Shave money off the top to send it to the AI.

C (43:05)

Right.

D (43:06)

So if we end up because of a confluence of issues, including tariffs, the business Cycle a bunch of other things, hollow out the real economy, then we can be in a bubble no matter what's going on with the AI companies. Second, I think even if things were going great, you can have this bizarre financialization that Stacy's talking about. I saw this personally of like a friend of mine got in on one of these deals and then offered for me to invest in a data center. And I didn't do it because in the end I do some seed investing in companies. Every once in a while I know what I'm buying. I'm buying stock in a company or I'm getting a safe, which is debt that can turn into stock. I had no idea what I was buying, what my money was being turned into.

A (43:49)

It's like bitcoin. It's like NFTs.

D (43:51)

Oh, at least in Bitcoin I know I'm getting some kind of bs.

C (43:56)

You're getting the promise of a payment from a, from a bank that is getting a payment or a chunk of a payment from the data center company. But yes, it's. Right, but it was like repackaged.

D (44:07)

Yeah, but yeah, and it was like a contract with an entity with another entity and there's like five entities with made up names. And you're like, this is so spectacularly sketchy. I'm going nowhere near this. Right. Like. And so it screamed financial bubble to me. Right. Like. And so everything could be going great, even if the economy is going great. That could be insane that you have like this crazy financialization where you have the AIG mortgage issue stuff going on. Now like Stacy said, we're not talking about banks here. You're talking about like hedge funds and VCs and a bunch.

A (44:38)

Yeah, who cares if they go belly up? Right?

D (44:40)

Yeah, but like it's still, who knows, like that's what people said about aig. Right?

C (44:45)

You do care because they're all over the economy and if they go, they're going to start sell. I mean that's a. You do not want them to start selling all their debt.

D (44:54)

And then I think there's a third way. This could be an interesting bubble, which is with the railroads. Like we laid all this infrastructure like there was no situation in which all of a sudden the railroad tracks themselves were not going to be useful or the engines. Like when all this railroad track was being laid in the mid 19th century, we were not going to have all of a sudden like diesel electrics were going to be invented like 1865 or something. 1870.

A (45:21)

Right, right.

D (45:22)

But we're in these Revolutions Stacy talked about like 18 month chips. Like, I mean, I think, you know, the depreciation on these things, that you can use them more and stuff. But like, you know, all this money is going. For example, I just gave this talk, I gave a talk at Vercel and I gave a different talk at like Infosec World. But in both cases I talked about like Gary Marcus at MIT talks about this a lot. Like we, you know, if you think about what AI is, AI is studying computer science of making computers act like humans. Within that you have machine learning, right? Which is getting computers to learn from data. And within that you have reinforcement. And within that you have LLMs. And that is LLMs are like a tiny little bubble of these concentric circles of which AI is a huge circle. And all the money is going to LLMs because it's the first thing that people are like, oh, this is actually useful. Yeah.

A (46:13)

Marcus has said that's a mistake. Because we're spending so much on LLMs, we're not paying attention to other systems that might be.

C (46:20)

Yes, they're so fundamentally limited. We just like them because they look like us. That is all it is.

D (46:26)

And so there's all this cool other research, right? People are building these models that are much smaller, that are much better at solving real interesting problems. They can't write poetry, but they solve useful things. And so I think. But we also could have technological breakthroughs that either make LLMs much more efficient and therefore massively change the economics of all this, or that replace LLMs for certain use cases and then invalidate a bunch of this spend. I mean there's all kinds of stuff that's unpredictable that could happen in the next five years and then that could blow up parts of the stuff. So that wouldn't be like an overall bubble, but that could create micro bubbles or, you know, partial bubbles and cause all kinds of churn. And overall it'd be great because we'd be having a new efficiency. But that could absolutely kill one of these companies that looks absolutely dominant right now. And in the long run it would be great. In the short term it caused lots of damage. And so I think it's crazy to have. It's also. All of us have decided it was good to put all of our money in the S and P, but the way that The S&P 500 allows these companies to expand, I think somebody at Standard and Poor needs to get slapped.

A (47:41)

Richard Campbell told me there is AN S&P 500 minus the Magnificent Seven, there's a EFT that has. It's like 493. And I guess that might be a good investment. I don't know. I'm not an investment expert and I don't know what to do because, yes, it's overvalued. AI is highly overvalued. Even in something as supposedly as diversified as the s and P500, if you're.

D (48:06)

Going to call it an index and you're going to say there's 500 companies, then you should not allow seven of the companies to be 50% of the 500 or whatever. Right. Like, I think there is this crazy thing is like, as the companies get bigger, we cannot. This index investing has gone too far.

A (48:24)

Don't tell me that that's the only way I can invest because I can't buy individual stuff, stocks.

D (48:29)

Yeah.

B (48:29)

I'm just. I'm just waiting for somebody to start using the term too big to fail about all of these seven tech companies. Because, I mean, they're all administration. Right. Like, why do you think they've donated so much money?

A (48:43)

Sure.

B (48:44)

So cozy with the president. Like, they, they need not just laws and legislation on their side, but I. I have a feeling that they meet, they may in the near future need some help making regulation problems go away or investment.

A (49:02)

Are they too big to fail in that respect? Can they be bailed out like the banks?

B (49:06)

Yeah, well, that's kind of what I mean. I mean, if you have 56% of the S&P riding on these seven companies, how can you let any one of them fail?

A (49:18)

Well, thank goodness the president is a businessman. Oh, never mind.

D (49:23)

He knows the art of the deal, Leo.

A (49:25)

He knows the art of the deal. I'll grant you that.

D (49:30)

There is an.

C (49:31)

Argument to be made that they're too big to fail on the actual infrastructure front, as we saw with, like, all.

A (49:37)

These networks, operations centers that are being built. This is.

C (49:39)

Although does anyone else remember when AWS E or the Eastern.

D (49:45)

The one US east one. Yeah.

C (49:47)

USC thing. I was like, that used to go down all the time. I mean, I. I remember when Adrian Cockroft was doing his, you know, chaos monkeys, and that's. That's why that came around. So I actually think we're really amazing. But it is too big to fail from that perspective.

A (50:02)

Yeah. It's amazing how many people were dependent on AWS East.

D (50:07)

That was a big deal all the time.

A (50:09)

We learned a lot.

D (50:10)

Going down at the same time was a big deal.

A (50:11)

Yeah, we learned a lot happened. Yeah, yeah.

B (50:16)

But financially, too. I mean, like, Leo, like you were saying, you Know, your, your retirement accounts are completely vested in these companies.

A (50:24)

I'm terrified.

B (50:25)

If we have just this massive number of baby boomers who are starting to collect on their retirement and, and that, that money collapses, that value collapses. Are we gonna, is the government gonna allow that to happen? Is there gonna be some rectification there?

A (50:41)

Yeah, because we baby boomers vote.

C (50:42)

Don't forget, they can sell their houses. They'll be fine.

A (50:45)

Oh, that's right.

B (50:46)

All their houses.

A (50:47)

All our houses, we'll just sell them. Yeah, no, it's a, it's a, it's a scary time because if you look at the s and P500 for the last 10 years, boy, that was a good thing to buy into.

B (51:01)

You know, in the financial news world, everything I keep hearing is the K shaped economy. K shaped economy, which is, you know, the people who are doing well, it's going up, up, up. For the people who are not doing well, it's going down.

A (51:11)

Right.

B (51:13)

Is that just not the story of America?

A (51:15)

Yeah. And income inequality is really on a fast track.

B (51:21)

You're going to sell your houses, but to whom? Who's going to buy houses?

A (51:23)

Yeah, well, that's the point. You know, if you fire everybody to make money for AI, who's going to buy your sky? You're making.

B (51:32)

Who's going to buy your stuff?

A (51:33)

Yeah.

B (51:34)

The other story, I mean, not to get too much into financial news and the economy, but, you know, the other one I keep hearing about is the birth rate.

C (51:40)

Right.

B (51:41)

So the birth rate is low. People are not having enough children. Big, big problem in South Korea. But it's starting to be in China again.

A (51:48)

In China.

B (51:49)

In China, yeah. But in the United States now, so the average birth rate for women is a little over two children.

A (51:58)

But once it goes under two, that's.

B (52:01)

Well, it's already a little too low. So it's a little too low for the economy. Right. Like, it's not a problem for anything but the economy. It's not necessarily a bad thing for the environment, for keeping the human race alive. Like, it's fine for most things. It's a problem for the economy. And it's because we want our economy to keep growing. And like, that is just a fundamental problem that we're going to have to deal with at some point.

A (52:31)

We need to make more customers get to work.

C (52:33)

Our standard of living in addition to the economy. So I'm not by any stretch of the imagination, like, arguing that we all should be.

A (52:41)

So you have one kid?

C (52:43)

Yes. I am not contributing.

A (52:44)

Jill, how many kids do you have zero. Okay. Alex, how many kids do you have? Two. Three. I have two, but I have three wives, so the five of us only made three kids. So we're negative this whole panel. Even with Alex's overproduction.

D (53:02)

My wife and I did our part. She did the hard part. Obviously.

A (53:07)

You did the hard part. All right, I want to take a break on that note. I will talk about. Well, there's many other things to talk about, and we have such an excellent panel. No more financial talk because I don't know, you know, we're not a financial podcast, but this is kind of what has tech wrought in a big way.

D (53:27)

Have your ads started? Are you gonna start selling food and survivalist stuff? Yeah.

A (53:33)

Gold, baby, Gold.

D (53:36)

This is gonna turn into the. The same ads as, like.

A (53:39)

Yeah, as AM radio, as talk radio.

C (53:42)

Yep.

A (53:43)

Gold, baby. All right, let's take a break. We do have a fabulous panel and lots of good things to talk about. We'll get to those. The president actually is in Asia right now. He's apparently made a deal for TikTok. No one knows what it is, but we'll find out. Maybe we'll get to that in just a little bit. And the FCC has voted to make it easier for your ISP to rip you off. Isn't that good news? All that and more still to come. Alex Stamos is here. Always a pleasure to have him. From corridor.dev, our security guru, Stacey Higginbotham is here. We'll talk about the Neto vacuum cleaners in just a bit. Policy fellow at Consumer Reports. And Jill Duffy is also here. We could talk about EVs. What's your beat these days? You're doing PCMag and Wired.

B (54:35)

Yeah, I'm writing still about organization a little bit. I had some fun stuff recently about death. Death in organization.

A (54:43)

Yes. I want to talk about Swedish death cleaning. I believe you brought this up. Okay, we'll get to. It's not as bad as it sounds. I've actually been. I embarked on a little Swedish death cleaning myself because I am almost 70. I mean, it's time, right, to start. I don't want to dump all this on my kids. Anyway, we'll get to that uplifting topic in just a moment. This is this Week in Tech. Well, I'm glad you're here anyway. I hope you. Hope you feel the same way. Our show today, brought to you by Zschen Scaler, the world's largest cloud security platform. They could not be in a more timely position, as you can tell. AI you know, it's changing the world. The rewards for enterprise are too big to ignore. The risks for enterprise are also humongous. The loss of sensitive data and attacks against enterprise managed AI, generative AI increases the opportunities for threat actors we were just talking about. I can't remember if it was before the show or during the show, but helping threat actors rapidly create, you know, perfect phishing emails or write malicious code, automate data extraction. There were. This is, I mean these numbers are terrifying. 1.3 million instances of Social Security numbers leaked. And how were they leaked? Through AI applications, often by your employees who are using AI. Right. Chat, GPT and Microsoft Copilot alone saw nearly 3.2 million data violations. So there's all sorts of things to think about. This is time to think about your organization's safe use of public and private AI and perhaps to protect yourself against overachieving bad guys. Chad Pallet is acting CISO at BioIVT and he says Zscaler helped them reduce their cyber premiums. I was just looking at our cyber premiums. What a depressing number that is. They got theirs down 50% and doubled their coverage plus improved their controls. Take a look at this. We got a video from Chad.

D (56:56)

With Zscaler. As long as you've got Internet, you're good to go.

A (56:58)

A big part of the reason that we moved to a consolidated solution away.

D (57:02)

From sd, WAN and VPN is to eliminate that lateral operation opportunity that people.

A (57:07)

Had and that opportunity for misdirection or open access to the network. It also was an opportunity for us to maintain and provide our remote users.

D (57:18)

With a cafe style environment.

A (57:20)

With Zscaler Zero Trust plus AI you can safely adopt Genai and private AI to boost productivity across the business. Zscaler's Zero Trust architecture plus AI helps you reduce the risks of AI related data loss, protects against AI attacks because you know, zero trust is the way and guarantees greater productivity and compliance. Learn more@zscaler.com Security that's Zscaler.com Security we thank you so much Zscaler for supporting this week in tech. I have to say AI has been very, very good to us advertising, advertising wise. There's no question about that. So maybe, maybe we're the magnificent little Magnificent Seven. The baby Magnificent Seven. The benefactors of all this. US government is, has voted to tighten restrictions on Chinese tech companies deemed threats. This is from the FCC including. They're getting close to banning the number one. According to Wirecutter, the number one router and I know there's millions in the US TP links routers.

C (58:39)

Yeah, they've got like a 52% market share or something.

A (58:42)

52%. For years, Wirecutters said, you know, the TP link routers are the best. The Washington Post says a number of US government agencies are backing a mood by the Commerce Department to fully ban TP link routers. Now we've done this and I think understandably with things like Huawei networking gear and infrastructure gear, should we be worried about TP link routers? Alex, what's your take on this?

