A (3:14)

Well, what else is coming up this

B (3:15)

week as promised, we're going to talk about the. What all that was about Eth Zurich and the deep analysis of the focused on three prominent password managers and they made a point in their 28 page research document of saying that they did choose these because these were the three that had at least some of their client side source available. Of course we know in the case of bit warden all of the source is available. But it's a point that I've made before which is it just seems wrong that researchers are forced to first reverse engineer some product of some sort which whose security they want to verify and then after going through all that work then need to presume, you know, then then need to proceed to do the verification. It's just like guys, you know, it just. We're asking a lot of them anyway. I guess it's worth it because they do it. So we're gonna. What I wanna focus on is less the minutiae of the details because they've been fixed now, but the. The nature of the problem and why while yes they found problems, it never was like a pants on fire issue. But mostly why there were problems. What was the source of these problems? Because isn't this supposed to be easy? We'll talk about why it's not. So I. I guess I. I'm going to start off by sharing a piece of email that I received last week that I just. That just made me look and go really? You're kidding me. Where my certificate authority is warning me to prepare for the inevitable, which of course they brought about. So. Okay, and then I'm going to drop this, I promise for a while. Although I will. I want to make sure that I don't forget to tell people that the five most downloaded pieces of freeware on GRC on the freeware page are now co signed not only with the original DigiCert EV certificate, but with that new one that I managed to Finagle from Identrust. I found a beautiful 72 HSM called Smart Card HSM which is. Which I'm very pleased with. It's all supported by open source software. I did struggle to get it all working and since I'm now not going to need to mess with it for three years and I will promptly forget everything I just figured out, I'm going to spend some time to document the details of what I went through and I will share that online. So I know from all of the feedback that I've had from our listeners that there are many people out there who are interested or in or need to do code signing. And I've worked out I think a very flexible, powerful and inexpensive path for doing that having just done so myself.

A (6:37)

So good I can't wait to hear that.

B (6:39)

This is a cute little thing that this little smart card hyphen HSM available internationally and actually locally there here in Orange county the one of the retailers of them anyway so that's all done then. I'm also want to talk about another piece of lunacy that we're going to have fun with. Leo. Three US states are attempting to ban 3D printed firearms by once again legislating it. Even though, sorry, you can't get there from here there that that's not going to, you know, deter anybody. It was triggered by the, the third state to join was it's so it's Washington State, New York State and then most recently California have decided yeah, let's just not have those. We don't, you know, we don't want 3D printers to be able to print guns. So we're just going to say you can't. Also denied their ransom, Shiny Hunters has leaked just shy of a million 967,000 personal details online. We'll touch on that also in a different report. Billions, literally it said billions of U.S. social Security numbers have been leaked. Only problem is some only like 400,000 or so have ever been created. So I don't know how you have billions unless you have lots of duplicates. Anyway we'll, we'll look at that. I wanted to touch on Apple planning to add cameras to three new gadgets. Also Firefoxes has hit another end of life event for Windows 7 and 8 and 8.1. Russia made a mistake blocking some open source software that they themselves need. And there's a weird site Leo freedom.gov which our government is planning to put out. We'll talk about that and, and I'm interested in knowing from our European listeners whether they see something different than I do when I go to freedom.gov here in Southern California. Apparently LLMs are or will be happy to give you a password if you ask them. Don't, don't ask them.

A (9:04)

Well even if you ask it, don't use it. That's I think more important.

B (9:08)

Yeah, you can ask it. You can ask all you want. We're going to talk about that. Also as predicted that that exploit that has had me so worried and upset which is known as the click fix attack, turns out to be every bit as popular as I was worried it was going to be. We have a listener who, who was convinced based on his next DNS logs that his computer had picked up a virus. And based on what he shared with me, I agreed until I looked more closely and then I had to smile when I saw what the cause was. And then we're going to look at how could 3 popular password managers get things wrong? So podcast wrong and. And then, of course, a picture of the week. That's that. Everyone thinks their first reaction is, well, Photoshop. Turns out, apparently not.

A (10:07)

I haven't looked. I shall look. My eyes have been sealed. I'm going to unseal them. We'll all look at it together in just a bit.

B (10:13)

But it is funny. Yeah.

A (10:15)

First, a word from our sponsor. This episode of Security now brought to you by Guard Square. Are you a mobile app developer? You need to know about Guard Square. Mobile apps today have become an inescapable part of life ranging from financial services to healthcare, retail, entertainment. We trust mobile apps with our most sensitive personal data. That's what makes them useful. But a recent survey showed that 72% of organizations experienced a mobile application security incident last year. 92% of respondents reported rising threat levels over the last two years. We see it. It's in the headlines. Meanwhile, attackers who want your user's personal data are constantly finding new ways to attack your mobile app. They reverse engineer it, they repackage it, they distribute the modified app via phishing campaigns, via side loading third party app stores. You don't want that to happen. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and and maintain the trust of your users. You owe it to us. You owe it to us users. That's where Guard Square comes in. Guard Square delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps combined with automated mobile application security testing to find vulnerabilities and real time threat monitoring to gain insights into attacks. Discover more about how Guard Square provides industry leading security for your mobile apps@guard square.com that's guard square.com do it for us. Do it for yourself. Guard square.com we thank them so much for supporting security. Now they're certainly in the right place. All right, picture of the week time.

B (12:05)

So I gave this picture the caption but officer.

A (12:10)

All right, scrolling up. I think we've seen this kind of thing before. This is an impossible traffic sign.

B (12:24)

It's like what is what? Yeah. And it's okay. So several of our listeners have taken it upon themselves to try to locate this actual like, you know, geolocate where this was taken. The clue. There's a Tim Hortons in the background there.

A (12:49)

There you go. Maybe it's Canada.

B (12:51)

And so yeah, I thought that's what I was thinking. And someone did say that there had been some modifications to the street. So. Okay, so for those who can't see this, we have a. We're, we're on a road and this is one of our street sign pictures. We're on a road approaching a T where you must either, you know, and you can see there's a guardrail on the far side of the intersecting road. So you can't go straight.

A (13:21)

Can't go straight.

