Leo Laporte (4:33)

I know. December 11th.

Steve Gibson (4:35)

Yeah, on the 10th I think it is 10th.

Leo Laporte (4:37)

Yeah.

Steve Gibson (4:37)

But it's like what like what it's like like they took the wrong lesson from Mississippi and said yeah, let's do that nationwide. Anyway, we'll talk about that.

Leo Laporte (4:50)

Six million people. By the way, it's not the huge.

Steve Gibson (4:52)

Okay there are a lot of kangaroos. So yeah the EU parliament is moving to replace all US computer technology. And an interesting bit of feedback driven response about when to use passwords, passkeys or yubikeys. XDA recently posted Some surprise on some people's part saying that unpowered SSDs lose their data. Well we've known that for a long time. We've talked about a long time ago but it turns out it's not actually the unpoweredness of them apparently. We'll touch on that. We have a oh I wanted to respond to a listener's suggestion of a Joy of Coding podcast event that we should talk about. You and I touched on it and and so I wanted to to to come back circle back to that also bit Warden had a brief pass keys integration glitch. Also XSLT turns out to be a little sneakier than we thought. That's that technology that's been around since the dawn which is sunset and also and how it's not it like it comes up in places where you don't expect it. We now know exactly where last week's picture of the week was taken. One of our listeners provided the information so we will touch on that. We've got a long awaited in many quarters Return of Stargate in a new series that was just announced. And then we're going to touch on a very simple to check to see whether anyone's residential soho. You. Technically, you could do enterprise, but Enterprise probably has lots of public IPs. Whether an IP that you're checking in from has ever seen any bot activity. So I think. I think a fun podcast for this first beginning of December, there are 28.

Leo Laporte (6:55)

Million people in Australia. 35 million kangaroos, according to the Australian government.

Steve Gibson (7:01)

I was right. I thought I was kidding. Now, the ruse won't care too much about the loss of access to social media, but the 35 million people who now have to.

Leo Laporte (7:13)

Is it all of them or just people under. It's people under 16.

Steve Gibson (7:16)

But remember, you have to prove you are over 16, which means everybody. Yeah, that's the. That. That's the catch. I. It's insane.

Leo Laporte (7:28)

Yeah. Well, this is what happens is these legislators who don't really understand what they're talking about, make these laws that are not, in fact, enforceable.

Steve Gibson (7:39)

The only flip side is that we know how reluctant technology is to move forward. So were it not for. And an insanely pressing need. Well, we're gonna have another meeting and then we're gonna have some drinks and, you know, it's like the WC3, they had a. Their most recent meeting was a meeting about the meetings. We're gonna. We're gonna have a meeting about our future meetings. The shape of the meeting exactly what is what we would like to accomplish by the end of the 12th meeting? It's like, guys, get on with it. So I think that, that, like, having this actually be a very pregnant problem is probably a good thing.

Leo Laporte (8:26)

Yeah, it's. It's the shortest path to finding a solution, I guess.

Steve Gibson (8:30)

And it gives Stina more leverage because she's been on this for a while now. Yes.

Leo Laporte (8:34)

That's good of you.

Steve Gibson (8:35)

I wouldn't want to get in her way.

Leo Laporte (8:36)

Yep, we will have more. In fact, the picture of the week is just around the corner. You're watching Security now is Steve Gibson. Our show today, brought to you by. Delete me. If you've ever wondered how much of your personal information is out there on the Internet for anyone to see, anyone to buy, please do me a favor, do not search. But if you do, you'll see there's a whole lot of it. Your name, your contact info. Steve and I were shocked to learn our Social Security numbers were publicly available. Home addresses, salary information, even information about your family member. And the reason it's out There it's being compiled by a industry that is fully unregulated, at least in the United States, which is shocking, called data brokers. These are people who make it their business to buy and collect every bit of information they can about every single person in the country. And there's no one immune from this. And then they bundle it up, they make a dossier about you and they sell it to anybody, whether it's marketers, law enforcement, foreign governments, anyone on the web can buy your private details. And what does that lead to? Well, all sorts of nasty stuff. Identity theft, phishing attempts, doxxing harassment. We get phishing emails. In fact, that's what got us to use Delete Me, our sponsor is we were getting phished by people who knew a lot of information about our employees, about our management. That's why we decided to do what we're recommending you do, which is protect our privacy. With Delete Me. You know, I, I, I'm not so much worried about myself because I long ago realized that I unintentionally, as well as intentionally share every detail about myself in public. That's, you know, it's kind of my job. It has been for 50 years. I live in public. But if you don't, or if you don't or you want to control what it is that's out there, especially, I think businesses really need to consider this for their management, especially because these, this is, this information which makes it so easy to fish your employees to make credible. Phishing emails, text messages, slack messages that really look like they come from management and have all the details. And it's, it's because this information's out there. That's why we recommend and why we use for our management. Delete Me. It's a subscription service that's important. It's not a one shot deal. It removes your personal info from hundreds of data brokers and they know them all. That's, that's their job. They know where to go, how to do it. You sign up, you tell Delete me exactly what information you want deleted. Their experts will take it from there. But what's nice is, as I said, it's an ongoing process. So they will send you regular personalized privacy reports. We just got one for Lisa actually the other day showing what they found, where they found it and what they did about it, what they removed. That's important because even though they remove this from these data brokers, it's so lucrative. There are more data brokers all the time. Data brokers routinely shut down Change their names and start over again. And even if they didn't, they often just start rebuilding the portfolio. Oh, that's the same person. Oh, I didn't know. So you got to continually monitor and that's what Delete Me does. They're always working for you, monitoring and removing the personal information you don't want on the Internet. To make it simple, Delete Me does all the hard work of wiping you, your family. If you want personal information from data broker websites, take control of your data. Keep your private life private by signing up for DeleteMe. We've got a special discount for individuals right now, just because you're listening. 20% off your delete me plan. When you go to joindeleteme.com twit do use the promo code Twitter checkout. The only way to get 20% off is to go to JoinDeleteMe.com TWIT and enter the code TWIT at checkout. That's JoinDeleteMe.com Twitter codes TWIT. And it's really important that you say join Deleteme. There is a European company does something completely different that has deleteme.com don't go there. It's join deleteme. One word joindeleteme.com twit and you'll know you're in the right place when you get 20% off using the offer code twit. Thank you DeleteMe for the. That's the name of the company, right? So the work you do and you go to joindeleteme.com TWIT don't forget the promo code TWIT. That helps us out quite a bit. All right, picture of the week time, Mr. Gibson.

Steve Gibson (13:23)

Okay, so this is the return of desire paths, okay? We, we have a 12 frame cartoon that tells a story essentially. Now the, the, the crux of the problem, as is always the case with these desire paths, is that they, the path that whoever it is who, who paved the. The path originally laid down does not correspond with where people want to go. So it's like it's, it's a bad path, right? I mean, what's a path? Presumes that it takes you where you want to go. No? So here we've got a we, we. In the first frame, we see a nice green lawn and a path going up to the sidewalk in the upper left. The problem is nobody wants to go to the sidewalk on the upper left. They want to go to the street corner which we can see over on the upper right where there's a Bit of a crosswalk. So inevitably, what happens is that once as people are walking toward the end of the path that meets the sidewalk, they're looking more and more off to the right, which is like, well, I want to be going over there. Why am I going over in this way? And so if you think about it, Leo, when you're starting off on the path at the beginning, your. The where the path goes and where you want to go, they're pretty close together from your perspective. But as you walk along the path, the. Where you're wanting to go begins to diverge. It veers off to the right to. To. At some point, you're like, not quite at right angles, but it's like, wait a minute, I want to be over there. So there's nothing preventing somebody from just walking across the grass. And so they do. And inevitably, you end up with a worn, you know, dirt trail through what would otherwise be nice grass, because everybody wants to go to the corner for the crosswalk. So after that has established itself, those in charge of this park say, well, we can't have this.

Leo Laporte (15:42)

The authorities, yes.

Steve Gibson (15:45)

So this brings us to frame three, where a park bench has been stuck on the. On the place in the path where the foot traffic diverges to go where people actually want to go.

Leo Laporte (15:58)

That'll show them.

Steve Gibson (15:59)

That's right. And so we see the grass beginning to regrow a little bit in the wake of this. Of the establishment of this park bench. It doesn't last long. Fourth frame shows that people just said, oh, well, I'm gonna go off the path sooner. I'm going to go around the park bench and get to the. Where I actually want to go. The corner with the crosswalk.

Leo Laporte (16:23)

I'll show you.

Steve Gibson (16:24)

That's right. And so somebody comes back and look. And looks at this situation now and goes, well, we can't have that. So they stick a. A, a permanent trash can installation to the. To this side of the park bench where people have decided they're just going to take off early and to get over to the corner they want to go. So inevitably, people are blocked. Now, the trash can is far enough down path that people aren't getting anxious about heading to the corner by that point. But by the time they get past the trash can and the park bench, they're like, what? I'm going in the wrong direction. So sure enough, they start cutting across the grass after the park bench this time. And so that brings us halfway through this to the sixth frame where we've worn another dirt trail through this grass the authorities finally say, okay, look, we're gonna deal with this once and for all.

Leo Laporte (17:27)

A hedge.

Steve Gibson (17:28)

We're putting a hedge. We're gonna just hedge our bets here. So we've got a long linear hedge, which is meant to say you have no choice. You didn't like that? You do. You disobeyed the park bench, you disobeyed the trash can.

Leo Laporte (17:45)

You.

Steve Gibson (17:45)

You went around it. So now we have a hedge. Unfortunately, hedges are not bulletproof. I'm sure we've all seen people walking through hedges. So we have the next frame showing that the hedges become a bit damaged. And in the following frame, well, the hedge has just given up. It's basically been bisected into two hedges with another worn dirt trail running between it, going to where people actually want to go. So finally the message gets through to management here. It's like, okay, fine, we're going to give you a paved trail to where you're telling us you want to go. So we finally, in the 10th frame, have a. The. The. The. The path comes up. It continues to go where no one wants to go, to the. To. To the sidewalk, on the street where nothing is happening. But it also formally forks and veers off to the corner. Everything is good for a while. We get another. We get 10 and frame 11 look the same. Everybody seems happy with that. Oops. But no, turns out the new trail doesn't actually go exactly where people want to go. So we have another dirt path branching from the. The updated path taking us to the. The crosswalk.

Leo Laporte (19:14)

So I love that.

Steve Gibson (19:15)

Yes, people are going to do circle.

Leo Laporte (19:17)

People gonna do what people do.

Steve Gibson (19:19)