D (59:11)

So I think this is a hard one to justify for a ban. I mean, TP links have a really bad security history. They have lots of bugs and they get exploited a lot.

A (59:23)

But so does Microtik. So does so many. Consumer routers are awful.

D (59:29)

Consumer routers are awful. They don't, you know, this is why I usually push friends and family to Eeros and other ones that are both made by big companies, but are also Amazon. Amazon makes Eero and they're cloud connected and they auto update.

C (59:45)

Right.

D (59:45)

That's the thing about.

A (59:46)

That's the key, isn't it?

D (59:47)

Yeah, yeah.

A (59:48)

Because if there is a flaw, you want it to be owned by a company that cares enough to fix it and then you need the mechanism to do that without you checking because no one checks their router firmware. Is it up to date?

D (60:02)

I mean normal people will never log in again, right. They'll set it up once and they'll never touch it. I like the Euros too because then I can manage them remotely. Right. Over the.

A (60:11)

I set my mom up with Eero.

D (60:12)

Yeah.

A (60:13)

For that reason.

D (60:14)

But they're expensive, right?

A (60:15)

Yeah, they're very pricey. And so I use Ubiquiti. Here is Ubiquiti. Okay.

D (60:20)

I love Ubiquiti. That's what I have at home. But I mean that is prosumer slash. Yeah, that is SME gear.

A (60:25)

Like expensive. Yeah.

D (60:27)

And they're like, they're, they're great for if you have Cat 6 through your house or into your office.

A (60:34)

Right.

D (60:34)

But their mesh stuff isn't that great. Right. Like, so the ERO mesh works pretty well. Some people are saying, isn't it?

A (60:41)

Do you think it's the best or is Orbi? Orbi is another one that people.

D (60:44)

I think Orbi, I mean, I've heard Orbi's fine. So I just haven't used it myself. Some people were saying Asus, I like Asus stuff. Right. But I mean are famous for getting.

A (60:54)

Owned a version of ddwrt, which is an open source router firmware. So you're.

D (60:58)

But again if you're not updating it like anybody can have of a flaw but like unless I have not seen evidence, I mean there's a difference between like a TP link and a Huawei, right? Like the Huawei stuff is going into American core networks. It's going into you know, the Verizon's and the T mobiles and stuff like that. And you know we are coming out of the largest mass hacking incident that we stopped talking about.

C (61:30)

Right.

D (61:30)

Which was the Salt typhoon campaign.

A (61:31)

Oh my God.

D (61:32)

Against the US telecom industry.

A (61:34)

And they're still in there, right. We can't get rid of them.

D (61:38)

It is widely discussed that they are still in there. There was supposed to be an investigation by the csrb, the Cybersecurity Review Board which was unfortunately disbanded in the first month of the Trump administration. Security completely new the CSRB and it was never restaffed. And my understanding is the report they were going to put out was scathing like the, the one they did on Microsoft was extremely enlightening and it would have been great to get this. I saw a briefing from a CISO of a telecom company that is not an American telecom company. This is a closed door briefing. So I can't really speak about who it was but it was shocking.

A (62:22)

Well, the telecoms in the US say yeah, we could get rid of it. We'd have to swap out all our equipment and the entire telecom infrastructure be down for a few days. Is that okay?

D (62:32)

It's that, it's money basically. They never patch these devices, they never reboot these devices to a certain extent.

A (62:40)

Is it SS7 still a problem or.

D (62:43)

SS7 is definitely a problem. That is not the core problem here. A lot of the attacks here are IP level attacks. But SS7 is definitely a problem and causes a lot of the. You know every one of our mobile devices has an SS7 stack on it, right. So like when you send an SMS message that actually has SS7 framing. SS7 was never meant to be something that it was untrusted device.

A (63:06)

It was hacked years ago. I mean more than a decade ago. Right?

D (63:09)

Yeah, it's a problem. And, and SS7 causes all kinds of issues. That's why foreign adversaries can track Americans around the world is through SS7 signaling attacks and such. There's this home record location attack that actually some colleagues of mine demoed at Black Hat I think in like 2006 or 2007 that still hasn't been fixed. So yeah, I mean there's, there's all kinds of layers of problems here. The idea that TP links at the top of the list is low to me in a high inflation environment where we're like raising prices on consumers. Like, I don't see this as the top of my list unless there's some classified data out there that these really bad bugs in TP link are intentional. I think they're just like crappy devices.

A (63:50)

We're about to ban DJI drones because they're made in China, right?

C (63:55)

Yeah. And in the article, the WaPo article, they talk about this being another bargaining chip for Trump. And look, I don't love TP link. I've been doing a lot of research on cybersecurity for routers, like consumer routers for cr. That's one of my side projects that one day you'll see out in the world. Yay. In TP Link, all of consumer routers are terrible or not all. Many do not have the features that we need. And there was actually an effort. Biden did a 2021 executive order that was like, hey, it's the same one that did the trust mark. They were like, let's make a router standard for secure routers. And NIST actually did it. Very few router companies actually participated in the nist.

A (64:43)

I remember that, yes, there was going to be a seal that you could put on the box and all that.

C (64:48)

Well, they didn't know what was going to become of that. But yes, NIST actually came up with a secure router framework. And one of the top things, like Alex said, was you've got to be able to update it over the air. And people, it should be opt in and you can opt out if you feel like you're a super expert and want to. There's a bunch of other recommendations in there about like remote access, what port should be open. My favorite thing, you have to declare the end of life for the router when you're planning to stop supporting it because thank you. Doesn't happen.

A (65:21)

Thank you.

C (65:23)

So, yeah, so I on the TP link front, we test a lot of routers at cr. We see a lot of the same stupid bugs. I'm just going to call them stupid bugs because they are. There are things like your SSID and password going over the network in plain text. We see this across multiple brands and I'm like, why is this still happening in the year of our Lord 2025? And we tell consumers for this front, look, don't panic. If you've got a TP link router, just your Next router, maybe look at some other options. I know they're expensive, but think about.

A (65:59)

This as like they're all made in China though. I mean. Right. Everything's made in China.

C (66:03)

I don't know how. They're all made with basically the same underlying chips. They've got. A lot of them use the same like reference designs. I mean, this is not like.

A (66:13)

The Post quotes Jeff Seidman, a spokesman for TP Link, saying it's nonsensical to suggest that any measure taken against the company could serve as a bargaining chip in US China talks. As the administration suggests any adverse action against TP Link would have no impact on China but would harm an American company. If that's true, I'm sure China knows that, you know.

C (66:35)

Well, so I mean, his brother's still in China. The guy, the person who owns the company. I mean, like. But I don't know, it's not, it's.

A (66:43)

Split, but it's not fully split or it's. They say we're fully split.

C (66:47)

They fully split, but his family is in China.

A (66:50)

Okay. I mean it seems like it's a pretty tenuous.

C (66:55)

Well, the FCC has done some really. They've been very. So the FCC itself has been very focused on China, like much of the administration. So they've done a lot of their bad labs. So they're trying to make all of your, you know how everything electronic gets tested by the FCC for interference.

A (67:12)

Yeah.

C (67:12)

So they're trying to take all of that testing capacity outside of China. That's their bad labs efforts. So they don't want Chinese owned companies or labs that are in China to be testing this stuff. The reason that stuff's in China is because it's all built there and you don't want to ship your boards back and forth across the ocean. And then there's a lot of the cyber trust Mark right now is actually in the air because the FCC is investigating the fact that UL has a Chinese testing relationship.

A (67:43)

I'm disappointed because as you know, every time I buy a drone, I crash it. But the new DJI drone has LiDAR built in and, but it may be banned as well because guess what? Made in China Chinese company. And I guess if I have a Chinese drone, it could be sending pictures of my house or something.

C (68:03)

If we go down this route, we're.

A (68:05)

Going to, we're not going to have.

D (68:06)

Anything hoes consumers so much stupid too because the Chinese are way ahead of us in drone technology. Right. Like, yes, the irony here is that China is begging for American tech Right. Like in these negotiations, what they're trying to do is to get the boundaries for American exports lowered. They're looking to increase. Yes. There's this basic arrogance. The idea that the US Is better at everything than tech. That is just not true. And drones are one of those things. So getting American kids to play with drones, taking DJI drones apart, and then going to college and then going and working at Andrew or whatever next generation of American drone companies are, and then competing with DJI to build. Unfortunately, the truth is the weapons that World War 3 will be fought with is way smarter. Like the idea that, like, this is as dumb as China boycotting Nvidia. Right. Like, if they did that, we'd say that is ridiculous. That is as ridiculous as us boycotting DJing right now.

A (69:09)

Right. So just to get back to this, because I see in our chat room there are a lot of our listeners have TP link routers, some of them still in the box. Should.

D (69:20)

I'll send all those listeners a link. They can click and just your advice.

A (69:26)

Is make sure you check the firmware regularly. Is that.

D (69:29)

Update the firmware, change the default password. Right. Yeah, the usual. Because a bunch of these have CSRF attacks against the interface is also the way.

A (69:38)

Turn on WPA3 encryption. Turn off WAN administration change.

D (69:45)

Yeah. Most of them should have nothing on the wan. But yes, make sure you have like WAN SSH and wan.

A (69:50)

Turn that off.

D (69:52)

Admin off for sure.

A (69:53)

Yeah. To the usual. But you do. You're supposed to. You should do that with anything, any router you put on your network, you know.

D (70:00)

Yeah. If you know what you're doing, you can map yourself from the public Internet or you can look yourself up, see what happens.

A (70:04)

Yeah, yeah.

D (70:05)

I mean, you can. Like after, you know, after you have it set up for a day or two, you could.

A (70:09)

There's some advice. Look yourself up on Shodan. You know, I'm scared to do that. Where you just put your IP address and Shodan and see what happens.

D (70:19)

Yeah.

A (70:19)

Oh, God. Your public IP address. Don't put 19216.

C (70:24)

No.

D (70:24)

Right. You're probably. But. But like, I mean, or, you know, go to a coffee shop or, I mean, go to a place where you have free.

A (70:31)

See if you can log in, go.

D (70:32)

To school and then end up yourself. You know what you're doing. I mean, people are on the twit discord.

A (70:37)

They know what they're doing.

D (70:38)

Install brew, install nmap. Yes. Yeah.

A (70:41)

Brew install nmap. Ladies and gentlemen, there's your tip for the week.

C (70:45)

And if your Router is more than 5 years old. Get a new, look it up.

D (70:49)

Put the.

C (70:50)

Put the model number in and see how long and Google that with like end of life and see if it's actually still supported.

A (70:55)

Were you shocked that Nito vacuum cleaners are no longer going to work? Because the NEATO folks.

C (71:06)

So they announced that in 2023. What they announced though at the time was that they were going to try to do the cloud updates for five years and keep inventory for.

A (71:16)

They went out of business in 2023. Although they're owned by the same company that makes my. The thing. I bought that. You told me to buy my Thermomix. When I saw Vorwerk owns Neato, I thought, what is my Thermomix gonna stop working in a year or two?

C (71:35)

I mean, maybe.

A (71:36)

So it's expensive.

C (71:38)

Yeah.

A (71:38)

I love it.

B (71:39)

Wait, I'm curious. Where did you buy your Thermomix?

A (71:43)

I don't know. Why do you have a Thermomix?

B (71:46)

No, no, no. But for the longest time they were not available in the U.S. oh, are they in the U.S. now?

C (71:52)

Yeah, they came to the U.S. like three or four years ago.

A (71:55)

So you know about the Thermomix?

B (71:58)

Oh yeah.

D (72:01)

Makes sense.

B (72:01)

No, it was like.

A (72:02)

It was like really hard risotto. The best tomato soup I ever had. All of them? Yeah, that's all I know.

B (72:08)

You could get them. You could get them in Europe, but then it would have a 220 plug. Right. So you. And then I think they finally started selling them in Canada, but they, they wouldn't ship them over. So you physically had to go to Canada if you wanted to buy a.

A (72:20)

110 version, you can now buy them in the U.S. that's exciting. For $699.

B (72:27)

Yeah.

A (72:28)

This. I tell you this will give you some idea of this device. If you ever watched Below Deck, which is the Bravo reality show about living and working on a yacht. All the yacht. All the super yacht kitchens have Thermomixes in them.

B (72:44)

Yeah. Should we tell people what it is just so they.

A (72:46)

Yeah, I've never figured out a way to. It's a blender that heats up.

B (72:50)

Is it heats and cools. Right. So you can make. You can make soup, you can make ice cream. All in all.

A (72:55)

Wait a minute.

C (72:56)

Right? Is that right?

A (72:58)

Can you make ice cream in a Thermo? I don't think it cools.

B (73:01)

It doesn't cool.

A (73:02)

What does it. Stacy does it cool. She's looking it up. If you've. I don't remember. Oh my God. I have to stop the show right now and go try it.

B (73:11)

I might be wrong, but it definitely has a heating function, right?

A (73:14)

It definitely heats. That's why it's good for soup. But you could. Anyway, I don't know how it steam.

D (73:18)

It doesn't say cooling.

C (73:19)

Yeah, you could. Okay. You could.

A (73:22)

You probably. I know what you have.

D (73:24)

You would need, like, an external. You need to run like, a Freon tube outside.

C (73:30)

You can make your custard for your ice cream and the Thermomix. But then you have to run.

A (73:34)

You still have to put in the fridge.

B (73:35)

Yeah, yeah.

A (73:37)

You probably have one of those slushy machines that's all the rage right now.

C (73:43)

The Ninja or the.

A (73:44)

Really Ninja? Yeah, the Ninja. No, well, I don't. I don't know anything about that. I only know about ninjas.