B (13:22)

You got to turn left or right. Right. Because you don't have a choice. There's a stop sign there. So yes, you certainly you'd want to stop before you made your choice. The problem here is that up in front of all of that is one of the circle red slash signs. Normally, you know, there would be like a right arrow with a slash through it telling you that you cannot turn right or maybe a left arrow depending. And you would expect that that would be reinforced with a one way sign that you would also be confronting in the distance just reminding you that like when you get to the stop sign, this is a one way street.

A (14:01)

Well, there is only one way and

B (14:03)

that's straight up apparently because this sign that we're looking at has both direction arrows, red slashed. So you come up to this T intersection and if you've paid attention to the sign that you, that you had to pass in order to get there, it says you can't turn left, you can't turn right. And we know that because of a guardrail there, you can't go straight. Thus, but officer, when you, you know, get pulled over. Anyway, thank you. Our listeners are sending these to me and I do, do we have any

A (14:40)

theory as to why this exists?

B (14:44)

No, no, no. I mean, and I, as I said the, the first thing you would think is that somebody photoshopped it. I don't know why it was that someone said that was not the case. What I heard was. But it was just in passing as I was, as I was like you know, scrolling through email that there had been some changes made to the road. Apparently they forgot to change the signage in order to just stay synchronized.

A (15:10)

That makes sense.

B (15:11)