Okay, so Salesforce's name has been dragged back into the news again due to another of their customers. Or I guess API affiliates is probably the best way to explain it. Well, I'll explain all of how that works here in a second. Whose security is not up to snuff. Not Salesforces, but the affiliates. I'm sure Salesforce is very unhappy to have their name dragged back into the news. So almost in response to their like, well, this is not our fault. They posted a very limited stiff acknowledgment. It was under the heading security advisory. Gotta love this unusual activity related to gain site applications. Gainsight being these apps that are causing the trouble. So yeah, unusual activity, right. As in more than 200 customers had their Salesforce stored data compromised. Anyway, their terse posting reads, salesforce has identified unusual activity involving Gainsight published applications connected to Salesforce which are installed and managed directly by customers. Our investigation indicates this activity maybe may have enabled may right we know how to read may have enabled may have for for 200 customers who everyone knows unauthorized access to certain customers Salesforce data through the app's connection. Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with gain site published applications connected to Salesforce and temporarily removed those applications from the App Exchange. While our investigation continues, there's no indication that this issue resulted from any vulnerability in the Salesforce platform and we'll be coming back to that and you know, giving that a little more attention in a minute. The activity appears to be related to the app's external connection to Salesforce, so right Blaine the Messenger we have notified known affected customers directly and will continue to provide updates. Now all of the available evidence today supports everything technically that Salesforce has said, but TechCrunch provides a much more fulsome account thanks to their reporting of Google's Mandiant Security Group and also Tig, the threat intelligence group. TechCrunch's attention getting headline was Google says hackers stole data from 200 companies following gain site breach, TechCrunch wrote. Google has confirmed that hackers have stolen the Salesforce Store data of more than 200 companies in a large scale supply chain hack. Now that's not the impression that you would get from reading Salesforce's, you know, sort of compulsory admission, TechCrunch said. On Thursday, Salesforce disclosed a breach of quote, certain customers Salesforce data, unquote without naming affected companies. That was stolen via apps published by Gainsight, which provides a customer support platform to other companies. So that's an important datum. Remember that. So this is Gainsight has apps which provide a customer support platform to the users of those apps. In a statement, Austin Larson, the principal threat analyst of Google's Threat Intelligence Group Tig said that the company, quote is aware of more than 200 potentially affected Salesforce instances. After Salesforce announced the breach, the notorious and somewhat nebulous hacking group known as Scattered Lapsus Hunters, which includes the Shiny Hunters gang, claimed responsibility for the hacks in a Telegram channel which TechCrunch has seen the hacking group claimed responsibility for for hacks. Now here's a few of the 200 Atlassian CrowdStrike, DocuSign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thompson, Reuters and Verizon. So not little people we've never heard of before. These are not obscure entities. TechCrunch said Google would not comment on specific victims and as well they shouldn't so TechCrunch did some more digging, writing. CrowdStrike's spokesperson Kevin Banaki told TechCrunch in a statement that the company is, quote, not affected by the Gainsight issue and all customer data remains secure. We'll see how that goes. CrowdStrike confirmed to TechCrunch. Oh, and this is a different story, that it had terminated the employment of a suspicious insider for allegedly passing information to hackers. TechCrunch reached out to all the companies mentioned by scattered lapses hunters. So TechCrunch was going to go, you know, find out who would comment after scattered lapses hunters said, you know, we've got data on the following companies. Verizon's spokesperson Kevin Israel said in a statement that, quote, Verizon is aware of the unsubstantiated claim by the threat actor without providing any evidence for the claim. Malwarebytes spokesperson Ashley Stewart told TechCrunch that the company's security team is aware of the Gainsight and Salesforce issues and actively investigating the matter. The spokesperson for Thomson Reuters said the company is actively investigating. Michael Adams, the chief information security officer DocuSign told TechCrunch in a statement that quote, following a comprehensive log analysis and internal investigation, we have no indication of DocuSign data compromise at this time, unquote. However, Adam said that, quote, out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows. And I'll just note that because this is a breach of Gainsight which is aimed at the Salesforce API, it might well be that there's no logging happening at the breached companies or in the breached companies networks. Which is not to say that their data stored at Salesforce did not leak. So this all feels like, like you know, we've like TechCrunch is asking right on the leading edge of investigations and it's reasonable that this will take some time and also that they might be asking the wrong questions because the companies are. Oh no, our networks are just fine. Well, yes, and that's. It still could be the case that your customer data was leaked from Salesforce. So again, kind of a different question. TechCrunch said hackers with the Shiny Hunters group told TechCrunch in an online chat that they gained access to gain site thanks to their previous hacking campaign that targeted customers of Sales Loft, which provides an AI and chatbot powered marketing platform called Drift. Remember we've talked about that. That's that annoying thing that comes up on the lower right hand side of your screen and says hi, what would you like to talk to me about? Support. And of course it's completely useless, but hey, it's pretends to be support. In that earlier case, the hackers stole Drift authentication tokens from those customers, allowing the hackers to break into their linked Salesforce instances and don't download the contents of their Salesforce store data. So the Shiny Hunters group are saying that they got into in some fashion and gain site did like tokens weren't rotated or refreshed or maybe it was a different, you know, they may have have gotten in and then and then made some lateral moves in order to maintain a grip. That's what they're claiming at the time. Gainsight confirmed it was among the victims of that hacking campaign. So this begins to, you know, feel substantiated. A spokesperson for the Shiny hunters group told TechCrunch, quote Gainsight was a customer of Sales Loft Drift. They were affected and therefore compromised entirely by us. That's Shiny Hunters Salesforce spokesperson Nicole Aranda told TechCrunch that as a matter of policy, Salesforce does not comment on specific customer issues. Gainsight did not respond themselves to TechCrunch's requests for comment. On Thursday, Salesforce said there is no indication that this issue resulted from any vulnerability in the Salesforce platform. Again, as I said, well, very likely true and and TechCrunch said that effectively distanced them from its customers. Data breaches Gainsight has been publishing updates they wrote about the incident on its incident page. On Friday, the company said it is now working with Google's incident response unit Mandiant, to help investigate the breach, that the incident in question originated from the application's external connection, not from any issue or vulnerability within the Salesforce platform and that a forensic analysis is continuing as part of a comprehensive and independent review. Salesforce Salesforce has revoked active access Tokens for gain site connected apps as a precautionary measure while their investigation into unusual activity continues, according to Gainsight's own incident page. So that matches what Salesforce said. And they also said that Salesforce is notifying affected customers whose data was stolen in its Telegram channel. Scattered lapses Hunters said it plans to launch a dedicated website to extort the victims of its latest campaign by next week. This is the group's modus operandi, writes TechCrunch. In October, the hackers also published a similar extortion website after stealing the victim Salesforce data in the Sales Loft incident. And finally, TechCrunch finished their piece writing the scattered lapses Hunters is a collective of English speaking hackers made up of several cyber criminal gangs including Shiny Hunters, Scattered Spider and Lapsus, whose members use social engineering tactics to trick employees into granting the hackers access to their systems or databases. In the last few years these groups have claimed several high profile victims such as MGM Resorts, Coinbase, Doordash and more okay, so I wanted to share this story not only because it's certainly important to those companies who are doubtless scrambling around trying to determine what of their customer data may now be in the hands of extortion happy criminals who are not shy about bragging to the press nor about releasing stolen data they have of that they have managed to acquire. The bigger message I think here is the steadily growing consequences which we keep seeing arising from outsourcing. I'm not suggesting that the benefits do not outweigh the risks, only that risks which remain unseen and unappreciated cannot be hedged against nor planned for When Cloudflare goes down, as we saw two weeks ago, it takes an appreciable portion of the web down with it. The same is true for AWS and Microsoft. From the perspective of the individual customers who've outsourced their needs to those providers, this is an inconvenience for several hours while their critical infrastructure is completely off the Internet. So collectively the amount of pain is huge. But on the other hand, it's very likely that many of those individual providers are positioned behind Cloudflare to obtain the 247 benefits of Cloudflare's bot attack prevention and mitigation. And were it not for Cloudflare on an individual basis, those companies would be periodically blasted off the Internet at the whim of random unknown attackers using today's inexpensive DDoS as a service facilities. So what does this have to do with Salesforce? Same principles are at play here. In the case of Salesforce, the new model is known as BPO Business Process Outsourcing, where significant pieces of a business's operational requirements where there would be, you know, a lot of wheel reinventing without much value to add, are instead of being done in house, developed and done and maintained in house, outsourced to specialist providers. While it makes sense from an operational standpoint to do that, we've just seen more than 200 of Salesforce's individual customers who are all using Gainsight's apps connected to Salesforce's back end API, having their data of an unknown number of their customers exposed through no fault of their own. Recall that long ago there was a story of all of those dental offices that were compromised when the managed service provider that they were all using to outsource a bunch of their dental specific operations, probably dental insurance and dental billing, and their internal networks were all in turn hacked because the msp, the managed service provider they were all using, got breached and the bad guys crawled down the network connections to all of that company's clients. This gainsight Salesforce event is an updated version of that and it's happening at a much greater scale than. Because the services are being, that are being offered have become much more granular and much more generic. You know, sales support desk services. Well, lots of people need that. The general idea is let's not have anything in house that we can subcontract for. It makes companies much more dynamically resizable. And it's far easier to terminate a contract for an outside service that's no longer needed than it is to terminate the employment of a department full of employees with whom multiple birthdays have been celebrated. So the unspoken of cost, the downside of that is that our industry still has very significant operational security problems that show no sign of having been worked out. The fact that Salesforce's reaction to the breach is to invalidate a provider's static access credentials, thus effectively excommunicating them and all of their users from having any access, strongly suggests to me that that today's model of interacting networked applications is still far too crude to withstand the sort of scaling that demand is creating. I'm not close enough to the problems to be able to propose any better solutions, but the way things are being done today feels wrong. I hope those who are in the trenches are thinking about how to make this all work in a more secure and robust fashion. The feeling is that these breaches are still being seen as individual exceptions that hopefully won't repeat. But they are repeating. All the evidence suggests that this is the wrong way to think about them. This feels like, sort of like it's reminiscent of the Internet in the days before the concept of a firewall was introduced, which of course changed the whole landscape. The general concept of widely distributed API linked outsourced services seems to have proven itself. That works. But now the industry needs to figure out how to reduce the blast radius when something evil manages to crawl into the network. What we know is that the more interlinked such complex systems become, the more fragile and vulnerable to malicious exploitation they are. And that's what seems to be happening here. So anyway, and you know, another event of an API user of Salesforce having A breach which in turn allows all of this data stored on behalf of the, of the customers of that API being obtained by bad guys. And you know, we need to prevent that from happening. It's happening over and over and over, which suggests that the model is wrong. The interaction model is like, it's the obvious thing to do, but it's not robust enough. And Leo, I am very excited to share this next piece of news, which was an early Christmas for me. There's nothing, I, I mean, I'm astonished by what Cisco wrote. But let's tell our listeners, okay, why we're here and then we're going to do that.

Leo Laporte (39:22)

You saw, I don't know if you saw this. Brian Krebs was able to kind of ferret out one of the guys running shiny Lapsus spider guy, whatever their name is. He's a 15 year old living in, was it Jordan? Let me see. I can't remember. Living in the Middle east somewhere. His father is a pilot for the Royal Jordanian airline and he had some, you know, he had some poor operational security and basically accidentally reused some account information. So Brian has his name. He contacted, he couldn't contact him, so he contacted the guy's father. Always good if you got a hacker go after, talk to the dad, which he says his name is Saif Al Din Kader and he is now corresponding with him on signal. And he says, yeah, I'm trying to get out of this. You know, this has gotten out of, way out of hand. He was one of three administrators on their Telegram channel, ran a, a hacking website which seems to be responsible for distributing some of the software that they were giving to affiliates. And of course, one of the things.

Steve Gibson (40:40)

Kevin, 15 year old.

Leo Laporte (40:42)

15 year old. 15 year old.1 of the things, by the way, he was using his dad's computer because Krebs says it was a shared Windows PC. It was the family computer that the kid was using. But you know that one of the real skills that Scattered Lapses Hunters has is social engineering. And I think a lot of times these kids are very good at making phone calls and saying, you know, I'm a little old lady and I need some help or whatever it is that they are able to do to get this.

Steve Gibson (41:15)

They are unabashed.

Leo Laporte (41:16)

They're unabashed. I think that's the part of the problem is that they're, they, they don't have a frontal lobe yet. They're not, they don't, they're not, they're not yet fully developed. Anyway. He says he's already Heard from European law enforcement. He'd been trying to extricate himself from shiny lapses Hunters.

Steve Gibson (41:36)

He, meaning the, the 15 year old. Oh, yeah, good.

Leo Laporte (41:39)

Well, yeah, we'll see. But he was, you know, I mean, they're slowly rolling these guys up.

Steve Gibson (41:45)

Yes, they are. And yes. And in fact, I think it was a week or two ago that I reported on that. I wanted to make sure people understood that people, you know, these kids were being caught. It's not like, you know, they were getting away with all this. And so it's important to recognize that.

Leo Laporte (42:00)

Well, and in fact, Saif says that he's one of the reasons that they're getting caught. He says, I've been cooperating with law enforcement since June. So it's an interesting, interesting story. It's on cribs on security website. Brian does really good sleuthing to track.

Steve Gibson (42:15)

This guy down and he does. He's, he's great at that.

Leo Laporte (42:18)

Yeah.

Steve Gibson (42:19)

He ends up being, you know, often attacked as a.

Leo Laporte (42:21)

Well, that's, that's the other side of the story. Yeah. He becomes the enemy.

Steve Gibson (42:26)

Yeah.

Leo Laporte (42:27)

All right, we'll have more in just a little bit with Steve Gibson and security now.

Steve Gibson (42:31)

But first of work, Cisco.

Leo Laporte (42:34)

I'm very happy, Steve. His Christmas came early. But first, a word from our sponsor, Vanta Compliance. That doesn't sock too much. I love that. I love that Tagline. What's your 2am Security worry? Is it, Do I have, you know, you're lying on your pillow? Do I have the right controls in place? We were just talking about it. Are my vendors secure or the really scary one? How do I get out from under these old tools and manual processes? Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence, filling out endless questionnaires. Vanta's trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, to flag risks, to keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and get back to sleep. Get started@vanta.com SecurityNow that's V A N T A V.com Security now, we thank Vanda so much for the work they do, which is really important, and for supporting the work Steve does, which I would submit is also very important. And now with the good news, I.

Steve Gibson (44:06)

Would argue that it's important if in any way I might have influenced this podcast, might have influenced Cisco? I, I don't believe so. I'm sure that my observations are shared by many.

Leo Laporte (44:20)

But you are part of a general pressure campaign on Cisco, right?

Steve Gibson (44:25)

I mean, well, I've pretty much been as hard on them as, yeah, anyone could be also proposing solutions. I mean, it's not like I'm saying, oh, you're bad and evil. It's like, no, they need to do this, they need to do that. Anyway, so we all know that I have, I frequently find fault, tremendous fault actually, with the apparently from all outwardly observable evidence, this cavalier attitude that Cisco has always had towards security. And we all know that change is difficult. And I get it that Cisco, being an early and like the early pioneering commercial network equipment supplier, was building routers way before security was even appreciated as an issue. You know, as we know, the original Internet had no security. It was just amazing enough that it worked. And as I've noted earlier, their original, Cisco's original routers were running a large collection of often unneeded services. By default they just had all this stuff turned on because they woo. It was cool. And since those routers, Cisco's routers treat all of their network interfaces equally, they're just numbered without. There's no concept of a LAN or a wan. The only way you, you imbue that onto an Interface is the IPs and, and network range. You give it the declaration of it as a gateway and the other characterizing that you do for the interface. So as a consequence, all of those often unnecessary services were bound to and available on all of the router's interfaces. I mean it's the definition of insane lack of security. And Cisco, only slowly and with what seeming reluctance, has begun to change the behavior of at least not running all of those services by default. Instead of saying explicitly having to say no HTTP service in the config file to turn it off, now you have to say HTTP service in order to turn it on. So there have been improvements, but I mean they've just been inadequate, as evidenced by the fact that huge numbers of Cisco routers are being commandeered and penetrated when some random fault is discovered in, in the authentication of them. And they're wide open to the Internet. So we're back here today because of a short blurb that I read which caught my eye. The, the blurb was titled Cisco's Resilient Infrastructure. And I thought, okay, what's that? This little, the short little thing said Cisco has announced Resilient Infrastructure, a project modeled after Microsoft's Secure Future Initiative program that aims to improve the security of its products. Okay, maybe this includes this thing said increasing default protections, removing legacy insecure features, and introducing advanced security capabilities which reduce the attack service and enable better detection and response. Okay, that's all. That's all the right words. You know, never before have I been hoping that somebody in a position of authority inside Cisco may have gotten wind of my own thoughts about the problems with their approach to security. Hopefully these are widespread. So, you know. Okay, so anyway, I went looking then for what had triggered that short announcement. You know, capture. In their Executive Platform section, Cisco's Executive Platform section, I found the article titled Doubling down on Resilient Infrastructure. This was posted under the name of Anthony Grico, a Cisco Senior Vice President and Chief Security and Trust Officer. So the title is right. The posting says global networks have faced relentless attacks for years, with recent and dramatic increases in sophistication, scale and speed. The current dynamic requires urgent change. Organizations must assess their current risk posture and use technology, vendors, guidance and tools to securely implement, maintain and operate their networks. We recognize that the vast amount of information across products and services from different vendors can create insurmountable complexity for customers attempting to secure their infrastructure. To that end, we are simplifying our offerings so that secure configurations, protocols and features are the default. We are proactively alerting network administrators when insecure choices are being made and deprecating legacy methods that have served as operational mainstays for over two decades, all to create a more secure, resilient and modern network. Okay, please. I could not have better expressed what they need to do. They get more specific, Anthony continues. At Cisco, we've spent years making technology that allowed our customers the ultimate flexibility in how to configure and deploy networks. I would agree. We also have a long history of constant improvement in the design of our portfolio. To be secure and resilient to evolving threats, remaining trustworthy and transparent throughout its life cycle, and equipping our customers with the tools and information they need to manage risk. This technology is useless if it is not deployed securely. Okay. Running global networks is complex, he writes. While experts once thrived in this environment, today's okay, this is interesting. While experts once running global networks is complex. While experts once thrived in this environment, today's landscape has turned past complexity into vulnerability. Network infrastructure that was designed, built and deployed in decades past did not anticipate today's hostile security environment. Again, it sounds like a digest of the podcast. This is further amplified by the fact that many organizations have not updated and maintained Their network infrastructure missing opportunities to fix known vulnerabilities and update configurations based on the latest security best practices. 100% there. Anthony A new Cisco Commission report found that 48% of network assets worldwide are now aging or obsolete, creating significant technical depth debt that diverts budgets toward maintenance rather than modernization. It is the equivalent of a city relying on a rusted cracked bridge for all its traffic. As dependence on global networks grows, failing to break the current cycle of escalating threats could have a significant impact on our ability to trust future digital systems. Amen. We believe it is the responsibility of all trustworthy vendors, including Cisco, to inform customers when the use of certain technology oh, we believe I'm going to repeat that. It is the responsibility of all trustworthy vendors, including Cisco, to inform customers when the use of certain technology may expose them to potential risks. That's all. This is all new. This is why we are doubling down on the model where security is the default and any reduction in security requires an explicit choice. Wow, okay, this sounds wonderful. And as we've discussed, it is exactly the way to do it, he said. It moves our customers from facing unexpected risks to managing known and deliberate ones. In some cases, we will completely remove the ability to do things insecurely, regardless of choice. Wow.

