A (4:49)

We're working on it. We're getting better with age. 20 years we've been doing this show. Getting the hang of it. All right, we will get to. You forgot the picture of the week coming up. Oh no, I haven't seen.

B (5:01)

This one had an unfortunate caption. This one I struggled for the caption on this one. I had to show it because it's such a fantastic picture. But I thought how can I like give it some context. I tried. We'll. All right, we'll let our listeners judge.

A (5:15)

How I did and maybe they'll come up with something when you never.

B (5:19)

Maybe. Of course we got.

A (5:21)

Of course they will.

B (5:22)

You betcha.

A (5:23)

Our show today brought to you by. Oh, you know this name 1Password. It's easy to assume that being small means flying under the radar. The reality is small businesses are being targeted more and more by bad actors. You thought you were immune, right? Cybercriminals know that lean teams often lack the resources to prevent or respond to a breach. In short, the bad news is teams of any size can be a target. The good news is even the smallest teams can foil cybercrime. 1Password provides simple security to help small teams manage the number one risk that bad Actors exploit weak passwords. One Password provides centralized management to make sure your company's logins are secure. It's a simple turnkey solution that can be rolled out in hours. Whether you have a dedicated IT staff or not. And however complex your security needs may get, 1Password will stay with you every step of the way. A password manager should be the first security purchase you make for your team. I really believe that small businesses need to plan for the worst case scenario and guard against cyber attacks right from the start. For small teams, responsibility for security often defaults to a single employee, often one who's already juggling other business functions. Yeah, yeah, Sally down the hall. She's the one in charge. The most effective security solutions have to be intuitive. They also have to be user friendly because, you know, if it's not easy to use, people won't use it. You want everyone at your company to use 1Password. 1Password's enterprise password manager helps your company eliminate security headaches and improve security by identifying weak and compromised passwords and replacing them with strong, unique credentials. And don't let one Password's name fool you. They're not just a password manager. They're 1Password EPM. Extended password management lets you securely store and share developer secrets and other sensitive data and helps streamline the transition to passwordless authentication by transitioning to passkeys. Love that. With 1 passwords, EPM's simple automated workflows, your team can enforce security compliance and prevent breaches and potentially preventing millions of dollars in losses. It's the single most impactful investment you you can make in your company's security. Unfortunately, it's not expensive and it's easy to implement. Take the first step to better security by securing your team's credentials. Find out more@1Password.com SecurityNow and start securing every login now. That's 1Password.com SecurityNow. Thank you so much for supporting Steve and Security now and picture of the week. Time, Steve.

B (8:13)

Okay, so I gave this pair of pictures. The caption, each year we jump through more hoops to increase our security. It's become a lot. How much does all that really help? Okay, so that's the caption for two frames. The frame on the left shows a, an opening with a, you know, a red.

B (8:42)

Rope. Line.

A (8:43)

Rope.

B (8:44)

And the caption, google when hackers try to hack my account. In other words.

B (8:52)

Okay, not that difficult, right? And then the right one shows it. It is titled Google when I log into a new device. And this one, I didn't see the guard dog with its Teeth out down in the lower right initially. So this one looks like something that Maxwell Smart would have confronted back in the day. It's got chains and locks and slide bars and triple hinges and a keypad and a thumbprint reader on there.

B (9:33)

Meaning God help you if you have to get through this door. It's going to take you an hour to unlock and deal with everything. And, and of course that the, the, the gist of this is something that we do feel which is, you know, accounts are still being hacked, passwords are being obtained, people are still getting hacked, yet we're doing all this more stuff. I mean, I have to say, Leo, I love the one time password idea, but it gets a little tiresome after it's like, okay.

B (10:15)

Yeah, fine, 326294. It's like, okay, you know, and then again, again. So it's like, so I look for those check marks. Yes, I trust this device. Leave me logged in. Please remember that I've been here so that I, so that you'll believe me next time with less rigmarole. And which is not to say I believe me. I'm like, I like one time passwords. All of this is good. One of the strongest measures of, one of the strongest improvements is they should you be remembered at this browser because no bad guy can be remembered as you if they've never logged in as you before from, you know, some foreign country. So it's, it's really good protection. But yes, it is annoying Google. When I log into a new device. Google's doing the right thing. You know, you've, we've, we've never seen you logging in through this device before. So we need a blood sample. That's, that's going to be good. But you know you're going to end up being drained if you do it too often. So.

B (11:32)

Okay, we've noted before that regulations that are not enforced will often simply be ignored. In fact, I could probably more strongly say will be ignored until they're enforced because it's like, yeah, you know, it's the equivalent of that annoying high school tough guy whose favorite retort was, oh yeah, make me. It's like, yeah, fine. And in the news. Is that French? The French edition of the Vanity Fair website@vanity fair.fr.

B (12:07)

Had their bluff called to the tune. And it's not, it's an expensive call for a cookie. €750,000. So that'll get your attention and you think, wow, isn't that a pretty stiff penalty for just like some problem with cookies? The company lay Publications. Conde Nast publishes printed and online magazines, including the vanity fair magazine. Six years ago, okay, six years ago, way back in December of 2019, the CNIL, which is the abbreviation for, you know, it's in French for France's data protection agency, received a public complaint. So the agency received a complaint from the association noyb, which is Europe's center for Digital rights. And it doesn't actually stand for none of your business, but it's a great abbreviation for, for noyb.

B (13:10)

So. So noyb, which does not stand for none of your business, but it's too bad it doesn't. Complained to cnil, French's data protection agency, about cookies being placed on the devices of users visiting vanity fair.fr.

B (13:29)

This was happening without any user notification or permission. After several investigations and discussions with cnil, Condi Nast, the parent, received an order to comply in September of 2021. So first of all, almost not, you know, almost two years, right? December 19th, this began December 2019, this began September 21st. Nearly two years later. Finally, fine, you, you've got to remove your cookies, fix your cookies, because your cookies are not working right. And then the proceedings were closed in July of 2022. Now it's not clear whether the proceedings were closed the next summer after verification that Conde Nast and their vanity fair.fr site was doing the right thing or not. Would have closed a year later in July. And also in November of 2023. Then again in February of 25, the CNIL carried out further online investigations. So it sounds like they just assumed Conde Nast would take care of this, get it done. Following the order, after all these negotiations, two years of negotiations. I don't know what you have to negotiate over a cookie, but okay.

A (14:52)

So.

B (14:52)

They, so CNIL went back and looked and what do you think they found? Based on their findings, the Restricted Committee, as it's known, which is the. The cn, CNIL body responsible for issuing sanctions, considered that the company lay publications. Conde Nast had failed to comply with the obligations of Article 82 of the French Data Protection act and imposed that fine of, I mean, €750,000. The amount of the fine is intended to take into account the fact that the company had already been issued with an order to comply. It couldn't have come as a surprise after nearly two years of discussion about whether we're going to receive an order or not, after which they did, but apparently it just blew it off as well as the other thing factored into this $750,000 fine is the Number of people likely to have been affected by this misbehavior of their cookie policy and the various breaches of the rules protecting users with regard to said cookies. So, you know, no one's going to shed a tear here except some accountant at Vanity Fair if it was, you know, and again, it wasn't as if the fine could have shocked anybody. They were very clearly told what they needed to do and they apparently just blew off CNIL saying, yeah, you know, everybody else does it. So, you know, I would imagine that someone's going to lose their job or maybe a team, whoever is in charge of cookies over@vanity fair.fr Three quarters of a million euros, which could have been easily prevented. I mean, what everybody else does is bring up a little cookie banner and say, hey, we want to store some stuff on your computer. Just tell us it's okay. Click here. But apparently either they didn't do that or they did and they didn't honor it. Who knows? Anyway, so I hope everybody else sees this, that when CNIL says, you're in breach of our regulations. Now, of course this is against the backdrop of this whole wacky model of cookie management getting ready to change because the GDPR is being updated. And so we have California now and the EU both saying browsers need to accept a setting from their users, transmit that setting to everywhere they go and everywhere they go needs to honor what the user has said they want. So.

B (17:44)

But you know, that was 10 years ago, right? That all that, that came into place and so it's going to take a while for all this to catch up and change. Meanwhile.

B (17:55)

The very nice Android alternative, and I think you were just talking about it last week or the week before Leo Graphene OS which is an Android compatible, API compatible or. Yeah, right, Android alternative, API compatible. They recently posted on X that they're leaving France due to a new French law that would mandate breaking their encryption. Obviously. No. So they posted we no longer have any active servers in France and are continuing the process of leaving ovh. OVH is a French cloud hosting company which they've been using. They said France is no longer a safe country for open source privacy projects. They expect backdoors in encryption and for devices too. Secure devices and services are not going to be allowed in France. We don't feel safe using OVH for even a static website with servers in Canada and the US via their Canada US subsidiaries. We were likely going to release an experimental Pixel 10 support very soon, but that's getting disrupted. So that'll be delayed. They're saying the attacks on our team with ongoing libel and harassment and they're talking from the French authorities, from French law enforcement. They're being harassed have escalated. Raids on our chat rooms have escalated and more. It's rough right now and support is appreciated. So it appears that Graphene OS believes that they may have already been compromised because they also posted we'll be rotating our TLS keys and let's encrypt account keys pinned via account URI DNSSEC keys may also be rotated. Our backups are encrypted and can remain on OVH for now. So that you know the reason you rotate keys is you worry that they could have been compromised, that your keys could be in somebody else's hands meaning that TLS and your less encrypt domains and your D DNS sec security you know is not as sure as you'd like it to be. So they're gonna change all their keys after completely excommunicating themselves from from any dependence on on France based servers. In the thread that followed a more lengthy which was a more link a much more lengthy posting on X which I I won't bother everybody with where they go into all the details of of of what's going on.

B (20:54)

And and the way they're going to be moving someone named Lars posted I'm a lead developer for a hosting company in Denmark. We do not have any backdoors or.

B (21:09)

Influence will never.

B (21:15)

Ask question. It's not illegal for normal fox we definitely do not ask questions which and this was posted you know offering the option of some assistance or an alternative to the graphene OS guys in the in you know in reply in in the reply thread to their posting whereupon the graphene OS guy said we appreciate it but unfortunately we'll likely have issues in Denmark too due to their push to outlaw encryption without backdoors will hopefully still be able to operate in the EU in general but we want to avoid chat control supporting countries due to this experience. GrapheneOS is not based in the US and is a non profit open source project. We're leaving France because we don't trust that French law enforcement won't coerce OVH to do something after a judge signs off based on falsehoods. We've been subject to attacks by law enforcement on graph graphene OS including many false claims and also direct threats.

B (22:32)

Geez. So reading between the lines it sounds as though authorities with French law enforcement have demanded that Graphene OS unlock some suspected criminals handsets and Graphene has tried to explain that they do not have that capability. They wrote it's not possible for GrapheneOS to produce an update for French law enforcement to bypass brute force protection since it's implemented via the secure element. So, you know, again, that sounds like, like French law enforcement is saying you need to help us brute force force open these locked smartphones that are running your os. They Graphene said the secure element also only accepts correctly signed firmware with a greater version after the owner user unlocks successfully. So someone may have been suggesting a downgrade attack where you deliberately load older graphene OS software onto the device in order to bypass some of the later protections. And they're saying, sorry, that's been accounted for in the design of this. Can't do it. They wrote we would have no legal obligation to do it even if we could. But it's not even possible. We have a list of our official hardware requirements, including secure element throttling for disk in disk encryption key derivation. Okay, meaning that the secure element throttles brute force attacks, making them impractical and that's in the hardware and there's nothing they can do to get around it. Secure element throttling for disk encryption key derivation combined with insider attack resistance. And they wrote and they aren't blaming goo, and they aren't blaming Google for this design, meaning they're saying that Graphinos is at fault for making it brute force impossible. But it's actually Google whose engineering did this properly because users don't want their smartphones to be hacked. Then they finished saying in Canada and the U.S. refusing to provide a PIN and password is protected as part of the right to avoiding incriminating yourself. In France, they've criminalized this part of the right to remain silent. Since France has criminalized the refusal to provide a pin, why do they need anything from us? Which that's some good logic. And of course we don't know anything about what the French authorities believe might be on a criminal's confiscated graphene OS based smartphone. But we certainly know why a suspect might choose not to share their password with the authorities. Right, we talked about that trade off ages ago back in the context of TrueCrypts early whole disk encryption, which was designed by cryptographers who knew how to completely and correctly protect a hard drive's data. It was effectively and practically not brute force crackable because it was done right. The bad guys might very well have horribly incriminating material stored on a true cryptid drive, so they would much rather face some charges whatever they may be for not providing their password, than provide the password and have authorities learn firsthand just how criminal they were. So I doubt that law enforcement authorities will ever accept, you know, ever in the future of humanity, accept the truth of being unable to unlock an encrypted device or spy on encrypted communications. They just, you know, they know the data is there, they want it. So, you know.