D (73:50)

This is the. This looks like the closest thing to the. The machine in Back to the Future, right? Like.

A (73:56)

Yeah, look at this. It comes in purple. It is. It's like the fusion. It's like the. Yeah, just throw your garbage in it and.

D (74:02)

No, no, no, I meant like one of their cooking where it's like the old.

A (74:06)

Oh, yeah, totally.

D (74:07)

Right. Where it's the family. It's all messed up. They put something. It just comes out. Yeah.

A (74:13)

Larry in our discord says we have the Ninja Creamery to make ice cream. This seems like such a bad idea. I don't want anything that can make ice cream in the house. I have enough problems as it is.

D (74:24)

Yeah. Now I want to buy one of these things and just run through Wireshark.

A (74:27)

Oh, here's a bundle. Here's the. But this will make slushies and ice cream. You get the creamy and the slushy. Two for one, baby.

C (74:35)

Okay, let me just tell you the best ice cream maker. And I got one as a wedding present. It's the winter automatic compressor ice cream and yogurt maker. It is a heavy.

A (74:48)

That's a giant wedding present.

C (74:49)

Difficult thing.

A (74:50)

Yeah.

C (74:52)

And you can't clean it because you put all the ingredients in this, like, stainless steel bowl that's built into the winter.

A (74:59)

Is spelled W H Y. And that's my question.

C (75:05)

It really makes amazing ice cream.

A (75:08)

This looks like my giant hermetic sealer. It's huge.

D (75:12)

Oh, my God. Because it actually does have a compressor built into it.

C (75:14)

It has a compressor? Yeah. No, it's amazing.

D (75:16)

It blows, like, hot air out the side.

C (75:18)

Yes.

A (75:20)

It sounds like a cement mixer, but.

C (75:22)

If you have a Thermomix.

A (75:24)

Well, I might as well, right? I'm out of Counter space. To be honest, I. But this thing.

D (75:30)

Oh, my God.

C (75:31)

I'm just gonna let y'. All.

D (75:32)

It's like, we're not gonna let the laws of thermodynamics get between us. And making ice cream on top of.

C (75:37)

Your counter, it's the smallest amount of ice. I mean, it's like it only makes.

A (75:43)

A little tiny bowl.

C (75:45)

It's not awesome.

A (75:46)

It does it in 30 minutes, though.

C (75:48)

I mean, it is an awesome mixture.

A (75:51)

Can I make the custard in the Thermomix and then pour it into the winter compressed?

C (75:55)

Yeah, you probably could. You could mostly automate it.

A (75:59)

All right, we're going to take a break now.

D (76:01)

Features and specifications, 180 watts.

A (76:05)

Okay, I'm going to have to get a new fuse box put in, but other than that, I get another 40amp circuit for this thing and the Thermomix. All right, I'm sorry, folks. I apologize. And trust no one says. I can't believe I'm saying this, but $500 for both the creamy and the slushy is not a bad deal. The Ninjas are very affordable. Very affordable. We're having fun. This is this week in Tech, the wonderful Jill Duffy who. Do you schlep it? Do you move around a lot? You bring your Thermomix with you everywhere you go?

B (76:44)

I don't have a Thermomix. Oh, I'm.

C (76:46)

I actually.

B (76:47)

I do a lot of old school stuff. I've been making homemade yogurt lately, but I do it just in glass jars. And then I have a. I have a water distiller because I can't drink the water out of the tap here. But the water distiller is warm, so.

A (76:59)

I just use it for making yogurt.

B (77:01)

Glasses, like full jar glasses.

A (77:04)

It keeps it.

B (77:04)

Just put them on top of the distiller and then 12 hours later, I have yogurt.

A (77:08)

Aren't you thrifty?

B (77:10)

Very. Yeah.

A (77:11)

Old school. Old school. Yeah, that's it. Now I'm hungry for yogurt. If you just got the slushie, you could. You could make Frieda.

B (77:18)

I could do that, yeah. But I'd need 220 here.

A (77:24)

That's a problem, isn't it?

C (77:25)

You.

A (77:25)

When you move around and you move around a lot, you have to always have the plugs, the things.

C (77:30)

Yeah.

B (77:30)

So there's something called the step down converter, which is a giant box. Right. So that I can plug in that with you. I usually have them provided.

A (77:40)

Okay.

B (77:41)

For our house here. Yeah, yeah.

A (77:42)

Right. Yeah. We're gonna have the house. You better put a converter, an inverter or whatever. Yeah, yeah. It's great to have you, Jill. Thank you for being here. Contributor, Wired magazine and PC magazine. Stacey Higginbotham's also here. She's policy fellow at Consumer Reports, working on that router stuff. I'm excited about that. Your colleague, Paris Martineau has become a radioactive shrimp and lead in your protein powder superstar.

C (78:09)

I loved her radioactive shrimp story. It answered so many questions.

A (78:14)

She figured it out where the cesium was coming from. Pretty impressive. I love CR. I've been a customer, subscriber, a member since 1980, my whole life. Yeah, it's the best. I was so happy when you went there, sir.

D (78:29)

You give it a full pizza?

A (78:31)

Full pizza, all eight slices. Alex Stamos, he's the CSO chief security officer@corridor.devo if you. If you're using agentic AI to do vibe coding, you better go visit quarter. You need some security. You can't just, you know, do what I did this morning and let Claude code go crazy on your repositories. Well, it was kind of fun, I admit. Tickled a little bit. Great to have all three of you. Our show today, brought to you by Miro. Oh, we love Miro. Maika and I used Miro for a long time as we were planning the show because we were in different places. We did the Ask the Tech Guy show together. Right? And Miro was such a help. The gap between when you're a startup or you gotta, you know, you, or you're planning a show or you're working on a project together, the gap between idea and impact can kill your team's progress. And I think it's safe to say, just throwing AI at the problem without you knowing, without the clarity that, you know, the planning doesn't help. That's where Miro's amazing. Yeah, it's powered by AI, but with Miro, teamwork that typically takes weeks done in days. So your team, your team focuses on building the right things and having AI available in a contextual, easy to apply way. Because the AI sees your planning. It's all there in the Miro. Here's how Miro helps teams get great done. Your second brain with Miro. AI sidekicks. Okay, AI sidekicks are trained to think like product leaders, like agile coaches, like product marketers, to review your materials, to recommend areas to double down on or to clarify inputs or to add direct feedback. You can build custom sidekicks yourself that integrate into other workflows for exactly what your Team needs. Think of it as an extension of your team's capabilities. It's not a replacement. No, no, it's an extension. It's great. You can generate meaningful insights faster by eliminating the need to switch between tools. With Miro Insights, Miro AI sorts through everything you input, even if it's in different formats. That's the beauty of Miro. So you throw in your sticky notes, your research, your ideas. Then Miro combines them into a structured research summary, product briefs. They can even do like things like sentiment analysis, which means you can take concepts, you take 20 concepts, test them rapidly. With Miro prototypes, you could generate instant and contextually embedded prototypes for right from your board without needing to do it anywhere else. It's kind of miraculous. You'll iterate rapidly on near limitless variations and then feel confident about the feasibility and visualization before you even even get into the high fidelity builds. It's nice to have that confidence. We're on the right track. Spend time on building, not digging for information. Miro doesn't replace the design tools your team loves. It works with them. It's aligning before you need them. Okay. Miro's blueprints and spaces organize your team's work in an intuitive and easy to follow format. Help your teams get great done with miro. Check out miro.com to find out how. That's M I R O dot com. We thank him so much for supporting this week in tech. You check it out miro.com and if they ask you, I don't know if they do, but if they ask you, say, yeah, I heard it on Twitter. So I, I mentioned this in passing before the last break. Let's get to it now. The FCC voted or is about to vote to scrap. This is almost stunning, but it's, I guess, shouldn't be surprised. Cyber security requirements. Brendan Carr, who's the chair, voted against the rules when he was just a commissioner in January, calls them ineffective and illegal. So they'll be voting this month on whether to eliminate cybersecurity requirements for telecom carriers. These are requirements that were enacted after salt typhoon in January.

C (82:46)

Yeah, yeah.

A (82:47)

This was basically wait, you know, Kaliyah's fine.

C (82:54)

I mean, Kali is not the best avenue to do this, but we don't have another avenue. Wyden actually introduced a bill last year, and I think this year as well, to require the FCC to set cyber security rules for carriers.

A (83:11)

So Carr said they moved too fast. It was an 11th hour ruling that not only exceeded the agency's authority, but wasn't effective or agile to the cyber.

D (83:20)

I've heard that Mr. Carr really cares about the FCC staying within its lane and not exceeding authority.

A (83:26)

We're correcting course, he says. All right, well, as long as, yeah, they're terrible.

C (83:34)

And we do need cybersecurity rules for our carriers because they are not. I mean, I'm sure Alex can tell you that if you don't force companies to, if you don't require them to have some sort of cybersecurity rules to follow, they will not follow them unless it becomes too painful for them. And Right. You would think Salt Typhoon was too.

A (83:56)

Painful, but yeah, the market's not going to take care of cyber security.

D (84:02)

I It's getting hard to not be conspiracy minded here. For all of the statements that this administration makes about China. Salt Typhoon completely owned up America's telecom networks to the point of where they were able to listen in on the calls of the then candidate Trump and the Vice President, apparently possibly even sitting members of the administration. Those space vulnerabilities have not been taken care of.

A (84:39)

Oh, but we're going to get rid of the TP link routers because those are the problems.

D (84:43)

They closed the Cyber Safety Review Board before the CSRB issued a report that would address those issues. They have destroyed cisa. They've eliminated the vast majority of the good people there. CIS it does not have a confirmed director. A ton of good people are gone. The National Security Council used to have 396 people working for it, including a fully staffed cyber division. There are now fewer than 40 people working for the National Security Council and nobody working for Cyber. As far as I can tell, the only person who's been confirmed doing anything for cyber is the National Cyber Director, who seems like a perfectly nice guy but has no background in this. And Mitch as much, if you ever meet with him, which I was able to do during the RSA conference, and if you look at the long term advantages the United States has over the People's Republic of China, our ability to attract the best and brightest people from around the world, high skilled immigration, the quality of our university system, our alliances, free trade, all of those things have been destroyed. It has been absolutely the best possible outcome for the People's Republic of China and XI since January. I don't know what else to say. So like this just adds to kind of a complete surrender, at least on the cyber side to the Chinese. We are spectacularly poorly prepared right now for a cyber attack. Another thing that we haven't talked about yet is just recently it was discovered that something like 200 different local municipalities, including especially, like, their water departments, had been compromised by a different hacking group inside of China, which is something that you would only do if you're preparing for potential significant conflict with the United States. That follows years and years of the PRC planting back doors in power grids, water grids, railroad systems.

A (86:45)

Are those backdoors in the United States still in there?

D (86:48)

No, they're discovered and then taken out. Right. But what we've seen over the last several years is kind of a real change in the kind of goals of Chinese hacking. Right. Which used to be very much focused on financial and intellectual property focused, and now you see way more focus on infrastructure and the planting of access capabilities, which could only be used in conflict. Right.

A (87:18)

So it's a time bomb. Should they say invade Taiwan and we decide to respond, they've got a time bomb.

D (87:28)

Right. There are situations that. Right. So that would both be to slow a US Response. So that's like the power and water grid in Guam, the rail system in Southern California. That is the mechanism by which Marines would ship out to San Diego to board ships, you know, to be shipped out to the Pacific in case of threat, shutting off water, water and power to our air base in Guam. But then also, you know, if you're talking about 200 water systems throughout the United States, that is a threat to try to make life more difficult for Mars. And we have not responded appropriately to this in any way. And the staff doesn't even exist, honestly to do so. We've also lost a massive number of people in the FBI. There's been kind of political purges that have happened, and a ton of people took early retirement. Because if you've put your 25 years in, if you've dedicated your life to the FBI, you're going to go take your pension and then go make a bunch of money doing something else in.

A (88:28)

The private sector, possibly.

D (88:29)

Right. Instead of possibly waiting to be purged out and then lose all of that time. So I don't know what to say other than it's a terrifying time. When you talk to CISOs who work on critical infrastructure, who work on companies that are possible targets, they feel like they're possibly alone here in California. It's terrifying because we have the World cup in 26, the Super bowl in 27, the Olympics in 2028, and without the federal government possibly here to protect us, so the state of California and our critical infrastructure company are kind of gearing up to be able to do our, you know, our own defense without Having cisa, the FBI or Cyber Command, which also had their director fired. The most qualified commander of Cyber Command and director of the NSA that has ever existed, fired because he works for Joe Biden, which every general who is currently in the US Military works for Joe Biden, by definition. That's how it works in the military. They're not just hired and fired randomly. They've spent their entire careers and lives.

A (89:33)

They're non political, they're nonpartisan.

D (89:36)

But he was fired at the recommendation of Lord Loomer and then his deputy has been just told that he is not going to be confirmed. So we have no idea who will be in charge of Cyber Command at nsa.

A (89:48)

The definitive expert in cybersecurity, Laura Loomer.

D (89:51)

Yes.

A (89:51)

Can I ask you about your partner, Chris Krebs? Because of course, he was the head of ciso, rather, under. Under Trump, and had the temerity after the 2020 election to say it was the most secure election in American history. Giving a lie to the, you know, the big lie. And Trump's been going after him.

D (90:14)

Yes, I know.

A (90:17)

Yeah.

D (90:17)

Yes, they.

A (90:18)

They killed his Global Entry membership. I mean, it's little, it's a little, you know, harassment stuff. Although the DOJ is apparently investigating him. What's the situation with that? Do you know?