Okay, so I'm going to spend one more story on this and then I'm going to leave it alone. I want to do it because the amount of feedback I've received from a range of our listeners who whose lives are impacted by certificate authorities one way or the other has been extensive. The subject line of the email I received from Digicert, my certificate authority, last Wednesday. Okay, just made me shake my head. The subject was in the email. Urgent. It started off urgent. Revalidate domains expiring February 24th due to new 199 day validity requirement okay, so here's what they wrote with their with great urgency. Dear valued customer, we're reaching out with an urgent request to check your certificate domain validations before February 24, 2026, as we communicated in previous emails. February 24th. By the way, that's today, right? Today we're recording this on February 24th. February 24th is the date when domain validation reuse periods will shorten to 199 days, down from 397 days in accordance with the CA Browser Forums Ballot Science 081 version 3. Our records indicate that you or your sub accounts have existing domains that will expire on February 24th because of this change. If your systems require immediate certificate issuance, your issuance could be delayed if you don't check and revalidate these domains before February 24th. So what do you need to do? DigiCert Cert Central with a circle R because that's needed to get that registered, now displays which of your current domains will expire on February 24, 2026 due to the change to 199 day domain validation reuse periods. Steps for reevaluating domains that expire and then they go through it like, you know, Rick and Roll of how to march through their user interface and then they finish with we're here to help. We understand industry driven. Right? They had nothing to do with it. Despite the fact that they're the biggest CA there is in and voted for all this. We understand industry driven compliance changes pose significant challenges and we're standing by to assist you. Please don't hesitate to contact your Digicert account manager with any questions or concerns about the change to 199 day domain validation reuse periods. Thank you for trusting us with your digital with your digital security. Signed the Digicert team. Okay, so since digicert, a prominent, if not the prominent voting member of the CA browser forum, voted themselves to bring about these changes, it seems a little odd for them to be sympathizing with their customers over the inconvenience that these changes create. To be straightforward, they would state that these changes have been made in the interest of improved security. Okay, we might disagree with that, as we, you know. As we know I do. But at least then they would be genuine. What, what, what puzzled me in their note, which I read closely, was their statement that our records indicate that you or your sub accounts have existing domains that will expire, blah, blah, blah, on February 24th. As we know, it's, it's never the case that anything is ever done that causes existing certificates to suddenly become invalid. Right? They said your issuance could be, you know, your systems require immediate certificate issuance. Your issuance could be delayed if you don't check and revalidate these domains before the 24th. Again, as I was saying, it's never the case, thank goodness, that anything is ever done that causes existing certificates to suddenly become invalid. You know, obviously, revocation notwithstanding, it's always the case that the not valid after date continues to be honored. When you think about that, it's clear that a certificate that contains a built in not valid after date means valid until that date. And there's no way to after the fact have that no longer be true because it's, it's bound into the certificate. And this is why I went to all the trouble last week to establish a new code signing relationship with ident trust while they, while three year certificates were still allowed by the CA browser forum for code signing. And as I mentioned at the top of the show, I am now the proud holder of a code signing certificate that will be valid until February of 2029. And nothing that happens between now and then, no matter what new insanity the CA browser forum may enact, will change that. So the answer to the mystery of what Digicert means here is the phenomenon I spoke about last week, which is the new need which they created to decouple certificate qualification from certificate is issuance. Since a certificate, once issued, will always live out the duration of its valid life unless it's revoked. Back when certificates were issued for 10 or, or even five years, the qualification for that certificate was determined at the time of the certificate's issuance. And that was all that. And, and that would be that, that, that, that was it, you, you verify that you qualify. Here's your 10 year certificate, see in 10 years. But with the changes that are, you know, bringing about this shortening of certificate lifetimes, automation is effectively required. And you know, they're going to be seeing that more and more. As we know the industry intends to keep marching certificate lifetimes downward until they reach a maximum of 47 days in 2029. We're about to drop to 200. That's happening in the next week or two to 200 days maximum. Then it will be 100 where it holds for a couple years, then finally lands on 47 days. So the issuance of organization validation certificates, which is what Digicert produces, needed to be decoupled from the qualification to receive those issuance. Decoupled from qualification before the middle of next month. The CA Browser Forum would allow organizations to go up to 825 days between qualification intervals. So that's around 27 months and before an organization needed to be revalidated. But those 825 days now drops to 398 days, which is what Digis search letter was about. They're saying that one or more of the validations that they performed for Gibson Research Corporation's identity occurred more than 398 days ago until today. Literally today, February 24th. And that was just fine. But as of today, February 24th, that's no longer true. The validations that were, that were, that were valid yesterday are no longer valid today. So anybody who would need to reissue a certificate soon needs to recognize that although they could have done so yesterday, they can't do so tomorrow. Again, just craziness. But that's the way this industry is being played. So you know, don't just go thinking that all you need to do is push a button to issue yourself a certificate. Oh no, your button has been disabled. You no longer qualify until you've had the ch. You know, they, your, your authority have had the chance to look you up and down again, make sure you're still you. And what's more, that will now be annual. Oh yes, these wild times where you could go, well, yesterday, 825 days. But once upon a time, five years, 10 years, no problem, those are over. So this explains why once my previously paid certification with Digicert is over, in two years, I'll be happily dropping OV these organizational verification certificates in favor of the much cleaner and simpler DV domain validation certificates that let's Encrypts Automation has been gleefully issuing now to the vast majority of the Internet, to anyone who wishes to bring a server online. So I, I, I, I, all we could do is go along with it because we have no control. Okay, so I know you were up to speed on this, Leo, because you, you, you reacted to it when I was saying I was going to talk about this. We have another example of lawmakers apparently thinking we don't know how you techies are going to do it. Yeah, but that's not our problem. We're going to make it a law so that it becomes your problem. And I just wanted to point out thanks to our listener Tom Minick for bringing this little tidbit to my attention. Tom sent a link to the reporting on the well known and the reporting which appeared and was covered by the well known and popular Adafruit website. Adafruit ADA F R U I T for those who may not be aware, is a highly regarded hobbyist maker, hardware, electronics website and retailer. They posted the news of this new num skull legislation under their headline California's new bill requires DOJ approved 3D printers that report on Themselves. So here's what Adafruit wrote. They said California's new bill requires Department of Justice approved 3D printers that report on themselves targeting general purpose machines. Assembly member BAUER Khan introduced AB 2047, the quote California Firearm Printing Prevention act on February 17th. So just recently the bill would ban the sailor transfer of any 3D printer in California unless it appears on a state maintained roster of of pre approved makes and models Certified by the U.S. department of justice as being equipped with quote firearm blocking technology. Manufacturers would need to submit attestations for every make and model. The DOJ would publish a list. If your printer is not on the list by March 1, 2029, it cannot be sold. In addition, knowingly disabling or circumventing the blocking software would be a misdemeanor. And it gets worse. Much worse. Okay, is everybody sitting down? Adafruit continues, We've been tracking this pattern. Washington States HB 2321 requires printers to include blocking features that cannot be defeated by users with significant technical skill. You know, good luck with that. On open source firmware, New York's budget bill S.9005 buries similar requirements in Part C, sweeping in CNC mills and anything capable of subtractive manufacturing. California's version adds a certification bureaucracy on top, state approved platforms, state approved software control processes, state approved printer models, quarterly list updates, and civil penalties up to $25,000 per violation. As Michael Weinberg wrote after the New York and Washington proposals dropped, accurately identifying gun parts from geometry alone is incredibly difficult. Desktop printers lack the processing power to run this kind of analysis, and the open source firmware that runs most machines makes any blocking requirement trivially easy to bypass. Okay, so I'll interrupt to note again. Once again, you know, when when printers that can print weaponry are outlawed, only outlaws who wish to print weaponry will own outlaw printers. Nothing will be accomplished to curtail the fact that a 3D printer can be used to print a dangerous machine, Adafruit continues. The Firearms policy coalition flagged AB 2047 on X, and the reactions tell you everything. John Leroux called it stupidity on steroids, pointing out that a simple spring shaped part has no way of revealing its intended use. The Foundry put it plainly. Quote Regulating general purpose Machines is another AB 2047 would require 3D printers to run state approved surveillance software and criminalize modifying your own hardware. Unquote. Adafruit continues, as we've said before on this blog when we covered Washington and New York, it doesn't matter if you're pro or anti gun. The state should prosecute people who make illegal things, not add useless surveillance software to every tool in every classroom, license, library and garage in the state. And as you can see, these bills spread. That's how a small group can push legislation into the entire country. First Washington proposed theirs, then New York, now California. Once these three states pass a law that's 20 to 25% of the country by GDP and population, and thus every manufacturer is forced to comply with a bad decision in order to stay in business. If you're a maker, educator, or manufacturer anywhere in the U S, even outside these states, this is a problem. It's a problem now. Adafruit's article mentioned Michael Weinberg. Michael is the executive director of NYU's Engelberg center for Innovation, Law and Policy. He's a board member of the Open Source Hardware association, and, as he describes himself, a maker of poorly made things. He's also, however, an astute thinker. And since I think this topic is extremely interesting and that our listeners are likely to find it so, I wanted to also share what Michael wrote in the wake of the New York and Washington state bills. The title of Michael's posting was 3D printers cannot effectively Screen for Gun parts, he wrote. This post is a handy reference for the technical reasons why requiring 3D printers to screen for gun parts is not an effective way to reduce guns or gun violence. I'm publishing it on the occasion of both New York and Washington state introducing bills to require this type of screening. In addition to a topic I've been researching for over a decade, the question of how to know if a 3D printer is printing a gun part is something I've spent a lot of time working on while overseeing trust and safety at a large 3D printing service provider. So consider that, you know he's been overseeing trust and safety at a large 3D printing service provider where the question of what is it we are printing on these with our commercial grade machines, you know, comes up. So he said this post is not about debating the larger legitimacy of gun control in order to focus on the technical reasons which why requiring 3D printers to identify and refuse to print gun parts does not work. It assumes that gun control is a reasonable and legitimate action of governments. Broadly speaking, it's responding to requirements that all 3D printers check prints to make sure they're not gun parts. If the part is a gun part, the printer would refuse to print it. The short version is that accurately identifying gun parts is incredibly difficult, and the hackable nature of desktop 3D printers makes it trivial to circumvent any requirements to even try. Here's the slightly longer version Matching files is fragile and anybody you know, we've talked about hashes, right? The whole point of a hash is that you want matching files to be fragile. So this is working against you here. He said the first reason that requiring 3D printers to identify gun parts is ineffective is because analyzing 3D files is complicated. Any attempt to identify gun parts will miss many parts that are actually for guns and may flag a number of parts that that have nothing to do with guns. You know, they're just kind of gun like expensive engineering design software is good at evaluating specific properties of a 3D file, like where mechanical stress will occur over a lifetime of use. However, even that software cannot tell you what a part actually does is that spring for a door, or a shock absorber or a catapult. This challenge is exacerbated by the fact that guns are just mechanical objects. That means that there are many ways to design any individual part, and many individual parts of guns will resemble mechanical parts with totally benign uses. Put another way, devoid of other context, a switch for a gun safety or looks a lot like a switch for a door. Broadly speaking, there are two ways to think about doing file matching. Algorithmic analysis is one. This approach imagines a piece of software that can analyze a file and determine with some level of certainty if it is a gun part or just a hinge. Assuming that this software exists, which it does not at the time of this writing, it is reasonable to expect that such an analysis would be reasonably computationally expensive. 3D printers do not have the onboard processing power to do this kind of analysis. Requiring that they include chips capable of this kind of analysis would fundamentally change the economics of 3D printer design, akin to requiring that all bikes include jet engines. And I'll interrupt Michael for a Moment to comment that he's not exaggerating how Totally inadequate any 3D printer is for performing any sort of complex analysis. 3D printers are extremely simple and inexpensive. I've owned a number of them. They have nearly no brain power themselves. They're extremely simple robots that read instructions from a USB stick or SD card. You know, there are some that fix a liquid resin using an image, and others that move a plastic extruder around in three space. You know, basically saying, move the plastic extrusion head from. From where it is now to coordinates X, y, and z. The resin fix images or the instructions with their coordinates were created outside the printer by a real computer that's running some sort of engineering drawing, design conversion software. Once the design is ready, it's converted into fabrication instructions, which are typically written to a storage device and, and then transferred to a standalone printer, which simply follows the instructions step by step without in any way understanding what it is that it's being asked to print that just isn't there. So these printers are inexpensive. I mean, they're really inexpensive, you know, hundreds of dollars only because, you know, they could not be any more rudimentary. They've just been stripped of anything that they don't need. Michael continues, of course, writing, the 3D printer could upload the file to a cloud somewhere and let the processing happen there. However, Internet connectivity is not a default feature on desktop 3D printers. You could require that all 3D printers maintain a constant connection to the Internet in order to operate. But again, that would fundamentally change how people use their printer. There are also many legitimate use environments where constant Internet connectivity is neither possible nor desirable. Of course, we immediately think of this as, like, what about, you know, malware downloading itself into our 3D printers because they now have Internet connections? It's like, no, please, let's not go there. And he says, and of course, this raises the question of who's responsible for. For maintaining that directory and keeping it secure, meaning in the cloud. So what about blacklisting? He asks. If it's not possible to analyze the true purpose of each file, it might be possible to at least. At least match them against a known database of gun parts. Right. This approach also has some serious shortcomings. First, there's the question of keeping that database up to date on the printer. That would require constant or at least regular Internet connectivity for the printer. That raises the same issues as discussed in the last section. Second, also as discussed above, analyzing and matching 3D files is computationally expensive. The most logical way to do that with the processing power of the 3D printer would be to use a hash table of known gun parts comparing a hash of the file to be printed against the table. The primary problem with both geometry matching and hash matching is that it's incredibly fragile. The smallest change that had no impact on the functioning of the part right one bit changed would completely change its hash, effectively hiding it from the blacklist. That would make it trivial for anyone to circumvent. Identifying which changes are functional and which are merely aesthetic is not easy. That's especially true if people are making those changes with a specific goal of tricking the printer into printing a gun part. You know, make a cosmetic change, change a tiny little thing, a little tick somewhere, and now it's it looks like an entirely different file because it's in a completely different hash. And as we know, that's the nature of hashes, he writes. 3D printers print themselves the second reason this proposal is ineffective is because 3D printers are made in an incredibly distributed way. There are dozens of ways to make your own 3D printer using open source user modifiable parts, even non open source printers or are highly hackable. And I the point he's making is you don't have it's not the only way to get one is not to buy one. You can make one, he says. As a result, there's no way to mandate that a technology that starts in a 3D printer remains in a 3D printer. The software that runs most printers is open source, meaning a single update would circumvent any screening measures. This places 3D printers at the opposite end of the spectrum from 2D printers. This was interesting. I hadn't thought about this before. He wrote anti counterfeit systems prevent 2D printers from printing currency. To the extent that these rules are effective, he says. Paran's not I'm no expert, but they are often cited in these discussions as successful models. He says it is because the 2D printing industry is fairly concentrated and proprietary. 2D printer companies are actively hostile to users who want to modify their products, significantly raising the barrier to hacking around any countermeasures. Desktop 3D printers are the opposite. They all trace their heritage back to open source printers, and users expect to be able to modify, extend and hack their own printers. That means that workarounds for a screening mandate would be easy to develop, distribute and implement. Many open source software packages might even include the circumvention by default, meaning users would implement it without even actively intending to do so. 3D printers are general Purpose machines. This post is focused on the technical challenges with requiring 3D printers to screen every file it prints for gun parts. Nonetheless, it would be incomplete without a brief mention of how potentially invasive this sort of requirement is. 3D printers are general purpose machines that can be used for good or ill. Just as we do not require the phone company to monitor every phone call in order to prevent customers from using phones to commit bank fraud, we should be wary of requiring our 3D printers to monitor every print in order to prevent one possible type of print. That type of invasion might be reasonable if it was effective. However, for the reasons described, it is unlikely to prevent even a modestly motivated person from using their printer to create gun parts. If an intervention is both highly invasive and unlikely to be effective, it's probably not an ideal policy, which I think is putting it mildly. So I think Michael did a great job of detailing the specific 3D printing issues which would surround any attempt to manage or control what a 3D printer can and cannot print. And while I have no interest in ever owning or printing a firearm, you