B (26:53)

I'm sure they believe that they should have the right to see inside anything they choose under the logic of, after all, they're the good guys. Right? And of course, we know that the EFF would beg to differ. So.

B (27:08)

So there's that, but it's also happening in the EU.

B (27:14)

And Leo, I know you talked about this over Mac break. Here we are. It is December 9th. We are on the literal eve of the Australian law to ban the use of social media, all social media, by anyone younger than 16.

B (27:34)

As we know, this effectively requires anyone who does wish to continue using any social media to arrange to prove that they are at least 16 years old. If that wasn't the requirement, then somebody who was 14 could say, yeah, I'm an adult. Okay, so, you know, the onus has been placed, unfortunately, on the social media providers to prevent the use of their systems by anyone younger than 16. So we're recording this on December 9th and tomorrow.

A (28:06)

Sorry, it's already December 10th in Australia, so.

B (28:09)

Right.

A (28:09)

It's going on now, I guess.

B (28:11)

Right. Which is always weird. Why, why does it turn.

B (28:16)

Next year in New York before it turns it. I don't get that, Leo. But, you know, we're not a flat earth. We are a spinning globe. And, you know, it would be weird if it was midnight in the middle of the day. Yeah, yeah, so that's that. That wouldn't work either. So.

B (28:39)

What'S different here? What's happening now in Australia.

B (28:43)

Is countrywide. And that's the, that's the difference, you know, and actually saying that the whole world is watching is not an exaggeration. On Sunday. Today's Tuesday. So two days ago on Sunday, the New York Times piece was titled, a grand social media experiment begins in Australia with the tag the country is trying to wean children under 16 off the likes of Tick Tock, Snapchat, YouTube and Instagram. With a new law, the teenagers are skeptical. The New York Times said Saturday the BBC's headline was, can you ban kids from social media? Australia is about to, but some teens are a step ahead. I. I read the BBC piece. Kids are still using. Or, Or, Or. I'm sorry, Are are using still photos of their parents or VPNs. Surprise. UNICEF in Australia just has a piece titled Social media ban is was their title and they summarize their position by writing and this is unicef writing from 10th December 2025. Anyone under 16 in Australia won't be able to keep or make accounts on social media apps like Tick Tock, Instagram, YouTube, Snapchat x Facebook and more. There's 10 total. The rule doesn't punish young people or their families.

B (30:19)

Instead, social media companies have to stop under 16s from having accounts or, or risk serious fines. And, and the fines are up to 50 million Australian dollars, about 35 million U.S. they said the new law is meant to make things safer online. But UNICEF Australia believes the real fix should be improving social media safety, not just delaying access. And and then for their part, the Guardian headlined their piece Everyone will miss the socializing but it's also a relief, they said five young teens on Australia's social media ban. And it was an interesting article that they said Australia's world, world first social media ban for under 16s will begin in just a few days. This was written on the weekend Malaysia, Denmark and Norway are to follow suit. And the European Union last week passed a resolution to adopt similar restrictions. As the world watches on, millions of Australian adolescents and their parents are wondering just what will actually change come the 10th of December. And NPR had a piece as well. As I said, everybody's like, okay, these guys are going first, what's going to happen? So it's going to be interesting to see, right, how all this pans out. As I said, the economic fine for repeated failure to enforce is 50 million Australian dollars, 35 million U. S. So that's not nothing. But there's also of course reputational damage. Anybody who screws this up is going to be in the news because everybody's watching. So it's clear that the 10 affected social media platforms can't ignore this and do nothing. And we know that, you know, the claim of being old enough that no longer washes that we were, we were all happily using that for the last 20 years, but no more. So you know, they're going to need to adopt what, some lame measure that allows them to avoid penalties or while kids gleefully work around and you know, spoof the proof of age, which is pro what's going to be happening a lot. And you know, I mean classrooms will be buzzing. Everyone will be talking about how they did it. There was in, in the, in the BBC piece that interviewed five teens. One 13 year old said she just took a picture of her mom and showed it that and it said okay, go ahead. So you know, my feeling is that there was probably no way to avoid the present mess that the world is about to endure and a mess it's going to be. As we know, change is difficult even when everyone is pulling in the same direction and wants it. But change, when the platforms and their users all want to leave things the way they are and only some unseen government, legislators and their regulators or want to force change, it's just bound to be a mess. I of course hope that some good technology will eventually step into the gap to provide privacy respecting age verification, but we don't have that yet and we don't even appear to be close since the handset, the, the handset makers are very much strongly in the we don't want this to be our problem camp. Although I think that's exactly wrong. I think, you know, that's the point of contact between the user and the technology is the handset. And I get it that Apple doesn't want to do this, but they're inching towards it. You know, we've covered various of those measures, as is Google. So I think they probably know that ultimately they're going to need to be the place where this decision gets made. It is the right place, it's the logical place for it to be. And on the eve of this first countrywide event, I wanted to also note that the EU is now making much the same noise which one of those articles talked about. And also whereas Australia's human, which is to say non kangaroo population is about 27 and a half million, the total population of the EU's current 27 member states is around 450.5 million. So a huge population. The European Parliament News recently posted a piece with the headline Children should be at least 16 to access social media say Members of the European Parliament. Those are members of the European Parliament. MEP is an acronym meps. However, things may be better in the EU from a privacy and accuracy standpoint. At least we can hope. A vote was held 2 weeks ago 2 weeks ago Wednesday where the members of the European Parliament these MEPs voted to adopt a non legislative report by 483 votes in favor of 92 against and 86 abstentions. The report and their votes expressed deep concern over the physical and mental health risks minors face online and called for stronger protection against the manipulative strategies that can increase addiction and that are detrimental to children's ability to Concentrate and engage healthily with online content. So here's the part that caught my eye. In that EU's adopted reporting, they wrote just, it's a short paragraph expressing support for the commission's work to develop an EU age verification app and the European digital wallet, the Eid wallet. MEPs insist that age assurance systems must be accurate and preserve miners privacy, which is to say everyone's privacy right, because again, you need to assert that you're not a minor and you'd like your privacy protected. It's funny how they get that no one really latches on to that in any of this reporting. Such systems do not relieve platforms of their responsibility to ensure their products are safe and age appropriate by design, they add. But you know, so, so these guys may be moving forward in the, in the right way and with 450 million users and Stina over there in the EU and it just not being a hard problem to solve if you want to solve it. I'm hopeful. So you know, the idea that that commission would be pressing for an EU age verification app, that's really good news. Given some means for establishing an individual's date of birth, which we know that may be the European digital identity, that date can easily be protected inside the device. While simple assertions of older than X are then trivial to generate with total security and anonymity. As I said, crypto can do this without, without breaking a sweat. So my takeaway here is that yes, we're about to descend into some extremely messy, chaotic times. But you know, given the kicking and screaming by the platforms and their users, this was inevitable given that the legislations and the legislators are just barreling ahead without any solution to the well, we'll let other people solve the problem approach. So the right people understand the concepts of accurate privacy preserving solutions and they know this is possible. So I doubt that the world's gonna have to wait that long and that we're eventually gonna finally obtain a good solution. And I know Leo, you guys were talking about it over MacBreak weekly.

B (38:43)

The loss of absolute unaccountability is going to be mourned by some. But you know, Jason was talking about the loss of privacy. That's just interim. We can do this without any loss of privacy. Yes, you will have to identify yourself in order to, in order to securely embed your, your date of birth in the device. But once that's done, all the people using it, that's the, that's the real difference here. We do not want to have to be showing a driver's license individually to every website we visit. You're going to have to show it once to your device and then. And then be biometrically locked to that so that it knows you. You, that you didn't use your license for a friend's phone in some fashion. So you know it needs to be done right, but it can be. And once that's done, then that strongly constrains any, any further dissemination of, of privacy loss. That's where we're going to end up being. So it'd be fun to watch it here on this podcast as it happens, and it'll be fun for me to take a sip of coffee. Leo.

A (40:04)

Well, that we can arrange. I don't know if we can help with the other one, but I think we can arrange.

B (40:08)

We can at least be here.

A (40:10)

CHEERING yes, our show today, brought to you by Veeam. Oh, you need to know about Veeam. When your data goes dark, Veeam turns the lights back on. Veeam keeps enterprise businesses running when digital disruptions like ransomware strike. And you know ransomware is just out there waiting to strike. How? Well, by giving businesses powerful data recovery options that ensure you have the right tool for any scenario, broad, flexible workload coverage, from clouds to containers and everything in between. With Veeam, you get full visibility into the security readiness of every part of your data ecosystem tested, documented and provable recovery plans that you can deploy with a click of a button. How's your recovery plan looking? This is why you need Veeam. If you're out there in the world and you're not prepared, you need Veeam. Veeam is the number one global market leader in data resilience. That's the term. Just call them the global leader in helping you stay calm under pressure. That's the offer with Veeam. It's all good. Keep your businesses running@veeam.com V E E A M.com all right, back to Steve.

B (41:30)

So this is such a weird path.

B (41:37)

Staying with the topic of government legislators seemingly losing their multi decade simultaneously all losing their multi decade shyness toward legislating our use of personal technology, which sort of seems to happen, have happened globally all at once. We have the news that the government of India.

B (42:00)

Intends to verify and record every smartphone in use by their citizens.

B (42:10)

That was essentially TechCrunch's headline last week, under which they wrote, the Indian government is widening the scope of its anti theft and cybersecurity initiative to cover both new and used smartphones, an effort aimed at curbing device theft. And online fraud, but a move that's also raising fresh privacy concerns. Yeah, no kidding, they wrote. As part of the expansion, the Indian Telecom Ministry is requiring companies that buy or trade used phones to verify every device through a central database of IMEI numbers. This comes in addition to a recent directive order, get this, ordering smartphone manufacturers to pre install the government's San Car Safi app on all new handsets and push it onto existing devices through a software update. Ordering smartphone manufacturers to do that. Good luck with that. Yeah. In other words, India is now requiring all handset makers both to pre install a state mandated app and also to retro install the app into all existing devices. TechCrunch continues writing. Reuters first reported the news on Monday, which was later confirmed by the ministry in a public statement. So ministry said yep, that's right. Got to do that. Launched in 2023, that Sancar Sathi portal allows users to block or trace lost and stolen phones the system has blocked. I was a little surprised by these numbers, Leo. The system has blocked more than 4.2 million devices and traced to 2.6 million more devices per government data.

A (44:14)

India is a big country and there's hundreds of millions of cell phones in use.

B (44:18)

So yeah, yeah. The system expanded earlier this year with the release of a dedicated San Car Safi app in January, which the government says helped recover more than 700,000 phones, including 50,000 in October alone.

B (44:39)

Wow. So I guess they've got a smartphone smartphone theft and reuse problem and they're taking steps, TechCrunch said. The San Car Sathy app has since gained broad adoption. The app has been downloaded nearly 15 million times and saw more than 3 million monthly active users in November, up more than 600% from its launch. From its launch month, which would have been 2023, according to Marketing intelligence firm Sensor Tower, Web traffic to San far to Sanchar Sathi has also surged, with monthly unique visitors rising more than 49 year over year per sensor tower. Data gathered shared with TechCrunch. So okay, up to this point, it appears that the choice to have one's smartphone protected with this tracing and recovery app has been the users. But TechCrunch explains what's changed. They wrote the government's order to pre install Sanchar Sathi has already drawn significant backlash from privacy advocates, civil society groups and opposition parties. Critics argue that the move expands state visibility into personal devices without adequate safeguards. The Indian government, however, says the mandate is intended to address rising cases of cybercrime such as IMEI duplication device cloning fraud in the secondhand smartphone market and identity theft scams. Responding to the controversy, the Indian telecommunications minister said Tuesday that Sanchar Sathi is, quote, a completely voluntary and democratic system, unquote, okay, and that users can delete the app if they do not wish to use it, which again, sort of flies in face of the other things that were previously said. The directive, reviewed by TechCrunch and circulating on social media on Monday, instructs manufacturers to ensure the pre installed app is, quote, readily visible and accessible to end users at the time of first use or device setup, and that its functionalities are not disabled or restricted, unquote, raising questions about whether the app is truly optional in practice. India's deputy telecom minister said in media interviews that most major manufacturers were included in the government's working group on the initiative, though Apple did not participate.