Leo Laporte (54:02)

This.

Steve Gibson (54:03)

You know, this is Cisco's Senior vp, Chief Security and Trust Officer talking. I just hope it happens, he said. Today we are announcing the next step in our security evolution, focused on reducing the attack surface in our portfolio, increasing protection of sensitive data, and enabling the defender with more robust capabilities to monitor and detect threats in network infrastructure. It's like they've awoken to security, which, while late, is, you know, certainly welcome, he said. Resilient Infrastructure is a Cisco effort to strengthen network security by increasing default protections, removing legacy insecure features, and introducing advanced security capabilities which reduce the attack surface and enable better detection and response. Simply put, we are making it incredibly obvious. He actually said incredibly obvious when our customers are configuring insecure features that introduce new and unnecessary risks into their networks. Oh please be true, he said. Initially, customers will receive increased security warnings that recommend discontinuing the use of any insecure features. In subsequent releases, features will be disabled by default or require additional steps to allow for configuration. Eventually, insecure options will be removed entirely. Woohoo. God, it's Christmas for security.

Leo Laporte (55:56)

What are you going to talk about?

Steve Gibson (55:59)

Most importantly, he said, we are furthering our commitment to our customers and the industry to provide visibility in areas where customers and large network providers are exposed to risk. We encourage all technology vendors to adopt the same approach to transparency. Historically, network infrastructure has not received the same level of monitoring and scrutiny as other parts of the IT infrastructure, he said. If it ain't broke, don't try to fix it. That is no longer the case. We want to emphasize the importance of and make it even easier to perform effective monitoring, detection and response within network infrastructure when not if, vulnerabilities and attacks manifest. Addressing newly discovered vulnerabilities often requires patching or or updating systems, which can create operational disruptions and cause unwanted downtime. Instead of waiting for a patch or scheduling emergency upgrades, we will be designing features to deploy targeted real time shields that protect against specific vulnerabilities soon after they are identified.

Leo Laporte (57:29)

What?

Steve Gibson (57:30)

Did everybody hear that he just said? Instead of waiting for a patch or scheduling emergency upgrades, we will be. We, Cisco, will be designing features to deploy targeted real time shields that protect against specific vulnerabilities soon after they are identified.

Leo Laporte (57:54)

Shocking.

Steve Gibson (57:56)

This method allows teams to mitigate potential risks immediately without the need to interrupt operations or perform unplanned maintenance. It means faster responses to threats, fewer operational headaches, and a more resilient network so critical services stay online even as the threat landscape evolves. Okay, I'm just speechless now, except to say thank you, Cisco, he said. He finishes, we know security and trust in technology will look different in 2040 as it did 15 years ago. As we. Meaning 15 years from now is 2040. 15 years ago. We know about that, he said. As we evolve the network to be secure today, we we must prepare for the future. It is crucial we get this right. The network is the foundational infrastructure that powers every aspect of our lives, enabling technologies like artificial intelligence. We rely on the network to protect our most sensitive data. But quantum computing is poised to upend today's modern encryption algorithms. Therefore, the network must evolve to support post quantum cryptography and must be secure by default. This is not simply a switch to be flipped. In the next decade, as AI becomes the norm and quantum computing inches towards mainstream adoption, those that do not act now will unfortunately be doing so at their own peril. I wonder if this guy just got hired. I. I don't know. What. How do you explain this? No measure, he writes, can guarantee perfect security. But as the threat landscape evolves, so will our security practices to put that promise into action. We will continue to invest in innovation to help our customers effectively manage risk, overcome threats, and work to earn and maintain their trust. We remain committed to raising the bar, giving defenders the tools they need to operate, detect and Respond securely and doing so with trust, transparency and accountability. We urge all network operators to act now to comprehend and mitigate infrastructure risk. Actively protect your organization by keeping systems up to date, using secure configurations and planning for device lifecycle management. Now is the time. As an industry, we must raise the collective bar for securing our global infrastructure. Join us as we collectively move toward a more resilient future. Okay, now I, I fully understand that it's one thing to say it and another thing to get it done, but after reading this, I'm not feeling at all cynical. This writing evidences an absolutely perfect grasp of the problem which no one inside Cisco has ever shown with their but didn't you read our optional device hardening guide? What you know, the huge sea change evident here is that Cisco is for the first time ever actually taking full and direct responsibility for the in the field deployed operational security of their products. That is a switch from read our optional device hardening guide to we no longer publish a device hardening guide because we built it all into our systems from the start. I couldn't possibly ask for anything more from them and I hope that what they do that, you know, that the approach they take will be seen and emulated by every other similar network equipment and services company. You know, it's, it's 2025, almost 2026 and network security is no longer a buzz phrase. That's, you know, given some lip service, network security has become at least as important as performance, perhaps even more so. So it's significant that anyone deploying any of this next generation, you know, new security first Cisco gear, they will themselves directly experience Cisco's then demonstrated commitment to their network security, their, you know, their company's network security. So it occurs to me that in this era where now network security is truly important, experiencing Cisco's commitment, when you're configuring their equipment and you're getting dialogue saying I don't think you want to do that. That's got to be a sales promoting feature. So, you know, feeling that Cisco has your back and is demonstrating that fact during device setup, that's got to be good for Cisco sales and for their reputation. Well, so what I think this means is that what Cisco is now doing is just good business. The world has evolved to the point where device security trumps its features. I'm so happy, you know, the world has just received an early Christmas present. Yes, deployed gear will stay out there, but it's going to die over time. It's going to need to be replaced. Cisco is saying the Replacement gear is going to have features unlike any of our previous approaches. And when those devices are updated with a new version of iOS, it's going to take a whole different approach. So. Bravo, Cisco. Wow. Wow. Be fun. Be fun to see it happen. Okay, so. The headline of an announcement which you, Leo, you were already clued in on this. I was just like, what? From the Australian government, as legislators continued to lock down Internet content was Twitch assessed as age restricted social media platform. So here's what Australia's Esafety commissioner posted last week they posted Esafety has informed Twitch it is considered an age restricted social media platform required to take reasonable steps to prevent under 16s from having accounts in accordance with Australia's social media minimum age legislation. And I should note that that legislation began back in 2021 and has been moving forward and you know, going back and forth and it's. But it takes effect next Tuesday. No, next Wednesday. Sorry. Okay, so. So E Safety wrote following Twitch's own self assessment, E Safety assessed Twitch as meeting the criteria for age restricted social media platform because it has the sole or significant purpose of online social interaction. Oh the horror. With features designed to encourage user interaction.

Leo Laporte (66:05)

What?

Steve Gibson (66:05)

Oh my God, Leo, who's ever heard of that? Including through live streaming content. Okay, so you know, it's not about the nature of the content at all. It's that Australian legislators do not want people under the age of 16 to be able to capture, post, share and interact about content. The announcement continues writing Twitch is a platform most commonly used for live streaming or posting content that enables users, including Australian children, to interact with others. Wow. We can't have that. In relation to the content posted, Esafety has also informed Pinterest it does not consider it subject to age restrictions on the basis it does not currently meet the criteria for an age restricted social media platform. While Pinterest enables some online social interaction in it is not the significant purpose. Pinterest is more commonly used by individuals collating images for inspiration and idea curation. So apparently we're going to now have a new E Safety commission that gets to decide who gets age restriction and who doesn't.

Leo Laporte (67:36)

Yeah and f already Facebook, Instagram, X.com you know the usual suspects are already.

Steve Gibson (67:42)

Covered and in fact they the this this Commission said from December 10, Twitch and the previously announced Facebook, Instagram, Kick, Reddit, Snapchat Threads, Tik tock X and YouTube.

Leo Laporte (68:02)

In other words all the places we stream.

Steve Gibson (68:05)

Yes. Will all be required to take reasonable steps to prevent Australian children under the age of 16 from having accounts, they wrote. Although it is ultimately a matter for the courts whether a service is an age restricted social media platform, ESAFETY undertook these assessments to assist Australian families and industry prepare for December 10, meaning next Wednesday. Just so everyone is really clear on that, you know, the day after our next podcast, ESAFETY expects all online platforms that operate in Australia, which is to say all online platforms, to assess their obligations under Australian law, including the social media minimum age. ESAFETY has provided an a self assessment tool to help industry understand if they're required to comply with the social media minimum age and remains in ongoing discussions with platforms about their compliance obligations and their planned approach towards compliance. E Safety. I mean this Leo, this sounds like. Like I can't. Like some other world.

Leo Laporte (69:26)

Yeah.

Steve Gibson (69:26)

ESAFETY has been assessing platforms against the criteria set out in the social media minimum age legislation and the Minister for Communications Legislative Rules. Over recent months this work has occurred in stages, allowing ESAFETY to release information to the public as some preliminary assessments were completed and and while others were still underway, there are no further assessments planned in the leadup to the 10th of December. Wow. So, so much for Christmas in Australia. Remember that the flip side, as we we noted at the top of the podcast, the flip side of preventing anyone under the age of 16 from accessing Facebook, Instagram, Kick, Reddit, Snapchat threads, Twitch, Tick tock, etch or YouTube is the implicit need to prove that anyone wishing to do so is at least 16 years old. Starting December 10th, Wednesday after next, every Australian, all 35 million of them. Wait, no. With 35 million kangaroos.

Leo Laporte (70:46)

Kangaroos? Oh, it's 27 million Australia.

Steve Gibson (70:50)

27 million Australians. Kangaroos. I'm sure they're accepted from this.

Leo Laporte (70:55)

I don't think they have to worry they're exempt.

Steve Gibson (70:58)

Yeah, yeah. All the Australians must prove their age.

Leo Laporte (71:03)

Yeah.

Steve Gibson (71:03)

And the, you know, grandpa must prove that you know, his age. And the world lacks, as we know, any privacy preserving way to do that at the moment. So I went over to the E. Safety self assessment page to better understand what was going on. I've got a link to that page in the show notes for anyone who's curious under the topic definition of age restricted social media platform, that page says an age restricted social media platform is an electronic service which meets all these conditions and they list five. It has the sole purpose or a significant purpose of enabling online social interaction between two or more end users. So a web forum, Right. It allows end. Right. It allows end users to link to or interact with other end users. It Allows end users to post material on the service. It has material which is accessible to or delivered to end users. In Australia, it is not an excluded service under the rules. Okay, now I want. Okay, excluded service. Excluded services are things like professional networking or professional development. Maybe LinkedIn for. For example.

Leo Laporte (72:33)

Yeah. Link on the list.

Steve Gibson (72:34)

Yeah, yeah. Support of education or health. Facilitating communication between educational institutions and students and, or their families and facilitating communication between health providers and people using those services. So, so these rules are so ridiculous and over the top that it was necessary to carve out a whole bunch of, of qualifying under these ridiculous rules. Services. That's not what they meant. Oh, but not if you're a university. Not if you're. Not if you use a, A service to communicate with your services. You know, in other words, it is the intention of the Australian legislators to deliberately target what we all know as modern online social media. You know, in that sense, as I noted, what we have taking effect in Australia is tantamount to Mississippi's far over the top blanket prohibition on access to any and all social media within the state of Mississippi. But this is being applied starting the middle of next week to the entire country of Australia. I, I was like, what's happening? Wow. So you know what? Blue sky goes dark in Australia. The way they felt that they had.

Leo Laporte (74:08)

To go this dark, it's an issue for me, believe it or not, because we have forums.

Steve Gibson (74:13)

Yeah.

Leo Laporte (74:14)

We have a Mastodon instance. We have chat, we stream in all these places.

Steve Gibson (74:20)

GRC has web forums.

Leo Laporte (74:22)

Yeah. I mean, and I don't have any way of, of doing age verification.

Steve Gibson (74:27)

Nobody does.

Leo Laporte (74:28)

Should I just block Australians? I mean, I, if I could, I would. We have a lot of Australian fans. I'm sorry, guys, but it's not you, it's your government. I don't know what the answer is. I'm just going to pretend I, I didn't know about it.

Steve Gibson (74:44)

Yes. I think that the answer is to do nothing until you receive a little note from the eSafety folks.

Leo Laporte (74:52)

Right.

Steve Gibson (74:52)

And then say, Mastodon's already said we.

Leo Laporte (74:55)

Have no mechanism for doing this.

Steve Gibson (74:58)

Who has?

Leo Laporte (74:59)

Mastodon? Yeah, as a company, of course, it's open source software. But the people who do the software say we have no way of doing this and have no plans to implement this. So all I've done on our Twitch social is I put a little thing is don't join if you're under 18. You promise by joining that you're not under 18, that you're not under 18. I mean, what else?

Steve Gibson (75:20)

And unfortunately we know that that does not. That no longer satisfies the the law. You must actually get some form of of identification.

Leo Laporte (75:31)

I know anything. I know nothing. What are you talking about?

Steve Gibson (75:33)

I know it's wrong. And I mean it's like so a 15 year old can't hang out at GRC's forum and talk about YouTube. What?

Leo Laporte (75:47)

Yeah, I really feel for teenagers in Australia who are must be going crazy. It's been very good for VPN providers. It's gonna be as you mentioned last week, what's the next step?