A (45:06)

know, there it is again.

B (45:09)

Yeah, we. That sounded like a ground. It did. Came and went.

A (45:17)

Like when you plug in a guitar to an amp.

B (45:19)

Yeah, exactly. Yeah. Anyway, I. I will continue. Yeah, yeah. While I have no interest in ever owning or printing a firearm, I'm a proud Californian and I'm annoyed by the fact that the state I love is enacting such moronic legislation. I mean, it isn't yet a law, but, you know, maybe the California assembly is going to pass this. It would be nuts. But the broader concern is the large and growing degree to which modern technology appears to be outpacing legislators ability to understand what they can and cannot have. They cannot have a practical law, no matter how much they want one. To force 3D printers not to print gun parts, they just can't. No matter, as I said, no matter how much they want it. They also cannot have a law that absolutely preserves everyone's privacy while at the same time preventing child predators from abusing that privacy to commit their crimes. We all wish it were possible to have both, but we know it's not. I read some of the proposed new California bill. That's AB 2047. It's really quite awful. I have the link to the bill's full text in the show notes for anyone who might be curious. A bad law that hits the books can usually be challenged by those who have a vested interest in the preservation of the status quo. But in the case of 3D printing which is mostly a hobby interest. It's unclear who might have the deep pockets required to stand up against it and fight it out in court. If that doesn't happen, it might be that the sale or transfer of 3D printers would be outlawed in those states which enact these dumb laws. Here's just two lines from California's proposed legislation. It says the bill beginning on March 1, 2029, so that's, you know, next week, would prohibit the sale or transfer of three dimensional printers that are not equipped with firearm blocking technology and that are not listed on the department's list of manufacturers with a certificate of compliance verification except as specified. The bill would authorize a civil action to be brought against a person who sells, offers to sell or transfers a printer without the firearm blocking technology. Okay. Now as I said, we're approaching March 1, 2026. So the purchase ban, if saner heads do not prevail and it does come into effect, is still a full three years away. March 1, 2029. This means that no matter what, it will be possible for Californians to continue to purchase the 3D printer of their choice for the next three years. If you live in an affected state currently in New York, Washington or California. I don't know what the calendar states in the New York and Washington bills, but at least in California, if you've been thinking that you might like to explore 3D printing in your garage, you know, to print widgets of whatever, sort of keep an eye on the date, there may be a deadline coming for being able to do that, insane as that is.