D (90:28)

I haven't heard anything about any further doj.

A (90:31)

Yeah, because there's nothing to investigate.

D (90:34)

No, he did his job and he didn't even do anything particularly political. He just told the truth, which is he believed that the 2020 election was secure and, you know, he was fired at the time. And then, you know, since then, he has not been particularly political. He's talked about publicly about cyber issues.

A (90:51)

Yeah, he was your partner and I thought he, in a really respectable, upstanding way, decided to resign that partnership because he didn't want to bring trouble to you and to the company.

D (91:03)

So, yeah, we had sold the company to Sentinel One, so we were both working at Sentinel One, which is a much larger public company.

A (91:09)

Yeah, I remember that was the last time you were on. We were talking about that.

D (91:12)

And he stepped down after the executive order because the executive order said that everybody who works at Sentinel One was going to get their security clearance revoked, which obviously, for a company that does.

A (91:25)

$100 million, that's a big deal.

D (91:27)

Government work.

A (91:28)

This is the kind of pressure that a government and a DOJ that works for a political person can put on companies. That is just untenable.

D (91:40)

Yes, this is, I expect, not this exact situation, but this is, I think, why the Constitution specifically says that you're not allowed to single out individuals and say this person's a bad person. It says that twice, I believe. But you know, the Constitution does not seem to be too much of a barrier to this. So, yes, Chris stepped down and I have left as well. It was less fun without him, I bet.

A (92:07)

All respect to Chris Krebs. It's just shameful. So let's talk about the FCC again. Brendan Carr began dismantling rules requiring your ISP to offer detail. Remember the. I really liked this. The nutrition label that you've probably seen it, that actually showed the real broadband numbers and the information about what you were buying. They're gonna get rid of those.

C (92:33)

You probably didn't see it because it wasn't marketed super well in.

A (92:37)

I saw it because I was looking for it.

C (92:39)

So if you looked for it, you could see it. And there's. So we are actually filing. I am writing up comments this coming week about it. I'm also writing comments about the cyber security stuff too. So, you know, yay cr. Arguing against this. The real like. So they want to kill the broadband label. It's part of the cars, delete, delete, delete efforts. He's got a bunch of them. They're all pretty. Well, some of them are actually reasonable.

A (93:06)

They got rid of the click to cancel rules the FTC passed because Comcast said if you make it as easy to cancel as it was to sign up, we're going to lose customers. So they said, oh yeah, you're right, we shouldn't. This is so blatantly anti consumer.

C (93:25)

So that was the FTC's click to cancel. Yes, yes and yes.

A (93:28)

I'm just. I know it's not the fcc, it's the ftc. But it's similar. It's the same idea. It's like broadband. Who. Who doesn't like these broadband nutrition labels? Oh, the broadband companies. Because they don't want you to know you're not getting what you pay for.

C (93:43)

Well. And they don't want it to be easy for people to comparison shop and to see. I think based on how they've complied with this, like if you could actually pull the labels. So Comcast will give you an Excel file with all of the label data. There are 3,497 rows for each individual plan. And the idea is to make it as hard as possible to compare broadband pricing across.

A (94:09)

We wouldn't want to do that.

C (94:11)

You wouldn't want to show that.

D (94:13)

No.

C (94:14)

So yeah, they're doing this too.

A (94:20)

Now. It's a Rulemaking, So it has 60 days.

C (94:24)

Yeah, you can file comments, guys, you can file comments.

A (94:26)

Everybody should absolutely file comments. Although remember the net neutrality thing? The comments. There were a lot of fake comments.

C (94:35)

You could file real comments. Yeah, like I'm filing real comments. Y' all could also file real comments. If you do file real comments, you should say like, there's, there's a couple points that are really important and that is that I don't want to get into this.

A (94:52)

Yeah, it's like, do you want me.

C (94:54)

To get into it? But it's.

A (94:55)

No, I mean, I think enough. We, we could spend all.

C (95:00)

You like the labels, you like that they're machine readable. You should say that they provide useful information. You should say that it is important to have the labels in the same language that you were Soldier broadband subscription at. You should also say that it's important to have the fees, like the pass through fees. One of the things they're mad about is, you know, they want to take out the state fees and they're, they're enumerated in the label, but they want to take that out. So it just be like what Comcast wants to charge you as opposed to what Comcast wants to charge you, plus the utility rates and all the things associated with your.

A (95:33)

Now, I should point out Comcast gave a couple million dollars to the ballroom. So if you really want to be effective in this comment, you should probably donate to the ballroom.

D (95:46)

That was your mistake.

C (95:47)

My job seemed useless. Don't do that.

A (95:51)

Comcast, T Mobile, Meta, Apple, Microsoft, Google, all donated to the ballroom. So I guess that probably carries some weight with Brennan Carr. You know, he's, he's probably, you know, these are, these are good people. There are people. I'm being cynical. Yeah. Make your comments. Although, Stacy, do you think it's going to make a difference?

C (96:21)

It is important to be on the record.

A (96:23)

Yes. Get on the record. Get on the record.

C (96:26)

Because maybe one day we will not have the current administration and that's a good point.

A (96:33)

That's a good point. We only have three more years of this.

C (96:39)

Everything Alex told you about, like what's happening in cyber security that is literally like every day. That's true at that from a policy perspective. And I'm like, okay, what do I fight on now? Yeah, it's sad.

A (96:52)

It's frustrating.

C (96:58)

Death cleaning.

B (97:00)

Death cleaning.

A (97:00)

Swedish death clean. So what is Swedish death clean cleaning?

B (97:04)

Swedish death cleaning. It's a concept that was around in Sweden for a long time and then an author put it into a book and it sort of became well known for that.

A (97:13)

It's the Marie Kondo for this generation.

C (97:16)

Let me.

B (97:17)

Let me side note on Marie Kondo for a moment. I love her. She had three kids and she got sloppy.

A (97:25)

She got sloppy.

B (97:26)

She was asked like, so what do you do with three children? She's like, oh, I don't do that any. I don't see the organizing anymore. I have three kids. Leave me alone.

A (97:32)

Who has time?

B (97:34)

So much respect. Because she could have spun out, like, the artful joy of tidying up for mothers, the artful joy of tidying up for seniors. She could have spun it on anyways. She was just like, no, I'm done. My kids are messy.

D (97:48)

She said, thank you to that and goodbye.

A (97:53)

I appreciate your kids spark more joy than all the clutter.

C (97:58)

Yeah.

B (97:58)

So Swedish death cleaning. Anyway, it's this really phenomenal concept that we have too much.

A (98:03)

This is your article, by the way, in Wired.

B (98:05)

This is my article in Wired. We have too much stuff. We spend the first half of our life collecting stuff, and we should spend the second half of our life very slowly getting rid of things we don't need and keeping the things that we like in good condition and thinking about handing them down so that we are not leaving a burden to other people of our big mess.

A (98:25)

Now, let me ask you, does this include digital?

B (98:28)

Yeah, so. So this is what my article was really about. I was. I came up with this idea of beyond just passing along my passwords. Like, what about organizing my photos so that the person who inherits them isn't just faced with thousands and thousands of digital images they don't know what to do with?

A (98:45)

In my case.

B (98:50)

What about my diaries? Do I want anybody to see them? Do I want to keep them encrypted and protected and make sure that nobody has that path?

A (98:56)

That's funny. Yeah, that's a good point. Yeah.

B (98:58)

And then I started interviewing people, and it just got more and more interesting. So I interviewed this wonderful woman, Tina o'. Keefe. She has a personal organizing business and she specializes in working with seniors. So the senior element is really important because a lot of people think like, oh, I'll do my own Swedish death cleaning throughout my life, little by little, as I get older. But the way that most people first encounter it is with a parent or a grandparent, one of your elders.

A (99:26)

I've done this. My mom is in assisted living. She's got Alzheimer's. She's 92. She'll be 93 in a couple of months. And we have her house. I'm amazed at all the crap that's in there.

B (99:38)

But also, as we age, a lot of people have dementia, Alzheimer's, different cognitive abilities that. That start to decline. They also have physical abilities that start to decline.

A (99:49)

And that's why she's assisted living.

C (99:52)

Yeah.

B (99:53)

And not everybody has a lot of tech skills either. So, anyway, this woman I interviewed, Tina o', Keefe, she's a personal organizer. She specializes in working with seniors. And she said she was working with a woman who was terminally ill, who had had two marriages. And she said, I've kept all these mementos from my first marriage that I don't want my second spouse to see or find. So they had to come up with a way like, okay, do I give it to my kids? Do I save it for myself? Do I burn it? What do I do with it? And then the digital aspect was just so interesting. So I interviewed a guy named Adam, who is Swedish, and he went to help his grandfather with Swedish death cleaning. And one of the things he found was a phone full of malware. So not only did he then want to rescue all of the photos and.

A (100:40)

Important things, send it to Alex, I bet he could use it.

B (100:43)

So it was super interesting just to see the real world challenges people have in thinking about how do I organize my digital life? So then I'm passing it down in a way that's sort of like respectful. And I'm giving people the things that I want to make sure that some people have. And so you can think, what, do I not have to wait until I die to pass?

A (101:06)

Do it now, because if you're dead, you're not going to do it.

B (101:09)

So share photos and videos, for example, put them in a folder, organize it neatly. But thinking about things like if you give somebody access to your computer or your phone, is there a very simple readme file right on the desktop, or are they going to have to go.

A (101:25)

Digging through on my desk, Slaughter, there is a folded piece of paper under the leaf there that it's not visible, but if you know it's there, you can open the leaf. My wife knows about it, that says in case of my death or dismemberment. And it has. That's probably a little overdramatic way to put it, but it has my actually, you know, bit Warden has a form that you fill out. And I think other password managers do this.

B (101:52)

Yeah, they do.

A (101:53)

Yeah, it's clever.

B (101:54)

So that's an easy way to pass on your online accounts. But there are tricky things you have to think about, too. So some social Media have terms of service that don't allow you to technically give your account to somebody else.

A (102:06)

You have to be careful. You can't hand that down.

B (102:08)

No, you can't or you really, really shouldn't give anybody your password for your banking accounts. Like that needs to go through the beneficiary form. That's really.

A (102:20)

Oh, really? I shouldn't give that to my wife? You're right. It's in my will.

B (102:24)

You know, it's something that you have to educate it. People don't know this from birth. You have to tell people this. So younger people may not know that. You can't just give somebody your. Your financial logins for.

A (102:35)

This is important. Here's my. Here's my bit warden security readiness kit which I'm. I hope you can't read through the paper I'm hiding. Let me just put that away. But this has all the important stuff in it, right? And then. Yeah, and then Lisa can. But that's a good point. That you probably shouldn't give your access. Well, it's got my. All my passwords.

C (103:00)

Right.

B (103:00)

But you, you really don't want anybody touching or moving your money after the.

A (103:05)

Well, I trust you, my executor. So I.

B (103:07)

They'll get in some big trouble if they don't do it through the proper channel.

C (103:10)

You have to do it right. You have to have a death certificate and bring it to the bank.

D (103:13)

But that's also why you have a trust, right?

A (103:15)

Yeah, I have a trust. Yeah, we have.

B (103:17)

But there are your wife.

D (103:18)

I control it without.

A (103:19)

Yeah, yeah, yeah.

C (103:20)

There are a lot.

B (103:20)

But you have to go through those channels. But there are lots and lots of other digital assets we have that we don't necessarily think about organizing.

C (103:27)

Planning.

A (103:27)

Every time I put another picture in my photo. My photos collection, I go, nobody's ever gonna wanna see this after I'm gone. Right.

B (103:35)

There's another article I wrote I wanna tell you about. There's a wonderful newsletter called Gloria. It's at. Hello Gloria. It's for women in midlife and I've been writing a little bit for them. So a piece I kind of wrote in tandem with this one was about creating a death notification list in my email. So I started. I had a friend who died unexpectedly young.

A (104:01)

I'm sorry.

B (104:02)

Oh, thank you. It was really upsetting in part because I didn't find out for almost five months after she died. We had an email based friendship. We didn't really have any friends in common and it was just like so weird. I haven't heard from her in a while. And I went to look up her name online thinking, like, let me see what her bylines are. Maybe she got laid off. She works in media. And I found an obituary. And I was like, what? Like, it was so. It was so unnerving. It was really, really shocking. But it sent me down this path of thinking, like, how do we tell people anymore how we die? And there are so many connections, connections I have that like, my partner doesn't know these people, My sisters don't know these people. Like, how are they gonna know? So I came up with this idea of making sure that I have an email list in my email that I plan to go through once a year and update. And it's lots of acquaintances and my accountants.

A (105:02)

Have you written the email that's going to be sent already?

B (105:04)

Yes, yes. So I wrote the email. I gave it to you.

A (105:07)

I am dead. If you're reading this, I am dead.

B (105:09)

Yeah, basically it's a mad library. I should let you know Jill Duffy has died on such and such date of such and such cause.

A (105:17)

So your husband has to fill that part in.

B (105:19)

I have a different trusted person. I have a different trusted person for this who will inherit some of my passwords. And yeah, I mean, I think it's a little goofy, It's a little wacky, it's a little low tech in some ways.

C (105:32)

I want to make.

A (105:33)

I'm thinking I should have a dead man switch so that like every month I have to say I'm still alive, but if I don't, then it sends it out to everybody. Leo must be dead because he didn't say he's still alive. That's how the emergency is really dangerous. Yeah, I know you're not a Leo, Alex. You sound like you might have some experience.