B (47:28)

Alongside pushing the Sanchar Sathi app, two people familiar with the matter told TechCrunch that the telecom industry is piloting an additional program interface, an API that would allow re commerce and trade in platforms to upload customer identities and device details directly to the government. The move would mark a significant step toward creating a nationwide record of smartphones in circulation. India's used smartphone segment is expanding rapidly as rising prices of new devices and longer replacement cycles push more customers toward cheaper alternatives. Indy became the world's third largest market for secondhand smartphones last year in 2024. But as much as 85% of the secondhand phone sector remains unorganized, meaning most transactions occur through informal channels and through brick and mortar stores 85% so only 15% are being, you know, formalized and and tracked. The government's move covers only formal re e commerce and trade in platforms, which leaving much of the broader used device market outside the scope of the current measures. Well, unless manufacturers are going to be.

B (48:53)

Back porting, you know, back installing this thing in any software updates which may still be happening on on remarketed phones anyway, TechCrunch said. While announcing the pre installation of its app, the Indian government said the move would help enable, quote, easy reporting of suspected misuse of telecom resources, unquote. Privacy advocates say that the growing data flows could give authorities unprecedented visibility into device ownership, raising concerns over how the information could be used or misused. The head of programs and partnerships of the Toronto based nonprofit nonprofit policy lab Tech Global Institute told TechCrunch, quote, It's a troubling move to begin with. You're essentially looking at the potential for every single device being databased in some form and then what uses their database? Can it be put to at a later date? We don't know. The Indian government has not yet detailed how the collected data will be stored, who will have access to it, or what safeguards will apply as the system expands. Digital rights groups say the sheer scale of India's smartphone base, estimated to your point Leo, at some 700 million devices, means even administrative changes can have outsized consequences, potentially setting precedents that other governments may study or replicate. Quote While the intent behind a unified platform may be protection, mandating a single government controlled application risks stifling innovation, particularly from private players and startups who have historically driven secure, scalable digital solutions, said the director of the New Delhi based technology think tank ESG Center. If the government intends to build such systems, they must be backed by independent audits, strong data, government safeguards and transparent accountability measures. Otherwise, the model not only puts user privacy at stake, but also removes fair competition for the ecosystem to contribute and innovate. Right? If the government's already got that locked up, then third parties need not apply. How can they compete? The Indian Telecom Ministry did not respond to TechCrunch's requests for comment. While the Sanchar Sathi app is visible on a user's phone, the broader system it connects to operates largely out of sight. The permissions, its data flows and back end changes included, including the planned API integration, may be buried in long terms and conditions, documents that most people never read or even see, he said. As a result, users may have little practical understanding of what information is being collected, how it is shared with whom it's shared, or the extent of the system's reach. Quote you can't go about restricting cybercrimes and device thefts in such a disproportionate and heavy handed way. Boy, is that a common theme, he said. The government is basically saying that, look, you need to put my app on every device that's sold, on every existing device you have to install it and in anything that's being resold as well, unquote. So wow.

A (52:34)

I think they felt the pressure because this is a press release from the Department of Telecommunications in India. They have. They gave up.

B (52:42)

Yes. And in fact I've got that after I tell you what Apple said.

A (52:45)

Yeah, Apple wasn't too happy about it, I know that.

B (52:50)

So.

B (52:52)

On on a practical side, we know about the tyranny of the default, right? If the app is pre and post installed, a great many more people will end up using it. Way more than 50 million recent downloads. There's 700 million phones in circulation. Most people will not remove it. They'll just assume, oh, whatever that is. It's, you know, it's good for me. And it's not completely clear whether removal will even be an option since the Indian government's intention looks to be more aimed at assuring that all smartphones participate. And of course one wonders what Apple, right, would think about such a mandate. On the other hand, India is now producing Apple smartphones, so who knows. Well, it turns out Apple does indeed say no. I dug around some more and discovered to no one's surprise, Apple does not plan to abide by India's order. The India Times headline was quote Apple to resist dot order. That's in India's Department of Telecom to preload state run Sancar Sathi app as policy outcry. I'm sorry, as political outcry builds and we get a little bit more interesting information about disabling or removing, that makes somewhat more sense, the India Times wrote. Apple does does not plan to comply with a mandate to preload its smartphones with a state owned cyber safety app and will convey its concerns to New Delhi, three sources familiar with the matter said after the government's move sparked surveillance concerns. The Indian government has con confidentially ordered, although it didn't stay secret. Of course you can't those sorts of things. Confidentially ordered companies including Apple, Samsung and Yami to preload their phones with an app called Sankar Sathy or which is.

B (55:01)

In English is Communication Partner is what that means within 90 days. The app is intended to track stolen phones, block them and prevent them from being misused. So that was news. We'll block them. So meaning that the government can prevent a phone from operating. I didn't pick up any of that in the previous reporting, so you know, you would call that a biggie. That suggests that this communications partner app would have the ability to shut down a phone. And if that's the case, it's no wonder that Apple is saying no thanks. The reporting continues from India Times writing Reuters was the first to report on Monday that the government also wants manufacturers to ensure that the app is not disabled. Also, for any devices already in the supply chain, manufacturers should push the app to phones via software updates. The Telecom Ministry confirmed the move, later describing it as a security measure to combat serious endangerment of CyberSecurity. But Minister Modi's political opponents and privacy advocates criticized the move, saying it's way too it. It is a way for the government to gain access to India's 730 million smartphones. So anyway, I'm going to skip the the balance of this. Basically.

B (56:30)

A bunch of opinions were polled by Reuters talking about it, you know, being more than a sledgehammer, it's more like a double barrel shotgun.

B (56:42)

And someone saying that there's no way Apple would ever agree to do this. And in fact we know that that's the case. So following on the heels of that, as you said Leo, India decided, okay, I guess that's not going to fly. They backpedaled on their requirement that their official press release from the Ministry of Communications which you had on the screen, proclaims across its top government removes mandatory pre installation of the Sanchar Sathi app. So it turns out that the government changed its mind two days after the announcement following extensive public criticism of this. What everyone was was concerned was veiled surveillance. And I decided to keep that original reporting in place for the podcast because it's still useful to understand what's in the air. And this is in the air. You know.

B (57:42)

India may not be done meddling's communications because the Indian Times also had a headline why your WhatsApp Web may now log out every 6 hours. India's Department of Telecommunications said.

B (58:03)

I'm sorry, the India Times is quoting them saying in their story. Due to a new directive from the Department of Telecommunications, WhatsApp Web will automatically log out its users every six hours under the new rule that the Department of Telecommunications requires messaging apps including WhatsApp, Telegram and Signal to implement SIM binding. In other words linking of the users of services to the SIM card used for registration via its IMSI identifier. If the original SIM is not present, access to these apps will be blocked 90 days from the directives issuance. So there's a 90 day, you know, get up to speed period from the, from the publication of the directive. Within 90 days this technology has to be in place for all text messaging apps and you know, whereupon I think, well you know, good luck telling Signals Meredith Whitaker that you're requiring Signal to bind to specific SIM cards. As we know, Signal has historically been bound to a user's phone, but there's no way that Signal would be modifying their app if it meant the slightest reduction in the privacy of their users. And if this move, you know, did not represent some enhanced form of government control, then why would India be mandating this change at all? Okay, but there's more there. The India Times explains under the same directive, web versions of these applications will log their users out periodically, no later than every six hours and Force a reauthentication via a QR code scan. A user logs into WhatsApp Web through a browser by scanning the QR code through the phone application. According to the authorities, this is to curb cyber fraud by preventing misuse of apps without active sims, often by scammers operating from abroad. Platforms are required to comply within 90 days and submit reports within four months, potentially by around February of next year. The rules will apply to WhatsApp, Telegram, Signal, Snapchat and other OTT. You know, over the top messaging platforms operating in India. Users are likely to face workflow disruptions, especially multi device professionals and travelers and small businesses that rely on shared devices. WhatsApp has 500 million Indian users and a major chunk of its business users are also in the country. One user wrote on x sim binding rule shall be a major disruption for professionals and businesses using web accounts of WhatsApp etc. It won't eliminate the fraud completely as SIM cloning and SIM spoofing will still work. While the section of the tech industry believes that the DOT might have breached its regulatory mandate, officials clarified that the directions issued to the apps are within the purview of of telecom cybersecurity rules. An official told the India Times quote, it's only for the entities that use telecommunication identifiers like a mobile number for their services. If they don't want to do the sim binding, they should not use the mobile number as an identifier, unquote. Industry representatives also question the effectiveness of sim binding if in curbing fraud originating outside India, noting that scam operators can still obtain Indian sims through mules or remote devices while a significant volume of fraud originates within the country. So, you know, we really appear to be entering a period where government legislators are feeling increasingly empowered Leo to dictate the operation of of the personal communications devices operating within their jurisdictions. And I found no indication yet that India will be backing down from this latest, you know, sim binding deal on. On messaging app platform or messaging platform apps.

A (62:42)

Yeah.

B (62:43)

Wow. So. So what do you think that's about? I mean that, that's just like, like.

B (62:51)

Tying, like what's. To be honest, WhatsApp is based on your phone number, right? Because we have to be anymore.

A (62:59)

It used to be, but it does no longer has to be okay.

B (63:03)

Because we had that story that we talked about last week where there was no rate limiting on brute forcing WhatsApp web to look up people's identities just by trying every possible phone number.

A (63:16)

Right.

A (63:18)

I guess you do have to submit a phone number, your ID can just be like my ID on WhatsApp is LeoLAport24.

A (63:26)

So that was a change that they implemented last. A couple of years, maybe last year. I guess that's why it's 24. But.

B (63:32)

So you can look up by ID or by phone.

A (63:35)

Okay. Yeah, but I don't know if you can look up by phone. That's an interesting question anymore.

B (63:41)

And of course, I guess the idea.

A (63:42)

Phone number to register it. So. Yeah, they have your data. That's right.

B (63:46)

Yeah. And I guess the idea also was that WhatsApp could. You would give it access to your contacts and it would, it would go through your contacts, take all the phone numbers out of your contacts and cross. Cross reference that with WhatsApp users in order to populate your WhatsApp contacts.

A (64:04)

Right. Oh, I was thinking of signal. I'm not, I've. You're right. WhatsApp, I don't know, I don't use WhatsApp. I think it is tied to your phone number. You're right. Yeah.

B (64:13)

Yeah.

A (64:13)

And of course every Facebook app asks for access to your contacts and I always say no. Yeah. Because I'm, I'm not gonna.

B (64:20)

What good could come of that?

A (64:21)

I'm not giving out Steve Gibson's phone number and home address and email that. What good could possibly come of that? If I, if you want me to know you're on WhatsApp, you'll let me know you're on WhatsApp, right? Yeah, I, you know, you, you had a, a sentence in here that's. I think you could have, you could shorten.

A (64:40)

Where you say that countries are increasingly feeling, ah. Legislators are feeling increasingly empowered to dictate the operation of the et cetera. Just say legislators are feeling increasingly empowered, period. And I think that's really what's happening is that governments worldwide are becoming more and more authoritarian and more and more interested in enforcing their worldview on their constituents. And I don't think, I don't think that's a good trend at all.

B (65:10)

No. And unfortunately the technology allows that. Right.

A (65:14)

I mean, well, technology has stimulated it because they feel like we are, they've lost control of us.

B (65:21)

Right. But the technology also is a control mechanism. It is a control mechanism.

A (65:27)

Exactly. So they've discovered that and they're trying to use it. And yeah, I don't have high hopes for this. You know, I think what happens, you give people power, they want more power.

B (65:37)

Yeah.

A (65:38)

And you can do everything you can. John Adams said that. I was watching the great Ken Burns documentary on the Revolutionary War and John Adams said, you know, we can make a democracy. But I have, I, I feel like people's greed for money and power is so great that it's unlikely we can sustain it.

B (65:58)

Right. And Washington, you know, responds to, famously to that woman who asks after the signing of the Declaration of Independence, frankly, what did you just.

A (66:08)

Oh, frankly, keep it. Yeah, yeah.

B (66:10)

Yes. A democracy, if or no a republic. If you can keep it, keep it.

