A
It's time for Security Now. Steve Gibson is here. He's a little miffed. We actually get a rare Gibson rant over the life cycle of code signing certificates. It's going to be dramatically reduced for no good reason. Ads coming to your ChatGPT. Why did they ban the Raspberry Pi from the New York City inauguration? And an astonishingly good British TV series that Steve wants you to know about. Plus magnesium as a supplement. And then a look at a very big, very problematic flaw called MongoBleed. It's a jam-packed show. Stay tuned. Security Now is next.
B
Podcasts you love from people you trust.
A
This is TWiT. This is Security Now with Steve Gibson. Episode 1059, recorded Tuesday, January 6, 2026. MongoBleed. It's time for Security Now. The first show of 2026. Let's see if Steve has changed at all in the new year. No.
B
And the answer is no. And that's a good thing.
A
And that's a good thing. Steve Gibson is here, the man of the hour. The man every Tuesday we tune in for to find out what the latest is in the security news.
B
Hi Steve. Leo, 2026. It is a new year, a new amazing ride for our listeners, for the world, for everything. And I have to say I'm developing another major platform, a philosophical feeling about where security is beginning to evolve. We will be seeing "authentication is broken again" because that's something. But I'm really beginning to get a sense of diminishing returns. I'm reminded of the fact that we can't build light rail because we have so over-regulated ourselves, you know, on the off chance that something bad might happen to something somewhere. You know, I mean, you can't prove a negative, right? And so the insurance salesman, you know, makes his living by saying "but what if," right? And as a consequence, a lot of people have insurance that, you know, they actually may not ever need because that thing, you know, didn't fall off or whatever. We're beginning to see, and I'll be talking about, another reduction in certificate length which has no justification. And this new feature, SAP smart app, or SAC, Smart App Control, that landed in Windows 11, which cannot be turned off, where you can't allow apps you trust, or exceptions. All of Microsoft's stuff, until now, all of the Windows Defender, you could say, "okay, fine, I want to dedicate this directory to things that you don't bother me about." That's going away. So end users are being increasingly inconvenienced in the same way and for the same reason that we can't build light rail in California. It's, you know, it's like it's diminishing returns. It's the belief that we can apply our fancy technology to solve problems where the presence of that technology creates a bigger problem than what it is trying to solve. And I think this is the year where we're going to begin to see it. The signs have been there and we've been reporting this until now. I think it's going to mature.
Unfortunately, like this year and next, things are becoming increasingly constrained in a mistaken belief that we're going to be able to fix this just by being more tricky, by applying technology to mistakes. We're not really fixing mistakes much, and the human factor is still there anyway.
A
You've got a new philosophical framework building. I understand. When you said that I was hoping you were going to write a new operating system to replace the crappy ones we have, but I guess that's off the table.
B
Actually you're going to see a bright light for Linux here.
A
I have gone all in on Linux long ago. I was fed up with Windows, and I'm not happy with the direction Apple's taking with macOS. The only operating system out there I know of that I can really have be exactly what I want, no more, no less, without ads, without constant "Hey, you want to download Chrome?", without any of that stuff, is Linux. But we'll talk about that in a little bit.
B
Yes we will. Today's podcast is titled MongoBleed, which.
A
Is not from Blazing Saddles. MongoBleed.
B
MongoDB, it turns out, is the fifth most popular database system in the world. We'll be getting to that in a second. But it's got a bad problem. And the cool thing is what we're gonna look at is a problem that we can perfectly describe, that is this bug which has been in there for 8 years. So all versions of it, all 87,000 copies, at least 87,000 have been identified by Censys, are vulnerable. And oh, it's been a rocky Christmas and New Year's for those people. We're going to talk about code signing certificate lifetimes being shortened. A vote was made late last year to shorten code signing certificate lifetimes by two years. Sadly, ChatGPT is heading toward an advertising profit model. I want to touch on that. The Python Package Index guys are strengthening their security, they just announced. That's great. BitLocker gets hardware acceleration. But not today. New York City's mayoral inauguration did the weirdest thing. They banned Raspberry Pis and Flipper Zeros. Yeah. Like, what? We've got. Oh, I have news. I was bending Benito's ear before we began recording about my discovery of an astonishingly good British time travel series, which I love.
A
Time travel.
B
Oh, Leo, if you have not seen the Lazarus Project, I, I, I don't. There's no danger of me overselling this thing. It is.
A
Oh, I want to see it.
B
So, and it's, it's. Well, yeah, we'll get there. Also, we've got news just in, following our vitamin D special podcast last week, of a critical link between vitamin D and magnesium. You know, but our listeners don't know that. Magnesium is another one of the things that I have focused on.
A
I take so much magnesium now.
B
Good.
A
I actually have to, I had to back down a little bit because I think I was reaching saturation as one does.
B
I'm going to delicately explain about that.
A
Well, there's all kinds. There's glycinate, there's citrate, there's threonate. So good. I want to hear more about this. Yeah.
B
Yep. And ask me things, because there are things I didn't get to. I was a little self-conscious about, you know, talking a lot about supplements on our Security Now podcast. But the response I got from, like, people being reminded about vitamin D, I think probably, Leo, many of our listeners have been aging along with us for the past 20 years. And so, you know, when you're a Gen Z, indestructible, you know, go all day and night person, you don't think about, you know, health and longevity, but when you're in your late 60s and 70s, it becomes something you tend to focus on a little bit more.
A
So but anyway, it's too late, of course.
B
So yes, you do want to get. Yes, you want to create as much foundation for the future as you can. And you and I both did 20 years ago. Oh, and a Picture of the Week. I'm so happy with my headline on this. It was a picture that had a different caption. I gave it one that I love, which I think everyone's going to get a kick out of. So I think probably we've got an interesting podcast for kicking off 2020.
A
Well, it's about time, Steve. I've been meaning to mention that. No, this is the show I, this is rapidly becoming our most popular, popular program on the entire network. And I'm not surprised. It's all because of your stellar personality.
B
Spent the last two days, spent the last two days writing it. So all of Sunday and all of Monday went into.
A
I don't know if people understand how much work you put in. I guess they probably do. If they ever look at the show notes, you basically write a novel. Today's is 22 pages long of density.
B
This one, I did write most of it. Instead of just copying and pasting stuff.
A
You really put a lot of effort into it. So I appreciate that, Steve, and I know our audience does as well. Let's take a little break. You know who else appreciates it? Our fabulous sponsors. They're very happy to know that they've got an audience of very smart people who are working in security, working in areas that, you know, they're experts in, but they're always interested in new ideas, new products, new tools that can make their life better. This is a brand new sponsor. We're very happy to have them on. In fact, I had a great conversation with them just a couple of weeks ago. It's called Meter. They are a company that's devoted to building better networks, and actually their history, their story, is interesting. They were of course network engineers just like you, working on the ground. And they said there's gotta be a better way, there's gotta be better hardware, there's gotta be better control planes. If you're a network engineer like them, you know the headaches. Legacy providers with inflexible pricing, I'm talking ISPs even, right? IT resource constraints stretching you thin. I mean, nobody's ever got a sufficient budget. Complex deployments across fragmented tools. Especially nowadays, with companies acquiring other companies and other properties. You know you're going to have one Wi-Fi system in that warehouse that's not compatible in any way with a Wi-Fi system at the home office, and on and on and on. You, as the network engineer, it all is on your shoulders. You're mission critical to the business, but you're working with infrastructure that wasn't built for modern demands. That's why so many businesses are switching to Meter. Now I admit I had never heard of them. So I went to the website when they first approached us and I looked and I said, wow, this is what people need. Meter delivers full stack networking infrastructure. I mean the whole stack: wired, wireless, even cellular.
It's built for performance, it's built for scalability, it's built for you to manage. That's important to Meter. They design their own hardware, write their own firmware, they build the software, they manage the deployments, and they provide support. In fact, you can have Meter set the whole thing up if you want. You can have them be a consultant, you can have them just be out there for support and do it all yourself. Because they know, as a network engineer, everybody's got different needs. Meter will help you with everything from ISP procurement down to that level. Security, of course, that's job one. Routing, switching, wireless, firewall, cellular, power. They'll do DNS security, VPNs, they'll help you set up SD-WANs, multi-site workflows, all in a single solution: Meter's single integrated networking stack. All of this is built on the same stack, on the same hardware, the same software. It scales. You'll see people using it in hospitals. I mean, I spent a little time in hospitals over the holiday break. Everybody's fine. But I noted that in most of them, cell phones don't work. Wi-Fi doesn't work. They need Meter. Branch offices. You got the home office, then you got the branch office, and never the twain shall meet. No, you need Meter. Warehouses, giant warehouses, or campuses, large campuses, data centers. You know who uses Meter? Reddit, perfect example. Or I'll give you another testimony. The assistant director of technology for Webb School of Knoxville. He said, "We had more than 20 games on campus between our two facilities. Each game was streamed via wired and wireless connections. The event went off without a hitch. We could have never done this before Meter redesigned our network." If you're just hearing about it now, as I was, I really want you to look at this. With Meter, you get a single partner for all your connectivity needs. This is your dream come true. This is what you've been looking for.
From the first site survey to ongoing support, without the complexity of knitting together and managing multiple providers, multiple tools. The ISP says, well, it's the router's fault. The router says it's the ISP. None of that. Meter's integrated networking stack is designed to take the burden off you, off your IT team, and to give you deep control, to give you visibility, totally reimagining what it means for businesses to get and stay online. And we needed this because everything has changed. Meter is built for the bandwidth demands of today and tomorrow. We thank Meter so much for sponsoring. Go to meter.com/securitynow, book a demo. That's all I ask. M-e-t-e-r dot com slash securitynow to book a demo. The time is right. We need it. meter.com/securitynow. Thank you, Meter, for believing in us.
B
And.
A
And I think you're going to have some people who are very happy to find out about Meter. meter.com/securitynow. I am prepared. I have not looked at the Picture of the Week.
B
I think you should just gaze upon it. Let it soak in. I'll gaze upon it. I will share your response.
A
I shall scroll up and then I.
B
Will explain and you can see my.
A
Face as I see it for the first time.
B
I will share the caption.
A
Okay, well, I've seen this many, many times. Account verification. Oh, we, yes, we just said. They're telling me what the code was.
B
So I gave this the caption. I gave this the caption. The sales pitch. Really? Why reinvent the wheel? Allow agentic AI to take all the drudgery out of your repetitive coding tasks.
A
This is vibe coded. It probably is, isn't it?
B
Isn't this wonderful? And then we have the agentic AI and vibe code produced second-factor authentication screen. It has the headline "Account Verification." And then it says, "We have just sent the code 435841 to your phone number," and then it has that blanked out, with the last four digits 8247. "Please enter the code below to access your account." So isn't that wonderful? Oh my God, it is so good.
A
And when you first look at it, you might not. Yeah, right. That makes sense. Yeah.
B
Yeah.
A
I guess I don't have to look at my phone now.
B
It does speed up the login process. Sure does that.
A
That's good.
B
You don't have to. Don't have to wait for the code to arrive. Okay, so I want to begin this first podcast of 2026 by exploring around the edges of a recently decided and announced and, I have to say, discouraging update that follows a disturbing trend which will have a significant impact on our industry. And I understand that those behind it are claiming it will have a net positive impact on security, but I question whether that's true. And I suspect that the positive impact it will most have is upon the certificate authorities' revenues and profits. Today's level of persistent cybercrime, which we know exists, right? I mean, it's out there, and the bad guys are, you know, more aggressive and frankly money hungry than ever. It's the ability to get paid through cryptocurrency that has enabled this. They're pushing the world, you know, the cybercrime baddies are pushing the world to a place where only software that is validly signed will even be considered for execution. Signatures are required for iOS apps, Linux distros, secure booting, Android APKs, browser extensions, and all of the various gaming consoles, including smart TVs, and even the firmware for home routers, NASes and cars. All of this needs to be signed. Linux, being inherently more open, is the only remaining OS where signing is either unnecessary or not strongly needed.
A
It's a different kind of signing. I mean, when I download an app, often it is signed with a hash, you know, MD5, or a PGP key to identify the developer. But that's voluntary, that's not from the operating system, that's from the developer.
B
There is no requirement by the OS. Windows apps can theoretically run without signing, but only now, with Windows Defender there, if they are very well known. The only hope any newly minted Windows app has of running today is if it's carrying a signature, and even then, only if that signature itself has previously established a strong reputation by virtue of the applications it has signed that had been previously seen and haven't caused problems. You know, it's all about reputation. But we've seen that other apps like Notepad++, which have a sterling reputation, will have serious trouble if they are unsigned or, as its author briefly attempted, are self-signed. You know, that landed with a big thud because everybody was complaining that Windows Defender wouldn't allow their update to Notepad++, that they'd had for years, to run at all. You know, so if Linux we could consider is lax, but probably not necessarily guarded, whereas Windows is, then macOS sets the bar about as high as it can go. Any macOS application that's not signed is assumed to be malicious. You know, you really need to be a registered developer in good standing to have any chance of macOS running your software. So that's pretty much where we are today. Essentially anywhere it's practical to require a signature on software, a signature will be required. The problem is this is still an imperfect system. Bugs in signed software are no less prevalent than in unsigned software. So signing offers no guarantee about software quality. And bad guys are just as able to exploit bugs in signed as in unsigned software. But it is certainly worthwhile to require a signature rather than not. If nothing else, something somewhere is known by someone about the signer of the software. There's at least some modicum of accountability and traceability. So I can see that, you know, it's not a bad thing.
And if a piece of signed software is discovered to be malicious, then its signing certificate can be immediately blacklisted, and is, so that nothing else signed by that presumably malicious certificate will be trusted. Now, it's not unreasonable to expect a Linux user to be cautious about what and where they obtain their software for their machines. That's more the Linux user demographic, right? But that's certainly not the case for the casual Windows user who browses around Microsoft's Windows Store looking for stuff to download and run just because, why not? It's there. So everything and anything that comes from the Windows App Store is signed, must be, by a known developer. We're talking about what has become the crucial security topic of code signing today, because in another move that makes very little sense to me, late last year the CA/Browser Forum voted to reduce the maximum lifetime of code signing certificates for any certificates issued from March 1st of this year on. So less than two months from now, the maximum lifetime of a code signing certificate that will be issued by any certificate authority will be reduced from 39 months, which is a comfortable three years plus three months, to a far less convenient one year and three months, taking two years off of what has been the pattern so far. Yeah, and this is occurring for no apparent reason that addresses no apparent problem. Back in 2022, the policy was finalized that no code signing private keys could exist outside some form of hardware token or HSM which would prevent their theft. That policy took effect on June 1, 2023, fully two and a half years ago. From that date forward, June 1, 2023, certificate authorities would only issue code signing certificates in hardware. And critically, this applied not only to extended validation code signing certificates, which had long been required to reside in hardware isolation, but to all code signing certificates, even the lesser verified ones. So that move, made two and a half years ago, ended the opportunity for code signing certs to be remotely stolen. I remember years ago, Leo, like a decade ago or more, we talked about a theft somewhere, I don't know, like in Taiwan, or there was a theft at a physical facility where their certificates got stolen. Or maybe it was a remote break in, but you know, they have a.
A
Piece of paper in a safe. How could you? I don't.
B
Yeah, so but for the last two and a half years, all code signing certs of any caliber had to be installed in hardware.
A
Yeah.
B
So as a consequence of that, it meant that no code signing certificate could be exfiltrated by any remote attacker, period. You know, even the owner of the dongle, the HSM, can't get the private key. It won't. There's no API, you can't extract it. It is a write-only system by design. Nevertheless, the certificate authorities have voted and decided that even safely stored code signing certificates must now be renewed much more frequently.
A
So I understand why this happened with TLS certificates because of issues with revocation, right? There's nothing like that for code certificates, right?
B
No, no. And this is another part of the annoyance: it's not as if this is actually going to prevent maliciously signed malware. You're going to get companies posing as reputable software publishers who obtain a code signing certificate and establish a reputation. Very much the same way that people who run forums see people creating accounts that are dormant for a while in order to sort of slip under the radar, and then they start getting up to some mischief downstream at some point. Same thing is happening here. So it's not like this actually solves a problem. You can still have valid code signing certificates issued to malicious parties because the validation process cannot be perfect, because again, it's the human factor, which is where all of our security ultimately fails. Whether it's humans writing code that has bugs or humans saying, you know, "are you really, you know, Steve Gibson?" So this raises the question, right? Why would the CA/Browser Forum feel the need to reduce the life of absolutely theft-proof code signing certificates? What benefit could there possibly be to them? And does this have any impact upon the browser side? Remember, the CA/Browser Forum is the Certificate Authority and Browser Forum. Does this have any effect on the browser side? Looking over the results of the ballot measure which was voted on, CSC-31, which was titled "Maximum Validity Reduction," I was struck by the mix of voters. And using the term "mix" would be technically inaccurate, since all 10 of the yes votes came from certificate issuers. Subsequently updating myself about a conflict of.
A
Interest at all, is it?
B
Oh, it gets better, Leo. It's exactly this. What we have forming is a cabal. While updating myself about what's been going on and poking around the industry, I stumbled upon an interesting tidbit that pretty much explained what's happening. The light bulb lit for me. There's been a recent significant increase in cloud-based code signing. In other words, the push for shorter and less convenient use of the super secure hardware security modules, by shortening the maximum life of the certificates they can contain and store while providing no automation for their management, has the indirect effect of actively discouraging code signers from obtaining and managing their own code signing certificates. It appears that the future of code signing will be the establishment of a subscription relationship.
A
Oh my God.
B
Yes, you're right.
A
It does get worse.
B
It does get worse. It will be the establishment of a subscription relationship with a major provider such as GlobalSign or DigiCert. Remember that what code signing actually signs is a cryptographically secure hash of some code. This makes it entirely feasible for that process to be remoted with a cloud-based service. A cloud-based code signing utility takes a cryptographic hash of the code to be signed and forwards it to the signing provider's cloud service after verification and validation of the identity of the signing party. And note, Leo, this is the glitch here, because they still have to verify. The cloud provider needs to verify the person asking for this to be signed is who they say they are. Well, have we ever seen authentication fail? Huh? Once that's done, though, after first verifying, of course, that their subscription is in good standing and they're all paid up, the cloud signing provider uses the customer's own private key, which the provider maintains for them and their customer never receives or sees.
A
Why would you want your own private key after all?
B
That's right. Trust us. Trust. Exactly. That's right. We'll keep it for you.
A
Oh my God.
B
They sign the hash of their code for them. The signed hash is then returned to the customer, whereupon the cloud signing utility affixes it to the end of their code to complete the signing process. So taken in aggregate, what has happened, and this is deeply disturbing, is that to an ever increasing degree, all code from anyone and anywhere is inherently mistrusted by default, and will probably only run on Linux unless it has been signed by one of a diminishing number of increasingly large select few signers, who are pretty much free to then charge whatever they wish for the privilege.
A
This is enshittification. Exactly.
B
Yes it is. Yes, that is exactly what it is. What has slowly been growing and evolving is a cabal. We've been witnessing a consolidation of certificate authorities over the past decade as the bigger fish swallowed up the littler fish, while also, not surprisingly, raising their rates. Today the least expensive code signing certificate I could locate was IdenTrust's at $270 per year. But purchasing a three-year certificate offers a 20% discount. So that's $647 for three years. They'd like to get your money up front if they can. GlobalSign is just over twice as expensive per year at $550 with no multi-year discount, and DigiCert leads the pack at $840 per year. Think about that for a second. $840 per year for no reason other than because they can. And because we, code authors everywhere, will have no recourse, no choice.
A
And this really impacts you because you're not running your software on Linux. You're running on Windows. So this will be a requirement, right?
B
Yes. My stuff will not run unless it is signed. I made a mistake over the holidays because I've been producing incremental updates of the DNS Benchmark. I'm going to have a really neat surprise for all DNS Benchmark people in another couple weeks. But I dropped an unsigned copy on VirusTotal and, oh, it lit up like a Christmas tree in red. And I thought, what the heck? And then I thought, oh, thank goodness, it's just because I forgot to sign it. I signed it. 0 out of 73 or 72 AV tools thought there was a problem. Unsigned? Not a chance. And then of course we have that new SAC, the Smart App Control in Windows 11, that doesn't allow an exception. We stumbled on that a couple times. Good news is you try a couple hours later and then it works. So it's, you know, okay. Anyway, so the upshot is all of the commercial platforms now require code to be signed. And a very small and shrinking group of increasingly powerful commercial authorities have decided to follow the TLS model of continually shortening the lifetime of those code signing certificates which they alone are empowered to issue. Today's code must be signed. Even the Notepad++ guy, he's now got a GlobalSign certificate. He had to buy one because he had no choice. Today's code must be signed. So code authors have no recourse other than to pay an annual tribute to the certificate gods in order to qualify for the privilege. It's against this backdrop that the certificate authorities all voted to take two full years off of the maximum code signing certificate lifetime that we have today, reducing it by 24 months, from 39 months to 15. Why? Because they can. They all voted for it because there's no one to stop them. Certificates that have been locked up in hardware are not subject to remote attacker theft, period. And we know where this is headed, right? We've seen this play out already with the web server TLS certificates.
We've watched as TLS certificate lifetimes gradually dropped from their original lifetime of 10 years and are now headed down to 47 days. A few years from now, with certificates expiring more often than every seven weeks, as they will be, automation becomes the only practical solution, despite all of the many inconveniences it incurs in situations where the use of the ACME protocol is not practical. And there, I mean, it's creating lots of problems for people. And so the same thing is clearly happening with code signing. Once the various certificate authorities get the infrastructure in place to support cloud-based code signing, that'll be the only practical way code can be signed. Maximum code signing certificate life was just reduced for no reason, effective this coming March 1st. Does anyone imagine that will be the end of it? In the future it will be necessary for anyone who wishes to produce software for general use that any platform will accept, except Linux, which will be the haven. Essentially, they will need to obtain and maintain an account with a cloud-based code signer.
A
What happens when you write your own code? You can run your own code on your Windows box?
B
No, no, I can't. The only way I could do it was by whitelisting the entire asm tree on my system before I was. When I set up a new system and I forget to do that, the code I assemble and link into an EXE is immediately deleted from the hard drive.
A
Oh my God, that's awesome.
B
That's the world we're in now.
A
Now you can disable this feature, right? Under Windows 10.
B
I can. Windows 11 is coming with this new SAC, the Smart App Control. It cannot be turned off. If it's turned off, and you can force it off, you can then never turn it on again, because Microsoft has decided that, oh well, if you're going to turn it off, we're not going to let you turn it on. You have to reinstall Windows 11.
A
Yep. Yeah. Yeah.
B
So I mean think of it, Leo. I mean basically all of this original PC hobby control, which you could argue built this industry is going commercial and is being taken away from us.
A
And this isn't really the spirit of personal computing, if you ask me. No. If you can't write your own software, it's not your computer.
B
Right? Right. So I don't know when this is going to happen. It'll be gradual over time, that is, the shortening of code signing certs. But watch it. It happened just like it did with TLS certs, and we have a model for that today. No one needs to wait. DigiCert is ready today for only $1,104 per year.
A
What?
B
$1,104 per.
A
100 bucks a month.
B
They'll be glad. But wait, there's more. They'll be glad to sign your code in the cloud, but there's one limit, Leo, a glitch.
A
What?
B
They limit it to a thousand signatures per year. I'm not kidding. Unlike the past world where, after obtaining a code signing certificate, we were free to exercise our right to sign as much code as we liked, once code signing has evolved into a disservice, the provider will hold not only our private key, but all the cards. And with ever fewer certificate authorities, we can expect this to continue increasing in cost. So what if. For what? What?
A
For what?
B
I know. So now not only do you have to pay $1,000 a year or $1,100 a year, but there's a limit on how much you can sign, because now it's a service and they can.
A
But okay, that's like 1100. A thousand different programs, not the same program a thousand times.
B
Well, yeah, you would never. But, for example, right now I've been producing incremental builds.
A
Oh, every version is a different program.
B
Yes. Yeah, we're at release 85. All of them signed. Because all of the people testing have to have a signed executable or their Windows won't run it.
A
So you could easily hit that limit even with just one package, one piece of software.
B
Yeah.
A
Wow.
B
So for what it's worth, anyone who's been signing their own code, who may be getting ready maybe to make that jump, might wish to grab a 39-month code signing certificate, that is to say three years and three months, while you still can, prior to March 1st. You'll be able to obtain an additional two years of hassle-free, cloud-free and also unlimited (no one's counting your signings) code signing. And frankly, thanks to our listeners' generous purchases of SpinRite and our new DNS Benchmark, all of which is signed, I can afford to take my own advice and I plan to do so. I will be refreshing my code signing certificate before March 1st so that I can get 39 months and push off for another three years and three months whatever happens next, you know, and that means that I won't need to keep continually updating a hardware security module. You know, while that's not a big problem, it should not be necessary. There's no big problem that's being solved by shortening the lifetime of any certificate that's stored in hardware. So forcing this upon the world appears to be about nothing but profit and control. Because they can. I'm sure our listeners are also aware that none of our real world experience suggests that the use of, as I said before, a remote third-party cloud-based signing system would actually be more secure than simply signing with the use of a local physical dongle that can remain offline, unplugged, you know, until it's needed. Earlier I glossed over the fact that the remote code signing service would need to be certain that the certificate's owner is the one requesting some code be given their signature. You know, I don't know that I want my private code signing key held in the cloud by a third party. How is that more safe for me? It's less safe.
A
What if they have a breach?
B
Yes, exactly.
A
And it's not like that's never happened.
B
Exactly. And before we leave the topic of certificate lifetimes, I'll remind everyone of the upcoming March 15 deadline, which is also approaching. That's when maximum TLS certificate lifetimes will be cut in half, from around 398 days to just 200 days. So anyone who may need to be managing TLS certificates manually, and as I said there are still many such use cases, updating close to but before this upcoming March 15 deadline will allow you to defer the need to find some better solution for another 13 months before it gets cut in half. So Leo, we are in a different world, and as I said, this is just... it feels so usurious. Nothing costs them $1,000 for an automated service. Nothing. It used to be, what, $45 for a code signing cert.
A
You know, it's pure greed.
B
It is, and there's... we have no control. I mean, there's nothing you could do. There was some dialogue about this in the GRC newsgroups, and someone suggested, well, what about... and in fact he was an author of freeware, or charityware, I think, some application that supported the members of his church, and he said, I can't afford, you know, hundreds of dollars every year to have a code signing certificate. He said, I mean, I can't. But of course his members are all using Windows, because that's the most common desktop platform still. So what does he do?
A
Yeah, you can't tell your potential customers, oh, just disable security on your system and then you'll be able to. You can't say that. That's so...
B
No, you can't. No. And Microsoft has made it one way. It used to be, under Windows 10 with Defender, that it would quarantine and you could go in and click a few, you know, drill down and say, no, trust this.
A
Or, that's how it is on the Mac right now. But probably not for very much longer, I would imagine.
B
Yes. And it's gone. It has disappeared from Windows 11. They said no, all in the name...
A
...of security, but we know better. It's not more secure.
B
And that's just it, Leo. It's not. And this is, as I said at the top of the show, it feels to me like, because we can, we use our fancy technology to do these things. You know, it's like the UK saying, well, we want decryption of, you know, messaging, because we know you geniuses can figure out how, and you'll make it safe, and you'll just do it because we're going to pass a law that says you have to. Just nerd harder.
A
That's what Cory Doctorow says, nerd harder. You're not nerding hard enough. Is it possible, Steve, for somebody to do what Let's Encrypt has done and make an open source code signing, like free code signing?
B
Windows would have to decide to trust.
A
Microsoft would have to support it.
B
Yes. Yeah, Microsoft and Android. And Android. And they would say... And so there is a difference in the model, though. Let's Encrypt verifies your control of the domain. The only thing the TLS certificate is doing now is giving you encryption. That's why it's called Let's Encrypt. It's not saying who owns the domain, it's saying whoever owns it can have a certificate to encrypt it. That's where this is different. Code signing certs say this person or company, you know, is the producer of the software. So there is some work that they have to do in order to say, okay, you know, you're who you are. So it's not automatable in the same way. If it were, then malware would all do it. So malware has to go to some lengths to fraudulently obtain a code signing certificate. But you know, they will, and they will then use it like crazy until it becomes blacklisted, and then they'll get another one or pull another one out of their queue of previously acquired, maliciously obtained certificates. But it feels to me like all of the legitimate use cases for unsigned software are being killed in the name of trying to pursue forcing everything to be signed, even though that signed code will still have bugs. It's not like the bugs disappear because you have a signature. It's just saying we know who signed this. It's like it's creating a big barrier that doesn't actually improve security. It's not. And it's not like... when are we talking about maliciously signed EXEs? On this podcast we talk about everything that happens that isn't a problem. It's like certificates being stolen from websites. It's easy to say, oh, they could have their certificate stolen. Well, that doesn't solve the problem. You still need to route traffic. You need to maliciously route traffic to a domain name, to a bad server. So even stealing a certificate isn't the end of the world.
You've got to somehow arrange for that domain to map to an IP which is malicious, which also has that certificate. So we're doing all these things that really create serious inconvenience for very, very, very little gain. Again, why? Because they can. And I was reminded of something I said on this podcast earlier. I, as the owner of GRC, should have the ability to say my security model is fine with a TLS certificate that has a five-year life or a ten-year life. If Microsoft or Amazon or eBay want to have 47-day or four-day continually renewing certificates, great, let them have them. Why force the world down to this lowest common denominator?
A
Especially if it doesn't improve security. It doesn't. Yes. And it just gets in the way of people who want to own their own computer, own their own system. I mean, I understand we've got a situation where we've got malware and bad guys rampant, but this is not the way to stop that.
B
Yeah, we have a guy in the newsgroups, first name is Alan, who wants to run his own email server. Well, email has to be TLS, but email isn't a web server that can accept an ACME challenge.
A
Automated. No.
B
And so, you know, it's like he's going through all this too. It is just diminishing returns.
A
Yeah, well, it's good for Linux.
B
Actually, Linux is beginning to look mighty fine, yeah. And I did find myself wondering, although this isn't a solution for everybody, whether Wine cares about signatures.
A
I'm sure it does.
B
It does. There's no enforcement mechanism.
A
It's not running Microsoft Windows, it's emulating it. Not even emulating it.
B
So you don't have Defender sitting around stomping out things before they have a chance to see the light of day.
A
Interesting. And Wine runs a lot. I mean, look, Windows compatibility on Linux has gotten very good, partly because of gaming.
B
Yeah.
A
And Wine has done a great job. I mean you can pretty much run anything now.
B
Yeah, I've learned a lot in the last few weeks after releasing the DNS Benchmark, because so many people want to run it on Linux, and there are a bunch of, like, commercialized Wine packages. The Wine license allows commercial reuse of all of that good work. And they, like, round off the rest of the rough edges and, you know, create more of a drop-in solution.
A
Yeah, it's a business model.
B
Yeah, yeah, yeah. But I can't tell everyone, go get Linux and then, like, software...
A
This is the problem. And if you're a business, you're going to be running Windows. If you're a church, you're going to have to support parishioners that run Windows. You just have to. Yeah, they're so dominant now. Somebody's pointing out, well, I guess you could install a local certificate if you're a business. You could install a local certificate on all the business's computers. So you could run your line-of-business software that you wrote without signing, or you would sign it, you'd sign it with that private certificate as opposed to a public certificate. Right. You just add it to the certificate store, say yeah, this is trusted. But that's not a solution, except in that environment where you control every computer in that environment.
B
Well yeah, try telling people who come to your website, here, install my own CA certificate in your root.
A
That must be what happens. I mean, my Synology NAS does not have a certificate. The first time I go there in my browser it says, oh, you sure? You sure? It still lets me get through. And once I go once, I say yes, I never have to see that again. So it must be installing a certificate at that point.
B
Well no, it still sees that there's a problem. It just put in an exception. It said okay, it whitelisted that. Yeah, yeah, yeah.
A
You want to take a break? And... I really, for a variety of reasons, I'm becoming more and more disenchanted with big tech, big operating systems, and I really feel like... I've always felt strongly that open source is the right solution. But more and more I don't want to participate in these big tech things. I want to run my own AI locally. I want to run it on a Linux box. You know, I want to do my own thing. But that's a very... most people cannot do that. It's just, it's a privileged position to be in to say that you can do that. Oh, well, all right. Well, we'll have more in just a bit. Steve Gibson, he's going to have a little coffee. He'll feel better. I hope you do too. Actually, Steve and I are very excited. We are planning a trip to Orlando, Florida.
B
We're going to Disney World.
A
Actually, we're going to Zero Trust World. Very excited about this. This portion of the show is brought to you by ThreatLocker. They do a wonderful conference every year all about Zero Trust. They are the Zero Trust company, and Steve and I are going to be presenting at that. I'll tell you more about that in a little bit. But let me tell you about ThreatLocker first. It's certainly not necessary to tell you that ransomware is just killing businesses worldwide. But there is a way around it. ThreatLocker, it can stop ransomware before it starts. Not just ransomware that it knows about. Zero days. Ransomware no one's ever seen before. Ransomware custom designed to target you. Recent analysis from ThreatLocker shows how one particular ransomware operation, I think it's Qilin, it's called, in 2022 had 45 incidents. They were just getting started. Last year, 800 incidents. And that's just one of dozens of ransomware gangs. ThreatLocker's Zero Trust platform stops Qilin, stops them all, even the brand new ones, because it takes a... and this is what's so great about Zero Trust... a proactive deny-by-default approach. Deny by default blocks every action that's not been authorized, explicitly authorized. It protects you from both known and unknown threats. ThreatLocker, they call it their ring fencing. ThreatLocker's innovative ring fencing constrains tools and remote management utilities. It keeps attackers from weaponizing them. So even if they're in, they can't. There's no lateral movement. They can't mass encrypt stuff. They can't exfiltrate, they can't do anything. ThreatLocker works across all industries. It provides very robust 24/7 US-based support. Really great support people. It works on Windows, it works on Macs, and it enables comprehensive visibility and control, which is great in a world where compliance is important too. That's just one of the nice side effects of Zero Trust, because everything has to be approved.
You know exactly who did what when. You have complete visibility and control. And this is the kind of solution that companies that can't afford to be down for one minute need to rely on. I'll give you an example. Emirates Flight Catering. You know, this is like the best airline in the world year after year. And their food, amazing. They're a global leader in the food industry, and they're big. I didn't realize it's 13,000 employees just for the catering. ThreatLocker gave full control of apps and endpoints, improved compliance, and delivered seamless security with strong IT support. Just ask the CISO at Emirates Flight Catering. He said, quote, the capabilities, the support, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate; with ThreatLocker it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. It's not just Emirates Flight Catering, it's JetBlue, it's Heathrow Airport. Remember, they had some problems before, they were down for a little bit. They've decided that's never going to happen again. ThreatLocker is the solution. The Indianapolis Colts use ThreatLocker. The Port of Vancouver uses ThreatLocker. ThreatLocker consistently receives the highest honors in industry recognition. It's a G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot ranked it number one in application control, and it got GetApp's Best Functionality and Features award in 2025. Visit threatlocker.com TWIT to get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com TWIT. For a limited time, we've got a code for you: ZTWIT26. Zero Trust World is ZTWIT26, all one word. I think it's all caps, ZTWIT26. That's 200 bucks off registration for Zero Trust World 2026. And it gives you everything: access to all sessions and hands-on hacking labs.
You get meals, you get that after party. The most interactive hands-on cybersecurity learning event of the year. It's March 4th through the 6th in Orlando, Florida. Join Steve and me, and do register to save 200 bucks with the code ZTWIT26. threatlocker.com TWIT. I'm looking forward to this. It's going to be very, very interesting. And this will be a chance to see Steve in a little bit different setting, I think. Yeah, we're gonna make a show out of it. So even if you're not at Zero Trust World, you'll be able to hear what we do. But I think it'd be fun to be there in person. I'll never forget, we went years ago, it must be 30 years ago now, to Chris Pirillo's Lockergnome in Des Moines, Iowa. You remember that?
B
Oh yeah.
A
And just impromptu, Steve and I, we went down. We were in the lobby of the hotel. They had a nice little lounge with a fireplace. We sat down, we started talking. And as you were talking, it was like the Maharishi was there. People started to gather. The crowd got bigger and bigger. Pretty soon you were holding court.
B
Leo, I think you're being a little too generous. I was unknown at that point. You were the celebrity.
A
Oh, I... well, once people heard what you were talking about.
B
Well, I was the keynote speaker, so I guess somewhat known, but it was.
A
A long time ago.
B
Yeah, yeah. That was when I first met Mark Thompson. I had never met... we knew of each other, but... AnalogX. Yeah, yeah. And he came out for that purpose.
A
Yeah, yeah, yeah. It was a lot of fun. Anyway, back to the show.
B
Okay, so.
A
No, come on, more bad stuff.
B
Yeah, we were talking not long ago about this sad idea that ChatGPT's clean, answers-only dialogue might become laden with advertising. Now, anyone who was around during the birth of Google will fondly recall those original, super clean, no-nonsense Google search results. I mean, it was so nice. Well, those days died once Google realized how much money could be made through advertising. One of the observations I can't help making is that AI is currently a money-losing enterprise with high hopes for the future. But it's astonishingly expensive at the moment. And that's worrisome because I, like many others I'm sure, and I know you, Leo, have now figured out what our current AI is and how to leverage its benefits for our lives.
A
Oh my God, it's amazing.
B
I don't ever want to lose access to it. No, it is really phenomenal.
A
It is, I'm afraid, because I use Claude Code. So now for everything, for configuration, for setup, anything, you know, I would say, oh, my laptop buttons don't turn the screen up and down. How do you fix that? And Claude Code...
B
Fixed it, Fixed it.
A
I know. You used to have to go look, you know, go to Reddit, do all these... It just knows. It goes, yeah, fix that. If I lose that, I don't know what I'm going to do.
B
I feel a little guilty sometimes asking it dumb, like, obvious things just because I'm lazy. But it's like, well, there's the answer.
A
And, you know, it's not judging you.
B
And Leo, I do despair a little bit about young ones who grow up with an AI always there. I mean, you've got an oracle at your elbow that just... like, why, you know, you're going to end up just learning how to steer it rather than...
A
You know, Steve, remember we used to have to... if you wanted to know, like, who starred in that movie in 1939, you'd have to go to the library and look it up. But now you've got all that in your phone, and we're all used to it. People don't have to research stuff anymore. This is just the next step along that road.
B
We had to learn. We had to know what eight times eight was, Leo.
A
Yes.
B
We had to learn how to do multiplication. That will no longer be needed.
A
I'm sure when people first got calculators, they said, oh, kids will never learn the math tables anymore. Which is probably true. You know, we had a story on Sunday on TWiT. They took away the cell phones in New York City schools, and it's been a problem because high schoolers can't read analog clocks. So they keep asking, hey, what time is it? They keep asking the teacher, what time is it? And the teacher said, I'm at the point now where I'm saying, well, where's the big hand? Where's the little hand? So this is just the way of the world. Yeah. I don't know how to shoe a horse.
B
If you asked a whole line of a bunch of high school seniors and said, okay, do some long division, they'd say, what?
A
What? How do you do that? What, can I use Claude Code? Yeah.
B
So a couple of days after Christmas, Tom's Hardware posted reporting along these lines, which I wanted to share because it contains a bunch of additional interesting detail as well. Tom's Hardware's headline was, ChatGPT Could Prioritize Sponsored Content as Part of Ad Strategy. Now, unfortunately, having the phrase "ad strategy" affiliated with AI, that's sad. But they open by posing the rhetorical question, are we going to see ads in ChatGPT's answers soon? And they explained, writing: OpenAI is allegedly still working on adding ads to ChatGPT, with sources saying staff are discussing ways to bake them into the chatbot's responses. According to The Information, the AI company is looking to create a new type of digital ad rather than simply copying what existing search and social media companies are running. Well, okay, maybe there's a little bit of hope. This is possible because OpenAI can use historical chat data to serve ads that are highly relevant to users' interests. Okay, now I'm going to interrupt here just to note that it's difficult to argue with that. Right. You know, I mentioned that many of us have come to understand what's going on with LLMs, and we understand that one of the things we've come to learn and appreciate is the context window that an account holder builds over time. I remember being taken aback the first time ChatGPT offered some example code to me in Intel assembly language. I was like, what? How does it know? I was quite certain that, you know, it wasn't what it would have offered most users, but I've come to appreciate the degree to which it's able to tune its replies based on our dialogue's history. So, you know, this is not to say that it's going to have any advertisers in its bag that will necessarily match up with my particular interests. That's going to be a problem, right? It's got to have somebody to offer to me.
But you know, I certainly understand the notion of an AI that's been working with someone for a while being unusually well suited to matching them with relevant advertisers. That idea, I think, has clear merit, and we know from our previous study of advertising tracking and profiling that much more accurate matching means much more revenue for every highly targeted ad. Anyway, Tom's continues, writing: OpenAI told The Information, quote, as ChatGPT becomes more capable and widely used, we're looking at ways to continue offering more intelligence to everyone. As part of this, we're exploring what ads in our product could look like. People have a trusted relationship with ChatGPT, and any approach would be designed to respect that trust. Okay, let's hope, anyway. Tom's Hardware wrote: staff discussions on ad implementations have ranged from prioritizing sponsored content in the chatbot's answers to adding a sidebar that shows ads related to the user's query. They've also considered showing them only when the conversation moves towards shopping or similar activities, or as a secondary step where ads are displayed only when someone clicks a link in ChatGPT's results. It's been reported that OpenAI is shifting its focus away from ads, especially after CEO Sam Altman declared a code red for the company following the latest version of Google's Gemini, which outpaced ChatGPT in several benchmarks. Altman said that OpenAI needed to improve the AI chatbot's personalization, speed, and reliability and cover a broader range of topics, so the company is pausing work on all other projects to focus on these capabilities. However, it seems to be continuing progress on ChatGPT ads despite the recent change in focus. ChatGPT has three main revenue streams at the moment: subscriptions to ChatGPT Plus, Pro, and Business; API access for developers; and enterprise solutions.
Aside from that, writes Tom's, OpenAI said it will start earning revenue from non-paying users by 2026, projecting $2 per user per year, which will grow to $15 per user per year by 2030. Despite that, OpenAI has yet to turn a profit since its founding in 2015. Even though its annualized revenue hit $10 billion earlier this year, it's still expected that the company's operating losses will hit $74 billion annually by 2028. Nevertheless, investors continue to pour money into the company, even as some are starting to ask how its long-term profitability will look. For comparison, they finish, Google's ad business accounted for $237.8 billion in revenue in 2023, representing 77% of the company's total revenue. This amount is more than enough to cover OpenAI's estimated losses, and it seems it wants to follow the search giant's playbook by baking ads into its results as well. However, this also raises privacy concerns, especially since ChatGPT likely has much more information about its users than Google does. Furthermore, there's the question of how OpenAI will ensure its LLM gives the best answer to the user, especially if it stands to make money by showing ads instead of organic results. And to that I will say, oh boy, nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback that the AI receives. So Leo, what do you think about ads?
A
Well, it's all in how you do it, right? I mean, the worst thing of course would be, as you say, if you included the ads in the response and it's not clear that it's an ad. I mean, look, we have ads, and I think that's how we support ourselves. I think ads are okay as long as they're clearly identified. Advertisers, of course, always want you to somehow hide the fact that that's an ad. They love that.
B
There's a great publication called The Hacker News, and I love it. In the last couple of years they began slipping in interstitial, like, you know, paid-for insertions. Yeah, that's not... there was no way to look at them and know that's what it was. And you had to read a little ways in, and then you go, oh, wait a minute. And it's sad, but I call that advertorial.
A
Or sometimes, if they don't want the word "ad" in there, they'll call it... what was it? Something content. Custom content or something. It's not okay. And we don't do it. And your AI should not do it either. But if it's a little thing on... and, you know, I understand why they're saying shopping, because if you go to an AI and you say I want to buy running shoes, and they put a link to a place to buy running shoes and it says "ad", I think that could even be helpful. Right?
B
Yeah, yeah. I know that, you know, Lori and I are sharing an account, which makes me a little uncomfortable because I wonder if it thinks we have... if ChatGPT thinks it's a split personality.
A
Yeah.
B
But I look at the dialogue history, and I mean, she's using it for all kinds of things which are definitely commercial front-end. So, you know, she's asking it for, like, you know, give her a table of, you know... we're in the process of getting ready to set up a new household. So there's, like, all these things that she's, like, you know. Exactly.
A
So, I mean, we're gonna have to pay for it one way or the other eventually.
B
Yes. And I'm glad you said that, because it did say in Tom's reporting that non-paid users would be generating ad revenue. I, you know, I find ads abhorrent. There's not an ad on GRC. I could have ads on GRC and we'd be making money from all of the page views we get. There's not an ad there because, you know, I practice what I preach, and...
A
Right.
B
And so I wouldn't have a problem paying more than, what is it, 20 bucks a month or something that I'm paying. 20?
A
Yeah.
B
Plus, yeah, I mean, I'll pay 50 for what I'm getting. You know, by the way, I did see my little $10 from Bitwarden. I got my little receipt at the beginning of the year, so...
A
Oh, good. Yeah, I know. I like paying for Bitwarden.
B
So we do pay, you know, we pay for the things that make sense.
A
But that's what we have to get used to, is that this whole idea, this feeling that things were free, has always been not true. And you've got to pay for the stuff you use. You just do. And that's just the way it is. Nothing's... it shouldn't... it's not free.
B
It can't be free. Well, and the ad revenue model has shown that it works. As you said, that's why TWiT is still here. And I'm here indirectly because TWiT is still here.
A
Right.
B
It's what broadcast TV survived on. And the problem is it can be a slippery slope, right? Because if you have some number of ads in your TV show, there's just so much temptation to squeeze another one in, you know, at the expense of content. It's like, you know, so just don't.
A
Okay, stop.
B
So anyway, it's going to be interesting, but again, I think this needs to get paid for. I'm reminded of your comment that the cost that OpenAI is expending is in training, not in querying. So I'm hoping that, you know, it's...
A
Getting cheaper for sure.
B
That, yes, that... because, I mean, generating 10 billion and losing 74, that's not the future.
A
No. In fact, at CES, Nvidia announced chips that are considerably more powerful at a lower price. So you're going to see...
B
This is why I think it is so stupid to be building up data centers and, like, using your GPU inventory as the asset against the loan that you took out, because you have rapidly depreciating inventory, right? Oh, that's just nutso.
A
This is going to be an interesting year. I think that's probably the best way to think of it.
B
We went a long time to our first break. Let's take one now, and that'll kind of put us back on track.
A
Gladly.
B
About the Python Package Index's increase in security.
A
I have a sponsor that should interest you and everybody who's listening, because we're all nowadays working in the cloud. We use Google Docs or Microsoft 365. Most businesses... our business is completely Google Workspace. Well, let me tell you about our sponsor for this segment of Security Now, Material. They are the cloud workspace security platform built for lean security teams. Managing security in a cloud workspace is a... it's a challenge, right? And by the way, phishing is far from the only way in. Today's email security basically ends at the perimeter. It's assumed, well, the email got through, must be okay. But new attacks are so hard to detect. Not just in email, but, you know, you've got siloed email, but you also have data. You have identity security tools. Material protects the email, they protect the files, they protect the accounts that live in Google Workspace or Microsoft 365. If your business runs on those cloud systems, you need Material. Because effective email security today needs to do a lot more than just block phishing and other inbound attacks. It needs to provide visibility. It needs to provide defense across the workspace threat surface. That's Material. Material ingests your settings, your content, and your logs to give you holistic visibility into the threats and the risk across the workspace, along with the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. Yeah, automated remediations. So even when you're not on duty. Material is phishing protection and email security, combining advanced AI detections with threat research and user report automation. And because we're all in this together, detection and protection of sensitive data across inboxes and shared files. You get account threat detection and response. People are trying to hack...
I don't know why, but everybody's trying to hack Lisa's Google Workspace account pretty much all the time. You need Material account threat detection and response, with comprehensive control over access and authentication of people and third-party apps. If you're living in the cloud, it puts your attack surface out there. You need something that's smart about cloud security: Material. It empowers organizations to rapidly mature their ability to detect and stop breaches, with step-up authentication for sensitive content. It's got something I love. You've got to take a look at this on the website: blast radius visualization for accounts, and the ability to detect and respond to threats and risk across the cloud workspace. Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API-based implementation and flexible, automated, and one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. Hey, we all need help, right? Give me all the help you can give me. Material protects the entire workspace for the cost of email security, with a simple and transparent pricing model. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more or to book a demo. That's Material, M-A-T-E-R-I-A-L, dot security. This is an idea whose time has come. We are living in the cloud, and now let's have some cloud-based security for everything we do there. material.security. We thank them so much for supporting Security Now. Steve.
B
So there's finally some good news.
A
Oh, I've been waiting. Oh my goodness.
B
On the Python Package Index, the PyPI repository. From PyPI, posted in their "PyPI in 2025: Year in Review", they said: As 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. This year we focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency. Let's look at some numbers that illustrate the sheer scale of PyPI in 2025. And I put them in the show notes because they're like, wow. So they've had more than 3.9 million new files published during just that year, 2025. Last year, 3.9 million new files. More than 130,000 new projects created, 130,000 new projects. 1.92 exabytes of total data transfer. I don't even know what that is. That's a big number. Giga... gigabyte cake. All right, gigawatts. It's gigawatts.
A
It's many, many, many, many bytes.
B
2.56 trillion total requests served, which is an average of 81,000 requests per second. So think about that. 81,000. Every single second of the day, 81,000 pulls from the package repository. So that really does give some sense for the scope and scale of today's repositories. And PyPI is not even the big one. NPM is the, you know, is the biggie on the block. So it becomes, you know, very clear how rapidly, and here's the security front, how rapidly a popular package, if its developer's account were to become compromised, would have the ability to spread. I recall when the notion of a supply chain attack was a new term for us. Yeah. And a new concept on this podcast. Oh, supply chain. That's interesting. Let's talk. What's that now? Sadly, it's become one of the most prevalent and worrisome security classes that there is. Their posting noted these numbers are a testament to the continued growth and vibrancy of the Python community. Then they said let's dive into some of the key improvements we've made to PyPI this year, and I'm just going to do the top lead one, which is security. They said, security first, security always. Security is our top priority and in 2025 we've shipped a number of features to make PyPI more secure than ever. Enhanced two factor authentication for phishing resistance. They said we've made significant improvements to our two factor authentication implementation, starting with email verification for TOTP based logins. This adds an extra layer of security to your account by requiring you to confirm your login from a trusted device when using a phishable two factor authentication method like TOTP. And I'm going to come back to this in a minute. They said since rolling out these changes, we've seen more than 52% of active users with non-phishable two factor authentication enabled. Okay, so wait a minute. What we, what we see on this podcast over its 20 plus years is evolution.
Recall when the concept of a continually changing six digit code was going to be the end all be all end of security. Remember the little eBay football? The what? PayPal or whatever?
A
PayPal football.
B
Yeah, the football is Joe. Look at that Leo. It changes its digits every 30 seconds. No one's ever going to be able to hack that. Okay. It was exciting because even if some site were to lose control of its static passwords, no bad guy would be able to produce the one in a million six digit code that was correct for that moment, but changed every 30 seconds. Well, that was a nice theory while it lasted, but then reality struck. We learned that practical applications of time based one time passwords actually needed to open a surprisingly large acceptance window for codes. Remember that Microsoft's was like five minutes or something. It's like what the heck, you just, you know, I mean you could email it to somebody or almost postal mail it anyway. It turns out they needed to accept many minutes worth of codes on either side of the optimal code in order to minimize false negative failures caused by desynchronized clocks or, or communications delays. You know, or even maybe, you know, the users cutting and pasting or emailing themselves the codes or, you know, who knows why, but that was the reality. But the real death knell sounded when the bad guys realized that those larger acceptance windows meant that users could be readily phished by having them attempt to log into a fraudulent website, which they might get to by clicking on a link in email, which of course is able to obscure its actual domain. They would provide their username and password and then be prompted for their one time password. The bad guys would collect all of that and log into their account on their behalf. And, you know, imagine then if that might be a corporate VPN they were logging into, or remote access portal, or who knows what, maybe credentials for API access that the bad guy would then be able to acquire. Much damage could result.
So what the PyPI folks are saying is that sure, by all means use two factor authentication, but, and I'm putting words in their mouth, so many of our past PyPI package submitters' accounts have been hacked even when they were protected, in air quotes, by time based one time passcodes that we are now strongly urging all developers to allow us to require that they also, on top of all that, respond to a link emailed to their account's registered email address. The requirement of an email loop authentication slows down the whole login process. No doubt about it, it's not as convenient. But the demonstration of control over an email account remains a strong, useful and intuitive authentication factor which displays every sign of being with us for many years to come. So it's great news that PyPI is actively working to strengthen their authentication. And I hope everybody else follows suit because, as we know, accounts being taken over of legitimate high reputation, high integrity software publishers and repositories that then, you know, quickly have their stuff embedded with malware which is being downloaded at the pace of 81,000 pulls per second. That's a problem we still have to solve. Shortly before Christmas, Microsoft's Windows IT Pro blog posted the news that Windows 11 would be adding support for hardware encryption and decryption to their BitLocker whole drive encryption system. The chart of the relative performance of no BitLocker compared to software versus hardware crypto turns out to be quite bracing. But let's first see what Microsoft explained. They wrote, we know that users desire both security and great performance, right? Historically we've strived to keep BitLocker performance overhead within single digit percentage points. However, with the rapid rise in popularity and advancement of non volatile memory express, NVMe, drive technology, these drives now achieve much higher input output operation speeds.
As a result, corresponding BitLocker cryptographic operations, this is Microsoft can require a higher proportion of CPU cycles. This makes the performance impact of BitLocker more pronounced. Oh, Leo, I've got a picture for you on page 8 here. Especially on high throughput and IO intensive workloads like gaming or video editing. Okay, that's. Wow.
A
It does make a difference. Holy.
B
Oh boy. In other words, what they're saying is, and this makes sense, there's a fixed absolute overhead cost that's required to encrypt and later decrypt all of the blocks of data being written to and read back from non volatile mass storage. It's a function of the data size. The cost is a fixed function of both processor speed and the amount of data being read and written. Significantly, it is entirely independent of the storage medium being written to or read from. Microsoft talks about the overhead as a percentage that's added to the time that would be required without BitLocker. That's certainly a reasonable way to view the encryption overhead, right? As, as a, how much did this add to what it would have been otherwise?
A
Right.
B
But then along come these pesky super fast NVMe drives, which are essentially PCIe devices themselves. SATA drives used a SATA interface to a SATA controller, which was then attached to the processor's PCIe bus. And SATA was never optimal for, for doing this, which is why you need a controller. It basically packages up the old IDE interface into a packetized system. And of course I know all about that from having written a SATA driver myself for Spinrite 6.1. But NVMe drives need no controller. They are themselves first party PCIe devices. So they're able to stream their data at the highest speed possible directly to and from the rest of the system. What this means in practice is that, excuse me, someone inside Microsoft realized that the actual delivered performance of NVMe drives was now being dramatically limited by the fixed speed overhead introduced by BitLocker. The chart above, right in the show notes, which was kindly provided by Microsoft, demonstrates the significance of the encryption overhead. The shortest center bar shows the average CPU cycles per I/O operation without any encryption. The hugely tall orange bar is the average number of CPU cycles incurred by software BitLocker encryption. Okay. And, and for those who can't see it, it's quite sobering. It stands about four times the height of the no-encryption bar. And finally, by comparison, the hardware accelerated BitLocker only adds a modicum of additional overhead to the no-BitLocker transfer. So the very clear takeaway from this is that anyone who is currently using BitLocker on an NVMe drive without the benefit of Windows 11's forthcoming BitLocker hardware encryption, which is to say everyone today because it doesn't exist yet, is seeing only a fraction of the performance they could be obtaining from that drive without the comparatively massive overhead that's being introduced by BitLocker. Now, somebody may be wondering about Spinrite.
I brought it up, so I'll just mention that you get 100% full performance with Spinrite regardless of whether BitLocker is present or not. Because Spinrite 6.1 doesn't bother with BitLocker encryption and decryption, it just works on the raw encrypted data. But when you actually need to read, write and understand and use the drive's data, as Windows does, then you have no choice other than to run through BitLocker's crypto pipeline. Since the performance with and without BitLocker and with and without hardware acceleration is pretty astonishing, let's see what Microsoft has to tell us about this. They continue writing, as NVMe drives continue to evolve, their ability to deliver extremely fast data transfer rates has set new expectations for system responsiveness and application performance. While this is a major benefit for users, it also means that any additional processing, such as real time encryption and decryption by BitLocker, can become a bottleneck if not properly optimized. For example, professionals working with large video files, developers compiling massive code bases, or gamers demanding the lowest possible latency may notice delays or increased CPU usage when BitLocker is enabled on these high speed drives. Balancing robust security with minimal performance impact is more challenging than ever. The need to protect sensitive data remains critical, but users also expect their devices to operate at peak efficiency. As a result, the industry has needed to innovate new solutions that ensure both security and speed are maintained even as hardware capabilities advance. To achieve this, we announced Hardware Accelerated BitLocker at Microsoft Ignite last month. Hardware Accelerated BitLocker is designed to provide the best combination of performance and security. Starting with the September 2025 Windows Update for Windows 11 24H2 and the release of Windows 11 25H2.
In addition to existing support for UFS (Universal Flash Storage) inline crypto engine technology, BitLocker will take advantage of upcoming, and that's the key, upcoming system on a chip and central processing unit capabilities to achieve better performance and security for current and future NVMe drives. So they said these capabilities are two. First, crypto offloading. BitLocker shifts bulk cryptographic operations from the main CPU to a dedicated crypto engine. This capability frees up CPU resources for other tasks and helps improve both performance and battery life. And second, hardware protected keys. BitLocker bulk encryption keys, when necessary SoC support is present, are hardware wrapped, which helps increase security by reducing their exposure to CPU and memory vulnerabilities. This is in addition to the already supported Trusted Platform Module which protects intermediate BitLocker keys, putting us on a path to completely eliminate BitLocker keys from the CPU and memory. All that's great. Unfortunately we don't have it yet. They said, when enabling BitLocker, supported devices with NVMe drives along with one of the new crypto offload capable SoCs will use hardware accelerated BitLocker with the XTS-AES-256 algorithm by default, which is what you want. This includes automatic device encryption, manual BitLocker enablement, policy driven enablement, or script based enablement. With some exceptions, we have enhanced the architecture and implementation of the Windows storage and security stacks to support these new capabilities as an operating system enhancement that will bring value to all capable PCs over time. And here it is. Upcoming Intel vPro devices featuring Intel Core Ultra Series 3, formerly codenamed Panther Lake, processors will provide initial support for these capabilities, meaning nobody can have it today on today's hardware, with support for other vendors and platforms planned.
Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market. Okay, so all of this fancy new BitLocker crypto engine pipeline support will only be available when using these next generation Intel processors, which, as it turns out, were just unveiled by Intel yesterday at CES, our annual Consumer Electronics Show.
A
And I just bought a laptop.
B
This means exactly you and everybody else, Leo, that regardless of the version, regardless of the version of Windows being used, 7, 8, 10, or even the latest 11 on our current hardware, the use of BitLocker is exacting a tremendous, typically unseen performance penalty that Microsoft is only now disclosing because they have a solution. Of course it requires buying new hardware, but that seems to be what Microsoft wants to happen, thanks to, you know, Windows 11 needing new hardware too. But that solution is, you know, for tomorrow, not for today. I would say that if anyone has a BitLocker encrypted NVMe drive, which they encrypted out of the box just because, why not, where their operating environment doesn't really require that the whole drive be encrypted, and where they'd rather receive a significant, apparently, so says Microsoft, boost in performance, it might be worth considering de-BitLockering any high speed NVMe drives you might be using, reducing the load on your processor, improving the real time performance of everything else because BitLocker is not hogging your CPU, and finally obtaining the true performance that's available from a state of the art NVMe drive. Everything that Microsoft wrote about the increased overhead of fixed speed encryption and decryption in light of the newer, faster performance of NVMe drives, it makes absolute sense. What might also make absolute sense is waiting until your machine's hardware is able to support ultra low overhead BitLocker encryption, unless having it now is really necessary. Microsoft ended their post by showing how anyone could check to see whether a BitLockered drive's encryption was hardware accelerated. They wrote, to check if your device is using hardware accelerated BitLocker, open a command prompt as an administrator and run manage hyphen BDE. You know, that's BitLocker Drive Encryption, so manage hyphen BDE space hyphen status. Look at the encryption method section.
If hardware accelerated is shown, it indicates that BitLocker is utilizing the system on a chip's (SoC's) crypto acceleration capabilities. So I've got it in the show notes at the bottom of page 10. It's on the screen. Thanks Leo. No one is going to see that today, but this is a useful tip for the future when you're running Windows 11 on the newest hardware that may be able to offer this support, and that may be why you purchased the newer hardware. Many years ago, back when we were talking about and exploring whole drive encryption with TrueCrypt, I clearly recall wondering about the performance overhead of using it. So I did some benchmarking of a system's read and write performance with and without TrueCrypt. I recall being surprised that I was unable to detect any performance overhead being introduced by its on the fly encryption and decryption. All in software, of course. And while I no longer recall the specifics, it's likely that the system I was using back then had a fast processor and a comparatively slower spinning hard drive. So as a consequence, the overhead that was being introduced by the encryption and decryption would have been completely masked by the drive's physical read write performance, because those two things were able to happen in parallel. So the drive's read and write performance would have been the limiting factor. It would have been slower than the system's ability to encrypt and decrypt its data. What's changed since then is that now we have not only solid state mass storage as the new default, but that storage is being attached directly, directly to the system's I/O buses with no controller translation going on in between, allowing today's mass storage to deliver unprecedented performance. Software based encryption and decryption cannot keep pace even with, you know, it doesn't matter how many cores you have.
One of the things that is happening is that pushing all that data and running decryption in software is flushing your processor cache. So, so it is, I mean it is really rough on the, on the whole system to, to be, you know, doing bulk encryption and decryption by CPU. You don't want to have to if you don't, if you don't really need to.
A
See, I always turn on full drive encryption, especially with SSDs because as we've talked about before, you really cannot wipe an SSD very effectively. Right?
B
That's true.
A
So if I don't use encryption up front, I'm probably storing stuff on the in the clear on that drive. That can't be.
B
I would say that you, you can't know that you have wiped an SSD. The, this Secure Erase should even deal with all of the little pockets of, of swapped out, you know, leveled regions and, and, and no longer effective chunks that have been mapped out of, of the SSD's use. Secure Erase should do that, but you're trusting the manufacturer to, you know, to implement that correctly. So if you, I mean if you really are belt and suspenders, then yes, you would turn BitLocker on. You know, I turn on full disk.
A
Encryption on everything I have. It's on by default on a Mac, FileVault. On Linux I use LUKS. And I think BitLocker is on by default on Windows Pro. I'm not sure about Windows Home, but the point is.
B
Otherwise it's not turned on by default on installation. You have to. No.
A
Okay. It is on a Mac. That's interesting that Microsoft doesn't do it. Maybe that's why I'm sure that there's a similar hit in full disk encryption on other systems. But I don't know.
B
Yeah, after covering this, I did not take any time to look around. I'm sure people have done benchmarks that are going to be available so we can see what that is. There is a version of a drive that does it itself, but they are extremely more expensive. You know, they're like data center high end Drives, they're like triple the price. But it does, it has a, an AES encryption hardware. Well, in fact, that's what the iPhone has. You know, the iPhone storage is also.
A
Everything's encrypted.
B
Yeah.
A
So maybe, you know, hey, we're, you know, we're not getting the full amount of speed that we could be getting, but it's still faster than your old spinning drive in that old processor. A lot, right?
B
Yep. I don't know.
A
I think I'm gonna always still use full disk encryption just to be interesting.
B
To see what, what the, what, what.
A
The overhead is, what the hit is.
B
Yeah, yeah. I won't be turning it on because, you know, my environment doesn't really require it. So let's take a break and then we're gonna talk about, as you mentioned, Leo, the odd inclusion of two lines in the New York City recent mayoral inauguration. What. What is banned from being brought.
A
It's telling, isn't it?
B
It's, it's bizarre.
A
Yeah. Yeah. Okay. Well, our show today, brought to you, as it often is, by our good friends at Bitwarden, the password manager I use and strongly recommend. It's open source. That's the reason I use it. It's also the trusted leader in password, passkeys and secrets management. Consistently ranked number one in user satisfaction by G2 and Software Reviews. With over 10 million users across 180 countries, more than 50,000 businesses. Whether you're protecting one account on your personal system or thousands in your business, Bitwarden keeps you secure all year long with consistent updates. I'm always impressed. Maybe it's because it's open source, but the speed with which they add new features is very impressive. They've just added for enterprise something called Bitwarden Access Intelligence, which lets organizations detect weak, reused or exposed credentials and immediately guide remediation right there at your user's desk, replacing risky passwords with strong unique ones. This closes a major security gap. Credentials are still one of the top causes of breaches because people, you know, reuse passwords, they use weak passwords, their passwords are exposed in breaches all the time. But with Access Intelligence, those exposed credentials become visible, prioritized and corrected before exploitation can occur. You got to have this in your business. They've also introduced something brand new. Bitwarden Lite. Bitwarden Lite. This is interesting. This is probably maybe more for us geeks. It delivers a lightweight self hosted password manager. It's for home labs, for personal projects, for environments that want quick setup with minimal overhead. This is a self hosted Bitwarden vault. It's now enhanced with real time vault health alerts. Actually all Bitwarden users get this, password coaching features that help users identify weak, reused or exposed credentials and take immediate action to strengthen their security. Bitwarden now supports direct import too.
This is great. You don't have to export into clear text and then import into Bitwarden and then make sure you remember to delete the clear text and all that.
B
No, no.
A
Bitwarden supports direct import from your existing browser password vaults like Chrome, Edge, Brave, Opera and Vivaldi browsers. I guess those are all Chromium based browsers. Direct import copies credentials from the browser right into the encrypted vault without requiring that extra plain text export. That is a lot safer. It also simplifies migration. You don't have the same kind of exposure that's associated with manual export. Like you forget to delete the clear text version of it. Always makes me nervous. It's one of the reasons both Steve and I moved from that other password manager to Bitwarden. We were very careful. We deleted the clear text and now I'm not moving again. I'm staying right there.
B
That's.
A
This is it. I'm very, very happy with Bitwarden. G2 Winter 2025, the one that just came out, reports that Bitwarden continues to hold strong number one in every enterprise category. And that's now the sixth straight quarter number one in all enterprise categories. Maybe that's because Bitwarden setup is so easy. It supports importing from almost all password management solutions. So it's quick to move over. I think it's really important. It is to me that Bitwarden is open source, GPL licensed. You can see it on GitHub, you can inspect it. It's also regularly audited by third party experts. That tells you there's no backdoors, there's no insecurity. They're using well known standard crypto. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA and CCPA compliance. It's ISO 27012002 certified and you can get started today with Bitwarden's free trial of a Teams or Enterprise plan, or as an individual, free across all devices as an individual user, free forever, at bitwarden.com/twit. That's bitwarden.com/twit. You might want to do what Steve and I do. We pay 10 bucks a year for the premium just to show our support for Bitwarden. But you don't have to. bitwarden.com/twit. Yes, it supports hardware keys, YubiKeys. It supports everything. Secrets, passkeys, unlimited passwords. bitwarden.com/twit. And I once asked them, because we know other password managers that had free trials that yanked them back. And I said, can you ever do that? And the guy at Bitwarden, he's great, he said, no, we can't. We're open source, Leo. Even if we did, people would just go, well, that's that. I'm forking it. And we'd always have it for free. So they know perfectly well. Free forever. That's another benefit to open source. bitwarden.com/twit. Take a look at the Enterprise or business plans too, because they're great, and the Teams plans. Those are not free forever. Obviously those are business plans, but for individuals, bitwarden.com/twit. Thank you Bitwarden for doing a great job.
Happy to give you my 10 bucks every January. Okay Steve, let's talk about the Raspberry Pi.
B
Okay, so last week the newly elected and controversial mayor of New York City was inaugurated. And that's not an event that would normally be mentioned here, but this inauguration was a bit special. I'm going to deliberately keep those who haven't already heard about this a little bit in suspense for just a minute because the reveal is just too much fun. The reporting that I want to share over this is from a perfect perspective and by someone who writes quite well. They wrote, public safety rules should be dull in the best possible way. Clear, predictable, written by people who understand what actually causes harm in a crowd of thousands. New York City usually gets this right. It has decades of muscle memory for doing hard things in public under pressure without panicking. Which is why the prohibited items list for the January 1, 2026 New York City mayoral inauguration block party seemed off. Okay, and at this point, the post provided a link to the list of prohibited items, which I'm going to share with our listeners. The notice read, Prohibited items. All spectators will be screened as they enter the viewing area. The following items are prohibited: Large bags, weapons, fireworks or explosives, large backpacks or duffel bags, drones or remotely controlled aerial devices, strollers, coolers, chairs, blankets, umbrellas, beach balls, bicycles or scooters, alcoholic beverages, illegal substances, pets other than service animals, large items that could obstruct views of spectators around you, laser pens, bats and batons. And finally, tacked onto the bottom of the list as the final two items, what do we find? Flipper Zero and Raspberry Pi. Yep, we wouldn't want any of those crowd disturbing technologies or capabilities being bandied about casually. The posting to the blog of the well known and very popular Adafruit website continues: Explicitly banned, Raspberry Pi and Flipper Zero. Why not categories, not capabilities?
Two named devices, brand trademarked names, parked right next to weapons, explosives and drones. As if the list itself is supposed to do the thinking for us. Raspberry Pi is a general purpose single board computer. It shows up in classrooms, newsrooms, accessibility rigs, art installations and civic tech demos. Flipper Zero is a consumer electronics testing tool, but its functional territory overlaps heavily with laptops, smartphones, radios, microcontrollers that remain perfectly legal to carry. If the concern is electronic interference, signal disruption or hacking, the policy does not say that. It gestures vaguely by naming a couple of gadgets and hoping the implication sticks. Curiosity, it seems, is now contraband. There already is a list of prohibited items that works great at Times Square on New Year's Eve, one of the most tightly secured public events on the planet. The prohibited list is blunt and practical: backpacks, drones, weapons, alcohol, large objects that block movement or sight lines. The rules focus on crowd dynamics and physical risk. They do not play whack-a-mole at the end with brand name electronics. When a policy bans specific devices rather than behaviors or capabilities, it creates ambiguity for people on the ground. Once a Raspberry Pi is banned, a smartphone sails through security despite being way more powerful, more connected and more capable of surveillance, disruption or both. That's not a security framework, that's a vibe based list. Maybe it was AI generated. That would be interesting if that was what happened. If the goal is to restrict electronic interference, the language should say so plainly. Unauthorized transmitters, signal interception tools, electronic hacking devices. Those are enforceable things already. Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy. There's a cultural cost to banning brand names like Raspberry Pi.
New York is full of educators, artists, technologists and journalists who use small embedded computers as tools of expression and access. A device specific ban turns curiosity itself into something suspicious while ignoring the far more capable computers already in everyone's pockets. The future ban list will have everything.
A
This is my favorite part of this article here.
B
Today it's, yes, the enumeration. Today it's Raspberry Pi and Flipper Zero. Tomorrow it's BeagleBone Blacks, Arduino Unos, ESP32 dev boards, Teensy boards, Pine64s, Orange Pis, Jetson Nanos, USB logic analyzers, SDR dongles, Bus Pirates, DEF CON badges, hotel key cards, garage door openers, Tamagotchis, graphing calculators, old Nokias, Game Boys with link cables. A TI-80, a TI-83 calculator, right, held sideways. A pocket operator making beeps too abrasively. A Furby with unresolved father issues. And some guy's wristwatch that definitely has a microcontroller in it. Meanwhile, everyone walks through holding a smartphone that can film, scan, transmit, triangulate and live stream the entire event in 4K. Yeah, he said. I tried to find emails to someone on the mayor's team, DM their socials, etc. So far, here's what I received from the mayor's team and some auto replies and bounces, quote, looping in Audra Heinrichs to help answer your questions. All the best, Penelope Birnbaum. Penelope was the press assistant on Kamala Harris's presidential campaign and now press and digital associate, Zohran for NYC. Audra Heinrichs, quote, directed all press logistics on the Mamdani campaign's final events. Public safety is a beacon, a flashlight, not a fog machine. They have heavy hitters here. They can fix this. The list feels symbolic rather than functional. New York has done better before and it can do better again. There's enough time for the new mayor's team to check this out. And if they do, I'll get word out and say there will be no tickets to a security theater. So, you know, I can, I can kind of see the Flipper Zero being on the list. I mean, if it's gonna, if you're gonna have something like that. And I can see why it might have needed to be named directly. You know, it is now a famous mischievous hacking tool that you could argue has no real place or purpose at such an event.
If someone were to attempt to bring one in, although I'm sure they could smuggle it, it would not be unreasonable to ask them why they have it and then probably hold it for them until they were leaving afterward. And you know, really, it would need to be called out by name, since using the generic "no transmitters allowed" would of course include everybody's phone. But that said, I can totally agree that the idea of the Raspberry Pi being put on the list is nothing short of nuts. And I could see why this author wondered whether AI might have had a hand in there. Although, you know, it's all academic now, it would be interesting to know exactly where those last two items came from. You know, like, how did they find themselves on the list?
A
It's just a curious. I mean, I can't see getting upset about it. Although I am upset about another thing. Why do we always blame AI when people do stupid things? Humans are very capable of doing stupid things all by themselves.
B
We have. Well, first of all, humans train the AI and we have a new whipping boy. Oh, it must have been AI. That's right.
A
This does not sound like something AI would say. This sounds like something somebody who kind of half had an idea that.
B
Yeah. Someone that someone's nephew said. Yeah.
A
You know, you really shouldn't let Raspberry Pi. Again, I agree with you. I could see Flipper Zero. That's. That's a hacking device. That's what that's designed to do.
B
Yeah.
A
What would you do? What, carry a bare Raspberry Pi in your pocket? What?
B
And a power supply and antennas and stuff.
A
It's like what we talked about on Twitter and they said, why didn't they ban Wi-Fi Pineapples? I mean, let's. Let's get serious.
B
There's some.
A
There's some stuff they could have been, but you can't. There's no way you can make a blanket list now. There's too many ways people can do things. Anyway, I want to hear about this new show. I want to know about this.
B
I have, yes, I have the best news for our sci-fi enjoying listeners. Okay, Forbes' headline was, Forbes' headline was "Netflix's best new show has a 100% Rotten Tomatoes score. But there's a catch." They're describing a two season, 16 episodes in total. And this is me speaking. I've watched it. Astonishingly well conceived science fiction time travel series that can currently be found on Netflix and Apple TV. Amazon Prime Video only has season two and the rights are expiring this. Okay, this thing is called The Lazarus Project. Lazarus. The Lazarus Project. There's a movie by the same name. And as you'd expect, Lazarus generically has been used several times before. There. There's a. There's a movie there. There's a Lazarus Project movie, Lazarus Files and other stuff. What you want is The Lazarus Project. So beware of name collisions when you're searching. The one I'm talking about is a two season British television production. I was made aware of it when it popped up on Netflix with the news that it would be leaving a few weeks from now on January 28th. I don't know whether or when Apple TV and Amazon may be losing it, but since I never want to be without it, I mean that I never want to be without this after getting a couple of, no, it is so good, Leo. I don't even have to worry about overselling it. I know I tend to oversell things, but when I'm excited about them or infatuated. But oh my God. After getting a couple of episodes into the second season, I immediately purchased both seasons on Apple TV. They were $20 each, but you know, I assume that means if I bought them on Apple TV, I'll always have access to them. Apple TV is not going to say, oh, sorry Steve, you. You paid 20 bucks and now you can't see it. Okay, following their headline, Forbes wrote, "Netflix's best new show has a 100% Rotten Tomatoes score, but there's a catch."
They wrote, that show is The Lazarus Project, a sci-fi series that originally aired in 2023 on Sky, but has now ported over its two seasons to Netflix. The series has a perfect 100% score on Rotten Tomatoes from critics, an infrequent feat. Okay, I checked over on Amazon Prime, where it has a 4.8 out of 5, with most giving it 5 stars and a few giving it 4. No one gave it a 1, 2, or 3. Now I'm mystified by the show's comparatively low 7.3 rating over on IMDb because I have never, and I really mean never, seen a more compelling, astonishingly clever and gripping time travel concept and plot. There is new stuff here. The Lazarus Project is truly remarkable science fiction. It's so good that I felt duty bound to tell everyone here, and I also posted about it over in GRC's sci-fi newsgroup. One of the denizens who hangs out over there replied, I watched it somewhere besides Netflix, and I have to admit, he said, I was amazed as well. But I strongly recommend that people binge watch it because the plot is highly complex and some critical plot points happen almost in passing. This is not a series to watch in the background while you're doing something else. No, I can't even. I can't even imagine. I keep hitting the backspace button in order to catch something again because, I mean, there is so much there, he said. The logic of the time resets will have you twisted in knots at times, but it's a completely new take on time travel. And I replied to Milton's posting writing, I agree 100%. It takes extreme attention and focus, which is part of what makes it so good. It's the absolute reverse of "nothing much happened during that episode." The sense is that they're working to cram as much content into each episode as possible, and they succeed. Oh, okay. So I'll just say that the series has been nominated for a BAFTA award. BAFTA is the British Academy of Film Awards, which is Britain, Britain's highest honor for British cinema.
There is a downside, which is the catch that Forbes referred to in their headline. It's that the series apparently did not plan to end after just two seasons. It proved, I believe, to be a bit too much for Sky TV's British viewer demographic, who probably did want to be able to do something while they, like, iron or something while they were watching TV, you know. And I understand. I mean, it really is a lot. Lorrie is lost. She's like, okay, would you just tell me what happened? Because, I mean. Oh, Leo, it is so.
A
I can't wait.
B
It is so good. So Sky chose not to commission a third season and we're left a bit hanging. Milton said that it looked like they tacked on kind of some. Some attempt to satisfy. And I got right. It was. It was almost 1am this morning when I could not make myself watch the final one because I had to go to sleep so I could do the podcast.
A
You watched the whole two seasons in one evening?
B
No, no, no, no, no. It took. It took the. I did the first three, then I was hooked. And then I did the second season in two pieces of. Of two blocks of two and five or something. And then. Or. Or two and two. And then I watched the. The. The third. The second season in three parts. Anyway, the point is I am one episode from finishing. I did not get the final episode, but. Oh, my God. This second or the last one? Last night. Oh, I mean, it. It. Oh, wow. Anyway.
A
Wow. I can't wait to see this.
B
It is really, really good. So if you don't have Netflix, I'm trying to think, you could purchase, but you could purchase. But if you have Apple TV, you could buy the first episode for whatever it is, $2.95 or something. Just the episode, right? Then when you see how good it is, you could join Netflix just to watch both seasons and then resign and save some money. In fact, if you haven't ever done Netflix before, I think you can join and get a free week or something and then resign. Oh, it is. It is really good. And. And so probably by. If you actually start, Leo, you will be done by the time we talk about it, if we can. If you watch it by next podcast.
A
Okay.
B
Because.
A
Okay, I'll be that. That hooked. Oh, good.
B
It is. It is. Oh, it is beyond it. Is this the, the. Okay. I. Wow. Yeah, it's, it's just, it's a treat. So everybody, you know, and, and again, don't have, you know, like distractions while you're trying to watch it. You'll quickly see that you really need to pay attention. The acting is good as British. A lot of British TV really is where they have people you've never seen before, but they're really good. They just, it's. And, and it's one of those shows also where, where you kind of hope something's going to happen, then it does where like everything you want to have happen happens. So it's gratifying that way. But then they also completely keep you off balance with things that you didn't expect. And then afterwards you go, oh, that's so brilliant. Anyway, yeah, it's really good.
A
Can't wait.
B
Tom Kreitz sent me a link. He's a listener of ours. He sent Security Now feedback. It contained nothing but the link, which I would normally be a little skeptical about. But it was the subject of his email that caught my eye, which was "vitamin D and magnesium." And the link was to a just December 30th published piece on, on the Science Daily website. Science Daily does sort of synopses of other studies across the realm of science and sort of, like, like pulls them all together. So the piece was titled "Why your vitamin D supplements might not be working." Now, since I was unaware of a, of a tight link between vitamin D and magnesium, since last week's holiday podcast was a replay of our much earlier vitamin D podcast, and since magnesium happens to be another substance that I have extensively researched and experimented with, I wanted to share the substance of this piece, which is brief. The. The. The summary at, at the top says a randomized trial from Vanderbilt-Ingram Cancer Center reveals that magnesium may be the missing key to keeping vitamin D levels in balance. The study found that magnesium raised vitamin D in people who were deficient while dialing it down in those with overly high levels, suggesting a powerful regulating effect.
A
Yeah. Increases it or decreases it depending it.
B
Pulls it into the, into the proper range. They said this could help explain why vitamin D supplements don't work the same way for everyone and why past studies linking vitamin D to cancer and heart disease, as in prevention, have produced mixed results. The piece in Science News is a report on findings published in the American Journal of Clinical Nutrition. And so they went on to say the study, published in the American Journal of Clinical Nutrition, adds clarity to long standing debates about vitamin D's links to colorectal cancer and other diseases. These questions have gained attention due to mixed results from major studies, including the VITAL (all caps) trial. The new findings also reinforce earlier research from 2013 by the same team, which found that people with low magnesium intake often had low vitamin D levels as well. So again, there was a correlation. At that point they didn't have causation. You need to do what happened, which was a randomized controlled clinical study, in order to get the actual causal link. So they said, beyond confirming earlier observations, the trial uncovered an additional insight. Magnesium did not simply raise vitamin D across the board. Instead, it appeared to act as a regulator, lowering vitamin D levels in participants whose levels were already high. This is the first clinical evidence suggesting magnesium may help optimize vitamin D levels rather than just increasing them, which could be important for reducing disease risk linked to vitamin D imbalance. The Ingram Professor of Cancer Research and lead author of the study explained that the healthiest vitamin D range appears to fall in the middle of a U-shaped curve. Previous observational studies have linked this middle range to the lowest risk of cardiovascular disease. Despite earlier warnings, vitamin D did not show a clear link to cardiovascular disease in the recent VITAL trial.
Dai and co-author Martha Shrubsole, a research professor of medicine in the Division of Epidemiology, are now examining whether magnesium could help explain these inconsistent results. Their work is part of the ongoing Personalized Prevention of Colorectal Cancer trial. Shrubsole said, there's a lot of information being debated about the relationship between vitamin D and colorectal cancer risk that's based on observational studies versus clinical trials. The information is mixed thus far. The researchers turned their attention to magnesium after noticing that vitamin D supplements did not work equally well for everyone. Some people failed to raise their vitamin D levels even when taking high doses, Dai said. Magnesium deficiency shuts down the vitamin D synthesis and metabolism pathway. The study included 250 adults considered at a high risk for colorectal cancer, either due to known risk factors or because they had previously had a precancerous polyp removed. Participants received either magnesium supplements or placebo, with dosages tailored to their usual dietary intake. Shrubsole noted that vitamin D insufficiency is widely recognized as a public health concern in the United States, and many patients are advised to take supplements based on blood test results. She said, vitamin D insufficiency is something that has been recognized as a potential health problem on a fairly large scale in the US, and as we know, that's relatively recent, that was since we first did the podcast. She said, a lot of people have received recommendations from their healthcare providers to take vitamin D supplements to increase their levels based on their blood tests. In addition to vitamin D, however, magnesium deficiency is an under recognized issue. Up to 88.0 percent of people do not consume enough magnesium in a day to meet the Recommended Dietary Allowance, the RDA, based on those national estimates.
And we know the RDA is not the live long and prosper level, it's the keep yourself above ground, barely, level. Shrubsole emphasized that magnesium intake in the study matched RDA guidelines and suggested that diet is the best way to increase magnesium levels. Foods rich in magnesium include dark leafy greens, beans, whole grains, dark chocolate, fatty fish such as salmon, nuts and avocados. Okay, so having said all that, first, I want to acknowledge that I know this is not a health and nutrition podcast and that as a health hobbyist and tinkerer with no formal medical training, I would never presume to be an authoritative source of medical information. So for those who have no interest in the topic of health longevity, please rest assured that we will not be spending much time on the subject. I'm not going to go that. I'm not going to go there. That said, the subject of the preservation and maintenance of health, vitality and energy as we age is an extreme personal passion of mine. It's something I've quietly devoted a large fraction of my life to researching and understanding as well as experimenting with. So in reply to this article, which Tom brought to my attention, I'm going to share a bit more of what I've learned and practiced on the magnesium front.
A
Good, because yeah, I want to hear about this.
B
Yeah, so it is absolutely true that magnesium is a grossly underappreciated mineral. It is a required cofactor in more than 400 individual enzymatic reactions in our human body which transmute, you know, and being enzymes, are involved in transmuting an organic molecule from one form to another. The book I read back in 2009 that started me down the path to understanding the role and importance of magnesium was called The Magnesium Miracle, written by Carolyn Dean, who's an MD and an ND. I went over to Amazon to double check the spelling of her name and Amazon flagged that book as having been purchased by me in 2009. It's currently $6 on Kindle and available in audio, Kindle and paperback now. And in fact I'm holding it up to the camera. The front of the book says, titled The Magnesium Miracle, which annoys me because it's not a miracle. Right. It's science. But okay, she needs to sell some and apparently she still is. It says discovering the missing link to total health. Lower the risk of heart disease, prevent stroke and obesity, treat diabetes, improve mood and memory. So the problem with magnesium, the reason for that report's observation that there's a general magnesium deficiency in the US, is that natural sources of magnesium, you know, we don't synthesize the mineral in our body, we have to get it exogenously. And the natural sources of magnesium have largely been removed from our lives before we obtain, before we obtain our water from municipal processing plants, you know, which is what's happening now. We once used to drink water from wells or from river streams where the water would contain dissolved magnesium and we'd be consuming plants that were rich sources of magnesium. But plants don't synthesize magnesium atoms either. So if they're grown in magnesium poor soil, they're no longer able to provide the magnesium they once did.
And the water we drink now has been processed and filtered and chlorinated and bears very little resemblance to the water that was consumed by pre-industrial man. The upshot of living within a poor magnesium environment is a magnesium poor body that's unable to synthesize as many of the enzymes it would like to as it could if magnesium were available in greater supply. Now the problem is how to get magnesium into us, because that turns out to be a little tricky. One of the things anyone who practices dietary supplementation comes to appreciate is that it can be difficult to get some substances into our bloodstream due to the fact that they must first survive our stomach acid's deliberately low, acidic pH. And after surviving our stomach, the substance will be absorbed by our intestinal lining into our bloodstream. But its first destination will then be our livers, where it may need to survive what's known as first pass hepatic metabolism. Our livers may wish to take it apart and use its bits for its own purposes. So what about magnesium? Our stomach's low-pH acidic contents are the death of most forms of supplementary magnesium, at least as far as disassociation from its carrier atoms is concerned. When my physician recommended, at my age, and this was several decades ago, that I should start probably having a periodic colonoscopy screening, he handed me a large empty plastic jug. Well, it wasn't completely empty. There was a loose white powder in the bottom of the jug. My instructions were to just fill it with water and shake it up to dissolve the powder. Then I was to pour a cup of this mixture every hour and drink it until the entire jug was empty. And not long after that, my entire intestinal tract would also be similarly empty and I'd be ready to have my intestinal lining inspected for any abnormalities. I'm sharing this seemingly off topic story because that loose white powder wasn't the only thing that was loose at that point.
That loose white powder in the bottom of the initially empty jug was pure magnesium oxide. Magnesium oxide is the least expensive and least well absorbed of all magnesium formulations. It was what was traditionally used, along with ample water, to flush out one's intestines.
A
Because what's in milk of magnesia.
B
Yes, exactly.
A
Interesting.
B
So my point is, this is not the magnesium you want to take.
A
You want to absorb it.
B
Yes, yes. If you're interested in replenishing and increasing your body's magnesium levels. Now, there are many forms of magnesium. There's magnesium oxide, citrate, magnesium malate, taurate, orotate, L-threonate, and so on. All of these are simple salts of magnesium. And they all have their proponents.
A
They also all have, and probably meaninglessly on the label, different uses. Like L-threonate, it goes through the blood brain barrier.
B
Well, yes, it is. Magnesium L-threonate is unique in being able to cross the blood brain barrier.
A
Okay, okay. So that's not untrue. So.
B
Okay, no, that, that is true. And, and so, you know, I guess they, and they all have various benefits, except probably magnesium oxide, which is just really a laxative. So as you experiment, you will find that magnesium in general has this effect.
A
That is, by the way, Epsom salts are magnesium sulfate. So we've been used. This is an age old remedy, isn't it?
B
Yes.
A
Wow.
B
Yes.
A
Okay.
B
Yes. So. So magnesium is not harmful in any way.
A
Well, there must be a fatal dose. I mean, I'm sure.
B
Well, actually no, because the. You are unable to absorb more than your digestive tract will give you. Okay, so, so anyway. So. So. So oxide is, is the cheapest, but you don't want to use it. It's just basically a laxative. And as you experiment with it, you will find in general, magnesium has that effect. It's not harmful in itself, which is why it was once used by the medical establishment as the standard means of preparing a patient for being scoped. Right, okay. But the key concept to understand is that the laxative effect induced by magnesium is the result of its non-absorption into our bloodstream. It's the magnesium that remains behind that causes that effect. What happens is our intestines are induced to osmotically pull water into them by the, by magnesium. So that's why that happens. It's not what we want for optimal health and certainly not for digestion. So the problem is that to varying degrees, all of those common, simple salts of magnesium succumb to our stomach's acidic environment. Their molecules disassociate into their constituent atoms, and then they suffer whatever fate awaits them. The problem of effective dietary mineral supplementation absorption was finally solved by a company called Albion Minerals. Their nutritional chemists came up with a means of sneaking magnesium and other minerals, because actually they sell a huge amount of their bulk product into the veterinary and animal breeding markets where you need healthy animals. Their nutritional chemists, as I said, they figured out how to do this by, by sneaking the minerals into our intestines without being broken apart by stomach acid. The key, it turns out, is instead of creating a simple salt to carry the magnesium, bind it into a dipeptide. Now, that sounds more complicated than it is. A dipeptide is just two amino acids. So there are two forms, two most common forms of magnesium, that are highly successful and are worth taking.
One is known as magnesium glycinate lysinate, and the other is magnesium bisglycinate. The first one, magnesium glycinate lysinate, consists of an atom of magnesium bound to the two amino acids glycine and lysine. Glycine is actually a very good choice since it's the smallest of all amino acids and also because glycine is another substance that most people could use a lot more of. The second form of magnesium, which is magnesium bisglycinate, is an atom of magnesium bound to a pair of glycine molecules. And this is handy since, as I said, being the smallest of all the aminos, there's a much higher percentage of elemental magnesium per milligram of the combined molecule. Okay, so the upshot of all of this is that either of these dipeptide forms of magnesium, and they're readily available, you know, at wherever, wherever you find supplements and minerals and so forth, they will strongly resist disassociation in our low-pH stomach environment. They will be able to transport the magnesium through our stomach and cross our intestinal lining to carry it into our bloodstream where it can be used by our body. So I should note that unlike vitamin D and many other bloodborne substances whose levels can be checked with a blood test, there is no reliable blood test for magnesium, because most of the magnesium that we have in our body is stored in our skeletal system where it is literally kept out of circulation. So anyway, if you decide to get serious about magnesium, and I, I certainly have, the first thing I would recommend would be grabbing Carolyn's book or otherwise learning, you know, much more about it than what I've just said here, because obtaining sufficient magnesium, I believe, is important. I only just barely touched on the importance of, you know, of this very much under appreciated and inexpensive mineral for both immediate and long term health.
Carolyn Dean and many others recommend that you experiment to find what's known as your, either sometimes they call it your bowel tolerance level or your gut tolerance level.
A
I think we know what that means.
B
Yes. That being the amount of magnesium you can consume in multiple divided daily doses, and you should divide them up, not take them all at once, where you begin to notice a laxative effect, and then back off from that until you are again comfortable. If you're taking one of the dipeptide forms, that should initially be a lot of magnesium. There was, I kid you not, Leo, that during my early experimentation there was a Christmas where I went up to visit my sister and her, her young kids at the time, where I was wearing a, some sort of a chronometer around my neck that beeped every hour and I would take a magnesium tablet. Oh, and my 7 year old nephew said, mom, why is Uncle Steve crazy?
A
Uncle Steve.
B
Crazy, crazy Uncle Steve. Yeah. Anyway, what, what I noted is that like nine months later I could suddenly take less than I used to be able to. And my brother in law, who's I, who I explained all this to and who also decided to get on the magnesium bandwagon, he reported the same thing. That is you are replenishing your depleted body for quite some time and once it becomes topped off you can't take as much as you were before because it won't get absorbed. So there's really that, I mean you some like real world evidence that you've just done something by, by taking a lot. And I also do know that my, my, my rate of occasional PVCs, preventricular contractions, you know, which is just a normal consequence that everybody has. They used to be far higher than they are now.
A
Is that when your heart skips a beat a little bit.
B
Exactly. Yeah, yeah, yeah. It's sort of a little double, you know, thumpa, thumpa and. And then there's a little bit of a pause and then, and then you go on. So anyway, I, I may be doing.
A
It wrong because I take magnesium L-threonate in the morning and I take magnesium citrate at lunch and I take some magnesium glycinate at night to go to sleep.
B
I think that's good because they all.
A
They claim to have different properties. Right?
B
Yeah. I take, I am experimenting with L-threonate because of the promise of it crossing the blood brain barrier.
A
Right. And that's a newer form.
B
Yeah, it's a newer form. It's more expensive because some, someone has a patent on it. So, so you're, you're, you're paying some, like some licensing fee. I, I just take, I, because I'm taking what I was always taking, which is the, the Doctor's Best high absorption. Yes.
A
Magnesium bottle of that.
B
Yeah. And I remember when I was telling, I was trying to turn my mom onto this, she said, honey, this is an SUV. She said, I can't take this. It's huge.
A
Oh, it is a big pill.
B
That's one of the things you also get used to after while is you know, swallowing a bunch of stuff and.
A
Frankly can you have too much though? Want to impede the digestion? Like I'm not going to get my nutrients.
B
No, it doesn't bind to anything else. So yeah, like I mean I really liked taking Metamucil. I got into Metamucil in the mornings because I just liked, you know, sort of an orange tart, you know, psyllium fiber drink. But it turns out you can't do it anymore. Well, you can't combine it with supplements because the psyllium fiber, the reason it lowers your cholesterol is it binds tightly with cholesterol in your intestines and transports it out. It also binds tightly with all of the, the mineral, the, the, the supplements you might be taking.
A
So, so you know, it's, as you know, I'm on Ozempic and it's been a boon to me. I've lost weight and my blood sugar is normal now and, and it's amazing. But one of the side effects is, because it slows the food moving through your stomach, that you feel bloated and you might be a little constipated because of it, or a lot, depending, you know. And I thought I was supposed to do more fiber. That's actually counter indicated because it just ends up your stomach's even fuller. And it turns out magnesium citrate is the, is the kind of recommended solution to that. And that's been okay, really good.
B
And the reason is that it's not as well absorbed. What I would do, what I do do so to speak, is I, I, I sorry, I couldn't resist. I, I just increase my, my consumption of glycinate lysinate because that has the same effect. You get to take more because it is much better absorbed. Citrate works at more.
A
It's not as well absorbed.
B
Yeah. Because it's not as well absorbed. So the magnesium that stays behind is the, is the one that causes the mischief. But you want some mischief. And I am getting just the right amount of mischief. I am, I'm taking a full milligram, which is to say 10 of those magnesium lysinate glycinates a day.
A
Okay.
B
Because each one has 100 milligrams. I'm sorry, a full grammar. They each have 100 milligrams of elemental magnesium. So 10 of those is a full.
A
Most of it is not being absorbed. Right. So you take a lot because a lot of it is just going right through you or.
B
No, a lot of it is being absorbed. But okay, but enough is not that it has that effect.
A
Okay.
B
And you can't overdose and I have, you can't. And I apologize to everyone for taking so much time. You might. The young kids are rolling their eyes going what the heck is he.
A
When you get to a certain age, children, right, you start to worry about these things. Let me just tell you, I can.
B
Say that I know that our, A huge body of our listeners find this really interesting and they like the fact that I bring science to, you know, to.
A
Yeah, we trust you not to be, you know, woo, woo about this.
B
Well there. And what fascinating is there are reasons this works. There's a reason dipeptide form is what you want. So.
A
Well, I have that doctor's best, probably because of you. The glycine.
B
Yeah. So it is the one. You could just take a few bottles.
A
Of that and take more of that.
B
You could just take more of that.
A
You know, one of the bad things about this as I try different supplements and so forth is I have a lot of bottles of supplements I no longer take. I don't know what to do with those. Yeah, I'll donate to Goodwill. Been there. Yeah. Now I have a very large bottle of magnesium citrate. Anybody want it? Okay, yeah. Let's take a little break and we are going to talk about mongo bleed. Mongo bleed.
B
Yeah, baby. And what I love about this is that everybody's going to understand the mistake. It's such a cool mistake.
A
MongoDB is everywhere. It's one of the most popular. No SQL databases out there.
B
That's exactly what it is.
A
All over the place. Yeah. So a bad flaw in it would be a bad problem. You're watching Security Now. We're glad you're here, especially you Club TWiT members. We hope you will continue to support the show by going to twit.tv/clubtwit. Increasingly, your support is what makes the difference to us. It's more than 25% of our operating costs now. That includes Steve. That includes keeping the lights on. Does not include me. It is really for doing our programming. You get a lot of benefits. Ad free versions of the shows. You get access to the Discord. You get special programming you don't get anywhere else.
B
You get.
A
You know, we've been doing this AI user group once a month. We just did it on Friday. It is incredible because we have some really smart AI users in our club. We talk about it. It's like the old school user group where we sit around and do little presentations for each other and talk about what we're doing. Just one of the many reasons I think it's well worth your 10 bucks a month. Find out more, twit.tv/clubtwit. Especially a thanks to our existing club members. We really appreciate that. Going into 2026, your participation is absolutely vital to us. So thank you. All right. Mongo Bleed. You did not name this, I take it?
B
No, no. Although I like the name and we'll see why.
A
It's got a little blazing Blazing Saddles thing going on.
B
Well, remember there was Citrix Bleed and there was Heartbleed. That's the famous one. Actually, Heartbleed is where this got its name. So what is it? Mongodb for those who don't know, is a source available? This is what Wikipedia explains. Source available Cross platform Document oriented database program classified as a NoSQL database product. They write. MongoDB uses JSON like documents with optional schemas. Released in February 2009 by 10gen now mongodb.inc it supports features like sharding, replication and acid transactions. From version 400 on MongoDB Atlas, its managed cloud service operates on AWS, Google Cloud Platform and Microsoft Azure. Current versions are licensed under the Server side public license, the SSPL. MongoDB is a member of the Mock alliance. They said. As of May 25, MongoDB was the fifth most popular database software. It focuses mostly on managing large databases of unstructured messy data. It's typically used for mobile and web apps that commonly use unstructured databases. As of 2024, there were 50,000 MongoDB customers. MongoDB was originally best known as a NoSQL database product. The company released a database as a service product called Atlas in 2016 that became 70% of MongoDB's revenue by 2024. Over time, MongoDB added analytics, transactional databases, encryption vector databases, ACID transactions, migration features and other enterprises enterprise tools. Initially, the MongoDB software was free and open source under the AGPL license. MongoDB adopted an SSPL license server side public license for future releases starting in 2018. For those who are interested, I included a chart of the top five databases since I thought that our more DB centric listeners might be curious about the industry's current database popularity LineUp which has MongoDB in fifth place. So Oracle is firmly in first place with a January 26th score. 
And wherever it was I found this, of 1237. MySQL is in second place at 867, Microsoft's SQL Server in third place at 706, PostgreSQL at 666, and MongoDB in fifth place at 376. So if it's at 376 and Oracle in first place is at 1237, you know, it's about a quarter of the popularity of Oracle, but still fifth place and a quarter of the leading DB. So that's a chunk. To give us a quick snapshot of Mongo's history, because this ends up being relevant, they wrote: The American software company 10gen began developing MongoDB in 2007 as a component of a planned platform-as-a-service product. Two years later, in '09, the company shifted to an open source development model and began offering commercial support and other services. In 2013, 10gen changed its name to MongoDB Inc. On October 20, 2017, MongoDB became a publicly traded company listed on the NASDAQ as MDB, with an IPO price of $24 per share. On November 8, 2018, with a stable release, and this is important too, 4.0.4. Okay, back in 2018. Back in 2018, yeah. The software's license changed from AGPL 3.0 to SSPL. On October 30... This is basically Wikipedia, just reciting some facts, but the last one is really relevant. On October 30, 2019, MongoDB teamed with Alibaba Cloud to offer Alibaba Cloud customers a MongoDB-as-a-service solution. Customers can use the managed offering from Alibaba's global data centers. And the final item in Wikipedia's short summary of notable benchmarks and O through time: in December 2025, a major exploit was discovered entitled MongoBleed. This exploit led to the compromising of many corporate servers. And of course it's that final bit of news which is the reason MongoDB is our main topic for this first podcast of 2026. Because a major exploit it was and still is, since we know how slow software updating can be, especially those servers forgotten and left in, you know, some closet gathering dust somewhere, but still being plugged into the Internet.
I've assembled a story of what happened here, starting in late December, from several sources. But I've chosen this not only because this is a new, significant, industry-wide mess, but also because the bug, as I've now noted several times, is now more than eight years old, and is thus present in virtually all instances of MongoDB. It is in many ways a classic mistake. No deep voodoo is used. By the time we're finished here, I'm pretty certain that every one of our listeners will clearly understand what happened, along with how and why. So what's being called MongoBleed is officially CVE-2025-14847, the CVE assigned to this recently discovered vulnerability affecting all versions of MongoDB since version 3.6, which was first published on November 28th of 2017. So this encompasses a huge span of major and minor releases, all of them. Essentially, it is a subtle bug which was introduced into version 3.6 a little over eight years ago, and it was not discovered until just over eight years later, by the MongoDB people themselves, internally, after everyone in the world had updated and upgraded to any of the past several years of releases, meaning that all, I'm sure all, MongoDB that is out in the world today incorporated this flaw, which was introduced at version 3.6. So now, as for everyone in the world, how everyone is that: the Internet scanning company Censys has identified on the order of 87,000 publicly reachable MongoDB instances. And that's of course the crucial bit of information, since it's those publicly accessible instances that the bad guys have access to, and access they have had. This is one of those inopportunely timed events which became public just before Christmas and was not the Christmas present many IT workers were hoping to unwrap. Exploitation of this long-present vulnerability allows an unauthenticated, meaning anyone, attacker, which is, you know, again, as you know, unauthenticated attacker is...
Now, the fancy way the industry refers to anyone, to read memory from the database server's heap, meaning anything that was allocated to memory from previous database operations. It's only the fact that this is not directly a remote code execution vulnerability that rendered this a CVSS of 8.7 rather than 9.8 or 10.0, house on fire, and so forth, you know. And it's because this vulnerability leaks database server memory that it's been named MongoBleed, which is meant, of course, to remind us of Heartbleed, which was a flaw discovered in OpenSSL's 1.0.1 implementation that leaked server memory through SSL connections. Okay, so here comes a description of this exploit which just ruined many Christmases, after bad guys figured out that they could spend their Christmas vacation reading out a bunch of MongoDB server data from around 87,000 publicly available server instances. Okay, first of all, MongoDB uses its own TCP wire protocol, that is, you know, a protocol on the wire, instead of, for example, something like HTTP. And that's not unusual for databases, especially when they are working to obtain the highest possible network performance. So a generic raw TCP connection is established to the server's TCP port 27017. Now, as an aside, when I just asked ChatGPT which port the MongoDB server uses, as I confessed earlier on this podcast, I've just asked ChatGPT things like this. I could have gone and looked, done a Google search, and I could have found the information too. But I knew that ChatGPT would know. So I asked ChatGPT which port the MongoDB server uses. And to that it told me it was 27017. It added the note: Exposing 27017 to the public Internet is strongly discouraged. It should be firewalled or bound to private interfaces only. Right? So even this unconscious LLM knows better than some 87,000 server deployments.
A
You see? You see, deployers. Don't blame the AI. People are dumb all on their own.
B
Okay, so just to be clear, MongoDB itself probably never needs to be publicly exposed. It would normally be sitting behind a publicly exposed web app server of some kind, serving as that web app server's back-end database. MongoDB itself really doesn't have any public exposure use cases. We've been talking a lot recently about the need to make these sorts of public exposure mistakes far, far more difficult to make. When I was swooning over Cisco's promises a month or two back, it was because the noises Cisco was then making strongly suggested that this might have finally sunk in. We can only hope and pray. Anyway. So we connect with TCP to the server's port 27017. Mongo uses a binary variant of JSON, J-S-O-N, called BSON, B-S-O-N. You know, binary object notation. So the request that's sent to the Mongo server contains one of these BSON messages, and for the sake of the speed of transmission, that request can optionally be compressed using zlib. Compression makes the message smaller, of course. So one of the 32-bit values in the request's header at the front of the message, which specifies that this request has been compressed, indicates the original uncompressed, you know, the decompressed size that the message would be, what it originally would be, and what it would again be when decompressed by the receiving server. So this allows the receiving MongoDB server to request the allocation of a block of memory from the underlying... actually it's the runtime, the C runtime, we'll get to that in a second, into which MongoDB will decompress the message. So an attacker creates and sends a server request which claims to contain far more data than it actually does. In response, the server allocates the requested memory. An attacker might claim, for example, that the uncompressed request will require one million bytes, one megabyte, when in fact it only needs 1K.
The critical flaw is that once MongoDB has finished decompressing, it never checks the actual resulting size of the newly decompressed payload. It trusts the data the user provided, using that as the actual size of the payload. Now, I need to stop here to hover over that phrase a bit longer. That phrase being: it trusts the data the user provided. If we were to produce a list of the root causes behind many of the worst flaws that have been found in software, trusting user-provided input would definitely be right up there near the top, if not perhaps in first place, since even buffer overflows typically result from the similar mistake of trusting and using something that a malicious user deliberately provided. In this case, we have a deliberate buffer underflow that results entirely from trusting input from the user. Okay, so what's the big deal about allocating an oversized buffer that's not needed? In many contemporary languages, memory allocated from a program is cleared to zeros. It's initialized to zeros before it's returned for use by the caller who requested an allocation of memory. But malloc, the memory allocation function used by C and C++, does not bother doing so. This is part of the trusting, performance-oriented but dangerous legacy of C. Since zeroing RAM takes time and blows the processor's cache, C deliberately returns uninitialized memory. And wouldn't you know, MongoDB is written in C. The result of the bug is that multiple megabytes of the server's raw internal data can be exfiltrated to the attacker. This data might, and often does, contain cleartext passwords and credentials, session tokens, API keys, customer data, database configurations, system info, Docker paths and client IP addresses, and so on. In short, all of the internal operations of the server that would otherwise never be made available to anyone, whether they had authenticated and were a legitimate user or not.
So to sum this up, an attacker sends an otherwise valid MongoDB message which indicates that it employs compression, but that compressed message is deliberately manipulated to specify a hugely exaggerated claim about the message's uncompressed size. Since the server has no way to know in advance, MongoDB obtains a large and uninitialized buffer from the C runtime based upon the attacker's message's claimed need. MongoDB's built-in zlib decompresses the much smaller compressed data into just the front of the huge decompression buffer, thus avoiding overwriting the mother lode of data that's already sitting there in that buffer. Subsequent commands then instruct the database server to return to this attacker what it believes is the user's provided data, even though it's actually megabytes of whatever data had been previously used and left behind by previous database operations and internal workings of any kind. It's obvious now why this critical flaw was named MongoBleed, right? And also why it was given a CVSS of 8.7. Although it doesn't allow a remote attacker to execute their own code on the server, it's a data exfiltration flaw of the highest order. That's just about as bad as it gets. Proof-of-concept code has been published on GitHub, and the flaw is trivial to exploit. There's nothing like "it only works less than one time in 1,000, and only when your code wins some slippery internal race condition" or something. No, this one is extremely straightforward. It obeys simple rules. The attacker receives much more than a tiny trickle of data, you know, over time, without raising any alarms, without crashing the server or otherwise calling any attention to itself. The abuse of this long-standing vulnerability that's been present in every version of MongoDB published in the last eight years allows remote bad guys to freely rummage around inside the more than 87,000 currently online and publicly exposed instances of MongoDB.
They're able to keep sucking out and examining megabytes of a server's data that is assumed to be utterly private internal working data, and which might therefore, and does, it turns out, often contain very juicy information. It's always fun to see Kevin Beaumont's take on these things. On December 16th, the day after Christmas, Kevin posted: Somebody from Elastic Security decided to post an exploit for CVE-2025-14847 on Christmas Day. The vulnerability, which dropped just before Christmas, in theory allowed memory read without authentication. Patches are available. It impacts every version of MongoDB going back about a decade. Another vendor decided it would be a great idea to post technical details on Christmas Eve, and he has a link to an OX Security blog. He said: The exploit dropped yesterday and is the first public exploit. It's dubbed MongoBleed. I validated that said exploit is real. You can just supply an IP address of a MongoDB instance and it'll start ferreting out in-memory things such as database passwords, which are plain text, AWS secret keys, et cetera. The exploit specifically looks for those classes of credentials and secrets as well. The Internet footprint of MongoDB is very large, over 200,000 instances. Because of how simple this is now to exploit, the bar is removed. Expect high likelihood of mass exploitation and related security incidents. The exploit author has provided no details on how to detect exploitation in logs via products like Elastic. Advice would be to keep calm and patch Internet-facing assets. So now we know all about this mess. And Kevin's ending advice to keep calm and patch Internet-facing assets reminded me of something Leo and I talked about long ago. We made the observation many times, in fact, that once a user's system had been infected by something, anything, it was never really again possible to trust it. How could anyone ever know with 100% assurance that every last bit of an infection had been removed?
And what about whether an infection might have spread over the local network to infect other assets? In short, it's a real mess. We've also seen instances where huge problems resulted when companies did not take prior intrusions seriously enough. The advice is always to, you know, rotate all credentials which may have had any chance of being exposed, meaning invalidate any long-term authentication tokens, change all passwords, and so on. But as I said, we keep seeing instances where companies, for one reason or another, you know what? Oversight, laziness, lack of belief that it was really necessary, who knows? But for whatever reason, they failed to adequately and fully remediate the consequences of a breach, only to suffer again, often even worse. So now consider the plight of corporate users of publicly exposed MongoDB servers. You're told that for the past eight years, the database server you've been relying upon has contained a flaw that allows for effectively unfettered mass exfiltration of your server's internal working memory, which contains myriad private credentials, past database search results, and essentially any and all proprietary information to which that server may have had internal access, or may have been storing and retrieving over time. To call this a mess is truly an understatement, and this mess is now squarely in the laps of every enterprise that was using a publicly exposed MongoDB server. My question is, why was even a single instance of MongoDB publicly exposed? I'm sitting here right now, as I talk to Leo and our audience, in Southern California. From my location here, I have access to any and all of those 87,000-some instances of MongoDB. Why? Why do I have access? Why can I send out a TCP SYN packet to port 27017 of any of those 87,000 IPs and promptly receive a TCP SYN/ACK packet inviting me to complete the TCP handshake connection? Why? I have no need to ever do so.
Whoever runs that MongoDB instance certainly doesn't want or expect me, sitting here in Southern California, to be able to connect to their database server. But I can. Why? By now, I hope that everyone in this podcast's audience understands not only that this is wrong, but just how wrong it is. If I were to confront whomever it was who set up any given instance among those 87,000, that IT person would probably respond, well, we've password-protected access to our database and you can't do anything without that. Oh yeah? MongoBleed, baby. No authentication needed. The decompression of the message is pre-authentication and never requires any form of authentication for its exploitation. One of the refrains everyone listening to this podcast has been hearing from me, beginning last year, when it finally so clearly crystallized after we all witnessed mistake after mistake after mistake which all carried the same pattern, is this pattern: that authentication does not work. Now, the world depends upon and turns on the strength of authentication. So I obviously don't mean that it can't work. What I mean is that it cannot be absolutely depended upon to work. In my hypothetical conversation with that MongoDB IT person, their defense of their database's utterly unnecessary public exposure was that I didn't know the secret handshake, so they didn't feel the need to take every possible precaution. The massive sweep of today's MongoBleed vulnerability is the direct consequence of that wrong way of thinking. That way of thinking is obviously defective and wrong. Sitting here in Southern California, I have no need to be able to connect to any of those 87,000 MongoDB servers, even if only to test the strength of their authentication. I should not be allowed to do that, but I can. And that's on them. That's on each and every one of them individually. This erroneous reliance upon remote authentication, which we keep seeing over and over, does not work.
It's perhaps the single most important thing that has to change in today's Internet networked world. And what's most galling is that it's not about flaws or mistakes. Right? It's entirely about policy and caring. If we cared to, we could fix it.
A
Bravo, Steve. Good. Good to know. It's amazing that 80,000 plus people ignore the instructions and just do it.
B
I would love to be a fly on the wall to know how. What were they thinking? How did that happen? I mean, it must be that it's...
A
Like, well, we have a password, maybe. Or they're not...
B
Right.
A
But it's not public by default. Right. So they'd have to explicitly say open up this port and make it available.
B
It's just like whatever that server was we talked about a couple weeks ago. I mean, it says right there in the docs: do not bind this to a publicly facing interface.
A
Right. It's kind of amazing. It's not how you would normally set up a database like this. You'd have the CMS access the database and search.
B
Exactly. Yes.
A
It's so, it's a weird way to do it.
B
Why can I access their data? I have no need or purpose. I shouldn't be able to even see it. I shouldn't know that it exists. Yeah, it ought to be on their LAN.
A
It's bizarre that so many people have done that on purpose.
B
Well, and Leo, these are the problems we have, not the lifetime of certificates.
A
Right.
B
That's what's so maddening.
A
Okay, well, you've been warned. I mean, probably there are a few people listening to the show who are going, oh yeah, maybe I better go fix that.
B
Oh, and after you fix it, watch the Lazarus Project on Netflix. Oh boy, it is so good. Leo, you'll be immediately hooked.
A
Aren't you glad you listen to the show, everybody? Steve Gibson's at GRC.com, the Gibson Research Corporation. It's a website. It's like Stranger Things. It's a throwback to the 60s or the 80s or something, but it's got it all there. Everything you'd ever want to see and know. You've got, of course, many of Steve's software projects, including his bread and butter, which is, of course, SpinRite, the world's best mass storage maintenance, recovery and performance-enhancing utility. But there's also the new DNS Benchmark Pro there. And there's a ton of free stuff too. And most of what Steve does, he just gives away. You'll find that at grc.com. If you want to contact Steve, I still get to this day email saying, can you send this to Steve? No, you go to grc.com/email, you put in your email address, Steve in his magic way will validate that it's not some spammer or weirdo, that it's you. And now you're going to be whitelisted. You can email him directly. But there's also security...
B
...now@grc.com. Yeah, it's very simple, but...
A
But don't send it unless you do that, because you'll just bounce, right?
B
Yep.
A
There are two newsletters that Steve offers. They're unchecked by default, but if you check them, you'll get the weekly show notes, 22 pages of goodness, with pictures and everything. Usually it's even more. You'll also get announcements of new software and so forth. Did you ever send out an email for DNS Benchmark Pro? Did you?
B
Haven't yet, because I mentioned earlier that I have a surprise, and I forgot to mention that everybody who has purchased it and will purchase it gets the surprise. That's the nice thing about today's deployment model: there's no need to wait, and you get it immediately. So yeah, I'm waiting until it gets a little more stable, in terms of, like, I've added some things that are so cool.
A
This is what's unique about Steve. He's actually reluctant to send out the email. So that's why you should sign up. Sign up at grc.com/email. He also has copies of the show there. All of his copies are unique to GRC.com. He's got a 16-kilobit audio version for the bandwidth-impaired. He's got a 64-kilobit, which sounds great, but it's still smaller than the one we offer. He also has the show notes for download, if you want to do that. He has transcripts a few days after the show. Elaine Farris is probably already madly typing away, and she'll have that transcript available for you in a couple of days. So you can read along while you listen, or use it to search. It's very handy. I did a little search for, for instance, "PayPal football", and immediately found the episode. I was sad, though, because it wasn't a video episode, it was audio. So I can't show us holding up the football and showing everybody the PayPal football, but we interviewed somebody from PayPal who had created it. We actually interviewed, I think it was...
B
They were from Verisign or Verisign.
A
They created it for PayPal. That's right.
B
Right, yeah.
A
Verisign actually offers a key, or did. Nobody needs it now; you've got it on your phone. Same thing. Yeah. So that's all at grc.com. We have the show as well on our website, twit.tv/sn. There is a YouTube channel dedicated to Security Now, and I would refer you to that if you want to share anything from the show. Sharing clips of the show is really easy on YouTube. Everybody can see it. It's very easy for you to clip it. There's a dedicated channel for it. And of course, the best way to get it is to subscribe in your favorite podcast client and you'll get it automatically. You could choose audio or video. We have on our website the 128-kilobit audio and the video. That's our unique version of the show. We do Security Now on a Tuesday right after MacBreak Weekly. That's about 13:30 Pacific Time. 17:30 or... No, actually it's... Yeah, that's right. No, 16:30, sorry, three hours, 16:30 East Coast Time. And it's 19... No, 21:30 UTC. So if you want to watch the show live, you can. You don't need to, obviously, it's a podcast, but if you do want to get the freshest version, you can watch on YouTube, TikTok. X.com, not TikTok. Facebook, LinkedIn, Kick or Facebook. Anyway. Oh, Twitch. I forgot Twitch. Twitch.tv, you can also watch. If you're in the club, on the Club TWiT Discord. So that makes seven places you can watch the show live if you should choose to do so. Well, now I've run out of all the things I need to say. I just want to say thank you, Steve, as always, for an amazing show. And we will see you right here next week on Security Now.
B
Righto.
A
Security now.
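The length-trust flaw Steve walks through in the episode, as an added illustration that is not the podcast's or MongoDB's code: a Python model of the OP_COMPRESSED wrapper in which the flawed path sizes its result by the client's claimed uncompressedSize (with a constructed byte string standing in for the stale heap that malloc hands back unzeroed), next to a hardened path that bounds the claim and rejects any message whose inflated length differs from it. The field layout follows the public wire-protocol documentation; the size cap, the helper names and the sample payload are this example's own assumptions.

```python
"""Model of the MongoBleed length-trust flaw and the check that closes it.

Added example, not MongoDB's code.  The OP_COMPRESSED layout follows the
public wire-protocol documentation (16-byte header, then originalOpcode,
uncompressedSize, compressorId, compressed bytes); the simulated heap, the
size cap and the helper names are constructed for this illustration.
"""
import struct
import zlib

OP_COMPRESSED = 2012                  # opcode of the compressed wrapper message
OP_MSG = 2013                         # the original opcode wrapped inside it here
COMPRESSOR_ZLIB = 2                   # compressorId value for zlib
MAX_MESSAGE_BYTES = 48 * 1024 * 1024  # server-side sanity cap (assumed value)

HEADER = struct.Struct("<iiii")            # msgLength, requestID, responseTo, opCode
COMPRESSED_PREFIX = struct.Struct("<iiB")  # originalOpcode, uncompressedSize, compressorId


def build_compressed(payload, claimed_size=None):
    """Wrap payload in an OP_COMPRESSED message.

    A well-formed client always leaves claimed_size at None.  Tests set it to
    a wrong value so that the validator below can be exercised.
    """
    body = zlib.compress(payload)
    size = len(payload) if claimed_size is None else claimed_size
    prefix = COMPRESSED_PREFIX.pack(OP_MSG, size, COMPRESSOR_ZLIB)
    total = HEADER.size + len(prefix) + len(body)
    return HEADER.pack(total, 1, 0, OP_COMPRESSED) + prefix + body


def parse_compressed(msg):
    """Return (claimed uncompressedSize, compressorId, compressed bytes)."""
    if len(msg) < HEADER.size + COMPRESSED_PREFIX.size:
        raise ValueError("message too short")
    msg_len, _, _, opcode = HEADER.unpack_from(msg, 0)
    if msg_len != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("bad message header")
    _, size, compressor = COMPRESSED_PREFIX.unpack_from(msg, HEADER.size)
    return size, compressor, msg[HEADER.size + COMPRESSED_PREFIX.size:]


def decompress_trusting(msg, heap):
    """Model of the flawed path: the result is sized by the client's claim.

    `heap` stands in for whatever malloc hands back without zeroing.  The
    inflated data lands at the front of the buffer and the rest of the
    claimed length is returned as though it were part of the request.
    """
    size, _, compressed = parse_compressed(msg)
    buf = bytearray(heap[:size].ljust(size, b"\0"))  # "uninitialised" buffer
    inflated = zlib.decompress(compressed)
    buf[:len(inflated)] = inflated
    return bytes(buf)                                 # claimed size, not actual


def decompress_checked(msg):
    """Hardened path: bound the claim, then require the inflated length to match."""
    size, compressor, compressed = parse_compressed(msg)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("unsupported compressor")
    if not 0 < size <= MAX_MESSAGE_BYTES:
        raise ValueError("implausible uncompressedSize")
    d = zlib.decompressobj()
    # Inflate at most size+1 bytes: the spare byte lets a stream of exactly
    # `size` bytes reach end-of-stream, while a longer stream is cut off and
    # shows up as a length mismatch instead of an unbounded allocation.
    inflated = d.decompress(compressed, size + 1)
    if not d.eof or len(inflated) != size:
        raise ValueError("uncompressedSize does not match inflated length")
    return inflated


def is_rejected(msg):
    """True if the hardened path refuses the message."""
    try:
        decompress_checked(msg)
    except ValueError:
        return True
    return False
```

Run against a message whose claimed size exceeds its real payload, the trusting path hands back the constructed "heap" bytes after the payload, while the checked path raises before anything beyond the real payload is touched.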
Air Date: January 7, 2026
Hosts: Steve Gibson & Leo Laporte
The first Security Now episode of 2026 is a densely packed exploration of pressing security topics:
While covering dire flaws and growing pressures on independent devs, Steve’s signature style balances deep technical insight, skepticism, and the occasional rant—with a few moments of genuine enthusiasm and humor.
Code Signing Rant (lifespans, subscription) [15:51–54:18]
"Today's code must be signed. So code authors have no recourse other than to pay an annual tribute to the certificate gods in order to qualify for the privilege." [33:44]
“What has been slowly growing and evolving is a cabal… We've been witnessing a consolidation of certificate authorities over the past decade as the bigger fish swallowed up the littler fish, while also not surprisingly, raising their rates. ... Because they can." [32:31]
“The only way I could do it was by whitelisting the entire tree on my system… The code I assemble and link into an EXE is immediately deleted from the hard drive." [37:58]
Steve rails against "diminishing returns"—more technology, more regulation, more inconvenience for diminishing improvements to security, with the result being that the hobbyist, tinkerer, and even small commercial dev is forced out of the ecosystem.
“If you can’t write your own software, it's not your computer.” [39:19]
“All of this original PC hobby control, which you could argue built this industry, is going commercial and is being taken away from us.” [38:58]
MongoBleed Deep Dive [159:38–189:50]
“This erroneous reliance upon remote authentication… does not work. … If we cared to, we could fix it.” [188:44]
"Expect high likelihood of mass exploitation and related security incidents. ... Advice would be to keep calm and patch Internet facing assets."
"The massive sweep of today's MongoBleed vulnerability is the direct consequence of that wrong way of thinking. ... The world depends upon and turns on the strength of authentication. So I obviously don't mean that it can't work. What I mean is that it cannot be absolutely depended upon to work." [187:25]
ChatGPT Advertising Model [61:47–75:47]
"Nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback." [71:23]
“Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy. Curiosity, it seems, is now contraband.” [119:48]
TV Series: The Lazarus Project [124:30–133:02]
“I have never, and I really mean never, seen a more compelling, astonishingly clever and gripping time travel concept and plot. There is new stuff here. The Lazarus Project is truly remarkable science fiction.” [124:30]
“Why would the CA browser forum feel the need to reduce the life of absolutely theft proof code signing certificates? What benefit could there possibly be to them? … The light bulb lit for me ... The future of code signing will be the establishment of a subscription relationship.” (Steve, 28:45–29:56)
“We can apply our fancy technology to solve problems, but the presence of that technology creates a bigger problem than what it is trying to solve.” (Steve, 03:07)
“Why can I access their [MongoDB] data? I have no need or purpose. I shouldn't be able to even see it. I shouldn't know that it exists.” (Steve, 190:49)
“I don't ever want to lose access to it [AI]. No, it is really phenomenal. ... But if I lose that, I don't know what I'm going to do.” (Steve and Leo, 62:49–63:08)
“You've got to pay for the stuff you use. You just do. That’s just the way it is. Nothing's… It’s not free.” (Leo, 74:59)
| Topic | Timeframe |
|---|---|
| Code Signing Rant (lifespans, subscription) | [15:51–54:18] |
| ChatGPT Advertising Model | [61:47–75:47] |
| Python Package Index Security Improvements | [81:02–85:21] |
| Bitlocker Hardware Acceleration | [91:12–108:35] |
| Raspberry Pi Ban at NYC Event | [114:16–123:23] |
| TV Series: The Lazarus Project | [124:30–133:02] |
| Magnesium/Vitamin D Health Segment | [133:03–159:38] |
| MongoBleed Deep Dive | [159:38–189:50] |
For developers:
For IT/Security Professionals:
For everyone:
Honorable mention: “The Lazarus Project” is a must for sci-fi fans.
Summary prepared by AI (but, as Steve and Leo would note, thoughtfully and with considerable human context).