A (49:06)

Yeah. Impossible, Leo.

B (49:08)

It's just so wrong headed. It's like, it's like some, you know, some non techie legislator heard that 3D printers, you know, people had 3D printers in their garage and they were printing guns. So it's like, oh, let's, let's have a law that makes printers unwilling to do that.

A (49:29)

Right? Well, I mean it's, I mean there is 3D gun printing going on. They make those guns.

B (49:37)

Yes. You know, we should have a law, Leo, that prevents resin from being willing to be formed into that shape.

A (49:43)

Right.

B (49:44)

How's that?

A (49:45)

That's the problem is, is, is it's not practice, not technically, it's not possible.

B (49:49)

Right.

A (49:51)

Luigi Mangione's gun was partially 3D printed, for example. I mean there, this has been an issue, but this isn't the solution, obviously.

B (49:59)

Yeah. And I mean, I get it, I get it, right? I mean I get it that printing a gun in an, in a non ferrous Substance will then render, you know,

A (50:15)

goes right through those machines.

B (50:17)

Detectors. Right. They can no longer be. I mean, it's not a good thing. But, but, but we're, we're back in the same problem we've often talked about. If crypto is, is made illegal, then only bad guys will use crypto. If 3D printing is made illegal, then only bad guys will. Will. I mean, we'll be using 3D printers to print guns and everybody else is.

A (50:42)

I understand the motivation. The real issue is you can't do it technically, as you pointed out, a spring is a spring. It's not. It could be for a variety of purposes. You can't really identify parts that are going into a gun.

B (50:56)

And imagine the frustration of designing a, a particular widget, you know, to allow your baby carriage.

A (51:04)

Right?

B (51:05)

Yeah, well, to allow your baby carriage to, to roll better. And your printer says, oh, that looks like the barrel of a gun. Sorry, can't print that.

A (51:14)

It's like what Darren also points out, you can't 3D print bullets. They're still metal. So you're going to be able to, you're going to see, you're going to see the ammunition, even if you.

B (51:25)

And actually there's been a lot of dialogue in the past about, okay, well maybe we need to control ammunition because

A (51:31)

that would be a better, more effective thing, right? Yeah. Yeah.

B (51:37)

Oh, well, as would. Following the advice of this next, this next sponsor, Leo.

A (51:42)

Yes. Now, I want to kind of a little bit bring you into this because the next sponsor is Bitwarden, who we love open source solution. And you're going to talk a little bit about this Eth Zurich finding about the risks of password managers if a bad guy could somehow get the vault right.

B (52:02)

Yes, that, that was one of the issues too. As, I mean, we spent a lot of time looking at client side vulnerabilities like, you know, while the, while the password manager is unlocked, if malware was on your computer, what could it do? These guys did a very different thing. They said basically if the, if the cloud provider's entire server infrastructure was subverted, what could happen?

A (52:33)

Right.

B (52:33)

And you know, okay, we'll talk about

A (52:36)

it in a lot more detail, of course, later the show. I just wanted to bring it up because I was really impressed by Bitwarden's response, which is, thank you for this research. It's going to help us lock down what we do. And this is one of the advantages of being an open source project, is you welcome this kind of stuff and you have other eyes looking at the security and I don't think anybody should be worried whether you're a last pass bit warden or a dash lane user about your security at this point.

B (53:08)

In fact, I would be less worried today than you might have been a month ago.

A (53:14)

Right.

B (53:14)

Because you know, the whole point is these three just were deeply audited by, by, I mean, and some of these hacks were wacky. I mean they were way out there. It's like, well, okay, if, I mean, so if, if these three tools pass through this gauntlet, the other password managers haven't because, because the, the, the researchers said, well, none of it's open source. We can't invest in reverse engineering these closed products. Right. So we're going to look at what we can.

A (53:48)