B (105:55)

I'm just saying there's the Google Google Inactive account manager, right? So it will pass on your Google account to somebody, to a trusted person if you don't touch it in so many months.

A (106:06)

Our sponsor, pit warden, and every other password manager I know of has an emergency legacy account, legacy feature. And they have a, they have a dead man switch. So if I, if Lisa requests my password, it sends me an email and then you get to set how long it waits for before it. You don't respond and then it says, okay, go ahead. He must be gone now. Somebody's saying Leo sounds so morbid. But when you get to my age, you start thinking about these things and everybody probably should think about because you know, this is, this is Swedish helpful.

C (106:41)

For the people I mean, people.

A (106:43)

You're doing it for them. Yeah, you're doing it for them.

C (106:45)

Think about it that way.

A (106:46)

Yes, they should rename. Somebody will have to Goodbye Gloria. And not hello.

B (106:52)

Somebody will have to do something with your stuff after you die.

A (106:55)

I think about that.

B (106:56)

Don't tell them. They're gonna throw it out.

A (107:00)

For instance, I have a painting from the early 19th century of an ancestor hanging on my wall. And I don't think either of my kids really wants this, you know, 1830s portrait of their ancestor. I don't know what to do with it. I guess it's going to end up at Goodwill and somebody's going to have my Antiques Roadshow. Antiques Roadshow? It's not worth. I doubt. Well, you never know. I should look and maybe there's stock certificates in the lining or something. Maybe it is worth something.

D (107:33)

Copy the Magna Carta.

A (107:34)

Yeah, the Magna Carta. Swedish. You know what? This is good advice. Wired.com has a story. It was just last week. There's a link to various things in there. And Jill's story with hello Gloria is also on their front page. You can read about that. I think this is. I think this is wise. This is good planning. Let's talk about the F5 hack in just a little bit. Also, YX may be telling you you need to re enroll your Yubikey.

C (108:05)

Huh?

A (108:06)

And Proton's new data breach Observatory. A little competition for have I been pwned? It's got a good name. Well, we'll talk about that and a lot more as well as ads on your $2,000 smart fridge when we continue. We got Stacy Higginbotham's here. She sounds. She looks sad. Now, are you making your list of people to send emails to if you pass away? You're gonna be with us.

C (108:31)

I'm wondering how often I need to, like, maintain my. My prep for death.

A (108:37)

No, don't. Don't even think about it.

C (108:39)

Well, don't. Like she said, you do it once a year. Jill. So I'm like is once a year. That feels reasonable. So check. Make sure everything's copacetic.

D (108:50)

Yeah, I guess you have to rewrite the angry because you have your enemies emails that go out too, right?

A (108:56)

Oh, yeah. Hey, good news. You know that guy you really hate?

D (108:59)

You're a rented car. I'm dead.

C (109:02)

I'm dead and I hope you really regret it.

A (109:06)

That's so depressing. You won, okay?

D (109:10)

You won.

A (109:11)

You could dance on my grave. It'll be at the cemetery in a few minutes.

D (109:16)

Wait, your guys's Dead Man Switch doesn't have all your blackmail material. It should. Yeah, that's not part of Swedish.

A (109:23)

You can't use it anymore. You can't blackmail me.

D (109:25)

I guess we have different.

A (109:27)

I'm gone.

C (109:28)

I'm done.

A (109:32)

Alex Stamos is here. So good to have you. Csocorder.dev and the Swedish Death cleaning queen, Jill Duffy.

D (109:42)

The Marie Kondo of Swedish Death Cleaning.

A (109:44)

The Marie Kondo of Swedish Death Cleaning. I did the condo thing. I did. I went through my whole closet but everything sparked joy. So it wasn't really much of a net gain. All these shirts.

B (109:56)

The one thing I don't like about the Marie Kondo method is it's sort of framed as do it one time. Like take a couple of hours, take a two day break and do it one time. And I'm much more of the idea that like thinking about it as hygiene, you know, something you do a little bit every day. If you miss a day, it's not a big deal.

A (110:13)

Little bit at a time, all the time. Yeah, that's the key. It's like tidying up. I have about 60 of these cuckoo shirts and Lisa keeps inviting her son over to take them. No, these are mine. I do admit I have at least three quarters of the closet space in the house. That's probably not as it should be. I know. Isn't that awful? Stacy? You wouldn't think. You don't. You don't see some source? No, I know it's not the first thing you'd think. Oh, Leo, he's probably got a lot of suits. No, it's all cuckoo shirts is what it is. And costumes, a lot of costumes. We will continue in just a moment. Ah, Alex, you probably know what this is. This is our sponsor. This, my friends, is a honey pot. This is brilliant. This is the Thinxt Canary, our sponsor for this segment of this week in Tech. Now, I disconnected my honey pot, so I'm going to get an alert in just a little bit saying your honey pot's disconnected. But that's what's the beauty of this. Thinks canaries. Honey pots traditionally are very complicated. I remember talking to, I think it was Bill Cheswick who wrote one of the very first honeypots and he said it's. It's complicated to create a good honeypot. A honeypot is something that attracts not flies, but hackers. Something that's sitting on your network that will let you know if a bad guy has penetrated your defenses. And you need this. Not just a bad guy or a malicious insider, but because it's so complicated, you really want to get a Think Stick. Canary, this is a honeypot that can be deployed in minutes. It can impersonate almost anything from a Windows server to I have a 2019 SharePoint server running on my network. Wink, wink, nudge, nudge. Bad guys can't resist that one. To SCADA device. It could be a SCADA device, it could be anything. It's absolutely indistinguishable from the real thing down to the Mac address. They actually have appropriate Mac addresses. My synology, NAS Kingston Canary has the DSM 7 login just like the real deal. So bad guys see it on the network. They, they, they're irresistible. They're irresistible. You can also create lure files with your Thinks Canary. I have a wire guard, a fake wire guard configuration file sitting on Google Drive, just waiting. How could a bad guy resist that? Right? It's the keys to the kingdom. The minute someone accesses your, you know, your, your Lore file or your or brute forces your fake internal SSH server, your Thinks Canary will immediately tell you you got a problem. No false alerts, just the alerts that matter. And you can get them any way you want them. Sms, email, syslog, it supports webhooks. There's even an API any way you want them. The thing is, if you hear from your Canary, there's a good reason. Just choose a profile for your Thinks Canary device. And it's easy to pick. There's hundreds to choose from. It's actually so easy. I change mine regularly. It's fun. Then register it with the hosted console for monitoring and notifications. And then you just, you know, you. You sit back and you wait. Attackers who've breached your network, malicious insiders, other adversaries are going to make themselves known by hitting your things to Canary. They can't help it. Visit canary tools/twit. $7,500 a year. You get five things canaries, you get your own hosted console, you get upgrades, you get support, you get maintenance. Ah. And if you use the code twit in the how did you hear about us? Box, you'll get 10% off the price. And not just for the first year, but for as long as you have your things canaries 10% off. You could always return your thinkscanary. They have a two month money back guarantee. 60 days for a full refund. I have to tell you, they've been advertising with us since 2016. We've been talking about this. That's how long we've been using them. And in all that time, no one has ever claimed the refund. Visit Canary Tools Twit Canary Tools Twit don't forget to enter the code TWIT in the how did you hear about us? Box for 10% off. Canary tools Twit this is a must for every network linkst Canary this is from Alex and risky biz. F5 says an advanced persistent threat stole source code. This was just a couple of days ago. F5 is one of the. Is a huge security company, right?

D (114:50)

Yeah. They make network devices in particular.

A (114:53)

Yeah.

D (114:54)

Not security load balancers.

A (114:55)

Yeah, yeah, yeah. So this is a security threat though, because it's one of the largest. Everybody has F5 equipment.

D (115:03)

Lots of large companies use F5 on the edge of their network.

C (115:07)

So.

A (115:10)

What do we do?

D (115:11)

It's a real problem. So it looks like it was the Chinese and they're in the F5's network for at least a year. This looks like it could be a solar winds level attack. So F5 released a patch with at least 40 vulnerabilities. Those look like those were bugs that were reported to F5 during that time that the Chinese know about.

A (115:32)

So this is an interesting story. Microsoft, this. I'd heard this and maybe you can confirm it. Of course Microsoft's had some real problems with Exchange and other servers. And there was some concern because Microsoft was getting its patches made in China.

D (115:48)

Yes.

A (115:49)

And they would send the breach in for the security flaw information to China for the fixed before it was publicly announced. And weirdly, the bad guys knew about it somehow before the patch went out.

D (116:06)

I know, it's a shock.

A (116:07)

How did that happen?

D (116:08)

Yes. So that's the SharePoint bug for this summer. There's a huge bug in on prem share and it turns out that Microsoft moved SharePoint sustained engineering to China. And so when there was a vulnerability found in SharePoint, it was actually found as part of one of the pwn to own competitions. That vault, that exploit code was turned over to Microsoft.

A (116:29)

That's why you do PWN to own so that Microsoft gets it first before the bad guys.

D (116:34)

Yeah. So Microsoft pays a bunch of money for this exploit. What do they do? They ship it to their engineers in China and then it gets used by the Ministry of State Security and a couple other groups in China to own up over a weekend, tens of thousands of American targets. In fact one I was still at Santa one at the time. One of the Chinese servers we were actually, we had data from upstream. We found that they did DNS requests for about 120,000 targets. And that Included a huge number of industrial targets. Most of the local and state government SharePoint servers in the state of California. Lots of folks important.

A (117:10)

If you think this doesn't affect you, it does. Because those servers had your information which was then exfiltrated.

D (117:16)

Yes. So what they're doing is they're just spraying everybody, putting a backdoor so they can get back later before the patch was then available. This is true zero day. It was not something that you could possibly patch yet. So Microsoft had to rush the patch out super fast. But yeah, so I actually, I was just.

A (117:34)

Do we know how the F5 breaches happened?

D (117:37)

No. So we don't. We don't know exactly how the F5 breach happened yet. There hasn't been a release of a full root cause analysis or investigation yet.

A (117:45)

But F5 says hackers were in the company's network for at least 12 months.

D (117:50)

At least a year.

A (117:51)

By the way, did I mention the things canary?

D (117:54)

Yes. If they had a thing's canary, they would have known that. They would have known that the Chinese would have tripped on one and set off an alarm. So they spent a year inside. F5 says they have not seen that they had planted the back door. But if they have access to source and they could be finding vulnerabilities that nobody else knows about, is that the.

A (118:13)

First thing these state actors do is they look for source code so that they can then implant other exploits.

D (118:19)

Well, if they find the exploit, then they have what's called a bug door, right? They don't need a real backdoor. They can have a bug door.

A (118:25)

They can introduce bugs.

D (118:27)

Well, they don't have to introduce it, Right? So changing the code is really risky, Right? So if you look at F5's code, remember F5 just patched 40 vulnerabilities, right? So you're talking about a product that had 40 unknown vulnerabilities. So if their code is that buggy and you're the Chinese, like the first thing you do is you pull down the code and you're like, you don't.

A (118:46)

Need to put introduce that bugs.

D (118:48)

They're there, right? And so if you're the Chinese, you might look at that and say the risk reward ratio here is not worth to plant something. Let's just find five bugs that they don't know about and then use them in targeted circumstances. And then when one gets patched, move to the next one. Move to the next.

A (119:05)

Could you use AI on a code base to look for vulnerabilities?

D (119:09)

In fact you can, and I believe this is one of the stories that we have there, if you want me to pitch to it. But OpenAI just announced exactly this. Google has a project to do this too. So OpenAI just announced a project called Aardvark where they have an agent specifically to do this. They're going to have this as an agent that you use for your own code. But they're also doing against open source.

A (119:31)

Do you know how effective it is?

D (119:32)

It looks I haven't gotten access to the beta yet, but from what I've seen, it's been pretty effective. Google's is very effective. Google has a project called Big Sleep which is a little, I mean, from a naming perspective, I'll look to Stacy or Jill for their professional writers.

A (119:48)

But like Swedish Big Sleep. Yes.

D (119:51)

Yeah, like if you're, if you're like a trillion multitrillion dollar tech company, would you call something Big Sleep? I mean, it just sounds a little Bond villainy, but it comes from.

A (120:01)

It's Raymond Chandler.

D (120:03)

What?

A (120:03)

It's the Big Sleep. It's the Humphrey Bogart movie. It's the long sleep, the sleep that doesn't end. That sleep, I guess not a good name for a bug hunter, but okay.

D (120:13)

Right. But anyway, so Google's running their bug hunter against large amounts of open source and it's very.

A (120:21)

Is this the FFMPEG story here? Because they were upset over this.

D (120:25)

They were very upset, yeah. So you can go to Google if you search for like Google Big Sleep bugs. Google keeps a listing of all the big bugs that they have found and they have reported a bunch of bugs. FFmpeg. FFmpeg is this extremely important open source library that all of us are probably using.

A (120:45)

I have it on all my machines. Even if you didn't think you did, you do. Plex installs it. A lot of programs install it. It's a transcoder.

D (120:55)

It's used all the time. It's extremely important for encoding and decoding video. Google uses a ton of their products. So as a result, Google cares a lot because both, you know, Chrome, the browser Chromium, Chrome os, Android, all use mpeg. And so Big Sleep is going through their. Their AI is going through the source code.

A (121:16)

Well, that's good, right? They found one, found some in ImageMagick as well, another very widely used tool.