Steve Gibson (76:00)

Yeah. Wow. Wow. Okay. So speaking of messes, Politico reported last week that more of Europe is wishing to move away from U S based computing solutions. The beginning of POLITICO's reporting said Brussels, you know, as in Dateline Brussels, Dateline. In Brussels, a cross party group of lawmakers will urge the European Parliament to ditch internal use of Microsoft's ubiquitous software in favor of European alternatives, according to a letter obtained by Politico. The call comes amid fresh concerns that the dominance of a handful of US Tech giants has become too much of a liability for Europe's security and prosperity. And as the U S administration renewed demands for digital concessions at a meeting in Brussels on Monday. That's what the, the, that's what precipitated this. In the scathing letter they wrote to be delivered to Parliament President Roberta Metsola on Tuesday, 38 lawmakers also list the screens, keyboards and mouses, it said mouses from Dell, HP and LG in use across the chamber's IT systems as technology that should be ditched. The letter reads, quote. With its thousands of employees and vast resources, the European Parliament is best positioned to galvanize the push for tech sovereignty when even old friends, and this means the US when even old friends can turn foes and their companies into a political tool. We cannot afford this level of dependence on foreign tech, let alone continue funneling billions of taxpayers money abroad. The lawmakers cite a broad range of European alternatives they argue are viable solutions, from Norwegian Internet browser Vivaldi, French search engine Quant and Swiss secure email suite Proton to the German collaboration platform nextcloud, the lawmakers wrote, praising the International Criminal Court's recent move to drop Microsoft over US Sanction fears. Remember we talked about that recently, they wrote. Our midterm goal should be the complete phase out of Microsoft products, including the Windows operating system. It's easier than it sounds. The Parliament's vehicle fleet, they wrote, is almost entirely made up of cars from European brands. The same can be replicated for end product computer hardware they call, they call to set up a task group of lawmakers and parliament staffers to help and monitor the transition. With enough political will, they wrote, we will have freed this institution from the danger of foreign tech dependency by the end of the mandate. So I'm sure these very strong US technology companies will survive. But interdependence creates stability, you know, global stability, because everything is about economics. So I'm sorry to see Europe, Europe as a whole pulling away from the U.S. though it's hardly surprising given the way relations have been during the past year. You know, we, meaning the US just need to be very sure that this is what we really want because it's what we're getting. And I know what our listeners want. Leo which is another break more ads so that really we're an hour and 15 in and we're going to switch to looking at some long responses and interesting, I think, to our, to our listeners feedback.

Leo Laporte (80:18)

I know our listeners want one thing for sure, which is a secure system, right? They wouldn't be listening to the show if they. And they want their businesses to be secure too. So I think this is the time to tell them about the best way to keep secure at home and at the office. Bidwarden, our sponsor, the trusted leader in password, passkey and secrets management. It's the password manager I use. Love it. It's consistently ranked number one in user satisfaction by G2 and software reviews. 10 million users now across 180 countries. More than 50,000 businesses. So here we are. I've got the Christmas trees up. I've got snow falling on my computer screen. The holidays are nearly here. That means so are many of the biggest credential risks of the year. This is December's the month, folks. Bit Warden's Cybersecurity Awareness Month poll, that's this month, Cybersecurity Awareness month revealed that 42% of parents, almost half of parents with kids aged three to five said their child has three to five has accidentally shared personal data online. Mommy, can I use your credit card? Meanwhile, 80% of Gen Z parents fear that their kids could fall victim to AI scams, of course, and 37% nevertheless still give full autonomy or only lightly monitor online usage. As cyber threats become increasingly personal, having a robust identity and access management solution is more critical than ever. Not just for you, for your family, for your kids, for your business. Whether you're protecting one account or thousands. Bitwarden keeps you secure all year long. And they do it. It's remarkable as an open source product and I think in some ways, open source means they're more nimble. They have continual updates in so many areas. For instance, they just haven't added a new capability that lets users access their vaults. Remember, normally you access the vault with typing the master password, right? If you have a biometric enabled machine you could use, sometimes you could use Windows hello or the Fingerprint. Well now if you're using a Chromium based browser, which is almost all of them, you can use a pass key, a passkey instead of a master password. This kind of. It feels like, Steve, that your work with SQRL is finally kind of catching up to the mainstream. This is such a great idea. It gives you a secure phishing resistant authentication method that really protects against credential threat. You can't accidentally enter your passkey into a site. Bit Warden's also doing stuff for AI. They've now updated their MCP server. This goes now beyond vault operations. There Bitwarden's McP server enables AI agents to assist with organization level administration using Bit Warden's public API. See, I think this is one of the reasons I'm a big supporter of open source for this kind of stuff. According to IBM, this is. This is a stat. I'll get you the average cost of a data breach. The average cost of a Data breach tops 10 million. That's including ransomware downtime and of course reputation loss, if you can quantify that. Anyway, with 80% more than 80%, 88% of cyber attacks on basic web apps tied to compromised credentials. Almost all, let's just say almost all cyber attacks are based on on compromised passwords. It's clear why a password manager like Bitwarden is a critical layer of every IT stack at work. Especially Bitwarden is a cost effective solution for any team, whether it's IT and operations, finance, engineering, HR marketing. Bitwarden will enhance your business's security and productivity. Introducing Bitwarden security is the simplest investment to safeguard credentials and your business to protect all your employees. So Bit Warden wants you to stay safe and secure online this holiday season. Take a look at Bit Warden Setup could not be easier. It supports importing from most password management solutions, so it's easy to move back and forth. The Bitwarden open source code is regularly audited by third party experts. You can look at it. It's on GitHub and Bitwarden meets SoC2 Type 2 GDPR, HIPAA CCPA compliance and ISO 27001:2002 certification. It's just the best there is. Get started today with Bitwarden's free trial of a teams or enterprise plan or get started for free across all devices as an individual user. Bitwarden.com TWIT bitwarden.com TWIT @Thanksgiving, did you tell your friends and family? Did you tell your relatives? Bitwarden.com TWIT free for individuals forever. Did you tell them? I hope you did. If you didn't send them an email Bitwarden send them a link. Better yet, because you know they like to click links in email. Makes them happy. Why they need bitwarden bitwarden.com twit we thank them so much for supporting security. Now we really appreciate their support and we encourage you to give it a try. Bitwarden.com TWIT okay, back to you Steve.

Steve Gibson (85:51)

Yeah, we were early covering the the whole birth of password managers. Yeah, you know, at some point in the early days of the podcast they were a new thing.

Leo Laporte (86:02)

The idea of using a pass key instead of a master password is kind of like squirrel. You, you put the pat. You probably have to put the pass key on a device, I'm thinking, and then you'll scan the QR code because of the how else would you do it? You can't do it with your password manager. It isn't unlocked yet. Right.

Steve Gibson (86:19)

Well, matter of fact we, we have. This first question was from a listener.

Leo Laporte (86:24)

Perfect.

Steve Gibson (86:24)

Brian Garland, who said, steve, I've been using a password manager and long random passwords for some time now. I'm seeing options for pass keys and yubikeys more frequently and I realize I don't have a good feeling for the best practices for those options.

Leo Laporte (86:41)

Good.

Steve Gibson (86:41)

Have you done a best practices segment for passwords, pass keys, hardware keys? If so, please point me in the right direction. If not, this might be a good segment for a future podcast. Thank you, Brian. So it is a great question that we've never directly addressed. I think that the optimal answer has been changing while we a waited for our chosen password manager to add support for passkeys, which they didn't initially have of course because passkeys didn't exist and b while we waited for the FIDO association to follow up the passkeys functional specification with a pass keys import export specification. So we don't yet even now have universal cross platform pass keys transport in any common format. It's said to be coming. The FIDO group are working on it but you know, it's it's not yet available universally. However, I would imagine that all of our listeners are using because they're Listening to this podcast, a single common password manager across all their platforms. You know, both 1Password and Bitwarden completely support cross platform pass keys synchronization. So the use of a password manager means that pass keys support is now entirely practical, even though it doesn't there. There isn't native import and export cross platform. If you're using a cross platform password manager, problem solved. So what does that mean for Brian's question of best practices? It means that there's zero downside and only a significant upside, meaning good news to the use of a pass key. And that and and the passkey option should be chosen whenever it's presented. Passkeys are clearly the future. Usernames and passwords are the past. So you know, use a username and password when and until you have no other choice but switch to authentication with a passkey whenever it's offered. There's just no reason not to as long as you're doing this with a password manager that gives you ubiquitous access to that passkey. So what about yubikeys? As we've observed, security and authentication always requires keeping a secret of some kind. It's by proving that one knows the secret that one's identity is asserted, since the assumption is that the holder of the secret will have successfully prevented that secret's disclosure. The problem with the username and password system is that the only way of proving that one knows the secret is by providing it in some form to the relying party. This is the danger inherent with usernames and passwords. The secret itself is disclosed to prove knowledge of it. And that's exactly what makes public key authentication systems so much more secure. In a public key system like pass keys, the relying party, the party that wants you to prove your identity to them, sends the authenticating party a unique piece of entropy to sign using their secret private key. When the signed entropy is returned to the relying party, that signature is verified using the the authentication parties previously the the the authenticating parties previously provided and stored public key. Since only the holder of its of that public key's matching private key could have properly signed the entropy, the signer has proven their identity without ever disclosing their secret, which is their private key. So this means that the protection of a pass keys private key is paramount. Secrecy Secrecy still must be maintained even when you're using pass keys as much as with your when you're using usernames and passwords. It's just that you're not disclosing that secret every single time you use it. So that's where Yubikeys enter the picture. A Yubikey is an hsm, a hardware security module which is capable of using previously stored private keys to sign a challenge in order to assert the identity of its holder. The Yubikey itself performs the signing operation so that the user's private key key never leaves the key and it can never be obtained or compromised. I mean it is the last word in security for any public key system. Original Fido and Now you know, Fido 2 you pass key style. But that's both a blessing and it can be an annoyance since the only way to authenticate anything that depends upon a Yubikey is with the Yubikey. That's what makes the Yubikey the most secure option available. You got to have it. But it also means that if you've left the Yubikey at home or at the office, then you're not there. It won't be available for authentication. And that fact and, and, and the fact that there's no workaround for that is the entire point of using it. You can't get around needing it, which can be the problem too. So depending upon the model of the Yubikey and its generation, you know, it may also have a limited storage for the private keys. Of pass keys, sometimes it's 25, sometimes it's 100. There are some that have a limit, an unlimited mode, but that's a factor too. You want to take that into consideration. So all of that, the issue of maybe not having it on your person when you need it and the fact that it may have a storage limitation that all argues for not using a Yubikey absolutely everywhere. You probably don't need it. That level of Yubikey security to log into Uber or Facebook or Instagram, they just don't matter that much. But you might want to use it when accessing your online retirement investment accounts and anything you might be doing with your national government. So protect the things that really need protection. But then, but don't over encumber yourself otherwise. So I'd say standing back that the best practice would today would be to always use a obviously use a password manager to get the, the cross platform connectivity that we all need. Then always use a pass key whenever possible because it is more secure in all kinds of ways. In favor of old school username and password only use them when you have no other choice and use a hardware token based pass key. For the handful of sites that really do matter most and we're having access to them being tied to the physical Presence of your authenticating device won't become an annoyance and a usage handicap.

Leo Laporte (94:59)

I think, you know, the password manager is a perfect thing then for that. You know, make that be.

Steve Gibson (95:04)

Yes.

Leo Laporte (95:05)

How you unlock the password manager.

Steve Gibson (95:07)

Yes. Yeah, yeah, exactly. Thomas a listener Thomas said, I had a discussion with a colleague today about whether an SSD would survive long in an environment where it was expected to write data once and only be read occasionally, if ever, such as a media server. He said the web is filled with warnings about not leaving SSDs unpowered for long periods or the charge levels can degrade, and claiming that due to periodic maintenance by the controller, an SSD that is powered on and idle won't have this problem. He said, I find this hard to believe because any controller programmed to maintain cell charge would be rewriting cells that tested marginal and that would also solve or greatly reduce the now infamous red disturb problems. Maybe some drives are doing this. He said. I don't think I've heard you talk about this in the past. What do you think? Okay, so, and I just, just the. The XDA developers forum just had a big thing about this, which is what I thought Thomas, it may have. What stimulated Thomas's question A great deal of empirical evidence from spin rights users support the belief which has become mine thanks to all the evidence. I mean an overwhelming amount of evidence in the three years we were developing Spin Right 61 that keeping SSDS powered on does apparently nothing to prevent the gradual deterioration of their data over time. It takes years, but people who use their laptops daily still experience a slowing down over time due to softening bits, accumulating errors and the need for SSDs controllers to perform time consuming retries and also error correction. And I recall very clearly having Alan Malvantano tell me in no uncertain terms that an SSD will never perform autonomous rights to its own media. For those who don't recognize his name, Allen, spelled A L, L, Y N is about as high up in the pecking order of solid state storage gurus as it's possible to get. You know, he that's his expertise. The empirical evidence from spin rights users who have run spin right over their SSDs at level three to perform a single pass rewrite of the drive's entire surface is that older drives had indeed slowed down over time and were completely rejuvenated by that one time rewrite. The only way to explain that is that those drives were not doing that on their own. I've heard the rumors of self repairing SSDs. You know, and maybe the rumors persist because it makes so much sense, but Alan says those rumors are not true and, and that tracks with spin rights before and after drive benchmark findings. So one thing we do know is if, is if you, if you pull an SSD offline, the temperature at which it is stored matters a great deal. Physics tells us that you will get much greater rate of charge drift. It's actually electron tunneling in a hot environment than a cold environment. So if you've got SSDs that have archival data on them, keep them cool, wrap them in a bag, stick them in a refrigerator or a freezer, and the data will be retained far longer than if they are stored in a hot environment. The first time this surfaced, and we talked about it, was a study that showed SSDs in data centers where the presumption was they were warm, the data centers were warm due to, you know, all these servers and the AC that was trying to keep up. They tended to lose their data being stored in a hot environment than in a cold one. So by all means do that. But I, I don't think you can count on leaving them plugged in, keeping them from, from having their data deteriorate. There's no evidence that I've seen that does that. Certainly it's not the same as just running a, a read, write, pass over it. Someone named Gorbash 1370 said, hi Steve in episode 1052, the picture of the week discussion pleasantly detoured into refactoring and Leo floated the idea of a coding session or discussion. He said, I just wanted to say how much I would love that. I'm a middle aged coding novice now, about three years of compulsive hobbying, who originally hoped to pivot into cybersecurity. There's a real irony in how AI coding assistance enabled me to learn slash, build so much faster, while probably also wiping out most of the entry level opportunities that might have once made a related career switch possible. He said, I addictively persist with building because I love the process of coding, the utility and the self sufficiency it affords me. Unfortunately, no one I know has much tech knowledge, let alone interest in code. So in human terms, I'm learning largely on my own. Obviously I don't trust AI's psychophantic reflections on what is normal. When I have an event about how long coding tasks are taking me. I'm embarrassed that a coding project that I thought would take me a couple of months has siloed me into a code cave for nearly two years? Hey, tell me you don't know anything.