And now they're way better for it. Fully open source, fully GPL open source. You can inspect the source code. So can Eth Zurich and everybody else. And I think that's the other thing I like about Bitwarden, our sponsor is they enabled very early on this memory hard key derivative function argon 2. And this is another good solution. Right? I set my Argon 2 to the maximum number of iterations and that really secures it as well. So our show today, brought to you by Bitwarden. We love Bitwarden. I use Bitwarden. I certainly never thought of stopping. In fact, Bitwarden does let you host the vault yourself if you want, if that's something you desire. I'll talk about something they've just added which is really cool for this purpose, but there are even third party open source solutions for hosting a Bit Warden vault. I personally, I'm not going to do that because I think that their security is a lot better than mine. That's why I trust Bitwarden. The leader in passwords, passkeys and secret management. Consistently ranked number one in user satisfaction just but not by me, but by G2 software reviews. 10 million users love Bitwarden. 180 countries, more than 50,000 businesses. And whether you're protecting just one account, your own, or thousands for your business, Bitwarden keeps you secure all year long with consistent updates. The new Bit Warden access intelligence will let organizations detect weak and reuse and expose credentials. Now this is legitimately a real problem. We were talking about the, the, the threat is coming from inside the house. This is it. Your users are using the same password over and over again frequently or they're using a weak password. Bitwarden Access intelligence will detect that or a password that's been exposed in a breach and then walk the user through remediation immediately. So the user replaces the risky passwords with strong unique ones and understands why that's important. That closes one of the most important security gaps. Credentials are a top cause of breaches, but with access intelligence from Bitwarden they become visible, prioritized or corrected before the exploitation can occur. Another feature I'm just picking them at random here. Bit Warden Lite this is so cool. I was talking about self hosting. Bitwarden Lite delivers a lightweight self hosted password manager. It's great for people with home labs, personal projects or just an environment that wants a quick setup with minimal overhead. Bitwarden wants to work with you the way you want to work without compromising security. That real time vault health, the alerts and the password coaching features now are in every version of Bit Warden so every user can identify weak, reused and exposed credentials and take immediate action to strengthen their security. They've also made it really easy if you're using the as many people do, I think the password vault in your browser Bitwarden now supports direct import from Chrome, Edge, Brave, Opera and Vivaldi browsers. Direct import copies the credentials right from the browser into the encrypted vault without that separate plain text export, which not only simplifies migration, it reduces exposure associated with the manual export and deletion steps. If you don't delete that, you know in the clear password export well, so that's not good. But this way you don't even have one, which is fantastic. G2 Winter 2025 reports Bitwarden continues to hold strong number one in every enterprise category for six straight orders. Bitwarden's setup is easy. Steve and I moved over from those other guys in minutes. It supports importing from most password management solutions and again, I want to underscore this because it's open source you can look at it, but it's also regularly audited by third party experts and when something comes up, Bitwarden fixes it. That's what's great about Bitwarden. BitMorden meets SoC2 Type 2 GDPR HIPAA CCPA standards. It's ISO 270012002 certified. Bottom line, get started today with Bitwarden's free trial of a teams or enterprise plan or get started for free across as an individual user@bitwarden.com TWIT that's bitwarden.com TWIT and stay tuned because Steve will explain what that ETH Zurich report meant and what it means to use Bit Warden users. I don't think we're afraid we're switching.

B (58:20)

I was never worried.

A (58:21)

Never worried. On we go.

B (58:24)

Friday before last, under the headline FinTech lending giant. Figure, it's the name of the company. Figure Technology confirms data breach, TechCrunch reported. Figure Technology, a blockchain based lending company, confirmed it experienced a data breach on Friday. Figure spokesperson Althea Jadik told CheckCrunch in a statement that the breach originated when an employee. Get this. When an employee was. Was tricked with a social engineering attack. Yeah, imagine that. That allowed the hackers to steal, quote, a limited number of files. I love that. We'll get back to that in a second. The statement said the company is communicating, quote, with partners and those impacted, unquote, and offering free credit monitoring to all individuals who receive a notice.

A (59:19)

Oh, thank you.

B (59:19)

Oh, joy. Figure spokesperson did not respond to a series of specific questions about the breach. This is, you know, from TechCrunch, a legitimate reporting group, the hacking group. Guess who. Shiny Hunters took responsibility for the hack on its official Dark web leak website, saying that after the company refused to pay a ransom, they published 2.5 gigabytes of allegedly stolen data. TechCrunch saw a portion of the data which included customers, full names, home addresses, dates of births and phone numbers. Member of Shiny Hunters told TechCrunch. Notice that Shiny Hunters is happy to talk to TechCrunch but figure technology. Now, Shiny Hunters told TechCrunch that figure was among the victims of a hacking campaign that targeted customers who rely on the single sign on provider Okta. Other victims of the campaign include Harvard University and the University of Pennsylvania. You know, UPenn. Okay, so first of all, I love the quote from their spokesperson. Quote, a limited number of files. Right. Who cares how many files escaped? It's.

A (60:35)

Is it limited to one or a thousand or a million? It's still limited.

B (60:39)

Right, Right. Well, as they say, the size matters. In this case, two and a half gigabytes of customer personal data could do plenty of damage. Right. Even if it's contained in one file. So all it takes is one. Okay, then. Last Wednesday, Troy Hunt's have I Been Pwned? A site scooped up the deliberately posted leaked breach data and examined what had been exposed. 967,200. So nearly 1 million of figure Technologies customers. So first of all, it's a limited

A (61:20)

number of customers, Steve. That's right.

B (61:22)

It's not everybody on the planet. Come on. But Leo, I think you and I are in the wrong business. A blockchain based lending company.

A (61:35)

Oh.

B (61:35)