A (66:14)

Yeah. I think even in the beginning they knew that this was going to be a difficult one.

B (66:20)

You know, we all grew up, all of us who are a certain age. Yes. The, the pigmentation has left our hair.

B (66:33)

It's always been the way it is and it's always going to be the way it is. And, but that's not the history of democracies.

A (66:40)

Right.

B (66:40)

They have a, they have a period.

A (66:42)

And if it's, if it's at all encouraging. We've been through bad times in the U. S before. There have been many any democratic eras.

B (66:49)

Yes.

A (66:49)

United States and we survived and we have swung back.

B (66:52)

Yeah, yeah. So let's hope, let's take a break. We're at an hour in, we're going to talk about the abbreviation of scatter lapses hunters. It's not an inspired abbreviation but it helps. And then a bit about RAM pricing that's gone nuts.

A (67:07)

Unbelievable. What's going on Pricing. I'm, you know, I'm, I'm glad I'm well equipped with computers but I'm worried about the future. I don't know.

B (67:16)

In fact that, that, that thing I had to sign for, I just purchased a machine, my machine. Probably my final computer for my new office that I'll be setting up in a month or two.

A (67:28)

Desktop laptop.

B (67:31)

It's a, it's a, it's a small.

B (67:35)

What do they call it? Small form factor.

A (67:37)

Like a nuc.

B (67:39)

Yeah, that kind of thing.

A (67:40)

Yeah, yeah. I, I think, I'm thinking maybe I was going to wait till next year. Apple has a. OLED screens coming and I really love OLED screens. Maybe I'll just got a PC instead. They have plenty of OLED PCs and just put limits.

B (67:53)

Well, and of course I, I will do. What this thing has is, is three display ports on the back.

A (67:59)

Nice.

B (67:59)

Because I, I am a, I'm a three screen person that works for me and I made the mistake on the system I have in my place with Lori of having us. That, that curved high resolution screen. No, no, I don't like that. And because I have lower resolution on the sides and when you drag something across the boundary it gets, it's all screwed up.

A (68:21)

It's like your peripheral vision on the screen that's not, not good.

B (68:25)

Yeah. So I'm going to go three flat screens, all the same resolution. And then, and, and do you organize it in.

A (68:32)

I'm sorry, parenthetically. We'll get back to the show in a moment, folks. But do you organize like, do you have code in one window? And you do?

B (68:38)

Yes, yes. I have, generally have static things in different locations. So like I always have Windows Explorer open on the right, the right half of the right side. And that's just where it lives.

A (68:50)

It's always there.

B (68:52)

Yes, it's always there.

A (68:53)

So that's smart. Yeah, yeah. And it's, you always know to go there.

B (68:57)

And it's interesting because Lori and I have very different organizational approaches and, and she wants like she's an organizer but she likes to put things in bins and I'm a position based organizer. I know where something is in like in location and so I go right to it and. But if it's, if she organized it, it's gone. So it's like honey, where did, what happened to the. She says, oh, I organized that. Oh, okay.

B (69:29)

Where is it now?

A (69:31)

We have that problem in the kitchen. I, I now know where everything is in the kitchen. But if we reorganize, I'm in deep trouble. In deep trouble. All right, let's take a break. I know where the ad breaks are on this show. That's one thing I do know. And it's time for one. We'll have more with Steve in just a bit. But first a word from our sponsor, BigID. They're the next generation AI powered data security and compliance solution. Bigid is the first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate the way you want. You get to choose that can map and monitor access controls and scale your data security strategy along with unmatched coverage for cloud and on prem data sources. And by the way, that's huge. BigID also seamlessly integrates with your existing tech stack, which means you can coordinate security and remediation workflows. You can take action on data risks to protect against breaches. You can annotate, delete and quarantine and more based on the data, all while maintaining an audit trail for compliance. And as I said, it works with your existing tech stack. Everybody like I'll give you example, ServiceNow, Palo Alto Networks, Microsoft, of course, Google of course, AWS and on and on and on, on. That's nice. You don't have to adjust how you work to work with Big ID. Big ID's advanced AI models let you reduce risk, accelerate time to insight, and gain visibility and control over all your data. This is where I really think AI shines. When it's got a specific focused task, it can be so useful and so good. Intuit named it the number one platform for data classification in accuracy, speed and scalability. It really works. And some of the customers, well, people love Big ID so much, they're happy to give it a testimonial. Like for instance, the US Army. Yes, the US Army. Big ID equipped the army to illuminate dark data. I can imagine that after 250 years they probably have quite a bit to accelerate their cloud migration, which is a big priority for the services, to minimize redundancy and and to automate data retention. Something they have to do for a variety of legal reasons as well. U.S. army training and Doctrine Command gave them such a great testimony. Let me read it to you. This is a direct quote. The first wow moment with Big id, they said, came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured Data across emails, zip files, SharePoint databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings this together like Bigid does. End quote. That's pretty good. CNBC recognized Bigid as one of the top 25 startups for the enterprise. They were named to the Inc 5000 and Deloitte 500 not just once, but four years in a row. The publisher of Cyber Defense magazine says BigID embodies three major features we judges look for to become winners. Understanding tomorrow's threats today, providing a cost effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. Start protecting your sensitive data wherever your data lives@bigid.com.

A (73:08)

Get a free demo and see how Big ID can help your organization reduce data risk and accelerate the adoption of generative AI safely. Again, that's bigid.com securitynow. Oh, and while you're there, there's a free white paper that provides valuable insights for a new framework that's just coming down the pike. It's called Aitrism T R I S M. That's AI Trust, Risk and Security Management. It'll help you harness the full potential of AI responsibly and that paper is free@bigid.com security now thank him so much for supporting Steve and Security. Now back to you Steve.

B (73:53)

So a random observation that I'm beginning to see. The infamous Scattered Lapses Hunters being referred to by the abbreviation slh. I said no biggie, but slh, I don't know if it'll catch on but they have been so much in the news that the security industry appears to feel that they've become abbreviation worthy. So the news blurb that caught my eye referred to slh. It was a note saying that the security firm believed that they have seen SLH's focus shifting from Salesforce over to Zendesk. So SLH appeared to be enamored of the, you know, SaaS model, the software as a service exploitation like of customers of that there was a at this point a lack of razor sharp attribution for some of the very recent Zendesk related attacks. But there have been some and the suspicion is it is slh. So we now have SLH as a, as an, as a abbreviation for Scattered Lapses Hunters. Not quite as fun as Scattered Lapses Hunters, but what the hell. And I just completely off topic. I suppose we should have seen this coming. I, I this next bit of news is not security related, but it's tangentially AI related. And I thought that our computer centric listeners would find it interesting. The short blurb that first caught my attention and I'd seen something about it pass by but hadn't paused was Micron exits Consumer RAM Market. And a little blurb said American hardware vendor Micron will leave the consumer RAM market and discontinue its crucial brand. And of course crucial has been a, has been a well known, you know, consumer RAM memory brand for years, they wrote. The move, the move comes as the AI boom has led to an explosion in prices In RAM and SSDs as AI companies build data guzzling data centers and have swallowed almost the entire market output for the next few years. So okay, you know, I guess we should have seen this coming. That led me to look for some additional detail which I thought that our listeners would appreciate. I found a nice piece over on the Verge whose headline was RAM prices are so out of control that stores are selling it like lobster, they wrote. Michael Kreider's headline at PC World today perfectly captures how ridiculous the PC memory shortage has become. Stores like the San Francisco Bay Area's central computers are beginning to sell RAM at market prices like you'd pay for the catch of the day at a seafood restaurant. A message posted in the store's display case reads, quote, costs are fluctuating daily as manufacturers and distributors adjust to limited supply and high demand. Because of this, we cannot display fixed prices at this time. Unquote, Micro center is apparently doing the same. Quote Due to market volatility, we ask that you please see a sales associate for pricing. Unquote, they wrote. It's hard to overstate just how quickly the RAM crunch is changing the affordability of computers, and it might soon impact other realms as well as everything from game consoles to smartphones require ram to function three months ago yesterday the author said I bought 32 gig of memory for my gaming PC and at the price of that exact kit. Oh sorry. And the price of that exact kit has more than tripled since then. Three months ago, he says it now costs $300 more now 440 versus 130 in case you're curious, he said for 32 gig, he said a more common version of the same kit went from 105 to 400. Some prices have doubled since October and while you can still find some 32 gig kits for as low as $230, a 64 gig DDR5 kit can easily run you 700, 800, even $900. Some high profile product launches might be impacted by the price of memory. Valve pointed to the RAM crunch as one of the reasons it could not promise a specific price price for its Steam machine just yet. Just as out of control.

B (79:03)

He said. Oh, the author said, just as outof control GPU prices from earlier this year have finally settled down. Runaway memory prices might make them shoot back up again. Every graphics card requires gobs of vram. More is better and word is that Nvidia and AMD are preparing to raise prices to compensate for the crunch. Digital Foundry is recommending you buy a GPU at or below MSRP while you still can one with 10 gig or more of VRAM. Microsoft may also have to raise Xbox prices yet again to compensate, but Sony has stockpiled enough ram for the PS5 to last some number of months. Epic CEO Tim Sweeney says it may take years for high end gaming to recover from the RAM crunch because of AI. He says factories are diverting leading edge DRAM capacity to meet AI needs where data centers are bidding far higher than consumer device makers.

B (80:15)

Wow. So I noted another piece in the news Yesterday that said 200 environmental groups. First of all, I didn't realize there were 200 environmental groups. 200 environmental groups are demanding. I love that choice of words. A halt to the construction of new U.S. data centers. You know, I guess just on principle, first of all know, good luck with that.

B (80:48)

That might have stood some chance of happening, you know, if we had a bleeding heart Democrat running the countries at the moment. But you know, our President Trump recently again declared that global warming was a hoax and that wind turbines cause cancer. So I would be highly skeptical that any number of environmental groups, doesn't matter how many you gather together, are going to get much traction in the Washington climate at the moment. But what's interesting to me from a technology standpoint is that it does appear that the desire to concentrate an unprecedented amount of computational capacity within a comparatively small physical area is truly causing trouble. Right. If nothing else, we know that just getting that much electrical power service to a single location is not something that the existing power grid was originally set up to deliver, nor does it accommodate much variation without a lot of lead time. And when you step back to think about it, the only reason to want or to arguably, you know, make a case for needing that much computation in such a small physical space has to be economies of scale. What I mean by that is that what's being built is not a single humongous brain. It's a very large number of individual small brains. And they don't actually all need to be under the same roof or even in the same state for that matter. It's just more convenient and more cost effective if they're all grouped together in one place. That way they can all share staff and utilities and walls and security and cooling and a parking lot and so on, you know, and this sort of suggests that a reasonable compromise might be to limit the total size of individual AI data centers, have more of them and spread them around more, you know, and that said, I, you know, I certainly get the coolness factor of having a massive AI DA data center. I mean, I understand that that, you know, appeals to the Tech Bros. And, you know, if AI actually made money and could pay for itself, then you'd have a potentially viable business model. So I guess you have to save as much money as you can on facilities, hoping that, you know, you're saving money everywhere you can because none of this yet makes economic sense.

B (83:41)

You know. Leo, what does make economic sense?

A (83:43)

Is it that time again?

B (83:45)

No.

A (83:46)

Oh, what makes economic sense?

B (83:49)

What makes economic sense is GRC's new DNS benchmark.

A (83:54)

Oh, I can't wait. This is. We've been waiting. How long? How long you been. Well, first of all, you wrote it once before.

B (84:01)

Yes, I actually had and somebody found in a directory of theirs a, the beginnings of a DNS speed test in 2002. So, yeah, long time ago. And I distinctly remember in 08.

B (84:23)

In 2008, writing the first version 1 of the DNS benchmark at Starbucks. I had a little like, roadshow where because I have to have a clanky keyboard. Right. And so I had a.

A (84:39)

Who's that guy with that clanky keyboard again?

B (84:42)

Well, and of course, Starbucks, the Starbucks I was going to was across from UCI. So it's all Stoops Irvine.

A (84:49)

Yeah.

B (84:49)

And they're, and they're, they all have, you know, spongy, quiet apple keyboards. And I'm over in the corner going, clankety, clank, clank, clankity, you know, and I would, I would get there. They opened at 4:30, so I would get there because I had to have him. Yeah. 4:30am yeah.

A (85:08)

Okay.