Leo Laporte (101:33)

About I was gonna say you don't know anything about that, do you?

Steve Gibson (101:38)

He said. I have zero real world context for what's normal in terms of how coding feels or how long things take. Well, we could definitely make you feel better about that, he said. Over the years, some of your offhand comments about coding have been unexpectedly important to me. You've mentioned sometimes returning to old code to have nearly forgotten how it works, about the steep cost of context switching in your reflections on the DNS benchmark revamp. I thought I was just a crap coder for finding a finding a few days away from a project to be such a wrench and to take so long to decipher things I've written before. I can't overemphasize what a huge relief hearing these things was. I'd nearly convinced myself there was something wrong with me for having the same experience. You and Leo have commented how some coders simply aren't suited to being employees. I. E Can only really dev the as their own bosses. Hearing that framed without judgment was another relief. All of that is why I'd be so grateful if you ever did a one off episode or extended segment where you just chew the fat about what it's like to code, drawing on that rare decades long perspective and super rapport you guys offer. You already do this so well for security each week, even a single focused conversation about coding itself, habits, mindset, trade offs, he says. OMG time scales, how it feels over a lifetime. Anything I'm sure would be incredibly valuable for people like me. Thank you both for everything you already put into the show. It's a genuine highlight of my week seeing the Security now logo pop up on my podcast feed, all the best Gorbach 1370 so I'd be glad to participate in something like that. And I was thinking it would be fun to grab a couple of other coders to join. You know Randall Schwartz and Father Robert come to mind.

Leo Laporte (103:56)

We have by the way, in our club some really accomplished coders. I've mentioned names like you know Paul Holder because he's in your forums rig of course he's very good. Darren Okey is here. We have Sci Faze, Miguel Fire and I know they're good because they do the advent of code with me every December and I'm always blown away by how good they are at writing code. I think if you want Steve, we could do this as a club. You know we right now we have a AI users group. We have we could have a code users group.

Steve Gibson (104:25)

Well, I can't do anything other than a one time. I mean, one time only. Yeah, I'm giving us two days.

Leo Laporte (104:32)

We did a show called Coding one on one. Father Robert hosted that. The problem we found, I found is do you pick a language?

Steve Gibson (104:41)

Details, Details.

Leo Laporte (104:43)

Yeah. How do you do it? There are some really good YouTube coding videos. In fact, if you like Advent of Code, there's a few people doing it live on, on YouTube that are really fun to watch and interest.

Steve Gibson (104:55)

So maybe, I mean, the right thing to do is to tell Gorbash to take a look around YouTube. I mean, incredible.

Leo Laporte (105:01)

For this. Yeah, there's one, there's one. You do the guy who wrote Vanilla js, which was in itself a pretty amazing work of art to take vanilla, to take JavaScript and turn it into something useful. But he has a. I don't know if anybody uses it anymore, but he has a. I think it's called you suck it code. Uh, and it's, and it's a really good YouTube. Somebody mentioned it in our club, Twitter Discord or you suck at programming. This is the guy here. Somebody mentioned this in our club, Twit Discord for Advent of Code. And, and it's really. It is. So there is a lot of stuff on YouTube particularly, I think it might be hard to do a discussion thing because what are we going to discuss? I mean, I think people would, I would love to interview you about, you know, your design patterns, your best practices, your experience and what you've learned and stuff like that, you know, or what we could do is we could give you an interview, coding problem like Fizz Buzz and we could watch you solve it. That would be fun.

Steve Gibson (106:18)

Yeah, I don't know.

Leo Laporte (106:19)

I don't know. What would you like to do?

Steve Gibson (106:22)

I mean, I guess, Mike, my thought is sort of a round table of people who are, who we like to hear from. I mean, like, and, and that, and that's why I think Randall Schwartz and father Robert, you know, I'm sort of people, I don't know, people who have some perspective on, you know, like. So, yeah, sort of the, sort of the, the, the process of it. I mean, I've said things like we're.

Leo Laporte (106:50)

On coding one on one, by the way. I don't realize this four different times. Do you remember that?

Steve Gibson (106:55)

No.

Leo Laporte (106:58)

2015, 10 years ago, with Father Robert. One was called with Father Robert, the wisdom of Gibson, Steve Gibson's Entropy Harvester. Yeah, you were, he interviewed you and it looks like Lumaresca was there as well, who was also a coder for Microsoft.

Steve Gibson (107:16)

We have in that case.

Leo Laporte (107:17)

Yeah. A large number of very good coders in our company, in our group.

Steve Gibson (107:21)

You know, completely makes sense that you.

Leo Laporte (107:23)

Would, who else would watch this stuff? I, you know, I love coding, but it is also kind of a solitary thing, isn't it? It's like writers getting together to talk about writing.

Steve Gibson (107:34)

You know, it's actually why I love it. I'm not collaborative by nature. I show my results, but I don't show the process right.

Leo Laporte (107:42)

Exactly. I did stream last year the first four problems in advent of code, which was quite fun. I decided not to it this year because it really, it slows me down a little bit. Yeah, but, yeah, but I, I, I love the idea. I just don't know what we can do with it. Certainly take a look at what's on YouTube.

Steve Gibson (108:05)

There's, well, and I will feel, think about it live. I, I will feel empowered to spend a little more time here, you know, talking about stuff, you know, if you.

Leo Laporte (108:18)

Talked about code every once in a while on this show, that would be fantastic. Yeah, I would dig it.

Steve Gibson (108:23)

Yeah, that's good. So, Troy in Moncton, New Brunswick.

Leo Laporte (108:32)

Moncton.

Steve Gibson (108:33)

Yes, Moncton. He said. Hi, Steve, thanks for the years of great content. Been a listener since 06 and really enjoy the weekly roundups you put together for us listeners. The latest update to the bit Warden's browser extension 25 11.1 broke the passkeys integration that's been working perfectly for quite a while now. Speaking of passkeys, at first, like many in the community forum, I thought it was a Firefox update that messed up Bitwarden's functionality. But it ended up being a bug on Bitwarden's end. And he's got a link to it. Looks like the link is Firefox Bitwarden extension, not prompting for pass keys on any site. It was a little glitch in the extension. He said the temporary solution brought forward by the moderators of the forum is to scale back to the previous version 2025.11.0 and turning off automatic updates for that extension. That solution has fixed the problem in my browser as well. And he's using Firefox on Linux. And he said Bitwarden is already working on the fix. Maybe by next week's security now this will all be resolved. But just in case other listeners ran into this issue and didn't understand what was happening, it might be worth a quick mention. So there's the quick mention. Just a heads up, I checked over on GitHub and found the comment about the fixed, which read reverts some of the changes introduced by pound 1417466 and takes a different approach to hiding the extension URL by injecting the script contents instead of linking to it. I don't know what any of that means, but it does sound like there was a, you know, some way that they that the extension did something that broke some things and and they're now going to do it in a different way to unbreak it. So just anyway, if anybody might have had hit that glitch with passkeys, it's probably been fixed by now. If not, check back Gregory Paul said hello Steve, Regarding the deprecation of XSLT support, I'd like to draw your attention to the fact that this technology is very useful in the context of RSS feeds, which can be used for podcasts. Indeed, while RSS feeds are mainly used by RSS readers or podcast apps, if a user opens an RSS feed directly in their browser, a use case is to have an XSLT style sheet that provides a preview of the feed. A few years ago browsers used to display XML feeds directly, but now they're downloaded instead, which makes them harder to view. I created an open source project that lets you send a link to an RSS feed which I use as a bookmark or to send links to family members. There's a demo here and it gives us the URL RSS to do list EU rsstodo L I S T EU is that I used an XSLT to display a proper rendering. I think I'll be able to use Google's suggested fallback loading a library that emulates XSLT processing or alternative alternatively make two renderings, one in HTML for users with an alternate link tag pointing to an RSS feed. He says thanks for your amazing work. Gregory from Paris, France, a long time listener Spin right Owner and member of Club Twit.

Leo Laporte (112:25)

Nice. Hello Gregory. Thank you.

Steve Gibson (112:27)

So since we talked about this week before last I then I shared last week some of our listeners chagrin over Google's planned deprecation and eventual elimination altogether of XSLT support. I was not aware of any intersection of XSLT in in my own life, but a couple of days ago huh? While working on GRC's website changes to support the upcoming release of the DNS benchmark, I was puzzled by by an error Windows Web Server was producing. Microsoft's IIS web server has become incredibly convoluted through the years as it's been mutated to retain backwards compatibility. And a parade of features needed to remain, you know, like new features needed to remain competitive. Microsoft invented their own server side scripting language known as Active Server Pages. Then of course, PHP refused to die, then Java Server Pages became a thing, and of course Microsoft needed to add their beloved and ever evolving.net whatever into the server just to keep anything from ever having a chance to stabilize. And nothing that's ever come before has gone away. Right? So we have support for server side, includes the original CGI interface and then the newer fast cgi. Collectively, it is a mess. And of course each piece was then made into a module. So there's now an exceedingly long and ever lengthening processing pipeline of modules that are sequentially invoked to process each web request. So when nothing comes out the other end of the pipe, the quandary is where in the pipeline did the request die exactly? To answer this too often asked question, IIS has a feature called Failed Request Tracing, which nicely does what its name suggests. Through the years, I've needed to rely upon it from time to time to solve the sorts of mysteries that would otherwise be utterly impenetrable without a huge amount of trial and error. It'd be like, okay, well this works, but this doesn't work, so how about this? And okay, let me try this.

Leo Laporte (115:03)

Oh.

Steve Gibson (115:04)

So having covered the planned demise two weeks ago of our browser's XSLT driven XML processing, I realized for the first time that IIS's own failed request tracing logs are output in XML format and that it is only thanks to the presence of an innocuous 100k dot xsl. It's freb f r e B. I'm sure it's what? Failed request something something error, failed request error. And then a B dot XSL file sitting. It's sitting quietly in the same directory. Only if it's there, does double clicking on the XML file produce a beautiful a series of export of explorable web pages that are, you know, even remotely legible. So anyway, Gregory's note indicates that Google is suggesting a fallback. And it's clear that Microsoft themselves will be needing to do something about this by this time next year. Since it seems likely that our browsers are going to be losing the ability to ingest, process and display XSLT formatted XML files. It turns out even I will be a little inconvenienced by that. Although maybe Microsoft, I mean, Microsoft's gonna have to come up with some solution because it is a it's you need this thing in order to figure out where your request died in this lengthy pipeline of craziness. Brian Kirchen wrote hi Steve listener since episode one. Thank you for 20 years of Education Entertainment. It's crazy to think that I've spent a couple of hours with you in my ear each week for almost 40% of my life, he said. While I'm a long time listener, my family doesn't get as excited about keeping up on the security news of the week or learning exactly how the Internet works. As such, I haven't been very successful moving them from their current password chaos to Bitwarden. So Leo, we have a creation of Brian which is a YouTube audio. He wrote. I thought that AI might help me with my marketing better password practices to my family. I had Chat GPT write the lyrics and style prompt. Ben Suno created the song Good.

Leo Laporte (117:53)

Yeah.

Steve Gibson (117:53)

Inevitably, the this attempt was also met with shaking of heads and nearly and he said nearly audible eye rolls. You I can just imagine, he said, undaunted. I'm hoping to get a full family conversion to Bit Warden this holiday season. Thanks again for everything you do. I love the podcast. Here's to another 30. Another 20 years. Best Brian in Deerfield, Illinois. Should I so Leo, a little bit. Yeah. Here I think play as much as until you feel we've had enough.

Leo Laporte (118:26)

Okay. Until your judgment the great password cleanup of 2025 gather up my family.

Steve Gibson (118:35)

We have a quest today. Our password life is chaos in a swirling disarray. There are chrome ones, safari ones, apple ones, two and half of them are weak enough a baby could get through.

Leo Laporte (118:46)

This is great.

Steve Gibson (118:47)

So welcome. Welcome to Bitwarden, the tidy little vault. It simplifies your universe and none of this is your fault. You only need a master key to open every door and Bitwarden makes the others so you never think of them anymore. Sing it loud, Sing it proud.

Leo Laporte (119:06)

I'll send this along to our friends at Bitwarden, our sponsor, and see if they want to use it as their new jingle. That's hysterical. I will send it to Bit Word and they will love it.

Steve Gibson (119:15)

Sing it loud. Sing it proud.

Leo Laporte (119:19)

Very, very funny.

Steve Gibson (119:21)

Oh my gosh. Thank you very much, Brian, for sharing.

Leo Laporte (119:25)

I'm sending it to him right now.

Steve Gibson (119:27)

Robert Blackmere said He said hi. The Picture of the Week last week is about what is known as in the Netherlands, an elephant path. You know, we call them desire paths.

Leo Laporte (119:43)

Because they do look like the trunks of an elephant. Yeah.

Steve Gibson (119:46)

Or maybe it's that elephants don't bother to follow that Too, the curved line. They just go in a straight line and, you know, nothing you can do to stop them. He said. And this particular one, meaning our picture of the week, is located just outside the city of Teal in the Netherlands. An Instagram account published your picture five weeks ago. After it went viral, the city of Teal decided to fix it permanently by removing the fence again.

Leo Laporte (120:19)

Oh, that's funny.

Steve Gibson (120:21)

They took away the fence, he said, after it went viral. Oh, he said. He said the photo below, which he attached in his. In his email to me, is the same spot just one week later.

Leo Laporte (120:34)

They took out the fence.

Steve Gibson (120:37)

Yep, he said, and here's a Google street view from 2009 showing that the elephant path has been there forever. He gave me a link. I have it in the show notes. Yeah. So he provided us with two photos, which I've grabbed both of them, actually, for the show notes. So side by side, at the top of page 16, we have a photo of the same path after the city decided to remove the ridiculous barricade. And then the. The actual. Yes. The actual explanation for what? Remember that we. That we couldn't see where the path. The official path, what happened to it over here?