Has 967200 customers. What? What? I. I don't even. You know. Okay, fine, whatever they do. Nearly a million customers. Yes, of Figure Technologies customers. Troy Troy's have I been pwned site. They all, all 967,200 have had their names, physical addresses, dates of birth, email addresses and phone numbers released after Figure Figure Technology refused to pay up. Now, we know that not paying is the right thing for Figure to do, right? I mean, you know, the rightest thing is not to get breached by an employee being tricked by Shiny Hunters in the first place in a social engineering attack. But once. If. If you've been. If you've been breached and you're being ransomed, not paying is the right thing to do. But it makes you wonder what the Shiny Hunters group are themselves are thinking now. You know, presumably as a result of asking for too much money, they got nothing in return for their efforts, right? The Figure technology did the right thing, said no, and decided to just, you know, pay the. Pay the price in reputational damage. But as I've noted recently, Shiny Hunters have zero interest in this data. They don't care at all. Its only value to them is the value that Figure may place on keeping it private. And once Figure said no deal, the Shiny Hunters group had to release it, otherwise their threat to do so would be meaningless. That means that they're now unable to even resell the data since it's now freely available on the Internet. And it need to. It need to be made freely available in order for them to follow through on their threat that they would do that. And we've seen reports that in general, more victims now in the last year compared to last five years are being. Are declining to take it on the chin and. Or rather deciding. Sorry, they are deciding. They're declining to pay ransom, deciding to take it on the chin and just saying, no, sorry, we're not going to pay your ransom. So I think partly this could be because these days being attacked and extorted is no longer a shocking announcement, right? I mean, I skip over so many of these every week. Because they're just boring at this point. Well, if they're boring to our listeners, they're boring to the world. The world. You know, the world's just sort of like, okay, they got breached and now they're being ransomed and blah, blah, blah. So it's just not. You don't need to pay the ransom to save face to the same degree. And it's not. That also means that it is possible for them to recover from. They Just say, oops. They apologize to their affected customers, offer them, as we saw, a free year of credit monitoring, and then just get on with their business as usual. And as you, you know, Leo, you and I both discovered that through no fault of ours, all of our data, including our Social Security numbers, was already out there swimming around in that big Internet ocean. So Shiny Hunter's failure to obtain anything of value suggests that perhaps the value of stolen data property is falling and that if they don't wish to come up empty, as they just did here, they may need to drop the price of their ask. Because right now, you know, they're going through the trouble of doing this. They're saying, pay up or else. And people are just more way more often than before saying, no, we're not going to pay you well. We're just going to give our customers a year of free credit monitoring. And of course, with what. What this tells us is, and our listeners is freeze your credit. I mean, that, that's really what you want to do is, is get it frozen. Last Wednesday, Up Guard posted a curious headline. They and I mentioned this at the top, their headline was Social Insecurity, colon billions of Social Security numbers and passwords. That's all they said. Their headline was sort of a fragmentary sentence, but okay, now, okay, billions. That seems really bad, right? But given that Social Security numbers are first of all specific to the United States, whose current population is around 342 million, and that a grand total of around 450 million Social Security numbers have ever been issued since 1936, the claim of 2.7 billion Social Security numbers seem somewhat sketchy. But their posting explains what's going on, and it does seem legit. They wrote because they're a. They're, you know, a legitimate security firm. They said this the week of January 12, 2026. So you know what? Maybe six weeks ago, the Upguard research team detected an exposed elastic database with around 3 billion email addresses and passwords and 2.7 billion records with Social Security numbers. That amount of data suggests it was created by recombining prior Social Security number breaches, like the OPM breach in 2015 or the one we're all aware of recently, the National Public data breach in 2024. They said. On the other hand, if even a fraction of the records were real, if only 10% or 270 million records or even 1% were real, the exposure would be a dire bellwether for the state of privacy in America. And on this point, I say you get into the Party a little bit late. You know, like I said, Leo and I were our Social Security numbers and everybody else's are already out there. And here was an elastic database exposed with 2.7 billion billion Social Security numbers on. I think that probably is everybody. Several times over, they said. With the help of some unfortunate friends, we were able to confirm that at least some of it was real. And with the help of K Pop and some American presidents, we were able to approximate when the passwords were collected. Okay. While most exposed databases require investigation to determine if they contain sensitive data, this one was obvious. The database had one index named ssn. Oh good, so you can look it up by Social Security number. And another named SSN2, each containing millions of records with nine digit numbers in a field labeled SSN. What could that be? The database also had several indices that were collections of emails and associated passwords. On January 16th, we submitted the IP address and explanation of the issue to the FBI's IC3. We also submitted an abuse report to Hetzner, the hosting company. They replied saying they would forward the issue to the customer. After we clarified that their customer was in gross violation of privacy laws, all public access to the database was removed on January 21st. Hetzner replied once more. Dear sir or madam, thank you for your report. This is our customer's statement. And then they quote their customer's response. Hello, we contacted our client and explained what SSN database host that actually it does say what we explained what SSN database hosting not acceptable client now deleted this file from server. So problem solver for now.

A (70:58)

English is not their native language obviously.

B (71:00)

Okay, up Guard's report continues. Anyway, I'm not going to go into it. They poke around inside their database. Apparently they got a copy of it because they did a lot of like research. They poked around locating some people they know closely enough to confirm their Social Security numbers. The data is authentic. Unfortunately, since one of them whose data is present in the data happened to also have her identity stolen in the past, they drew these researchers the entirely unwarranted conclusion that this means that this breach was the source of the identity theft. No. Or unlikely. At least we know there's really not much personally identifiable information that is not by now loose on the Internet and available online. I wanted to share this specific story to drive home the point that there has been so much prior leakage of our personal data that we really have very little to no control over it any longer. That's all just an illusion. It's certainly the case that the use of services like one of Twit's sponsors, Delete me. Makes a lot of sense for anyone who wishes to be as proactive as possible, but my feeling is that beyond that, doing everything that's within our power to minimize the impact of any. The impact of the use of any personal data loss of ours that has almost certainly already occurred is what makes the most sense. These guys did recognize that the database appeared to contain a great deal of redundancy and also a fair amount of incorrect noise. So it wasn't the highest quality, which is what we'd assume when we learned that it was 2.7 billion records containing Social Security numbers when only 450 million have ever been issued since 1936 in the entire history of Social Security. At this point, protecting ourselves is the best we can do. I assumed that the GRC shortcut I would have previously created years ago would be GRC SC credit. And sure enough, that bounced me directly to the Investopedia page, which talks about freezing credit and provides the links to the three main credit freeze pages of the three main credit bureaus. Anytime you are not actively needing to have your credit queried because you're applying for credit or purchasing something or what, whatever, the best advice that exists is to keep it frozen. Because the sad truth is all of our data is. Is loose. It's out there as. As a. As a consequence of previous irresponsibility on the part of. Of entities that we gave it to, including the credit bureaus.

A (74:24)

You know, I think there are only a billion possible. Am I right? Social Security numbers. How many? You're right.

B (74:34)

Nine digits.

A (74:35)

So, yeah, so they got them all. The problem is if you don't have a name associated with it, it's just a number.

B (74:44)

That's a very good point, Leo. Start at 000. I know them all.

A (74:49)

I know every single Social Security number. Every one of you. I just don't know whose they are.

B (74:55)

You brute force, are you? Oh, Lord. Okay, before I go on, let's take another break. Said we had a long run the first time.

A (75:06)