B (85:09)

And so. And I, I had to have my corner. Right. So I would be the first person there. I would. Unlocking. You were, I would unlock the door because they, they hired university students who were short and they couldn't reach the, the, the door's upper lock.

A (85:27)

The guy with the clanky keyboard, he's gonna.

B (85:30)

Having me there. Having me there. I, they wouldn't have to still get.

A (85:33)

Up at 4:30am no.

B (85:35)

Lord, no.

A (85:36)

Oh, this is a long time ago.

B (85:38)

This was in. I happen to know that it was a 2008 when I wrote the Benchmark.

A (85:42)

Okay.

B (85:42)

Yeah. And so I just sat there and, and then, you know, and then I was part of a group of, of regulars. And so around 6:30, some of the regulars would start showing up and so I'd pause and, you know, talk to them and then, and then they'd wander off and I'd go back to work.

A (86:00)

Now I understand why you go to Starbucks because I wouldn't want to be in a crowded coffee shop trying to focus. But at 4:30am it's, you got the place to yourself, lots of coffee to boot. So that's good. I could see two hours solid work there. Yeah.

B (86:16)

Yes. And, and I would leave at a little after 4. So I would spend about a full 12 hours in a single stint and then I'd go find some dinner. So that was my routine. And I, I also perfected the. Putting the sponge ear foam things deep into my ear canal and then putting these Bose sound blockers on top of that. So, you know, I would just see people's mouths moving, but I'd just be in my zone for about 12 hours a day. Writing the benchmark.

A (86:50)

And you did this at Starbucks? Why?

B (86:53)

Because it was better than being home alone.

A (86:56)

Okay. Okay.

B (86:57)

I mean, you know, a little socializing people around. Yeah, yeah, yeah. And I didn't have to walk far to get more coffee, so it was good. Anyway, so I did not.

A (87:08)

I've known you for so long, I had no idea that's what you were doing. Wow.

B (87:13)

Yeah.

A (87:13)

Okay, so you're on a sprint to write this.

B (87:16)

This would have been. Oh, eight. This was during the podcast. Yeah, yeah.

A (87:21)

Like I said, I had no idea. Okay.

B (87:26)

Anyway, so.

B (87:29)

Put this on. GRC made it available and as I've mentioned before, for many, many, many years it was seeing more than a thousand downloads a day.

A (87:41)

I used it all the time. I still do.

B (87:43)

Yeah, we have more than 9.7, I think it is, or maybe 8 million total downloads. And I just. And I. And it had gotten to be 16 years old. And so it was a year ago, it was in December of 2024 that I had finished with Spinrite 6. One that was finished. Put it to bed. It's like, okay, I've made, I've made my commitment to give everybody a free update to Spin, right. Even after 20 years. And I thought, okay, I want to see what I can do with like bringing the DNS benchmark back up to speed.

B (88:23)

Anyway, so I spent a year working with a bunch of neat guys in the, and, and, and Layla, who maybe are one female in the, in the GRC DNS.dev group. Oh, you know, our, our news group. Old, old school NNTP servers.

B (88:46)

And for a while I remember I talked on the podcast about having. Imagining having. Well, so the idea was to. To do something GRC has never done before, which is to have an inexpensive.

B (89:00)

An inexpensive commercial product. You know, I. The only thing I ever had was Spinrite at $89 and I wanted to try doing a, you know, under $10. Well, a little bit under $10. $9.95. Fill it with features, bring it up to date.

B (89:23)

And offer something that I thought was a. A good value for a good price. So that it happened on Friday. Was that it it? We know it. We had a couple almost finished things that needed to get fixed and changed. As everybody knows, the original benchmark.

B (89:44)

Only did. Was only able to benchmark IPv4 servers, which is all there almost was back at the time. So the big change was I needed to add IPv6 support. But then of course none of the. Of the UDP resolution is encrypted, so it's not Authenticated, it's not encrypted. So we have DoH and Dot. Android devices support Dot natively. All of our browsers support DoH natively. So. And in fact in the picture there, Leo, you can see the IPv6 addresses being lots of little digits in two in two rows.

A (90:27)

They're huge.

B (90:28)

And fourth from the bottom is a DNS over TLS server. That's also in the list.

B (90:37)

Anyway, the.

B (90:40)

Essentially what's happened is over the course of these 16 years, the Internet has changed a lot. Oh yeah, and the big problem I had was that I had a bunch of false starts trying to figure out how to get this thing to do IPv6 and TLS connections because.

B (91:07)

IPv4 addresses fit in 32 bits and I was working in a 32 bit architecture, so it was, you know, so I. So resolver addresses were like, like they fit in registers. Well, not in the future they didn't. So that all had to get changed. But the biggest thing that has really changed is that version one prioritized cached lookups over all else. And that's changed.

B (91:46)

When, you know, we've been talking about things like UBlock, Origin and other content control utilities. We've noted that the content of today's websites are now being pulled from scores of different places, you know, from all over the Internet. Libraries and ads and trackers and like, like, like chat add ons and, and AI pop ups and all this junk that are now on web pages. Well those all require DNS lookups. So what's changed is that whereas a server's caching performance was probably most important back in 2008 when I wrote version one, that's no longer true. So what, what the original DNS benchmark has done and the, the, I mean has always done and, and still does at version 1 is it first sorts the resolver performance by their cached performance.

B (92:52)

That completely dominated by design, all of its resolver ranking cached performance.

B (93:01)

Was as we know, would be the amount of time the resolver would need to reply to a query for a domain's IP that it already knew that it had already cached locally from someone you maybe or someone previously asking for it and it not having yet expired. Because ips, you know, all of the records that DNS caching resolvers cache has an expiration time which allows the Internet to update itself for changing IPs. It turns out that Internet transit times completely dominate that measure. Whatever it is we're measuring when we measure cached performance, all of that time is the time it takes the query to get to and back from the resolver. So it is essentially equal to just pinging the resolver. That's, you know, we, we, we have, we've tested that, it's about the same.

B (94:07)

You know, and, and while it may not seem very useful to know what a resolver's essentially its ping time is, it turns out that DNS performance is all about connectivity. How well are you connected to the, the resolver that you are asking for IP addresses from? So, as I said, the problem was that's all that version one of the benchmark took into consideration. If a resolver close by you could beat out other resolvers, then version one of the benchmark gave it the highest rating. It was at the top of the list. But, oh, and it was only in the case of a tie in cached performance within its 1 millisecond resolution that the uncached lookup performance would be considered as the second sort key. Essentially it was like a multi key sort where, where, where the first key, you know, does the gross arrangement and the second sort key does the, the, the finer grain arrangement within the grossly arranged first key. So the problem with that was that a resolver might reply to cached queries in 5 milliseconds, but then take 10 times as long, like 50 milliseconds to perform a lookup for something it didn't already have in its cache. Whereas another resolver might take only 1 millisecond more 6 milliseconds to reply to a cached query, but be much faster for looking up uncached data, like 10 milliseconds. So you'd much rather be using that second resolver. Unfortunately, you know, well again, in 08, cached performance dominated because most of the material was coming from the domain you were browsing to. Most servers were providing you all of the content. Now that's no longer the case. So.

B (96:18)

The other little confounding thing is that 16 years ago in 2008, no one had local border NAT routers that were also serving as caching resolvers. You know, we had NAT back then, but those early NAT routers were not doing DNS lookups for their NAT clients and as they are now. So that matters because the original version of the benchmark would be seriously over impressed by the performance of that local caching DNS router or resolver sitting right there on our lan. How could any remote DNS resolver know how, Matt, no matter how fast it might be, possibly compete with a caching resolver that was sitting right next to the user on their own lan. So you know, just try pinging your land's gateway and you'll see how quickly it responds. No, no other DNS resolver out on the Internet can compete. And again the, the version one of the benchmark was, was only looking at cached performance. So what does the new version 2 do? It takes the average of all three types of DNS queries, cached, uncached and dot com resolution. It's got four sorting options. The original cached first sort if they're still, you know, it's still there for anyone who might want it for some reason. But the new default is best performance which averages all three types. So anyway, I've spoken before about all the features that are in there. We, we learned that we were not getting much benchmark to benchmark consistency. It turns out that even asking 50 different domains for, for their IPs for each of your resolver, there's enough jitter in the Internet because the Internet's gotten busier and it's gotten bigger than it used to be. It turns out that we need to do more asking in order to get a, in order to get statistical significance from the, the data that we're collecting. So this thing allows you by default to run essentially five rounds of the benchmark and aggregate all the data. But you can also go for 10, 20, 50 and 100 if you really, if you don't mind waiting like four hours for a, a 100x benchmark. And what's interesting is that you see all of the sorting stabilizing after a while because initially there, the, the, the, the, the ranking is jumping around because of Internet jitter and it take, it actually takes a lot more looking. Anyway, short version is I'm done with the benchmark. Anyone can have it for $9.95. I appreciated what Andy was or what not. Andy.

A (99:21)

Alex. Jason.

B (99:22)

Alex. Yes thank you. Although Andy did chime in. Alex was, was, was has all of our sentiments about how much he hates subscription stuff. Yes, yes, and, and I hate it as much as everybody. So the, the deal here, you buy this one time, I will never ask you no matter what happens for anything. For the DNS benchmark again, all updates and versions, no matter how big or small they are included in the one time purchase price. So you get to own it for life. And you are also purchasing its entire future when I cycle back around to it and continue to update and improve it. So anyway, I'm done with that. I'm going to get moved into my new home with my wife. And then I will be starting in on Validrive 2 which is my next project to work on. A major improvement to Validrive, which is now GRC's most often downloaded freeware.

A (100:28)

This is the app that lets you determine if you're getting the proper amount of storage on your USB thumb drive.

B (100:36)

Yes.

A (100:36)

Or if it's just a bogus. Which many are it turns out even for many.

B (100:40)

Turns out many are. More than a thousand copies are downloaded every day now. I think we're up about 1100 copies a day.

A (100:46)

Amazing.

B (100:47)

Wow. And I'm going to do a lot more for version two. So it'll. The gang who worked with me for a year on, on testing and came up with lots of good ideas for, for, for, for the benchmark. I mean Leo, this is the like things like it looks at the resolvers and I do something called sidelining because if a resolver very clearly doesn't have any chance of even being in the running it just gets sidelined by version 2 of the benchmark so that we don't waste time asking it a lot of questions because it's just too far away. Physical distance on the Internet is what really ends up making the difference. And so anyway this thing is just, it's got a whole bunch of pop up dialogues and anyway I'm very proud of, of this last year of work and before long we'll be on to the next one.

A (101:46)

Yes. Congratulations. That's fantastic. All written in assembly language we might.

B (101:52)

Add all an assembler that version one, I think it was 163k. I think this one's 200.

A (101:59)

Holy cow.

B (102:01)

So Christmas.

B (102:06)

It does run under Wine and Leo, it's very cool. It runs on ARM Max. Really?

A (102:13)

Under emulation?

B (102:15)

Yes. So the Mac is emulated, the Mac is emulating.

B (102:21)

Intel and WINE knows how to run on a Mac. Oh and use the it, use the intel emulation. So we've got guys in our news group who are running it on, on ARM on maybe it's Windows arm. We know that but I'm sure someone is running it on a MA on an ARM based Mac using WINE and the, the, the intel instruction emulator.

A (102:49)

Well and because this is about network performance, not processor performance, running an emulation is harmless. That's not right. Nothing wrong with that.

B (102:56)

Yeah right.

A (102:58)

Nice. Very nice. Congratulations GRC.com for more and then top.

B (103:04)

Of it, top of every page says click here for GRC's new DNS benchmark version 2.

A (103:09)

Nice.

B (103:10)

Oh and I got rid of all the plus and pro. I did talk for a while about having a plus version. A pro version.

A (103:16)

Right.

B (103:16)

I just ended up putting everything into the plot into the one version version. That was just the right thing to do.

A (103:23)

So that makes sense. And 10 bucks. Come on, that's nothing. Spend more than that on an ice cream sundae.

B (103:31)

Well, you may spend more than that on our next advertiser.

A (103:34)

I hope you do.

B (103:35)

I'm going to take a. I'm going to take a sip of coffee. Then we're going to look at some feedback.