D (121:23)

Yes. And ImageMagic has been used to exploit Android over and over. The problem is what Google's doing is they are reporting using AI. AI is writing up these huge bug reports that are extremely detailed. It's great. But there's no fixes Attached. And what the FFMPEG people are now tweeting about is they're calling this AI slop CVEs, right? Like just like AI slop images. And they're complaining that Google is burying them in these reports as they've got.

A (121:51)

Are they not doing responsible disclosure? They're just, just publishing these?

D (121:55)

Well, no, they're doing responsible disclosure, but Google's policy comes from the project zero days when human beings were finding the stuff, right? And it's 90 days. They give 90 days to these developers to fix it and they're not giving them any money. Right? So the FFMP people are complaining like, wait, you're just burying us. You are one of the world's most valuable companies and they're burying. You have the world's best security researchers that are now backed by the world's best AI and you just expect us now for free to fix these bugs in the software that you guys use to make trillions of dollars.

A (122:26)

FMP says. Is it really the job of a volunteer working on hobby 1990s codec to care about Google's security issues? Yeah, well, it is everybody's security issue. I mean FFMPEG does need to fix it, but 90 days is insufficient. These are volunteers. These are, these are, you know, but this is the, this is generally a problem in the world which is a lot of small open source. It's that famous XKCD cartoon where there's one little brick supporting this giant infrastructure maintained by some guy in Wisconsin and he's not getting paid to do it.

D (123:03)

And they both have a good point. Like FFMPEG says that Google actually themselves now because of these bugs they have driven one of the FFMPEG developers away because FFMPEG tries to like, their goal is to decode every video format that's ever existed in the world. And like this bug was found in a video format that is only was used for like one LucasArts game in the 90s, right? And so it's like, why do you care? Well, the reason.

A (123:30)

But does it affect every user of FFmpeg?

D (123:32)

It does. This is the problem that Google points out, which is by default when you compile FFmpeg, this codec is included and FFMPEG has a bunch of modes in which it will automatically detect. So there are.

A (123:44)

So you put on a browser page a phony file from an old LucasArts game that gets downloaded and the FFMPEG jumps in, says I'll take care of that and you're owned, right?

D (123:56)

And so they're both right. I feel really bad For FMPEMPEG here because they're getting buried in these reports and they are not easy bugs to fix. My position here would be Google should not be reporting these bugs without patches of tests. Right. Like, if AI can do these incredibly beautiful reports, it can also come up with, here is a proposed patch. Right? Here is a. Here is a proposed patch. And if Big Sleep's not ready for that, then they should not be doing the reports at this point. Or Google can have their human engineers go write this up. Because Google does have the best paid security. You bet researchers in the world.

A (124:34)

Project is amazing.

D (124:36)

And this has been a bit of a problem with Google. Project Zero is. I know some of these people. They're great. They're also kind of arrogant. Kind of is doing a lot of work here. They're extremely arrogant and they embody a bit of what you see with security researchers, which is like lording over them of like, I found problems in your code, it is now your responsibility to fix it. And like crushing them under the brilliance of. And then doing that with your AI system now is like, it's very arrogant and it is punching down.

A (125:15)

Right.

D (125:16)

And I, I do think it is on Google here to do everything they can. If not paying these guys directly, at least every one of these reports should also have a diff attached of like, hey, our AI did its best to.

A (125:28)

Create, make it as easy as possible.

D (125:30)

Yeah.

C (125:30)

Yes.

A (125:31)

Yeah. We quote Tavis Ormandy all the time because he's discovered so many. We talk about him on security now all the time is so many, you know, heartbleed and other very serious issues.

C (125:43)

Right.

A (125:45)

I want to give credit to Manuel Laos, who did patch the Lucas Smush algorithm. That's only used in one case, the first 10 to 20 frames of Rebel Assault 2 from 1995. He fixed it. Thank you, Manuel Laos. But, you know, you're counting on some.

D (126:07)

Guy and there's like, if you look in their tracker, let's see how many more open for just FFmpeg. There's like a half dozen more open bugs in FFmpeg.

A (126:18)

And FFmpeg says arguably the most brilliant engineer at FFMPEG left because of this. He had reverse engineered dozens of codecs by hand as a volunteer. It was hugely demotivating and to the fun and enjoyment of reverse engineering. Yeah, this is tough. I have sympathy on both sides. The problem really is open source code like this that's written by hobbyists for the enjoyment of it is everywhere.

D (126:49)

Yes. It's the volume of what AI can do. Right. Is it can massively outstrip the capability of the maintainers to fix stuff. But the flip side is the bad guys are now gaining these capabilities too. So Google is trying to front Google and OpenAI and anthropic is probably going to be doing the same thing. They're going to try to front run the bad guys, which is a totally reasonable thing. Right? Because you want the stuff fixed before the bad guys have the same bug.

A (127:19)

Right. And it's amazing what AI can do. Financial Times story says that AI is generating a surge in expense account fraud because it can create such believable receipts.

B (127:37)

I got so mad about this story. Why I got so mad.

A (127:41)

What happened? Julia? First, I mean.

B (127:44)

Sorry.

A (127:44)

Jill. Jill.

B (127:45)

Jill E. Duffy.

A (127:47)

Jilly. What happened?

B (127:49)

It is not hard to fake a receipt ever. It is not hard. You go to Staples, you buy a pack of receipts, you can fill them out yourself. It has never been hard. What's frustrating is corporations require so much bull in very minimal expense report accounting that is not actually required by the I. So I used to work for this company that they were a fine organization, but they outsourced their expense account management to another company. And so they didn't really know what it was all about, but they said, everything needs a receipt. Everything needs a receipt. And I left hotel tips. And I was like, well, I have a receipt for the hotel tips, but I'm just going to write them in. We might get audited for that. I said, honey, it's less than $95. You like, it's in the IRS code that you will not get audited for that. And if you're not going to reimburse your employees, when they say in hotels, that starts to look bad on you. When you have 200 employees in a hotel for a couple, you can use.

A (128:50)

ChatGPT to create your tip receipts.

B (128:54)

The problem is not employees faking receipts. The problem is that companies are so. They have such a bug up their ass about this for no reason whatsoever. There is no fraud going on for a $28 meal. You know what I'm saying? Like, this is the dumbest place to spend any of your time and energy is approving somebody's $8 cab ride to get three blocks quickly.

A (129:23)

Like, I suspect that everyone on this panel shares your annoyance. I worked for Ziff Davis. I remember a very famous story that was was told to me by a Ziff Davis executive. He said, leo, you gotta hide the boots. Said what? He said, while back, we had an account executive who was wining and dining, you know, advertisers and of course he'd write off the wining and dining. But at one point he bought a $400 pair of Tony Llama boots and, and tried to write it off on his expense report and of course got denied because you can't expense the boots that you bought. And he said all he had to do was hide the boots. Just put it, put it to the dinner. It was a bottle of wine. He said, leo, when you do your T and E, hide the boots.

B (130:17)

But the thing is, the majority of employees, they are honest people.

D (130:21)

I know.

B (130:22)

Who takes a receipt anymore. We forget people are not creating, creating false expenses.

A (130:27)

Do you want to get paid back for my expenses, please?

B (130:30)

Yes, yes. It's a matter of. You're making it difficult. Just give me a per diem, right? Like just let me collect a per diem. It's such a minuscule amount of money for large companies. It does not matter. And it's just such a stupid thing to point the finger at employees and say, oh, you're making up this, this expense report. Like probably the person did spend the money, they just want to be reimbursed for it.

A (130:57)

I suspect there's going to be even more link baity articles like this. This was the Financial Times not known for link bait. But if you think about it, this is, this is what you're going to see is a lot of articles about, oh, look what AI can do now. Which is too bad because there is some legitimate complaining about Aisora, for instance, which is not this extraordinarily popular OpenAI video generator. And now they have a Sora app that's often number one on the App Store. IPhone App Store. I decided instead of trying to fight it, I just took my generated Persona. They call it a cameo cameo. By the way, the company's not happy about that. They're suing them. They call it a cameo. I did one of my cat the other day. You can now do pets and you could do objects. And I just made it public. I said, anybody can do it. Because that way I, I mean, it's like, well, it was made up, it was AI. It's just, you know, I, everything is going to be AI. But there are people complaining that apparently there, there are influencers, racist influencers who are using Sora to generate videos of poor people using, you know, flouting their use of SNAP food stamps as a way of saying, see, we don't want to give these people benefits. And, and so there is a legitimate misuse of AI I agree with you. Forged receipts from a company that really should be paying you back for those anyway. It's kind of.

C (132:27)

Yeah.

B (132:27)

Like, are we going to use AI to start looking where wage theft is happening? Because I feel like that's a much more important concern for employees who are getting shafted.

A (132:36)

I agree. I did mention Proton is now going into competition with Troy Hunt, whose very famous have I been pwned? Website is fabulous. And I think this is fine. Proton's calling it the Data Breach Observatory. And they say, unlike have I been pwned, they don't wait until a breach is reported. They actually search the dark web. Alex, do you think this is legit? Is this a good idea?

D (132:59)

I mean, I have to look. Troy does a lot of work to try to keep his consolidation from being abused by people. So it's like not easy, right? It's not easy. All that data in one place and then let people query it without then that. So they're used.

A (133:13)

A little conservative in that. As in that regard. Yes.

D (133:17)

Yeah. Yeah. Haven't been. Poems. Pretty conservative. So much more conservative. I mean, there are services in which you can just buy that data, which is good. I mean, that's. You buy that data and then that data is then used by companies to go reset, mass reset passwords, you know, give people notifications and such.

A (133:34)

So it's. And that would not be in the have I been pwned? Database.

D (133:40)

Necessarily a big overlap, right?

A (133:42)

Yeah, yeah. But not all of it is. So companies that are concerned about password breaches might go to a third party service other than have I been pwned?

D (133:51)

Yeah. I mean there are. This is what you pay intelligence firms for.

C (133:55)

Right.

D (133:55)

There are a bunch of intelligence firms that go into the black dark web and then they have a bunch of competing numbers of I'm the best, I'm the best. And they'll give you advertisements of who.

A (134:04)

Yes, we have advertisers that do that. Yes, yes, of course.

D (134:08)

Right.

A (134:08)

And they are the best. By that I just want to point out they really are the best. If we. If.

C (134:13)

Yes, I was interested. Oh, go ahead.

D (134:16)

Oh, go ahead, C.B. sure.

C (134:17)

No, I was. I'm interested in the verification side of it because they're pulling it from the dark web and they're saying that they're going to use a firm to verify that it is actually legit because sometimes.

A (134:28)

You see hackers put it, they're working with Constella Intelligence.

C (134:32)

Yeah.

A (134:33)

To verify it.

D (134:37)

So I mean, if you're a company buying this, you test against your own stuff. Right. So like when I was At Facebook, we would buy stuff ourselves and we also had our own intelligence team go. And then we'd run username password pairs and we'd find, like, for any reasonably sized breach, about 5% of username password pairs would match up with the username passwords people would use on Facebook. And so if there's a match, what we do is lock the account. So nobody could lock. You could not log in to a new device. Yeah. So we could basically, you could the cookies that you had. So if you had a browser that was already allowed on Facebook, the other mobile device was already allowed. Fine. And then you would get notifications, please change it.

A (135:17)

That's cool.

D (135:18)

Right? But a new one couldn't. Right. So somebody all of a sudden couldn't come from Romania and add a new browser to say, I'm Leo laporte, with a password that was known to be. And it's a controversial thing, right, because either you're paying directly or you're effectively for a number of those intelligence companies are paying money for those. The only way they can get that stuff is to pay.

C (135:39)

They're making a market.

D (135:41)

They're pretty a market. Now, the upside of it is they're also destroying trust in that market. Right. Because then on this black market, the person they're selling to might be an intelligence vendor, that the moment they sell it to that person, that goes out to Google and Facebook and a couple other companies and then the value of the thing they sold goes to the floor. Right, right. And so if you can create dishonor among thieves, if you make people not trust the market, then it makes a much less liquid market and then it reduces the economics. So it is a very sketchy, ethically difficult area for this specific one. Like in any case, where you're not selling it to big, trustworthy, trustworthy, but like companies that aren't going to go just use that for their own purposes, then you have to be extremely careful. And you know, Troy has been really careful and, you know, verifying that people are who they say they are, they have access to that account and stuff. And so I don't know if that's going to be true.

A (136:39)

I have huge respect for Troy and I use. He has an, I think, lesser known feature on haveibeenpwned.com where you can enter a password and see if it's shown up in the breach. And I think people might go, I'm not giving him my password. But it's actually quite cleverly done so that no information is exfiltrated. They hash it and then look for hash matches. Yeah, I think that's really cool. I think what Troy does is really important and very cool. So.

D (137:05)

Yeah, I mean, I would stick with have I been pwned. Unless these guys show that they have a significant. I mean his data set is pretty, pretty impressive. So I don't see any reason to switch.

A (137:16)

Yeah. If you used a Yubikey or a hardware key on X, X wants you to know they are abandoning the twitter.com domain and your key won't work anymore. So make sure you re enroll your hardware keys. Yeah, they'll let you know.

C (137:36)

Are they really abandoning it? Like they'll let it actually expire or.

A (137:39)

Are they just oh, I'd like to buy it.

C (137:40)

They're not going to have the infrastructure. I'm just curious.

A (137:42)

I should.

D (137:43)

Hard as the abandonment go, I can't imagine they're not gonna pay the 12.99.

A (137:47)

They're gonna keep the domain. They're gonna keep the domain. They're just not gonna say.

D (137:52)

I wouldn't even question it.

C (137:53)

But.

A (137:56)

Interesting choices. Elon might need that $12. He might. You never know.