Leo Laporte (121:20)

Yeah. Yes.

Steve Gibson (121:21)

It veered out of the frame. So what we now know, and this explains why it wasn't left in a straight line, is that there's actually a third path coming in from stage right.

Leo Laporte (121:34)

Right.

Steve Gibson (121:34)

And so the.

Leo Laporte (121:36)

The. And knowing, by the way, that this is the Netherlands, this is a bicycle path. You see the dotted line in there? And those. Let me tell you, in the Netherlands, you take your life in your hands when you walk on these bicycle paths. So this elephant path may merely be pedestrians dodging these speeding bicycles.

Steve Gibson (121:55)

Nice.

Leo Laporte (121:55)

I don't know. No, this makes sense. Why would you, if you're walking here, go all the way around, you just egg through.

Steve Gibson (122:02)

Exactly.

Leo Laporte (122:03)

Yeah, exactly.

Steve Gibson (122:05)

And. And so the. The ridiculousness of the gate apparently embarrassed the city officials, and so they yanked it out of the ground, and now people and elephants are able to just go in a straight line.

Leo Laporte (122:18)

Fantastic. Wow. Thank you for the effort there.

Steve Gibson (122:22)

So thank you, Robert. Appreciate it, really.

Leo Laporte (122:25)

He really put in a lot of effort to document the whole thing.

Steve Gibson (122:28)

Yeah. Guy Watkins said, Steve, listening to VPN blocking laws, he said, I decided George Orwell was an optimist, and that's all he said. You know, and. And I have to. I have to say I don't really believe I have. I just can't believe that wholesale VPN banning could ever come to pass. I cannot imagine that an entire Internet technology, which has many more applications, which is the point that the EFF made in what I shared last week. Many more applications than just geo relocation. That's kind of a side effect of using a VPN that the whole technology could be banned from because one of the many things it can do is geo relocate. And as we know, just bouncing traffic off a proxy server located elsewhere will have the same effect. Meaning it's not even a vpn, it's just a bounce. So, you know, I just we'll have to see what happens, but that just seems crazy. Ethan Stone said hi Steve, I listened to the latest Security now, and I thought I'd fill you in on what happens to people using VPNs right now. First, it's important to know so he's a heavy VPN user. First, it's important to know that a lot of sites are currently screening for IP addresses that are associated with a vpn, he says. I don't know how they're doing it, and actually we're going to find out by the end of the podcast how. Although I suspect there are commercial services that try to keep track of the latest IP addresses of popular VPNs, huh? And create continuously updated blacklists, huh? But empirically, he says, it's obvious that it's happening right now. Second, I think I have a different perspective on this because I'm almost always surfing the web on a VPN using a browser that has few or no cookies and is not logged into Google or anything else that would identify me. As I mentioned before, I'm one of your more paranoid listeners. As a result, my experience on the web differs significantly from what most people encounter. Given all of that, once a site has identified me as using a vpn, various bad things can happen. I I never use a VPN when I'm trying to log into my account at a financial services company because they commonly refuse to let me log in at all. But lots of other sites seem to be monitoring for VPN IP addresses and trying to exclude, or at least treat differently any visitor coming from one. For example, I often have to cycle through several VPN servers when I want to see a YouTube video before I find an IP address. Google hasn't blocklisted yet. Yeah, that probably doesn't happen to you because you watch YouTube while logged into a Google account. That's true, but as noted, that's not me. So I guess I stand out and look suspicious to Google. If I use a vpn, Google can identify the videos often either fail outright or YouTube requests me to log in so they can check my age or verify my identity. But that's just one example. It happens to me all the time, to the point that if anything on a website doesn't seem to be working right, my first instinct is to cycle to another server and at some point before I contact customer service, I'll try dropping the VPN outright to see if that finally helps. It's worth noting that for some weird reason, sites never tell you outright. You know, quote, we've identified you as using a vpn, please drop it. They just make things fail in unexplained ways. I'm not sure why, but it's universal. I don't think I've ever gotten a message telling me, just drop my vpn. So I thought it might be interesting to you to get a report from the tiny corner case where I spend my time online. I love the show. Thanks for everything you do, Ethan Stone. So very cool and valuable feedback. Ethan, thank you. Oh, I hadn't thought about it before, but sometimes when I'm doing a bit of research on a failed GRC web forums account creation, sometimes I look over and do like, see what, you know, bots are trying, you know, what's going on with bots trying to create accounts over there. I'll see what's known about an IP that's being used in a failed attempt to log into GRC. The Zenforo forum software links to whatismyipaddress.com and I'll often see that it has identified an attempted login as a vpn. So Ethan, I'm sure is right in correctly assuming that there are available databases of VPN Exit Point IPs and that websites are treating such visitors who are able to determine that in some different way due to far higher incidents, for example of fraudulent activity originating from VPN users. And Leo, it's time for our second to the last break.

Leo Laporte (128:25)

Yes, and from a company that I am rather fond of, as with all our sponsors. And there's some good news, Steve. I think we're going to be visiting them in March, but I'll give you some more of those details.

Steve Gibson (128:41)

I did say I would.

Leo Laporte (128:42)

So yeah, yeah, we're talking about Threat Locker. They do a conference every spring called Zero Trust World and I do believe you and I are going to go out to Zero Trust World and do a little presentation. So we're going to have to think about what we'd like to do and we'd like to invite all of you to come, but more details about that to come. But keep, keep. I think it's March 4th open, so you can march forth to Orlando, Florida and join me and Steve at Zero Trust World. That's something Threat Locker does every year. And Threat Locker is really the king of zero Trust. That's one of the reasons they're, they're, they're big fans, as we are, of Zero Trust, which seems to be one of the few technologies that can really prevent you from, from becoming the next victim of ransomware. Threadlocker Zero Trust platform takes a proactive, and this is the key deny by default approach. If it is not explicitly permitted, it doesn't happen. It blocks every action that's not been authorized prior to this. That's the best way to stop things, you know, zero day exploits, supply chain attacks, things coming in over the transom that you don't know about ahead of time. They just, they can't do anything. It's called Zero trust because the whole idea is you don't trust. Just because somebody's inside your network doesn't mean you should trust them and let them do anything they want. That's crazy talk. But the easiest way to implement Zero Trust, Threat Locker. It protects you from both known and unknown threats. And it's so good, it's so affordable, so easy to set up that it's used by some of the biggest companies, infrastructure companies, companies that can't afford to be down for even a minute. Companies like JetBlue, for example. They use Threat Lock, the Port of Vancouver. Ports, as you know, are really targets for ransomware attacks. Port of Vancouver can. Yeah, we're not worried. Threat Locker shields them and can shield you from zero day exploits and supply chain attacks. And incidentally, providing complete audit trails for compliance. This is good. As more cybercriminals turn to malvertising, you might want to know more about this. We talk about it on the show for sure, so you probably heard Steve talk about it. But malvertising is so insidious, it's almost impossible to stop an employee from seeing these bad advertisements. They don't take a click. And they often operate in a way that they can't be filtered out. They use fileless payloads, they run in memory, and they often exploit trusted services that traditional filters say, well, it's a trusted service, right? The way it works, attackers create convincing fake websites. They look just like popular brands, AI tools, software applications. They advertise them through social media ads. They propagate them through hijacked accounts. The thing that's really insidious is they use legitimate ad networks to put that malware on websites that your employees are going to every day. Anyone who browses those websites on a work system is vulnerable unless you're using Threat Locker. Threat Locker's innovative ring fencing technology strengthens endpoint defense by controlling what applications and scripts can access or execute that contains that malvertising and other potential threats. Even if the malicious ads actually reach the device, which almost inevitably they're going to, they're harmless to you. It's amazing. Threat Locker works across all industries. It supports Mac environments as well as PC. They've got a US based support team. That's excellent. 24. 7, always there for you. And of course because of the way this works, you get comprehensive visibility and control. Jack Sennasap is the director of IT infrastructure and security at Redner's Markets. He says, and this is a quote, quote when it comes to Threat Locker, the team stands by their product. Threat Locker's onboarding phase was a very good experience and they were very hands on. Threat Locker was able to help me and guide me to where I am in our environment today. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com TWIT to get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com TWIT we thank him so much for their support of Steve. They've been big supporters for all the past year and I think a couple years before that and hosting Zero Trust World 2026. It's going to be March 4th through 6th in Orlando and I'm probably a little premature in saying this, but we're going to be there, Steve and I hope you will be there and come see me and Steve. We haven't decided what we're going to do yet, but we're going to have a presentation. So I think it'll be a lot of fun. I'm looking forward to it. All right, back to the show we go, Steve.

Steve Gibson (133:55)

So Jacob says, hi Steve, I'm coming to you in search of a solution to a problem I have little experience with. My Grandmother frequently uses Apple 2 GS programs for her piano studio. She does not have copies of the disc and they have an unknown copy protection on them. Oh, they are 3.5 inch floppies and we only have one working drive for them. Oh, I'm going to try to use ADT Pro to get a nib copy of the disks but from what I found that is unreliable with the 3 1/2 inch disks. I know you have a lot of experience with spinning media and I was wondering if you had any suggestions for making copies or digitizing these discs. Sincerely, Jacob P S. I love the show. Keep up the good work so this is a bit of an oddball question, but I thought our listeners might enjoy knowing of my reply to Jacob. I replied hi Jacob, the problem is that the formatting of three and a half inch diskettes is largely software defined. Oh, as such?

Leo Laporte (135:09)

Like hard tracks or anything?

Steve Gibson (135:11)

Yeah. As such, they could have any sort of bizarre physical formatting that would be impossible to duplicate without some sort of very specialized equipment. Assuming that the diskettes copy protection details are unknown and undocumented, it would be impossible to even know where the protection was stored. For example, diskette media is self clocking where only the speed of the spindle and the frequency of the data being written determines the placing and spacing of the bits on the magnetic medium. If a drive motor was spinning just a bit faster than normal while a tracks data is being written, the end of one track might start to overwrite the start of that track the start of that track, because the too fast spinning would bring the track start back around too soon. This problem is not just theoretical. To prevent this from happening, diskette tracks contain a dead zone at their end. This allows some slack in case of a too fast spindle motor. Consequently, when looking for some sneaky place to place a bit of copy protection authentication information that would never be copied by duplication software, some copy protection systems write an additional small bit of data into that slack region. Normal software doesn't know to look there, but the copy protection does. Another example is the use of an additional cylinder. Diskettes determine where their head is by incrementally stepping inward or outward. But anytime they cannot find the sector they're looking for, they seek to cylinder zero to recalibrate and then step back out again. Most diskette drives contain an optical sensor to let the diskette controller know when the head has reached cylinder zero. But Apple saved a dollar by eliminating that sensor. Apple's drive just runs the drives ahead back into a hard mechanical stop. This is why Apple's drives made some disquieting noises when they were recalibrating their head positions. Once the drive seeks to cylinder zero, it then counts cylinders as it moves inward. But who's to say that a drive can only record 80 tracks? Sure, 80 is the official track count, but why not 81? If the 80th track is reliably read and Written, chances are that the 81st track would be 2. So the unofficial track 81 could also be where a copy protection system might choose to store its data. And one last trick might simply be some deliberately miswritten sectors. Normal diskette software places checksums on sector headers and sector data. Normal software won't read sectors with bad headers and data. This might be what the ADT Pro diskette copying software will read if it can. But writing deliberately damaged sectors again is another trick that diskette copy protection systems have used. So anyway, my answer about, you know, Jacob's probably hopeless quest to back up some Apple IIG's programs that were copy protected.

Leo Laporte (139:08)

The point is, you could image it, but then when the program ran, it would try to read the malformed disk parts. People used to put little holes in the disk, for instance, to make it.

Steve Gibson (139:20)

Yes, there were physical damage on media.

Leo Laporte (139:22)

And so then the software is going to run, it's going to say, well, let me see if this is a legitimate disc. And the thing is, your imaging software was unable to copy whatever weirdness the copy protection scheme put in there.

Steve Gibson (139:33)

Exactly.

Leo Laporte (139:34)

However, I have to say, in my day, I did this a few times with Atari disks. Sometimes you can load the program into ram, find the part that is doing the copy protection and with a hex editor, jump around it.

Steve Gibson (139:48)

Known as hacking, my friend.

Leo Laporte (139:50)

Yep.

Steve Gibson (139:51)

I think, I think I may have mentioned that a very good friend of mine, the wife of a very good friend of mine had a computerized embroidery shop. Yeah. And, and so they had some dongles that had to be plugged into the parallel port.

Leo Laporte (140:09)

This sounds familiar. Yeah, yeah, yeah.

Steve Gibson (140:11)

And, and, and, and she, she. I don't remember what happened. It was one of those, you know, dog ate my homework things. The company refused to replace one. Right. That actually was damaged by, by a lightning strike on Newport coast one day. I mean, I. It was a, you know, so it was a. Like the computer needed to get, to get rebuilt. And then Gary finally discovered that the thing, the dongle that had been plugged into the parallel port was dead. And the, and, and I think that the software was like custom vertical, you know, embroidery stuff for thousands of dollars.

Leo Laporte (140:50)

Sure. That's why they had a dongle.

Steve Gibson (140:52)

But that's. Yes, exactly. Yes. And so anyway, he came to me and he said, Steve, he called me Gibson for some reason. But he said, gibson, come on, you gotta, you know, gotta help me out. It came at a time when I wasn't doing anything. So I said, oh, this will be fun. So anyway, I found it Was one instruction, a jump instruction that I just no opt and then I saved the.

Leo Laporte (141:17)

Change jump to the copy protection.

Steve Gibson (141:18)

So it didn't.

Leo Laporte (141:19)

Yeah.

Steve Gibson (141:19)

So somewhere there is a decision point where it's should I run or not? And so you just say, yeah, you should.

Leo Laporte (141:28)

And usually it's at the beginning. So that's, that's what I would say. The best bet is if you can image it, do it. Won't run that image. Won't run. Your next job is to go in with a hex editor into that image.

Steve Gibson (141:39)

And see of course the knowledge base of people who know Apple. I mean, I do, but you know, from the light pen, but. But I've forgotten everything I knew.

Leo Laporte (141:49)

But you know, there's 6502 assembler. It's going to be early on and the thing is it's going to be a jump, but there'll be a lot of jumps. Yeah. I don't know. You might try. It might be a fun little exercise. You can't, I guess you could disassemble it, try to figure out what's going on, what it's doing.