A (103:40)

I'm praying that you will. Absolutely. Our next advertiser today. Let me make myself big. And that small is zero Trust. Zscaler. Zscaler is the world's largest cloud security platform. Wow. Potential rewards of AI we, we all know are are too great to ignore, especially in business. But as we've often talked about, so are the risks. Through exfiltration of sensitive data attacks against enterprise managed AI. Generative AI also helps threat actors become much more efficient, helping them to rapidly create phishing lures that are impeccable. Right. Write malicious code. We've seen evidence they're even using AI for data extraction, to automate data extraction. That because nowadays it's not enough just to ransomware to encrypt your computer. First they steal all your data so they can blackmail you as well as ask for money ransomware. There were 1.3 million instances. This is the. This is actually the topic of AI.

A (104:51)

Leaking information, private information, into the public domain. There were 1.3 million instances of Social Security numbers leaked to AI applications. ChatGPT and Microsoft. Copilot saw nearly 3.2 million data violations. It's not hard, it's easy. You're using AI, all of a sudden, you're sending it data from your company. And it's very easy to accidentally exfiltrate something you really don't want the outside world to have. Maybe it's time to rethink your organization's safe use of public and private AI. Chad Pallett, who is the CISO at BioIVT, loves Zscaler. He says Zscaler helped them reduce their cyber premiums by 50%. They said, oh, you got Zscaler. We're gonna cut your rates while doubling their coverage. Cut your rates and double your coverage and improve their controls. Take a look. We got a video from Chad. Watch.

B (105:52)

With Zscaler. As long as you've got Internet, you're good to go. A big part of the reason that we moved to a consolidated solution away from sd, WAN and VPN is to eliminate that lateral opportunity that people had and that opportunity for misdirection or open access to the network. It also was an opportunity for us to maintain and provide our remote users with a cafe style environment.

A (106:16)

With Zscaler Zero Trust plus AI you can safely adopt generative AI and private AI to boost product productivity across your business and not have to worry about accidentally sending out private information. Zscaler Zero Trust Architecture plus AI helps you reduce the risks of AI related data loss and protects against AI driven attacks to guarantee greater productivity and compliance. Find out more. That's the best thing to do. Go to zscaler.com security that's zscaler.com/security. Thanks East Killer for their support of security now 4:30am Huh? I had no idea.

B (106:58)

Yeah, yeah.

A (107:00)

Somebody in the YouTube chat says that you said that before, but I must have missed it. I knew you went to the Starbucks for that quad venti latte, but I know you stayed all day. Not anymore.

B (107:13)

Yeah, I think I was drinking Americanos back then which was the, you know, stronger shots of espresso in hot water.

A (107:21)

So sort of. That's right. So it's espresso.

B (107:23)

Yeah.

A (107:24)

So.

B (107:24)

So it's.

B (107:26)

No, it was the right thing at the time. So yeah, you know, we had a. We had a great group of people who became, I would say lifelong friends. Except it covet extinguished it.

A (107:37)

But it really was a social thing for you as much as anything else. That's interesting.

B (107:41)

Yeah. Yeah, it was fun.

A (107:42)

Yeah.

B (107:43)

Okay. So Stefano from sunnily sunny Italy, as he put it, he said, hi Steve. I feel there's a specific aspect which has been left out in this whole Cisco improvement of resilience see the light moment. He says. As a longtime network engineer, I always found infuriating the hoops that I have to jump through in order to download a patched firmware image from any of the biggest vendors, especially Cisco. Them crying about the fact that there's so many unpatched devices still exposed is peak irony and it is partially on them. If I buy some piece of hardware, I expect you the vendor to support it and patch it for a reasonable amount of time. I would argue, you know, the device is useful life but okay, he says, but within that reasonable time frame I must be able to easily access updates without them being locked out behind support contracts or similar immoral in my eyes. Double dipping device life cycle management is perhaps the hardest part of this job. The strings of, of the purse are never in our hands, so it's not our call. Only the consequences are on us. Oh, meaning that he's on the IT end, not on the management budget pay for IT end. So you know he literally if he, if he doesn't have the support contract or the paid for access or whatever, he can't update his hardware. He said he, he, he finishes writing. I'm sure many, many more fellow engineers have been in my same situation. Perhaps after changing jobs and ending up in a barely maintained infrastructure or simply having to wait for the next round of funding in order to swap out some old lemon Quoting Cisco's Anthony Grieco. This is further amplified by the fact that many organizations have not updated and maintained their network infrastructure, missing opportunities to fix known vulnerabilities, end quote. He said then stop preventing me from doing so. Anthony signed the Steve from sunny Italy. So his note reminded me the back when I was running a bonded pair of T1 trunks. Remember those old days Leo, when we were doing this over over those to my home here I was using a Cisco router to do the work. It's one of the reasons I know it intimately and Cisco was not wonderful to deal with back then. I had assumed that they were better now but sounds like it's really still the same Cisco based on what Stefano has indicated. So let's hope that Anthony now in charge, apparently having seen the light, does something with it. That'd be really good. Blair Learn wrote hi Steve. Ironic I ran across an item I don't believe you've covered yet. Google recently rolled out in Chrome 142 something they're calling local network access. The gist of it is that if you have a public website such as example.com it has the potential to host malicious JavaScript code which attempts to access resources on your local network. For example the router admin interface on 192.168.0.1 he says Perenze the technique seems similar to the issue you described a month or two back with adware setting up a server on a phone's local host address to be used by the adware vendors ad code for tracking purposes. He said local network access is a new permission in the browser. The user is. It's not quite that, but I'm going to explain exactly what it is. The user is prompted to allow access to devices on the local network and if permission is denied he's right about this then code onexample.com is prohibited from contacting resources in the myriad of local networks. Now you might ask why would you ever want to allow such a thing in the first place, he says my use case was a development website hosted by an external vendor with a JavaScript application contacting a test version of an API that was hosted on a server which is only accessible via vpn. He said probably not something most home users are going to encounter, but I have to imagine our enterprise developers would he said Google has a blog post about it and then there's the link in the show notes and the spec can be found out can be found at and he has the W3Cs, you know the World Wide Web Consortiums URL he says I always look forward to the next episode of security now spin right Licensee Club Twit member and general purpose geek Blair okay, so this issue that Blair mentions Google finally addressing has been a significant and growing problem forever and I'm surprised actually that it hasn't been causing more havoc. There was a point I think it might have been during the pre release of IE11, which was surprisingly long ago. Time flies Leo, where Microsoft and I've mentioned this before, flirted with flatly denying their IE11 browser access to the local host address 127.0.0.1 or and or the local LAN. This came up at the time because I was working on Squirrel and one of the ways that is the the Microsoft's plans of blocking local host access came up at the time because I was working on Squirrel and one of the ways Squirrel robustly prevented interception of any secrets was by allowing the user's local browser to connect to a little web server running in Squirrel on their machine. This gave the browser a private connection to the Squirrel authenticator which they could use to cut out any possible man in the middle. Now Passkeys, as we've discussed, implements the same form of protection with user smartphones over a Bluetooth link to create a local link between the web browser and the smartphone passkeys authenticator that no remote attacker can possibly intercept. Now in the case of Microsoft and IE11 and the local host IP, they fortunately came to their senses and realized that there were far too many valid use cases where a web developer, for example, might be running a local web server or web services or on their local machine and need to be able to access it with their browser during the development and testing. Now until now this has remained an unsolved problem which was really in need of a comprehensive solution. Our browsers are as we know, are no longer just passive content displays. Technologies such as JavaScript and WebAssembly have turned them into effective application platforms. So just to be completely clear about the nature of the problem from the perspective of any web browser device, you know, web client, web browsing client, sitting on a private local area network, that web browser has network visibility into two completely different networks. It can obviously see and access the global public Internet because it's able to access and obtain remote content. But that browser can also just as easily see its own local area network. We know this because for example LAN routers are managed by aiming a browser at the LAN router's gateway IP, which is typically 192.168.0.1 or, or 1.1 or something like that. You know, our, our web browsers can see everything on our own lands. So the problem is that a user might visit a malicious remote website which causes their web browser to download and run some malicious JavaScript or web assembly or whatever code. Now that the code is running inside the user's browser, essentially the Trojan horse has been invited into the house. So unless something is done, that malicious code that's now running in the user's browser has the same access to their LAN as they do. It can reach out and log into their LAN router, scan their network for other juicy targets. You know, find printers, transfer code, upload firmware, you know, get up to whatever mischief it might wish to. When you stop to think about it, it's somewhat amazing that this big loophole has been not been closed a long time ago. So the good news is it's finally going to happen. The W3C's specification for this new feature explains its entire purpose and scope. They write although RFC 1918, that's the thing that, that set aside our lands 192168 x x the whole 10 dot network, the 172.16 through, you know, a bunch of other successive IPs those were all set aside by, by the specification of RFC 1916 or long ago. So they said although RF19 61918 has specified a distinction between private and public Internet addresses over for over two decades user agents have not made much progress in segregating one from the other. This is the W3C writing this. Websites on the public Internet can make requests to local devices and servers which enable a number of malicious behaviors including attacks on users routers. Then they list a whole bunch of examples. They said Local network access, that's the formal name for this. Local network access aims to prevent these undesired requests to insecure devices on the local network. This is achieved by deprecating direct access to local IP addresses from public websites and requiring that the user grants permission to the initiating website to make connections to their local network. The overarching goal is to prevent the user agent, the browser from inadvertently enabling attacks on devices running on a user's local intranet or services running on the user's machine directly. For example, we wish to mitigate attacks on users routers or on software running a web interface on a user's loopback address. 127001 for better or worse, this is becoming a common deployment mechanism for all manner of applications and often assumes protections that simply do not exist. There should be a well lit path is the way they described it to allow these requests when the user is both expecting and explicitly allowing the local network address requests to occur. For example, a user logged in to Plex TV may want to allow the site to connect to their local media server to download media content over the local network instead of routing through remote servers.

B (120:44)

The specification then clarifies the intent of this with a couple of quick examples. They said Alice is at home on her laptop browsing the Internet. She has a printer on her local network built by Acme Printing Company that's running a simple HTTP server. Alice is having a problem with the printer not functioning properly. So Alice goes to to Acme Printing Company's website to help diagnose the problem. Acme Printing Company's website tells Alice that it can connect to the printer to examine its diagnostic output. Alice's browser asks Alice to allow support.acmeprintingcompany.com to connect to local devices on her network. Since this is something Alice wants and is expecting, she grants explicit permission for that website to connect to local devices on her network. Acme Printing Company then connects to her local printer's diagnostic output through Alice's web browser. And I'll just note that it may be a little bit unnerving for people to realize this is possible. That is, it is possible for Acme Printing Company to connect to Alice's web to Alice's printer through her web browser. We have the all of I mean these browsers have become incredibly powerful. Now they can act as proxy gateways into our land. So Alice's web browser says yes, tells Alice that it is part oh so Acme Printing Company then connects to her local printer's diagnostic output through Alice's web browser and tells Alice that a part is malfunctioning on the printer and needs to be replaced. Then W3C also provides an alternative.

B (122:42)

Sample. Alice continues browsing online to find the best price for the replacement part on her printer while looking At a general tech support forum, she suddenly gets a permission request in her Browser for print HTTPs://printersupport.evil.com to connect to local devices on her local network. Being suspicious of why printersupport evil.com would need to connect to local devices, she denies the permission request. And I'll just say well, we hope. Okay. Which is to say all of this of course presents us with a new problem. Because While yes, it's 100% true that the that for the first time ever.

B (123:40)

The user sitting in front of their web browser will be required to proactively allow some remote website to access their network. And that definitely represents a nice step forward in security capability. The trouble is it's still just a capability because we've also just saddled users with the new responsibility of determining what's benign and what's malicious. How is anyone really gonna know? If we've learned anything, it's that many users are unable to reliably tell the difference and it's not their fault. Since we've also seen bad guys who are highly motivated and very inventive cooking up all kinds of tricky schemes to trick people, we know that the so very human user remains the weakest link in the security chain. So now Chrome, as of Chrome 142 and presumably other browsers to follow since this will be, you know, this is a W3C official specification, all the browsers will be popping up notifications when something you're doing requires a remote site to have access to your local network. Allowing that to happen without any notification as we have been doing until now, is certainly not safe. But no one should imagine that if any really juicy targets should appear on user networks, you know, the bad guys aren't going to going to wait, right? They're going to cook up some very reasonable appearing reason why users should give their remote web domains to that will not be called evil.com they're going to be called heaven sent.com you know, access to the users local network devices. It's going to happen. So I'm sure that the Google Chrome guys, you know, who are driving, who were the driving force behind this W3C spec, you know, they know this is an imperfect solution, but they also know it's the best that they could come up with. They needed to put up some roadblock so that browsers could not do this behind users backs. They know that they really can't count on users to be judicious about what to and to not allow. I saw the a sample Google pop up and it just says example.com wants access to your local network. Hopefully people know that is. That should be. No. Unless there's like. Unless you want reason for it to.