D (138:01)

Yeah, they don't have a choice here. Right. Like a Fido token. The token itself, it's tied to the.

A (138:06)

Domain name, the URL.

D (138:07)

Yeah. It has a cryptographic relationship with. With twitter.com like with, you know, auth.twitter.com or whatever. And so they can't swap that over to X.

A (138:17)

So yeah, they'll let you know. If you have done that. They will let you know. But you should know that this is a possibility. I immediately went in and it turned out I have also. Maybe this is a bad idea. But also authenticator TOTP that I can use. So that wouldn't have gotten locked out. It just. My Yubikey wouldn't work anymore.

D (138:35)

Yeah, that's fine. I mean that's the only time that that's worse is if you're being attacked in the active man in the middle. Right. So as long as you're careful about making sure you're actually on X.com and such.

A (138:45)

Oh yeah. I did go once to T V-V-I-T T E R.com in that case, I.

D (138:52)

Would not use your POC. That's a great example. That's why the Fido token is locked to the domain. Right. Because in that case you might not notice the vv. You might not notice a Unicode attack where it looks like Twitter but it's actually a character. Character set or something. Right.

A (139:12)

Yeah. But this Fido cannot be spoofed.

D (139:15)

The FIDO can't be spoofed. It understands Unicode. It understands the bitwise UTF8. It cannot be spoofed.

A (139:21)

Actually, one of the values of using a password manager. Right. The autofill doesn't get spoofed either. Right.

D (139:27)

Yeah. There are some trickiness there in that you have to be careful. Like the autofill stuff can be tricked.

A (139:36)

In way because it's JavaScript. It's a little bit.

D (139:39)

Right. If you have a JavaScript injection. If there's an injection vulnerability. The other problem there is in situations where there are subdomains that are under the control of attackers. Right. And so some of them are way too aggressive about filling in.

A (139:52)

Oh, yeah, you went to hacker.twitter.com and I'm going to fill that one in too. Yeah, that makes sense.

D (139:59)

Yeah. And so what the good password managers do is they try to have a list of. These are domains that, you know, have subdomains that you can't trust.

A (140:09)

This stuff is.

D (140:10)

Or they'll log or. Yeah, or they'll lock it to auth dot. Whatever. Yeah.

A (140:14)

These bad guys, they suck.

D (140:17)

Right. This is why Fido is good.

A (140:18)

Fido does use a hardware key. It's a good idea. Let's take a little break. Final segment coming up in just a bit with a wonderful panel, which I would like to spend many, many more hours with. But the sun has come up in Laos and so Jill has got to go run some errands and make some ice cream.

B (140:37)

And I think my brain's finally awake fully now.

A (140:41)

It's so nice to have you. Jill Duffy writes for PC Magazine and Wired. But don't worry, she's not going to defraud you with her phony receipts for the tips that she gives the busboy. That's not going to happen. She's an honest, honest. Do you want us to put the E in there? I forgot. We usually do put the E in your name.

B (141:00)

We could put it in there. Yeah. Online. I'm Jill E. Duffy.

A (141:04)

Yeah, Everywhere. We'll put that in. Yeah, that way people can find you. Alex Stamos is here. He's the one, the only. He's here. CSO for corridor.dev.

D (141:15)

There'S an unfortunate high school kid in Chicago who.

A (141:20)

Does he get hacked a lot? People go after him. Oh, that's terrible. Do not ever. You never want the name of a. Of a famous security researcher because that's. You're gonna just be in trouble.

D (141:31)

Sorry, kid.

A (141:32)

Sorry, kid. By the way, I was gonna use hide the boots as the show title, you cannot fool AI anymore. You know, you told that Hide the boots anecdote in 2009 and was used. It was used then. Thank you. I think there should be a. I mean, there's a statutory limit, right? I mean, after 2009, after 16 years, I should be able to tell the same anecdote one more time. What do you think, Stacy? I think it's okay.

C (142:04)

I would even give you one or two years.

A (142:06)

Yeah, 16 years. Come on, man. But no. AI knows all AI or our engineer, Patrick Delahanty. Maybe it was Patrick doing Stacey Eagenbotham's also here. Here from Consumer Reports. Glad to have all three of you and glad to have our club members who. Who are so great and fund a lot of what we do here. About 25% of our operating expenses come from Club Twit. If you're not a member, lots of benefits, including Stacy's book club. We've decided on a book. Stacy says it's a depressing book, but it's going to be fun, isn't it, Stacy?

C (142:44)

So fun. If you want to extrapolate out, it's kind of like what. I mean, okay, this is way too much credit, but like, you know how Neuromancer predicted the future? Yeah, this kind of predicts the future. It's just a suitable future.

A (142:56)

Well, what the heck. Well, these things happen anyway.

C (143:01)

Not like the times we're living in are.

A (143:02)

So have we set a date for Stacy's book club? I think we're doing it next month, but I don't know if we set a date yet. I don't have a date. Okay, so we will set a date, but that's one. We do a lot of things in the club because we want to make it fun. We want you to be a member and be glad you're a member. 10 bucks a month. By the way, this is a good time to join because we have a coupon at TWiT TV Club TWiT for 10% off the annual plan. Best price. That's a good way to do it. Also good for gifting to the geek in your life. There are family plans and corporate plans as well. Well, and as I said, we. We make it fun. You get ad free versions of all the shows. You get lots of stuff going on in the club. Twit Discord, our AI user group is Friday. That's going to be fascinating. We're going to work on show how you can make your own mcp. I think Darren has said he would help us with that. That's great. Snow Crash, not Neuromancer. Neuromancer talks about the future too. Both of them do. Both of them count.

C (144:01)

Yeah, but Snow Crash is like the.

A (144:03)

Quintessential is where the word metaverse came from, right?

C (144:06)

Yes.

A (144:08)

But on the other hand, Cyberverse came from Neuromancer, so both of them are important. Anyway, join the club. I don't know. I'm easily distracted. I'm a little ADD twit. TV club. Twit. We thank you all so much for your support. Our show today brought to you by Melissa, the trusted data quality expert. They've been doing it longer than we have since 1980. 1985. Of course, it started with address validation. Address validation today, still 40 years later is Melissa's bread and butter. But they do so much more. They're really data scientists. But let's talk about address verification for a minute. Melissa's address verification services are available to businesses of all sizes. They're very affordable. And Melissa's address validation app for as an example for Shopify is vital for e commerce merchants, especially if you want to do international business. International companies like Siemens ag, they manage a diverse group of customers and clients all over the world. They have to have country specific address formats for many, many countries. They've got to make sure the data they hold is correct. If not, they can face significant costs and delays to supply and production chains. It could be a nightmare. Well, since they started using Melissa, Siemens AG has reliably processed more than half a billion queries for 174 countries. That's close to all of them using Melissa's dedicated web service. Ask the global IT headmaster of Data management at Siemens. He says thanks to these very stable solutions, we've achieved an automation rate of over 90%. Melissa reacts very quickly to our requests and offers us the right solutions to questions that come up and they consistently meet our service level agreements. They're happy you will be too. Data quality. It's not just Siemens. It's essential in any industry. Melissa's expertise, as I said, their data scientist. It goes far beyond address verification. Many banks all over the world have know your customer regulations. Similar regulations. Metabank, like any bank, absolutely must know the exact identities of all its customers. These are federal regulations. However, it's problematic, especially if a bank's customers include not only its own retail clients, but also hundreds of organizations with their own customers. And that's what Metabank faces an exponentially greater challenge. Senior VP of Data Systems and Business Intelligence at Meta Payment Systems says quote, I believe Melissa is helped us improve not only data quality, but also our downstream experience for end users. We're now able to identify everything from fraud to missing data and allow our individual customers to swipe their cards with confidence. And importantly, as every data engineer knows, having clean data translates to the bottom line. Melissa saves you money. And of course, your data is always safe with Melissa. They're compliant. Compliant, it's secure. Melissa solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC2 and HIPAA high trust standards for information security and management. You know your data is secure with Melissa, they they go the extra mile. Get started today. 1000 records clean for free melissa.com TWIT that's melissa.com TWIT we thank them so much for supporting TWIT. They've been with us for a long, long time. We're really glad, glad to have them. Bunch of this was actually a topic of conversation in our community. A bunch of tech tutorials were removed from YouTube. YouTube. I don't know if this is the right denial. They say AI didn't do it. Well, okay. Educational videos that YouTube had allowed for years are suddenly being flagged as dangerous, are harmful. No way to trigger human review to overturn them. Creators were pretty sure AI was running the show Friday. A YouTube spokesperson said, We've reinstated those. It wasn't AI and we're making sure that doesn't happen again. Sorry, what do they have a renegade content guy? I don't know. Some of them were, you know, people were thought, well, you know how to install Windows 11 without having to use a Microsoft account? Maybe Microsoft thought that was piracy. It's not, it's not harmful. Anyway, YouTube says, sorry, it won't happen again.

D (148:49)

Again.

A (148:51)

Now here is what something might not happen again. Maybe you saw the YouTube video by Trevor McNally. He is a lock pick former Marine staff sergeant. Seven million followers. You probably watched his videos. Two billion views. A Florida lock company called Proven Industries in March posted a promo video on their social media accounts saying, you guys keep saying you can easily break off our latch pin lock. No you can't. So McNally made a video. Apparently they didn't like it because he was drinking a Juicy Juice, swinging his feet, hops down from his seat, goes over to a Proven lock on a trailer hitch and uses a shim from a can of Liquid Deaths that he cut and opens the lock. So Proven Locks didn't like that so much. They, they, they tried to shut McNally down. They tried to get him taken down with DMCA takedowns on YouTube. He, he didn't bow to the pressure. In fact, he made several more, in fact, because Proven said, oh, he's doing a very. It's very tricky. You gotta cut this shim carefully. He said, he actually did it on camera. He finished the can, cut the shim, opened the lock in seconds. Proven sued him. Okay, there's this thing called the Streisand effect you might wanna know about. Proven. They charged him with copyright infringement, defamation, false advertising, violating the Florida deceptive and unfair Trade Practices act and, and tortuous interference with business relationships, civil conspiracy, trade libel and unjust enrichment. But they really didn't like was he was drinking the juke juice box, swinging his legs. It's actually in the court papers. McNally appears swinging his legs and sipping from an apple juice box, conveying to the purchasing public that bypassing plaintiffs luck is simple, trivial, and even copyright comical. How dare he? Of course, as you know, McNally had, as I just mentioned, quite a few fans who immediately started commenting on Proven's posts and product videos, mocking Proven. They doxxed the Proven executive, which no one should do, but I think the whole thing is going to go away. The judge said, did the plaintiff bring a lock and a beer can? She wanted the plaintiff to actually show that it couldn't be done. There was going to be no live shimming in the, in the courtroom. The judge, the judge, after several hours, the judge said, I'm declining to grant the injunction. And the purpose and character of the use to which Mr. McNally put the alleged infringed work is transformative. It's a critique. It's his own way of challenging it. He went to court and he, he got his fair use Proven, which I tell you is something I'm not prepared to do, so don't come after me. Anyway, the company dismissed the lawsuit they, they put when it ran as fast as they could in the other direction with their tail between their legs. So 110 million people watched the. The lock pick death of the Proven locks and Proven was not able to shut them down. I love those stories because most of the time, as I think Mike Masdick on Tech Dirt has said, fair use is just the right. Right to hire a lawyer. And most people say, including us, we're just going to back down when you do that. That's why we don't show videos anymore.

B (152:59)

My favorite line in the article was the judge stepped in and declined the injunction and said for her to do so, Proven would have to show that.

C (153:08)

It was likely to win at trial. Among other things.

B (153:11)

It had not.

A (153:14)

Yeah, they gave up. They gave up. Oh well, it's a happy ending now. How do you feel about Samsung's $2,000 fridge showing you ads on that big screen in the front?

C (153:28)

Yeah, I'm against it. And you know what, it's part of that whole software tethering we yelled about like back in the day. It is this concept that you don't actually, if you're going to have a cloud connection, you don't actually own your product.

A (153:41)

That's right. Yet my friend has a Samsung fridge and the browser is so out of date it doesn't work anymore. So maybe they'll use the money from the ads to pay to update the browser next week.

C (153:55)

We actually, I am finally, finally producing the longevity by design recommendations for connected device manufacturing.

A (154:05)

It's appalling, just appalling. WhatsApp can now use pass keys to secure your backups. That's good news, right? We like passkeys. Alex, do we like passkeys?

D (154:19)

We do, yeah. Just checking. So I mean this has always been a real challenge with end to end encrypted messengers is that the expectation of people is that if you restore your phone, if you lose your phone, you restore it, that your chats are there. But if you're to do that, if you're not Apple and you don't own the whole stack and you have this really kind of complicated way of providing end of encryption, it turns out to be really hard. And in fact icloud backup has some really not so great security properties itself. And so WhatsApp first provided the ability to back up your chats and when they first did that, the backup itself was not encrypted. So all the work you did they did around and the encryption which shipped while I was at Facebook was negated by turning on backup. So they then created the ability to encrypt backup, but you had to remember the passphrase. And so now this does allow you to. It basically kicks the problem to pass key sync. But for, for example, if you're doing it with an Apple device, Apple has a secure way of syncing pass keys between devices.

A (155:28)

That is, that's relatively new. Right. The original, original Fido spec did. Had no way to do that.