Steve Gibson (142:06)

And I, I also remember the copy protection software. You would often hear the head going. It was like very busy doing, like making sure that it was, you know.

Leo Laporte (142:19)

I bought a special floppy drive for my old Atari 800. It was very expensive, that had mechanisms to bypass copy protection. And it was weirdest sounding device ever because it was doing all these little oddball things. Yeah, yeah, yeah.

Steve Gibson (142:39)

Well, that's a. Jason. Yeah. Jason Egan said. Hey Steve, I recently came across this game and thought you might be interested. And Leo, you're going to want to go to unflipgame.com u n f l I p G-A-M e.com he said, I like to imagine this is a way of conceptualizing efficiently flipping bits, but I could be way off. Either way, my kids and I have enjoyed the challenges it presents. Some could be really tricky. The best part is watching my kids develop their brains muscle memory as they start to discover patterns during the unflip process of each board.

Leo Laporte (143:19)

Sure.

Steve Gibson (143:20)

Much like the Tower of Hanoi game. Let me know your thoughts and thanks for keeping us all informed entertained. So anyway, first of all, thanks, Jason. Several of our listeners who know of my penchant for puzzles without a timer also saw this and thought of me. So thanks to everyone else who also sent me notes about this. And again, it is unflipgame. U N F L-I-P G-A-M E.com.

Leo Laporte (143:46)

Oh, this is Fun. I get it. Yeah.

Steve Gibson (143:48)

Yeah, it is really fun. So it's a toy that runs entirely within the browser, thanks to a bit of JavaScript, and I've already spent some enjoyable time with it. The puzzle begins with an n by n grid of squares. End being a small number like five or six. And that square grid contains an initial starting pattern with some squares being black. The goal is to turn the entire grid white. This is done by dragging the mouse from one corner of your own square to the opposite corner. Once you release the mouse, all the squares contained within that newly drawn square invert, you know, black to white, white to black. So it's an xoring puzzle. You quickly learn that you're only able to invert square regions. That's an important limitation.

Leo Laporte (144:43)

Yes.

Steve Gibson (144:44)

The initial levels of the puzzle are nicely designed to teach the basics and to show some of the more important concepts. The puzzle has a moves counter and a and a best and a par indication to show what's possible. It's possible to just keep pounding on the poor thing, trying this and that and, you know, going around and around in circles racking up moves. But the fun is in using some planning and some finesse to always complete the whitening in the fewest moves. Anyway, I like it a lot. It's unflip game U N F L-I-P G-A-M E.com and I recommend it for level six.

Leo Laporte (145:28)

I think I've met my match. How far did you get?

Steve Gibson (145:32)

Oh, I. I think I got up to 15 maybe. And you. And up there at the top left, you can click on all levels over on the left. Ah. And that will show you. So you did the first five. And there's. Oh, it gets lots, lots to come.

Leo Laporte (145:48)

Clever. Very nice and beautiful. It is really neat. Simply designed. Yeah, yeah, yeah.

Steve Gibson (145:54)

Bob Sutt wrote, longtime listener before episode 50 Spinrite owner. And he said, he said and old about you and Leo's age.

Leo Laporte (146:05)

Oh, but we're not old.

Steve Gibson (146:06)

But we're not old. He says, no, no. My question has to do with pass keys and maybe digital IDs. He says, I have none yet. I'm a treasurer for a local church. Many of the government sites want me to use login.gov or ID me, which is fine, but I have two roles. One is me and, you know, and my personal accounts, and one as a treasurer. I haven't figured out how to use a PassKey and have two roles. I have purposefully used my church's treasurer email for all church business so I can One day hand all of those accounts over to someone else, he says. I use bit warden. I even have two user accounts on my computer to separate what I do. My bank is greatly confused and continually tries to link my personal account with the church's account. I end up at the Social Security site for my information instead of being able to file tax information for the church. I get it that I'm one person, but that doesn't mean I own all the funds in my. My church's accounts, he says. Are passkeys so simple that I'm making this hard? Am I missing something? Will digital IDs cause the same issue? Okay, so first of all, Bob, I'm wondering whether the confusion at your bank might be due to remaining logged in with one identity when attempting to log in with another. You know, I don't know what could be causing the linkage problem, but for what it's worth, multiple pass keys per single relying party, that is the website is a common need and as far as I know, all of the passkeys implementations allow for multiple pass keys to be associated with a single website and different user accounts. So when you have two assigned for example one for you and another for your church's treasure for. For your church's treasurer, who happens to also be you at the moment, your passkey authenticator should prompt you which one of the two you wish to use. And note that this is different from. From. From wanting it to be able to use multiple different pass keys to log into the same account. You know, the need that. That Bob explained is def. Is having different accounts wishing to have separate pass keys all stored in the same device. And that should be possible everywhere now. But not, not all sites support multiple passkey users logging in authenticating to the same for example bank account which you know, sometimes mom and dad would want to be able to to use different pass keys to log into their shared account. Not yet universally available. But multiple multiple pass keys on on the same authenticator for. For different accounts at the same website should be universally supported. Now Chad says hi Steve. Hey. Oh, I like this AI isn't all it's hyped up to be, he said. I asked Chat GPT to help me identify the 12 disks in the JBoD. You know just, just a bunch of disks JBOD that I'd attached I that I'd recently attached to this host. The Host already has a 16 disk JBOD attached. It identified the two enclosures but he has in all caps. He's very indignant about this Leo it literally reversed them. It told me to run a command to create a new Z pool. It only gave me disks from the 16 bay unit, not the 12. Since the 12 had discs from a previous pool of, I knew I needed to force a force parameter with Zool, thereby putting the data on my 16 DIS enclosure at serious risk. Meaning that he was going to use the force parameter, but on the misidentified 16 disk? Jbod, he said. Thankfully a WC L command caught chat's screw up and my data is still safe. I had provided the command and output it asked for, yet a simple basic task it could not do without making a serious mistake. I'm not worried AI will replace us humans anytime soon. Signed Chad okay, so one of the things I hear Leo and Leo's AI informed hosts and guests, noting frequently, is that today's AI is only as good as the depth and breadth of its training data. The key thing to appreciate is that today's AI doesn't actually understand anything that it is saying. No, what's so frigging astonishing about what we have today is that just by being what Leo originally described as a fancy spelling corrector, today's AI is able to do as much as it can and to appear to actually know what it's talking about. It does this so astonishingly well that it's easy to be seduced by it. I have a perfect example from my own recent experience. Last week I needed to multiply a 64 bit integer by a 32 bit integer. Naturally my language is intel assembly code, and I could not assume that the user of the DNS benchmark would have a 64 bit processor, could be a 32 bit chip or 32 bit OS. So I needed to only use 32 bit instructions. Anyone who's played with machine language knows that a 64 bit by 32 bit multiplication can be performed using a pair of 32 bit multiplies while saving the high half of the first result and later adding that to the low half result of the second multiplication. This is exactly what we do on paper when we multiply a two digit number by a one digit number. Just the same, I was curious to see what chat GPT's best code smithing model would suggest. It was an almost comical disaster. It was very sure of its result, which was utter nonsense. It even added some helpful comments to the code, which just added insult to injury. So why can't AI do something so basic? Because there is not a ton of pre existing intel assembly language code on the Internet for the model to have previously trained on. Sure there are some. So it spewed out some nonsense, but that's all it was able to do. Now ask it something about Python or PHP or C or even Common Lisp and Emacs. Yeah, and stand back because you often get near perfect, amazingly complex code. But that same AI cannot produce the code to multiply a 32 bit integer by a 64 bit integer using 32 bit intel instructions. Not even close. So my point here, Chad, is that you ask the AI something for which there is not a huge body of very specific knowledge and example, your question assumed that it actually understood what was going on in your system. But it's just a pattern finder and pattern matcher. It's an astonishingly good pattern finder and pattern matcher. But for now, at least, that's all it will ever be. And this of course is the crux of the big multi. Now it's a multi trillion dollar question. Can LLMs ever be more than this? Is this the way forward or is this a tantalizingly dead end on the way to more? There are many AI researchers who today still consider all this to be a very, very expensive parlor trick. Useful, yes, absolutely. And unfortunately, people whose employment is reducible to sophisticated pattern finding and matching are in trouble today and tomorrow those jobs are gone. But this may be all there is. This may be the end of the LLM trick, you know. No, this may, there may not be any further road for it to go down. We'll have to see.

Leo Laporte (155:57)

Yeah, my instinct is we've got a lot more to go down the road, but who knows? You just don't know.

Steve Gibson (156:05)

Oh, I agree, yeah. This has clearly, I mean when you pour this much money and this much focus in my feeling is that LLMs are probably not the answer, but that we have. But we're going to find it.

Leo Laporte (156:20)

Yeah.

Steve Gibson (156:20)

Because we've got, we have a sniff of it now.

Leo Laporte (156:24)

Right. One I think might have been Yann Lecun, some, somebody described and I found this very useful to remember the knowledge of AI. Its knowledge base is spiky in the sense that, you know, if you say this is, this is our knowledge base, it has, it'll fill, but there'll be spikes, there'll be areas it knows a lot about.

Steve Gibson (156:48)

Not uniform, it's not uniform.

Leo Laporte (156:50)

And, and we're used to saying, well, if this, if this is good in all these areas, it must be good in all areas. No, it's very clearly not. So it's spiky, it's not Uniform. Yeah, it's good to remember that.

Steve Gibson (157:01)

And so, and the good news is a lot of computer people and especially coders are asking it things that it's, it's pretty good at. Yeah, yeah.

Leo Laporte (157:09)

And you learn, that's the other thing you learn where to trust it, where not as you use it, you know.

Steve Gibson (157:14)

But it's not multiplication, it turns out. Yeah, yeah. So we must have talked about the Stargate science fiction series through the 20 plus years of this podcast. I've been a huge fan of the Stargate franchise through its many years. It was often the case that it was the only good source of science fiction programming. Part of that was a love of the various original cast members who I really enjoyed and part was an appreciation for the writing, which was also often great. The strongest well known personality on the Stargate SG1 series, which was the original series, was Richard Dean Anderson, who many know from the roles that made him famous, which, which was, as you know, MacGyver. He was known as MacGyver when he was very young and he maintains that same snarky, sassy humor in, in throughout the the Stargate series, which I think works quite well. So for those who may not know, and this is no big spoiler, the concept is that an ancient race of technologically advanced, brutal, and not very nice aliens created a massive network of circular portals which we humans dubbed Stargates. We call them Stargates because any pair of them can be interconnected by dialing the far gates gate code, sort of like an intergalactic IP address. Wikipedia, which has an extensive page about Stargate, explains that the pair of Stargates are linked by what is informally known as a wormhole, but is technically an Einstein Rosen Bridge. Anyway, what I always appreciated about this concept, you know, the concept of Stargate as a vehicle for science fiction storytelling, was that it very cleverly gave the writers an infinitely large blank canvas. In Star Trek, you know, Kirk, Spock, McCoy, Scotty and the rest of the crew roamed around in the Enterprise and stories were wound around whatever they might find on whatever planet they beamed down to. Similarly, in Stargate, after first discovering a lone abandoned and long buried Stargate on the Giza Plateau in Europe, I mean, in Egypt, after figuring out how to turn it on and discovering that there might be some very nasty aliens on the other end of the wormhole, a new military branch is formed to systematically explore the gate network. So teams of explorers would, would dial gate codes consisting of a string of alien symbols that are related to constellations. And then upon the Entry of the seventh symbol, a silvery liquid appearing event horizon would form across the gate's aperture and then our intrepid explorers would plunge into the gate, not knowing what to expect on the other end. So anyway, as I said, it gave the writers total freedom and this thing went on and on. The first series had back then, seasons were long, 22 episodes or 20 episodes later, but 10 seasons of the first series, four seasons of the, of Stargate Atlantis and two seasons of Stargate Universe. So if anybody of our listeners has any young kids of the right age, it's pretty kid friendly. Sci fi, there's a lot of it and it's a lot of fun. Amazon has the rights to it. And the reason I'm talking about it today is there was just the announcement that Amazon prime and MGM are going to be big, are going to be doing a new series and it's got the original creators behind it. So I mean, there's fandom sites, there's websites, there's forums. I mean it was, it was as big a phenomenon as Star wars and Star Trek, you know, in its own right. So we've got another series. We don't know when, but no one's talking about it. They, they just announced it and started working on it. But I'm hopeful that, you know, we might have some sci fi fun coming up. And Leo, we've got our final sponsor coming up and then we're going to talk about bots in the belfry.

Leo Laporte (161:44)

Which you said. Maybe young people don't know that phrase.

Steve Gibson (161:47)

I don't know.

Leo Laporte (161:48)

I don't know.

Steve Gibson (161:49)

Yeah. Bats in the belfry. Yeah. Bots in the belfry.

Leo Laporte (161:52)

Yeah. You know what this is, this here thing, this is so great.

Steve Gibson (161:57)

The light's not on.