A (126:26)

Happen because I go to localhost all the time and don't want to see that.

B (126:30)

I'm glad you said that, Leo, because that's a good point. What we. Thanks to the security work that's been done so far, there is a clear binding between any script or webassem and the domain from which it came.

B (126:51)

So, so essentially you are temporarily whitelisting that domain to have access to your local network, which is to say, you know, a browser will have multiple tabs open those and, and, and there, there will be scripts running from advertisers and from all of the different domains you're visiting. They will not have a white list for access to your land. It's only the script that you've whitelisted from that domain that will. And, and the point is you'll be able to still put 192.168.0.1 directly into your URL and go there because you are the source of that, of that access to the local domain. You at your browser, not indirectly through some remote domain. Yeah, so I don't. So unless something remote wants to do this.

B (127:58)

Most users, even power users who are logging into their local routers or going to their printers HTTP server, you know, their browser will just allow that without any trouble. You won't get challenged when you're initiating that to your own land yourself, only when some remote domain wants permission to do that. And then you. And then you get a popup which will only temporarily white list any script running from that one domain.

B (128:28)

And here we are, two hours. It's time to talk about the.

B (128:35)

Oh boy. The latest disaster.

A (128:39)

CVE in history.

B (128:41)

Yeah, it's really.

A (128:42)

There's nothing worse.

B (128:44)

Nope, you can't get better. It's too bad they didn't give it an 11. That would have been fun.

A (128:52)

A remote access to react sounds pretty about as bad as you can get the definition.

B (128:58)

In fact, we're going to define. We're going to start off by defining who what would be because our listeners all know now enough about this. What would be the characteristics of the worst possible exploit available?

A (129:10)

Okay, think this is a little thought exercise. Think about that for a moment while I tell you about our sponsor, Hawkshunt. As a security leader, you get paid to protect your company against cyber attacks. And you know what? Kudos for you for listening to this show. But I know Your job's getting harder. There are more cyber attacks than ever. And, and these phishing emails generated with AI, they couldn't be more perfect. They're indistinguishable from the real thing.

A (129:39)

Here's the problem. Those legacy one size fits all awareness programs you'd be using, they don't stand a chance against today's threats. They send at most four generic training, what is it, four a year? Right. And they're generic. Right. Most employees ignore them, they laugh, they hate them, they think they're stupid. And then somebody, you know, you send out a test, you know, and somebody actually clicks on it. Then what happens? You embarrass them. They're forced into an embarrassing training program that feels like punishment, that nobody learns from punishment. That's why more and more organizations are doing better. They're trying HOX Hunt. HOX Hunt goes beyond security awareness and actually changes behaviors by gamifying the process. Rewarding good clicks, coaching away the bad. Your, your, your users will never feel embarrassed. They'll, they'll be engaged, they'll be having fun, they'll be learning. I'll give you an example. When, when employee sees an email and suspects it might be a scam, Hawkson will tell them immediately and, and if it is, you know, your test email, they're going to get that dopamine rush, you got it. That gets them to click learn and protect your company. And as an admin for you, Hawks Hunt makes it really easy to automatically deliver phishing simulations and not just email slack teams using AI to mimic the latest real world attacks. The simulations are also personalized if you want to each employee you can have information about department location and more. And then instead of these big generic quarterly trainings, you get instant micro trainings to solidify understanding and drive lasting, safe behaviors. You could trigger gamified security awareness training that awards employees stars and badges. I know that sounds dumb, but they love it. It's like you would love it. It's like, yeah, I did good. Boosting completion rates, ensuring compliance, and really the bottom line is helping them learn how to protect your company. You could choose from a huge library of customizable training packages, or they have AI, you can generate your own, make them really, you know, effective. These simulations, HOX HUD has everything you need to run effective security training all in one platform. It's easy to measurably reduce your human cyber risk at scale. And you don't have to take my word for it. There are over 3000 user reviews on Hawks on G2 which make HOX Hunt the top rated security training platform for the enterprise including easiest to use and best results. This is easy for you best results for your company. It's also recognized as customers choice by Gartner and it's used by thousands of companies worldwide. Companies like Qualcomm, AES, Nokia, they use it to train millions of employees all over the globe. Visit hoxhunt.com securitynow right now telling my Modern secure companies are making the switch to hawks hunt. That's hawkshunt.com security now. We thank him so much for supporting Steve and Security now and doing a great job and and as an employee. I'm both an employee and a boss. As an employee I really appreciate it when it's fun fun to learn, you know, not to click on phishing attacks. I look forward to all right Steve, now on we go.

B (133:08)

As I said, by this time, from everything we've seen and shared on this podcast through the years, we can probably all define what a what a worst case vulnerability looks like. It would affect any popular, widely present Internet facing server. It would not require the remote attacker to be in any way authenticated on that server. It would allow said attacker to remotely supply whatever code they would wish any such server to execute on their behalf, and the attack would have a low complexity so that no rocket science is needed. Taken together in the parlance of the day, we would term this as a critical, unauthenticated, low complexity remote code execution vulnerability. A shorter, though less descriptive summary might also be CVSS 10.0. Yeah, because you know, most of what we see is that they're trying to get there. They're a 9.8, but they're not really completely just unbelievably bad underachievers. Obviously this yeah, they were. This is a 10.0. The headline given to Dan Guden's reporting of just such a vulnerability last Wednesday. So not even a week ago in Ars Technica was Admins and defenders gird themselves against Maximum Severity server Vuln in the subhead. In the subhead it says Open source React executes malicious code with malformed HTML. No authentication needed. So there's a lot to cover here. Let's begin with Dan's description in Ars Technica. He says security defenders are girding themselves in response to the disclosure of a maximum severity vulnerability disclosed Wednesday in React Server, an open source package that's widely used by websites and in cloud environments. The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available.

B (135:36)

React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly, with fewer resources required. React is used by an estimated 6% of all websites and 39% of cloud environments. When end users reload a page, React allows servers to re render only parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server. Security firm Wiz said Exploitation requires only a single HTTP request and had near 100% reliability in its testing. Multiple software frameworks and libraries embed React implementations by default. As a result, even when apps don't explicitly make use of React functionality, they can still be vulnerable since the integration layer itself invokes the buggy code and that sends this a little bit like log 4J right? Which we recall. Although that wasn't bad. As it turned out, this turn has already turned out to be bad. The combination of the widespread use of React, particularly in cloud environments, the ease of exploitation, and the ability to execute code that gives attackers control of servers has earned the vulnerability a severity rating of 10, the highest score possible, writes Dan. On social media, security defenders and software engineers urged anyone responsible for React related apps to immediately install an update. Released Wednesday, one researcher wrote, I usually don't say this but but patch right freaking now the React CVE listing and that's CVE 20255182 is a perfect 10. React versions 1901, 1912 or 1921 contain the vulnerable code. So that's worth noting. It's only this year's reacts so this happens this year if I hope you're not running an older one because that would be worse but you know so update again the third party components, writes Dan known to be affected. So these are third party things that that have React in them include Vite RSC plugin, Parcel RSC plugin, React Router, RSC Preview, Redwood SDK, Waku and Next js. That being a biggie of course. According to Wiz and fellow security firm Aikido, the vulnerability tracked as I said, 20255182 resides in flight, a protocol found in the React server components. Next JS has assigned the designation. They have a different CVE 666-04-78 to track the vulnerability in its package.

B (139:01)

And then Dan hits us with the nature of the vulnerability, which will also come as no surprise to our longtime listeners since this podcast long ago identified interpreters as a particularly a particularly tough problem for secure systems, Dan writes the vulnerability stems from unsafe deserialization the coding process of converting strings, byte streams and other serialized formats back into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server. Patched React versions include stricter validation and hardened deserialization behavior. In other words, they fixed a bug in the deserializing interpreter which interprets the serialized stream and makes a mistake, wiz explained. Quote When a server receives a specially crafted malformed payload, it fails to validate the structure correctly. This allows attacker controlled data to to influence server side execution logic, resulting in the execution of privileged JavaScript code, they added. In our experimentation, exploitation of this vulnerability had high fidelity with a near 100% success rate and can be leveraged into a full remote code execution. The attack vector is unauthenticated and remote, requiring only a single specially crafted HTTP request to the target server. It affects the default configuration of many popular frameworks Both companies, writes Dan, are advising admins and developers, meaning React and Next js. Both companies are advising admins and developers to upgrade React and any dependencies that rely on it. Users are of any of the remote enabled frameworks and plugins mentioned above should check with their maintainers for guidance. Aido also suggests admins and developers scan their code bases and repositories for any use of React, meaning you might have included it as a dependency in some build structure and not even know it's in there. But React is still accepting that stream when it comes to it and could then trip over its own feet and execute bad code in your system. Dan's article quickly generated 79 comments from which the RS staff chose one which reads just ask Grok for a proof of concept. Basically, the deserializer can be made to execute any arbitrary code by encoding a nested object with an eval expression into base 64 bytes. Shockingly easy to do, he wrote. Okay, so now let's step back a bit to answer the question. What is it? Wikipedia sums it up nicely writing React, also known as React JS or React JS, is a free and open source front end JavaScript library that aims to make building user interfaces based on components more seamless. It's maintained by Meta and a community of individual developers and companies. According to the Stack Overflow Developer Survey, React is one of the most commonly used web technologies today. React can be used to develop single page, mobile or server rendered applications with frameworks like Next JS and React Router. Because React is only concerned with the user interface and rendering components to the dom, React applications often rely on libraries for routing and other client side functionality. A key advantage of React is that it only RE renders those parts of the page that have changed, avoiding unnecessary RE rendering of unchanged DOM elements. React is used by an estimated 6% of all websites. Okay, so now we have some sense for what React is, how widespread is its use? The platform security company Ox titled their reporting of this Wednesday. Millions of servers vulnerable to RCE in React components they wrote A critical vulnerability in React and Next JS allows attackers to execute code on vulnerable servers without any authentication, potentially exposing millions of applications to immediate risk. React is one of the most popular JavaScript libraries for building user interfaces created by Facebook meta with over 1.97 billion total downloads. One point almost 2 billion downloads.

A (144:16)

That's a lot of downloads.

B (144:18)

That is a lot of downloads. Discovered today, Wednesday, this vulnerability affects the React and Next JS ecosystems, which power over 10 million active websites globally, including major platforms built with React such as Instagram and Netflix airbnb that serve billions of users daily. With react downloaded over 20 million times weekly, new vulnerable applications are being deployed continuously. The potential exposure is massive, spanning E commerce platforms, financial services, healthcare applications and enterprise systems worldwide. Okay, so you know the bad guys are going to be just salivating. They wrote what we know. React CVEs and that's the 55182 and next JS's CVE6 6478 contain a critical RCE vulnerability enabling the attacker to execute arbitrary privileged JavaScript code on the vulnerable server. While the core issue stems from the React vulnerability, that the Next JS vulnerability exists only because it directly used a vulnerable version of the React framework itself. The attack doesn't require any kind of authentication from the attacker or a valid running session for the RCE to work. Who's affected? Any server running an unpatched version of React or Next JS, or any package based on on a vulnerable React component. Using Shodan, we found that there are over 571 2, 571,249 public servers using React components and 444,043 using Next JS. So together more than a million. While we don't know the versions of each of those servers, it would be safe to assume that even if a small number of them are inside the vulnerable versions range, the impact.