D (155:33)

No, no passkeys. There's different kinds of passkeys. And so this is where it starts to get a little bit complicated and now things are starting to get a little confusing for consumers. There are passkeys that are hardware only. So let me. I can grab an example here. But basically, yes, if you're a. Yeah, so here's like a yubikey. Different kinds of Fido tokens. Fido 2 tokens have identifiers. And so if you're an admin of like a Microsoft Entra or Okta, for example, if you have like an advanced enterprise authentication environment, you can actually tell the difference between different kinds of passkeys. And you can say, I only allow hardware passkeys versus ones that can be synced. And so from a Google, Gmail or Facebook perspective, they're all the same. From an enterprise perspective, you can actually differentiate.

A (156:25)

Ah, interesting.

D (156:26)

Yes. Fido 2 does have the ability to have these syncable passkeys. They're supposed to still be biometrically tied to people and they're supposed to still be stored in a way that is encrypted, hardware secured. And then if they're synced, there are rules around syncing them, that they shouldn't just be stored in an insecure manner, but like, for example, the ones that are stored in one password and such. You can come up with these scenarios in which they can be compromise people often does reduce the security in some ways.

A (156:55)

Assume that these encrypted messengers, the backups, are also encrypted. They are not necessarily as spook and sugar and peso and scary Terry learned icloud backups, not necessarily encrypted. Those are the mafia guys who got busted in that gambling scandal. How did they find out? They got into the feds, got into the icloud backups.

D (157:28)

That's right. Unless you're running Apple's advanced advanced security. So you can opt into advanced security. Icloud backups are not necessarily equipped.

C (157:37)

Sorry.

A (157:37)

Quack quack.

D (157:38)

Yeah.

A (157:40)

You're going to jail. I don't know if they're going to jail. I shouldn't say that. It's allegedly. Allegedly that we're involved in the Pokemon poker scam.

D (157:49)

Allegedly.

A (157:50)

Alleged.

D (157:50)

Which is a incredible story and one of the biggest scandals in NBA history, certainly since like the Tim Donaghy. Yeah.

A (157:58)

Although I think some have pointed out that it's a little overstated that the FBI was really hyping up this NBA angle, But it was really mafia guys. They were using the NBA people to like, as shills to attract, like, for advertising.

D (158:13)

I'm sorry. Yeah. The real NBA scandal is the other one, the betting scandal, where people have been. There's also like, simultaneously, there's been a betting scandal involving like a friend of LeBron James, who is leaking in two friends who are betting on whether LeBron was injured on the injured list and stuff. So there's.

A (158:33)

Oh, I missed that one.

D (158:34)

Yeah, yeah. So there's another whole NBA betting scandal based upon all the, all the prop bets.

C (158:40)

Right?

D (158:41)

Because you bet on these.

A (158:42)

This is just gonna, this is just the beginning of that. I mean, you see now legalized gambling.

C (158:47)

Is just a really awesome thing, especially.

A (158:50)

With prop bets, because every second there's another bet. And I mean, this is a nightmare. And if I feel, I feel terrible for anybody who has a gambling problem because it's, it's now in your pocket, there's no way to avoid it. And you watch an NFL game, it's non stop the advertising for it.

D (159:09)

Well, I don't know if you just saw. Just a couple days ago, Brian Armstrong, the CEO of Coinbase blew away a bunch of this because there was side betting on the prediction markets of whether certain words. He would say certain words on his results call on the Coinbase earnings call and somebody in his team had told him about this.

A (159:28)

So he said all the words.

D (159:30)

He just read through the list of words at the end of the call.

A (159:34)

Prediction markets are the sneaky way to get these prop bets into real life. Unbelievable. Good for him. I guess. I mean, there's some unhappy people probably, right?

D (159:47)

But it's also like, it's, it's kind of like you should, you cannot, you should not allow betting on things. Like does a person say a word on a call?

A (159:55)

But.

D (159:56)

Right, right. At least like an NBA game is. There's a ton of people who have, you know, personal money writing on it like the players want to win. You know, like there's. But saying a word or not. He doesn't care. Right. Like there's just no, there's no externalities involved.

A (160:17)

Crazy. Yeah, but it's like bitcoin. There's no externalities. It's there either. You still a Kings fan?

D (160:22)

I am still a Kings fan. It's a little rough.

A (160:26)

Sorry about that.

D (160:27)

I'm a Kings fan and Cal fan. I'm wearing my Cal colors. You had another story about like, I couldn't watch the game yesterday because I had no ESPN on my YouTube TV.

A (160:35)

I. That's still going on and it's going to be an issue because tomorrow it's Monday Night Football, which is on ABC ESPN. So people with YouTube TV are not going to be able to watch Monday Night Football. I pay for the NFL Sunday ticket and what are they going to. What is YouTube going to do? They're going to make a deal eventually.

D (160:57)

Eventually. Yeah.

A (160:58)

Disney. Part of the problem is, and this is kind of new, you've seen these carriage battles go on in the past. But what's different now is Disney, ESPN, they have their own streaming. They have FUBU, they have Hulu, they have ESPN streaming. They have an incentive not to let YouTube rebroadcast.

D (161:20)

Yeah.

C (161:21)

And they don't have to abide by any FCC public license. Oh, yeah, they're not working over the public. So there's no, I mean, there's no regulator in the picture here.

A (161:31)

So it was a disaster on Saturday.

C (161:33)

Straight up.

A (161:33)

Capitalism, just. This is capitalism at work. Yeah. No Kings broadcasts, huh?

D (161:43)

No, I mean, Kings are on. It's tnt, so it's okay. But. Yes.

A (161:46)

Oh, okay.

D (161:47)

The Cal game was. It was espn, so that was a little rough. I didn't get to watch. I had to listen on AM radio like it was the 50s.

A (161:55)

There's been all these articles how you can watch these games if you have YouTube TV. And in most cases they're really, you know. Yeah, listen to the AM radio.

D (162:05)

They should do the voices, right? Should be like, ah, he's got the ball at the 10 yard.

A (162:09)

It's like, it's like Ronald Reagan going, it's a hit. It's going up. That, by the way, when Dutch Reagan, before he was the president, before he was the governor, before he was an actor, used to do baseball play by play, would do reenactments on the radio where he would hit with a stick to make the sound of a ball. He would be reading it off the wire. What happened in the game, doing the play by play.

D (162:36)

You know, I feel really old these days because I work with all these gen zers, but I feel better now. Coming on quit.

A (162:41)

That's really old, isn't it?

D (162:43)

You make me feel young.

A (162:44)

That's really old. I have. I got a million of them. From that to Alex Stamos, ladies and gentlemen. Check out Carter dot dev. He's a CSO there. He's one of the good guys. And thank goodness, thank goodness you're there. Just keep up the. I know it's hard. Keep up the good work. We didn't even get to the story about how someone snuck into the Microsoft Teams call with celebrite404 Media had this story and leaked the phone unlocking details that Celebrate was talking about was pitching. Almost all Google Pixel phones except for the most recent are hackable by Celebrate. So I guess I'm going to put graphene OS on my Pixel 9 is graphene safe, Alex?

D (163:37)

It sounds like it from this.

A (163:38)

It doesn't. It's not celebratable.

D (163:40)

It's not celebratable. So that's good. Yeah. I mean, I think that is one of the big upsides of the Android ecosystem is the ability to change out your os.

A (163:50)

Yeah. Well, not on all Android phones and.

D (163:53)

I think on the pixels. Right. The pixels are all unlockable.

A (163:56)

Yeah. You can root them. I'm going to put graphene on it tonight. Thank you, Alex. Great to have you. Stacey Higginbotham. We will make a date soon for the book club. I loved our last book, memory called Empire. In fact, I'm reading the second volume of that. I can't wait to find out what's going to happen in London. What's. You're reading it now. What's the name of the book?

C (164:18)

Oh, why do you. The Hollow Heist of London.

A (164:21)

The Hollow Heist of London?

C (164:23)

Yeah. No, the Heist of Hollow London by Eddie Robson.

A (164:27)

That's going to be our book for the book club next month. So get going. Read it. Look for Stacy's work at Consumer Reports, where she's a policy fellow. I can't wait to see the stuff you. It sounds like you're working on some big stuff right now. It's great.

C (164:42)

It's all big stuff. It's all important.

A (164:44)

It's all important. No, you're doing again, you're doing the work of the angels. Thank you, Stacy. And Jill E. Duffy is an angel contributor at PC Magazine and Wired. She got up very, very early to join us. I appreciate that. Thank you so much. It's great to see you again. It's been too long.

C (165:02)

Thank you.

A (165:03)

Anything else you want to plug, you.

B (165:06)

Can find me online anywhere at. Jill E. Duffy.

A (165:10)

What do you prefer?

B (165:11)

I've been using a Mastodon. I like to use. I gave up Twitter. I don't really use Blueski, but I have an account there.

A (165:19)

I like it. Blueski. That's good. I'm calling it Blueski from now on. I like it. It's the Polish Twitter, Blueski. Yeah.

B (165:29)

Somewhere in that region.

A (165:31)

Instagram and Mast Mastodon I use. And which server are you on on Mastodon or does it matter?

B (165:38)

I'm on the big one. Mastodon Social, I think.

A (165:41)

Yeah. So if I go to R. Masten on Twitt Social and I enter Jill E. Duffy, it should be able to find you. I think it.

B (165:48)

Yeah, I think it works.

A (165:50)

Thank you, Jill. Appreciate it.

B (165:52)

Thanks for having me.

A (165:53)

Yeah, thanks to all of you. For joining us. We do TWIT on Sunday afternoon. Yes. And we did go to standard time. So yes, we started an hour late. I hope you didn't get here an hour early. We are at 2 to 5pm Pacific. That's 5 to 8pm Eastern Standard Time. That's 2200 UTC. Because we moved. But UTC didn't. 2200 UTC. You can watch us live on YouTube, Twitch, tick tock. No, we took down TikTok. It's too complicated. YouTube, Twitch, Facebook, LinkedIn, X.com and Kik.com plus of course you're in the club. You can watch on the Discord. You don't have to watch us live. That's just if you want the freshest version, we'll take out all the swear words and we'll put it up on the Internet on our website, Twit TV. There's a YouTube channel dedicated to the video. There's audio and video available for subscription too in your favorite podcast client. That's probably the best way to get it. Leave us a review. Let the world know when you've been doing a show for 20 years. In podcasting, that means people, you know, like they're still around. So make sure you put a review up. So people go, yeah, they are still around. And you know what? I bet you're pretty glad you listen to this show. Lots of good stuff. Thank you for being here. We will see you next time. And as I've said for 20 years, and I hope I'll stay for another 20 years. Thanks for joining us. Another twit is in the can. This is amazing. Doing the twin all right.

D (167:23)

Doing the twin, baby.

A (167:25)

Doing the twin all right. This episode brought to you by Coda AI tools are everywhere, but many of them create more work, taking up even more of your time. Most of them don't really give you what you need. Superhuman is the AI productivity suite that gives you superpowers everywhere you work. With the intelligence of Grammarly, mail and coda built in, you can get things done faster and collaborate seamlessly. Finally, AI. AI that works where you work, however you work. Superhuman gets what you really need. AI that gets you from day one. No learning curve, just simple and easy to use. Superhuman ensures you stand out. No need to repeat what you need, sharing the same context over and over again. It works alongside you, automatically understanding where you're at and proactively offering suggestions. Superhuman cohesively helps you deliver quality work. Superhuman has specialized agents for writing, meeting, presentations and more agents that work together with collaboration in mind. It proactively helps you with every aspect of your workflow and task list. Get AI that works where you work. Unlock your superhuman potential. Learn more@superhuman.com podcast that's superhuman.com podcast Morning, Zoe.

D (168:27)

Got donuts.

B (168:28)

Jeff Bridges why are you still living above our garage?

A (168:31)

Well, I dig the mattress and I want to be in a T Mobile commercial like you. Teach me, Saldana.

D (168:37)

Oh, oh no.

B (168:39)

I'm not really prepared. I couldn't possibly at t mobile get the new iPhone 17 Pro on them. It's designed to be the most powerful iPhone yet and has the ultimate pro camera system.

A (168:49)

Wow, impressive. Let me try.

D (168:51)

T Mobile is the best place to.

A (168:53)

Get iPhone 17 Pro because they've got the best network.

C (168:57)

Nice. Jeffrey, you heard them.

A (168:59)

T Mobile is the best place to get the new iPhone 17 Pro on us without eligible traded in any condition.

D (169:06)

So what are we having for lunch?

B (169:07)

Dude, my work here is done.

A (169:09)

The 24 month bill credits on experience.

D (169:11)

Beyond for well qualified customers plus tax.

A (169:12)

And 35 device connection charge credits ended balance due if you pay off earlier. Cancel Finance agreement. IPhone 17 Pro 256 gigs 1099.99 and.

D (169:18)

New line minimum 100 plus a month.

A (169:20)

Plan with auto pay plus taxes and fees required.

D (169:21)

Best mobile network in the US based.

A (169:22)

On analysis by Oakland Speed Test Intelligence Data 1H 2025 Visit T mobile.com hey, Ryan Reynolds here from Mint Mobile. Now I don't know if you've heard but Mint's Premium Wireless is $15 a month.

D (169:32)

But I'd like to offer one other perk.

A (169:35)

We have no stores.

D (169:38)

That means no small talk.

A (169:40)

Crazy weather we're having.

C (169:42)

No it's not.

D (169:42)

It's just weather.

A (169:43)

It is an introvert's dream. Give it a try@minmobile.com Switch upfront payment.

C (169:49)

Of $45 per three month plan. $15 per month equivalent required. New customer offer first three months only.

B (169:53)

Then full price plan options available, taxes and fees extra.

D (169:55)

Seemindmobile.com.