Leo Laporte (161:58)

No, it's not plugged in. Ah, okay. This is my thinks, Canary. And you're right, very good. The light's not on. I unplugged it so that you could, you could see a little bit more. This is such a clever idea and I just think everybody should know about things. Canary. These are basically, it looks like if you're not, if you're just listening, you're not watching the video. A little, you know, black usb, external hard drive, you know, three and a three and a half inch hard drive. It's not though, because it's got an ethernet connection and a USB power dongle. What it is is a honeypot. And that means this little box can be anything. It could be a Windows server, it could be an SSH server, it could be A SCADA device. It could be a Synology nas. And the thing is, when it's impersonating, because it's a honeypot, the. When it's impersonating one of these things, it is indistinguishable from the real deal. It's got the Mac address, right? It's got the ui. Perfect. So a bad guy browsing around sees one of these things, canaries, tries to, you know, brute force this fake internal SSH server, and you're going to get an alert. No false alarms, just the alerts that matter. And you can get any way you want. Email, text message, Slack, it supports web hooks, there's an API, it's syslog, of course. So, I mean, it's almost any or all of the ways you want to be notified. You could be notified. The nice thing is you'll never hear from your Things Canary until it's important that you do. That's the key. The other thing you can do with the Things Canary is create Lore files that phone home, basically. And they can be, again, almost anything. I have a couple of wireguard, what looks like wireguard configuration files. I got the icon, the whole thing. It looks like the real deal. But if somebody tries to open it, it's going to phone home. It's going to phone this device, which is going to alert me. Somebody's accessing my Lore files. Spreadsheets named payroll information. That's a good one. And you can put them anywhere, not just on your local drives. You can put them on your cloud. You could put them anywhere. It is a way of knowing if there's somebody in there who's not. Why is that important? Because, on average, companies don't know they've been breached for 91 days. That's three months. An intruder gets to browse around without any limitations. Right now, you might have, you know, all kinds of security, but do you have a way of finding out if there's somebody sneaking around inside your network? Do you have. Do you have a way of doing it? That's what the ThinksCanary does. Just choose a profile for your ThinksCanary device. It's so easy to change it. You might change it every week, every day, then register it with a hosted console for monitoring and notifications. Then you just sit back, you relax, you wait. An attacker who's breached your network, or malicious insiders snooping around or other adversaries cannot help but make themselves known by accessing your Thinks Canary or those Things Canary Lore files. It is an absolute must for any setup. Now, if, if you're a big bank, you might have hundreds of these. A small business like ours might have just a handful. Visit Canary Tools Slash Twit. Let's say you want five of them. That's $7,500 a year. You get your own hosted console, you get upgrades, you get support, you get maintenance. And if you use the code twit in the how did you hear about us? Box, you're going to get 10% off that price. And not just for the first year, for life, for as long as you own your things. Canaries. Here's the best thing. You can do this with absolute confidence, risk free, because you can always return your thinks Canaries. They have a 2 month money back guarantee for a full refund. 60 days to try it. Now I should tell you that they've been advertising with us now, I think nine years. In all that time, the refund has never once, not once been claimed. Because once people get a thanks to Canary or two, they realize this is what we've been missing. This is what we need. Visit Canary Tools Twit. Enter the code TWIT in the how did you hear about us? Box for a great discount. Tin Canaries. These things are honey pots. Done right, absolutely secure, absolutely reliable. Canary Tools Twit. The offer code is twit for 10% off. Let's finish up with bots in the belfry.

Steve Gibson (166:33)

So last Thursday Bleeping Computer brought us the news that the reputable and well known security firm Gray Noise Labs was offering a new service to check and even to optionally continuously check user IP addresses for their association with known bot activity. So here's what Bleeping Computer wrote. They said Gray Noise Labs has launched a free tool called Gray Noise IP Check that lets users and anyone wants to jump ahead. GRC, SC, BotCheck, just all one word lets users check if their IP address has been observed in malicious scanning operations like Botnet and Residential Proxy Networks. The threat monitoring firm, they wrote that tracks Internet wide activity via a global sensor network, says this problem has grown significantly over the past year. That's important with many users unknowingly helping malicious online activity. Gray Noise said quote over the past year residential proxy networks have exploded and have been turning home Internet connections into exit points for other people's traffic. And I'll just note that this does track. You know, this statement tracks with some of the more recent reporting we've seen and shared here regarding the number of IP addresses that have been involved in recent high bandwidth and also scanning and probing Attacks. You know, we hear hundreds of thousands of bots, meaning bot IP addresses are enlisted in attacks. Those must all be somewhere and running from someone's hardware. You know this is not the attacker's hardware. Bleeping computer continues writing Some folks knowingly install software that does this in exchange for a few dollars. More often, malware sneaks onto devices, usually via nefarious apps or browser extensions, and quietly turns them into nodes in someone else's infrastructure. While there are ways to determine if someone has become part of malicious botnet activity, like examining device logs, configurations, network traffic and activity patterns, a tool that simply checks the IP address is the least intrusive method. Anyone visiting the scanner's web page will get one of three possible results. Clean no malicious scanning activity detected Malicious Suspicious the IP has shown scanning behavior. Users should investigate devices on their network and or third common business service. The IP belongs to a vpn, a corporate network or cloud provider, and the scanning activity is considered normal for those environments. Now just note that Bleeping computer kind of casually used the term scanner, referring to gray noise. Gray noise is not a scanner. You're not being scanned. You know, a scanner scans whereas gray noise does. What Gray noise does is passively collect and collate Internet traffic from across their widely dispersed global sensor network. They that gets captured into a database. So so when I use their Gray Noise IP check facility, I receive an instantaneous response as will our listeners that displays my network's public IP and the notification which in my case said your IP is clean. Your IP has not been observed scanning the Internet or contained in the Common Business Services database. Since this is a safe, quick, simple and interesting test, I've given Gray Noises service, as I've said before, the GRC shortcut of bot check. So you can just enter GRC SC botcheck B o t C H E c K into your browser's URL and and GRC Science will just bounce you over to Gray Noises page which is Check Labs Gray Noise IO Check Labs Gray Noise IO if you'd rather enter it the hard way and that will perform an instantaneous lookup of the public ip Your browser's request is coming to Gray Noise from against their dynamically updated database of known problematic ips. Now something's interesting. There's something that's in that is interesting about this. As we've noted in the past, IPv6 gurus grumble incessantly about the ubiquitous presence of NAT routers which they are quite certain have ruined the Internet. They doggedly and to this day cling to the original concept of a vast network defined by one IP for one host. In this original conception of the Internet, there is no IP sharing because there are plenty of ips to go around. Well, we all know that's not what happened. Even though IPv6 really was defined early enough to replace IPv4 and prevent what these gurus see as the scourge of nat, we have all seen just how unwilling the world is at every level to change away from something that's already working. The contrary view of of the gurus is why change NAT works great. Everyone's using it. I mentioned this because in the context of Gray noises very cool free bot check facility, this means that NAT really is serving us as a huge boon. Everyone's use of gateway NAT routers means that all of the random PCs and phones and tablets and NASA's and wacky IoT gadgets we may have encrusting our networks will all be sharing a single common public ip. This means that asking Gray Noise what they think of our single public IP address while we're sitting at one computer in our home lan behind a.com and NAT router automatically incorporates the collective behavior of every device we have perched on our LAN behind its router. In other words, receiving a clean bill of health from Gray Noises check automatically means that you can be reasonably certain that that not a single one of the myriad devices on your network has been misbehaving, or at least has been seen to be misbehaving. Now of course the flip side of of this is that if Gray Noise comes back with the appraisal that your network's IP has been seen misbehaving and participating in some attacks you know as a growing number of networks and devices have been, then the onus will be on you to determine what device or possibly devices behind your NAT router has been compromised, but at least you'll know that you have a problem. Given this, it is a no brainer for me to recommend that everyone listening should go to GRC SC Botcheck to quickly confirm that none of the devices that are sharing their network's IP have been seen to misbehave. Bleeping computer provided a little bit more information writing when any malicious activity is correlated with the provided IP address. The platform will also include a 90 day historical timeline which may help pinpoint a potential infection point. For example, when the installation of a bandwidth sharing client or a shady application precedes malicious scanning, strong correlations can be made that enable remediation action for More technical users. Gray Noise also provides an unauthenticated rate limit free JSON API accessible via Curl, which can be integrated into scripts or checking systems. If your scan results show malicious suspicious, it's a good idea to start the investigation by running malware scans on all devices on the same network, especially focused on devices like routers and smart TVs. They wrote. So you know, they conclude with the generic device. Users are advised to update their devices to the latest available firmware, change admin credentials and disable remote access features if they're not needed, which of course we all know. So GRC Scbotcheck and I expect this free and quick service to become quite popular. It's a win. And note also that if you do it from a small company, that's cool because, you know, this is not like running shields up where I'm actually doing a proactive scan of that IP which can upset some people. This is just checking a database to see whether that IP has ever been observed to be up to some funny business. So I think it's very cool. GRC Scbotcheck and that Leo is a podcast.

Leo Laporte (177:02)

It is. It is a podcast. Well done. You've gotten pretty good at making these after 1050. Some got the hang of it, I think. Kind of figured it out, I think. Think, yeah. Steve Gibson joins us every Tuesday to do this show. I hope you will be here. I can't imagine you missing an episode. This is, this is good stuff. Everybody needs to know. We do. If you want to watch us live, you can. If you want the absolute freshest version, we stream it right after Mac break weekly roundabout 1:30 Pacific of a Tuesday. That's 4:30 Eastern, 21:30 UTC. You can watch us in the Club Twit Discord. Thank you Club Twit members. We really appreciate your support. If you're not a member though, you can watch on YouTube, Twitch, X.com, facebook, LinkedIn or Kik. So we're streaming except for Australia. I'm sorry, Australia. We still do. I don't know what'll happen. I'm sorry. If you're under 16 and you watch this show, you can still download it, I presume. I hope you can. Easiest way to do that is go to our website, Twitter, TV SN or Steve's website, GRC.com Now Steve has different versions than we have. He has a 16 kilobit audio version for the bandwidth impaired. He has a 64 kilobit audio version. Sounds great. A little smaller than our version. He also has some really nice things like the show notes, which are very complete. He does such a Good job. Usually 18 to 25 pages. Let me just see how long. 24 today it's a long show, so 24 pages. You can get that from the website GRC.com or you can subscribe. He actually will mail it out to you every week, a day or so before the show begins. Subscribe by going to grc.comemail actually, the main reason for that page is to register your email with Steve. So it's whitelisted so you can send him pictures of the week or, or questions, that kind of thing, suggestions. But underneath the email part, there's two checkboxes where you can sign up for this weekly Security now newsletter. And there's another checkbox below where you can. And he's only sent out one email in his whole life. So it's a very low, low traffic email address. But the next time he has a new product, like I think any day now, the DNS Pro benchmark, you'll get an email about that. Maybe we can get you to send out an email too, once we've got the exact date and time of our Orlando trip settled in. We could send it an email that way too. Yeah, we, we actually have Twitter TV newsletters. We also newsletter. We also put it there. He also has very nicely written transcripts of every show by Elaine Ferris. A Hue, an actual human. Human being writes those. She's a court reporter so she doesn't miss a dot. It's every. Everything is in there. So all of that's@grc.com there's also a YouTube channel dedicated to the video for Security Now. And you can also subscribe in your favorite podcast client. That way you don't even have to think about it. You just know that come Tuesday evening, maybe Wednesday morning on your way to work, you will have a Security now you can listen to and you can download back episodes both on Steve's site and our site. All 1054 episodes are on both sites. So you can always get. There are people who go back in time and try to listen to everyone. If you want to do that, Twitter, TV, SN or GRC.com we have decided, you know, we won't be here December 30th because that whole week we go dark the week between Christmas and New Year. So before the show, Steve and I talked and I think we're going to re release a podcast we did in 2009 back in the twit cottage.

Steve Gibson (181:00)

I remember too, because we sort of had our pattern worked out. And you said, well, Steve, what security topic are we going to discuss this week? And I said, well Leo, we're going to do something a little different. We're going to talk about vitamin D. And you said what?

Leo Laporte (181:15)

Well, and it's funny because in the, what is it, 16 years since you. Everything you said about vitamin D has been proven so time and time again you were really early on this and it's just a fat. I think it's a fascinating show. It's. You know it. Because there won't be a lot of security news and we're going to take the week off. I think this is a good show to rerun. So if you haven't heard the vitamin D podcast, December 30th and I will.

Steve Gibson (181:42)

Say that, that what time of the year was it? Do you remember? Was it in the fall that we did that? I'm thinking because I got started getting email from people in the spring say noting noticing that, you know, hey, you know, I start, I took your advice and I started taking. Yeah. And they didn't get sick. They and their family went through the whole holiday season, you know, the winter months without coming down with the typical seasonal colds and things. And that's one of the things that vitamin D does is it's, it's very powerful for immune function. So yeah, for what it's worth, it's wintertime again.

Leo Laporte (182:23)

Yeah. This, you might, you might want to prepare yourself. So let me see if I can find the date on this. I don't know when we did it. I bet you're right. I bet it was probably fall or spring. I see the date that we re ran it which was just ironically 10 years ago, December 29th. So almost exactly 10 years earlier. August. August. We did it. So there you go. That's right.

Steve Gibson (182:52)

That makes sense then. Right.

Leo Laporte (182:54)

And by the way, you're in exactly the same spot with exactly the same books behind you.

Steve Gibson (183:00)

I am not.

Leo Laporte (183:01)

I was back in the brick house. No, I guess not. I was in the cottage.

Steve Gibson (183:05)

Cottage. Yeah. Yeah.

Leo Laporte (183:06)

And I, as you say, do look a little cherubic. I'm a little, a little heavier back in, back in those days. So that'll be our holiday episode for you. Instead of doing a best out, we thought we'd do something.

Steve Gibson (183:19)

Anybody who hasn't heard it really, I, I would commend it to everybody. There's a lot of, a lot of science. Also not just woo woo.

Leo Laporte (183:27)

Oh yeah. No, no, no, no, no. And as you know, Steve is an autodidact when he gets into a subject he dives in with both feet and there is a lot of great information and I think it was fascinating. And as a result I've been taken by MD ever since and been very healthy.

Steve Gibson (183:42)

Thanks to many of our listeners have.

Leo Laporte (183:43)

Yes, I know, I know. Steve, thank you so much. Have a great evening and I will see you and all of you back here next Tuesday for security now.

Steve Gibson (183:52)

Bye.

Leo Laporte (183:56)

Security Now.

Steve Gibson (184:04)

Fall is all about cozy comforts, but when you're prioritizing your health, it's easy to feel like you're missing out. With Herobred, you can enjoy all your Fall favorites because they're made with Herobred sliced bread loaves, tortillas, bagels, dinner rolls and more. Try their all new hero noodles with 12 grams of protein and just 80 calories. So skip replacing every carb with cauliflower and indulge in your breakfast, lunch and dinnertime favorites while still hitting your goals. From breakfast, bagels and meal prepped enchiladas to mouth watering burgers and cheesy noodles you won't believe. Herobred's options have 0 to 5 grams net carbs and are high fiber from the taste and texture. They've even got small batch drops of indulgent favorites like the popular Hero Croissant. And right now Herobred is offering 10% off your order. Go to Hero Co and use code fall25 at checkout. That's fall25 at HeroCo. All figures are per serving of HeroBread contains 2 to 18 grams of fat per serving. See the product Nutrition Panels on Hero.co for more information. Today we'll attempt a feat once thought impossible, overcoming high interest credit card debt. It requires merely one a Sofi personal loan. With it you could save big on interest charges by consolidating into one low fixed rate monthly payment. Defy high interest debt with a SOFI personal loan. Visit sofi.com stunt to learn more. Loans originated by Sofi Bank NA member FDIC terms and conditions apply. NMLS 696891.