B (146:38)

Is on a high scale and should be addressed immediately. Since this issue impacts any server online running react or next JS, which are highly popular JavaScript based packages, this means that attackers are could now scan and directly exploit those servers. This potentially could harm millions of servers around the world, causing information leakage, secret extraction and more. All right, so it's not good. Did anyone notice? Ha, you betcha. Two days later, Friday, December 5, Ox followed up with their report of active exploitation under their headline reacts CVE 2020555182 is now actively exploitable verified POC they wrote. Hacker Maple 3142 published a working proof of concept for 5 5182, which we successfully verified just two days after we published our initial analysis of the React Next JS server side RCE vulnerability. A fully functional exploit has been released publicly. The proof of concept works exactly as expected and results in unauthenticated remote code execution on vulnerable servers. The exploit abuses, reacts, blah blah blah. We all know about that. So then they get into details of the attack and congratulate the exploits author this Maple3142 calling it great work. They also provide a link to Maple's exploit demo on GitHub and I have a link at the bottom of page 20 in the show notes for anyone who's interested. To no one's surprise, the industry has jumped to get this resolved. This is an emergency and there were apparently a few hiccups along the way. Cloudflare notably suffered a 25 minute oopsie outage while working to protect all of the servers behind them from the abuse of the vulnerability, Network World reported under their headline Cloudflare Firewall Reacts. You know pun there badly to react exploit mitigation with the subhead in attempting to fix one problem, Cloudflare caused another, they wrote. Cloudflare's network suffered a brief but widespread outage Friday after an update to its web application firewall. You know, a WAF to mitigate a vulnerability in React server components went wrong at 9:09am UTC, the company reported that it was investigating issues with the Cloudflare dashboard and related APIs, warning that customers might see requests fail or errors displayed. Just 10 minutes later they had deployed a fix. And actually it looks more like it was a 25 minute outage. So maybe it was 15 minutes into it, then 20, then 10 minutes after that they had a fix. So a total of 25, they wrote. But not before a flood of reports of problems with Cloudflare and its customers poured into uptime tracking sites such as down detector.com during the same window, Down Detector saw a spike in problem reports for enterprise services including Shopify, Zoom, Claude AI and Amazon Web Services, and a host of consumer services from games to dating apps. Cloudflare explained the outage on its service status page, writing a change made to how Cloudflare's web application firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning. This was not an attack. The change was deployed by our team to help mitigate the industry wide vulnerability disclosed this week in React Server Components, unquote.

B (150:43)

The the OX report said Cloudflare was no about was no doubt attempting to protect those of its customers who've not yet had an opportunity to patch the vulnerability in the two days since it was revealed. The wobble in Cloudflare services comes just two weeks after a much bigger one rendered its customers websites inaccessible and so forth, blah blah blah. So anyway, I appreciated how these guys at Network World concluded their posting. They wrote there are some advantages in relying on single service providers such as Cloudflare or AWS for these tasks, including economies of scale and service consistency. But it also makes them single points of failure. When they go down, everything goes down with them. This is what we were just talking about two weeks ago. In such a monoculture, the alternatives that might be able to take up the slack have already been weeded out, meaning acquired or put out of business or they're just not available for whatever reason. So I think that gets it exactly right. Cloudflare's own posting about this noted that their logs did not capture any evidence of successful exploitation of this vulnerability against any of their free or commercial customers. And by the way both were were protected by this Cloudflare's waf. Their web application firewall update also protected anybody on the free plan. They never said explicitly that their apparently WAF change service outage was a mistake, but it certainly seems like it had to be. You know they're continually updating their web application firewall patterns with new detections and blocks and their customers are not experiencing system wide outages on an ongoing basis. So I think they fumble fingered it something somewhere. Of course AWS and fastly and other CDNs also quickly deployed their own network protections for their customers. So everybody pretty quickly got protected. I should also mention that two China based threat actors were seen to immediately jump onto this exploit with attacks beginning within hours of the vulnerabilities public disclosure well remember that was Wednesday and the the CDN protections didn't snap into place for a full 48 hours, so there was likely some serious damage done during this window from disclosure to fix, which sort of suggests that this could have been done better. There's no reason for example, that the major CDNs at least could not have been brought into a loop, you know, on the DL and allowed to have their their application.

B (153:45)

Firewalls updated so they would have been protected before the disclosure. No reason for that not to happen. So maybe somebody will be thinking about that. The AWS security team linked the attacks that they saw to two groups tracked as Earth Lamina, Earth Lamia and Jackpot Panda. AWS wrote. Earth Lamia is a China Nexus cyber threat actor known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle east and Southeast Asia. The group has historically targeted sectors across financial services, logistics, retail, IT companies, universities and government or government organizations. And Jackpot Panda, they wrote, is a China Nexus cyber threat actor, primarily targeting entities in east and Southeast Asia. The activity likely aligns to collection priorities pertaining to domestic security and corruption concerns. What that whatever that means. So Amazon says the attackers used anonymizing proxies to hide their infrastructure to so requests were being bounced through other systems and also deployed exploits for other vulnerabilities using these as the back doors to get in. Interestingly, both groups use their own homegrown exploit implementations. Remember the proof of concept? Even that took two days before it went public. But this thing was so dead simple to do that it no one waited, you didn't have to wait two days. These things. The attack started within hours of the of of the disclosure that there was a problem and they rolled their own exploits because it was so easy to do so. Then later multiple public proof of concept exploits were released, including one from Lachlan Davidson, a security reacher we've talked about before. He was the guy who initially found and reported this devastating vulnerability. So it's likely not an exaggeration to say that this vulnerability is probably going to haunt the developer ecosystem for some time due to its ease of exploitation, widely available proofs of concept, its low complexity versus its power, as well as React's popularity. Next JS is currently considered to be the best web technology available for producing very SEO friendly content. If a technology was you know, ever expected to replace WordPress, those you know, people in the know argue that it would be next JS that would be the replacement for WordPress, Palo Alto Networks wrote. Ultimately this incident underscores the inherent friction between performance and security in modern architecture. While React server components optimize data fetching and search engine optimization by moving logic closer to the source, they simultaneously move the attack surface closer to organizations most sensitive and valuable data. So which I think that's a Terrific perspective. So anyway, I wouldn't say we dodged a bullet. I would say that a bunch of people probably got hit. And over time we may get some more news like by next week of, you know, what organizations are in trouble as a result of this. We could see that, that those who weren't immediately reactive, so to speak, are. Are going to be in trouble and we'll start getting, you know, extortion notices and data exfiltration and all of the, all of the follow on.

B (157:51)

You know, badness that comes a. After a network is penetrated.

A (157:55)

Yeah. Wow. And so it's been patched.

B (158:02)

Yes.

A (158:02)

And are. Does react work to automatically update itself or do you have to explicitly.

B (158:09)

No, there's no. You need to get the. The updated stuff. Yes. And I should mention that the benchmark that is now available does have automatically check for updates enabled.

A (158:23)

Oh good.

B (158:24)

And it will, it will alert its user every time they use it. All I do is send a short DNS query to grc. I'm using DNS in order to clever in order to send back the. The. The most recent release number. And so it checks that against its own release and it lets you know if there's something better. And, and also gives you the link to update and puts your transaction code from your purchase into notepad. I mean into the clipboard so you can paste it directly into the form and get the download link for the new one. We had, thanks to a year of development, we had lots of time to polish the whole update delivery system.

A (159:06)

Feedback's great. That's really great.

B (159:09)

Well, good.

A (159:10)

Everybody should go to GRC.com and get your copy of the DNS Benchmark Pro. You're not calling Pro, you're calling it version 2.

B (159:17)

Just v2 version 2. Buy it once, own it forever, and own its entire future.

A (159:24)

Nice. That was that. Now did you send out the email to the list?

B (159:29)

No, I, I need. I want to do a walkthrough video. I need to get the documentation I had. The documentation pages need to be updated. They're still all talking about version one, so I'm not ready to do that. But I still have no spam being reported by Google. So all of those changes I made to my email system have taken hold and will probably be a couple weeks and then I will do that. I will notify that the. That main mailing list is now up to 153,000 subscribers. So.

A (159:59)

Wow.

B (160:00)

It'll be. That'll be fun to let them know.

A (160:01)

Well, I'll tell you what, you can kill two birds with one stone, if you go to GRC.com email, the idea here is you, you enter your email address and then Steve will know that you're you and not some spirit spammer. And that means you can email him from then on. And you'll also see the two additional subscriber lists. I always say there's a, there's a check mark, but, but I don't see a check mark.

B (160:27)

You just, you get one when, so.

A (160:29)

Oh, it's in the email.

B (160:30)

Yeah, well, yeah, well, you, you, you, you fill that out. Then I send you a link for managing your account. When you click that, that brings up your own page where you can subscribe and, and unsubscribe from, from whatever.

A (160:46)

Right. So, yeah, and there, there isn't a banner on this page to buy to upgrade.

B (160:52)

There it is.

A (160:53)

It's on this page though. It's just not on the email page. So Steve, you, you might want to add that to the email.

B (161:00)

Like I said, I mean, the, the, the site has only ev. The only thing I've ever had for sale was spin. Right? So the site is spinrite sales oriented. And for example, spinrite is there in the top level menu, but there's no mention of the benchmark in, in the menu. I do have it under freeware utilities, but it's not really a freeware utility. Although for what it's worth, version one is still available. If for whatever reason somebody doesn't can't spend 9.95, I understand. I still want them to have what I have available, which is version one. And so you're still welcome to that.

A (161:38)

Good grc.

B (161:40)

It does misrank your resolvers, unfortunately. I did the best job I could back then, but I know how to do it now because the World's changed in 6 in 16 years.

A (161:48)

Changed a lot. It absolutely has. If you go to GRC.com, you can also get the show there. There are a lot of places to get the show, but that's one of the places. There are some unique versions there though, I want to tell you about. There's a 16 kilobit audio version for the bandwidth impaired. There's a 64 kilobit audio version that's full, full fidelity. There are the transcripts written by an actual human being, not AI generated. But Elaine Ferris does those. Those take, as a result, a couple of days to get up on the site. And there's a show Notes, by the way, the show notes are one of the mailing lists Steve offers. So if you sign up for those mailing Lists. There is one for show notes, so you'll get that automatically. Otherwise you can go to GRC.com and and download it. Get yourself a copy of the DNS benchmark spin. Right. Give me your email, sign up for the newsletters and then anything that's your assignment. Anything else is on you. There's a lot of other fun things you can do@grc.com and one of them is his whole vitamin D story under. I think it's under research.

A (162:52)

It might be interesting for you to know that we are going to repeat that very famous yonder Health, that very famous vitamin D episode From I think 2009. It's that old. And that will be our New Year's Eve show. New Year's Eve Eve show, the penultimate day of 2025 show.

B (163:14)

We're going to update it a little bit also.

A (163:15)

Yeah, we'll have to update it. The other thing is because it was audio back in those days, there was no video. Anthony Nielsen has created a very nice kind of yule loggy thing you can run in the background. You could. You'll see when you do that, you're listening to the show. There is a little bit of video associated with it that Anthony did a nice job with that. So GRC.com to get all of that stuff. You can also of course get the the.

A (163:43)

Podcast. Almost called it a radio show. Get the podcast at our website, Twitter TV SN. There's audio there and video. 128 kilobit audio and video. There's video at the YouTube channel dedicated to to you to security. Now, in fact, you'll find that YouTube link on our website, Twitter TV SN as well as a link to a number of podcast clients. Or you can use your favorite. If you subscribe in the podcast client.

B (164:09)

Then you get it automatically.

A (164:10)

You don't have to think about it. And yes, you have the choice between audio and video versions of the show. We'd also like to invite you to join the club. This is the time of year when I am being very grateful for all of our wonderful club members who make all of this possible. You pay for a quarter of all of our costs now. It makes a big difference to us and I'd like to get that even more to 50% because ad sales are pretty slow for next year. And I think that this might be a time that you could help us help you go to GRC. That's in my my head now. Go to Twitter TV club twit. 10 bucks a month, $120 a year. There's a 10% off coupon for the yearly subscription that is available only now through December 25th. So get that for yourself or as a gift for somebody. You'll get ad free versions of all the shows. You'll get access to our club, TWiT, Discord, all the special programming we do. There's a lot of great stuff as a thank you really for your support of Twit. Well, I think that is every. Oh yeah, one more thing. We do record the show on Tuesdays right after Mac Break weekly. That's round about 1:30 Pacific, 4:30 Eastern, 21:30 UTC. And you can watch that live if you're in the club in the Discord. But there's also YouTube, Twitch, X.com, facebook, LinkedIn and Kick. So there's other places you can watch live. Chat with us live as you're watching now. I am finished, Steve. We'll see you next week on Security Now.

B (165:39)

Bye.

A (165:43)

Security Now.

A (165:51)

High interest debt is one of the toughest opponents you'll face unless you power up with a SOFI personal loan. A Sofi personal loan could repackage your bad debt into one low fixed rate monthly payment. It's even got super speed since you could get the funds as soon as the same day you sign. Visit sofi.compower to learn more. That's s-o f I.com p o w e r loans originated by Sofi Bank NA member FDIC terms and conditions apply. NMLS 696891.