Yes, and I think we should talk about Zscaler now. This would be a good time, actually. Anytime on Security. Now is a good time to talk about the number one largest cloud security provider. Basically, that's the whole show right there in a nutshell. This episode of Security now brought to you by Zscaler, the world's largest cloud security platform. Actually, Zscaler is very timely because Zscaler works with AI now. So do you, probably. Right. The rewards in business of AI are frankly Too great to ignore. Every business is looking at. We are, everybody is. But let's not forget the risks. Loss of sensitive data, attacks against enterprise managed AI. And then of course the fact that the bad guys are using AI as well. Generative AI increases the opportunities for threat actors, lets them rapidly create phishing lures that are impeccable. Really good. Much better than that email from Hetzner. Anyway. They can use it. In fact, maybe that's why Hetzner had all those typos. Just to make it look like a human did it. That was probably the reason the problem with these AI created phishing lawyers. They're good bad guys are using not only the AI to credit the phishing emails, but they're also using it to write malicious code. We've seen that, we've talked about it. They automate data extraction. The speed with which data extraction is happening is increasing dramatically thanks to this. There were 1.3 million instances of Social Security numbers, real ones linked to AI applications. Last year, chat, GPT and Microsoft Copilot saw nearly 3.2 million data violations. I'm not trying to scare you, just trying to remind you that while you're using AI, you got to also protect yourself. And that's why it's time for a modern approach with zscalers, Zero Trust plus AI. Zero Trust removes your attack surface, right? You're not putting out VPN addresses that give people something to hook on to. You're not you. You don't have to worry about securing your data because Zero Trust secures your data no matter where it lives in the cloud, on Prem everywhere. Zscaler safeguards your use of public and private AI. It protects you against ransomware and it protects you against AI power phishing attacks. But don't just listen to what I have to say about it. Check out what Siva, the director of Security and Infrastructure at Zuora, says about using Zscaler Watch. AI provides tremendous opportunities, but it also brings tremendous security concerns when it comes to data privacy and data security. The benefit of Zscaler with ZIA rolled out for us right now is giving us the insights of how our employees are using various gen AI tools. So ability to monitor the activity, make sure that what we consider confidential and sensitive information according to, you know, companies data classification does not get fed into the public LLM models, et cetera. Thank you, Siva. With Zero Trust plus AI, you can thrive in the AI era. You can stay ahead of the competition, you can remain resilient even as those threats and risks evolve. Learn more@zscaler.com security that's Zscaler.com security. We thank them so much for their support of security now. And now back to Steve.

B (78:32)

Okay, so just a quickie. Apple watcher and insider Mark Gurman has reported that Apple is believed to be working on a smart pendant, smart glasses and new AI based AirPods and that all products will be equipped with a camera that will feed data into an AI system. And I'm sure you're up on this more than I am, Leo, since you've, you've spent a lot of time over and with your Mac guys.

A (78:59)

As long as it doesn't feed it to Siri, I'm okay.

B (79:02)

Well, apparently he said it's unclear what the AI will be doing for its user and it does seem like, like, you know, like a strange thing to, for Apple to be doing since people almost universally object to being surreptitiously recorded. You know, I mean I loved listening to Alex when he realized that some guy he'd been talking to for half an hour was like, you know, had a camera in his glasses and he said, hey, are you, are you recording this? The guy said, well, yeah, course.

A (79:37)

I think Apple recognizes that this is just going to be the next thing and everybody's going to do it and they need to develop it. And then I think their hope is that people will trust Apple to keep

B (79:48)

it private of any company out there. As I said, they. And, and boy, it was also I just as, as an aside, it was nice to hear you guys on or on Mac break talking about the, you know, as I had been saying how frustrating it is with Apple's upselling and it just, you know, everybody does it now. It's, yes, you're right, it is, it is everybody. And the problem is some percentage of people it works on. And so that encourage, that encourages everybody else to do it.

A (80:20)

Oh yeah.

B (80:22)

Okay.

A (80:23)

Turn it into Amazon.

B (80:24)

Anyone who has continued to use Firefox on a Windows 7 or 8 machine will no longer receive security updates after this month. This month is it. Firefox support for the browser itself officially ended three years ago. You know, in terms of monthly updates or occasional updates to the browser itself. That was in January of 2023. But security fixes have continued to be provided those. And now this month, with the end of this month, that's it for Firefox. So that's good that I don't, it's, it's good that I'm leaving Windows 7 and Firefox on. I think it's like version 115. ESR is the.

A (81:15)

We're up to 145 now, by the way. Good news. They've added a switch in 145 that says disable all AI features. You just click that switch, you're golden.

B (81:27)

Nice.

A (81:27)

They were smart. I think that's that. They listen to their customers on that one.

B (81:31)

Yeah. And of course, I think it was. It was. I'm sure it was. It was Vivaldi who made a marketing point.

A (81:39)

That's right.

B (81:39)

Saying we're not doing AI, period. And then they said, well, until it shows its value, it's like, oh, okay, fine. Well, at least.

A (81:47)

I'm sorry, 148. Thank you, David. David in our. Twitch says it's 148. That's the one just came out today with the, with the no AI switch.

B (81:55)

Wow. Ross Komnadzor, our favorite Russian group apparently got a bit trigger happy recently as part of its recent accelerated Internet crackdown, which we've been talking about the last couple weeks. This time it appears that Russia's Internet watchdog blocked the official website of the Linux kernel. The block was quickly lifted after upset Russian IT engineers reminded Russ Kor that all of the country's native OS distros run on Linux. So. Yep, Cam. Can't disconnect from that one, guys. They're going to have to. Even if they do disconnect from the Internet, they're going to have to have a little back door there where they're still able to be in touch with Linux.org apparently. So. Leo, this raised. If it wasn't Reuters, I would. I would wonder. Washington, February 18th Reuters. The US State Department has. The US State Department is developing an online portal that will enable people in Europe and elsewhere to see content banned by their governments, including alleged hate speech and terrorist propaganda, a move Washington views as a way to counter European censorship. Three sources familiar with the plan said. Okay, so wait, what triple source reporting says that the US is planning to do what? Exactly. Yes. And that. Leo, move your cursor over that. That blurred out area. Oh yeah, there we go.

A (83:53)

Freedom is coming. And there's Paul Revere bringing freedom to those poor unfree people in France and Germany.

B (84:03)

So yes. Freedom.gov so I get this. You get this. I'm wondering what our. What our listeners in the UK I've got. We know we have a bunch of them. Wonder what they're gonna see.

A (84:18)

It's just gonna be an X feed, isn't it? That's what it's gonna be.

B (84:22)

Essentially. That's what we're talking about. So here's what Reuters reported last Wednesday. They said the site will be hosted@freedom.gov. one source said officials had discussed including a virtual private network function to make a user's traffic appear to originate in the US and added that user activity on the site will not be tracked. Headed by Undersecretary for Public Diplomacy Sarah Rogers, the project was expected to be unveiled at last week's Munich security conference but was delayed, the sources said. Again, triply sourced reporting. Reuters could not determine why the launch did not happen, but some State Department officials, including attorneys, have raised concerns about the plan. Imagine that, two of the sources said, without detailing what those concerns were. The project could further strain ties between the Trump administration and traditional US allies in Europe, already heightened by disputes over trade, Russia's war with Ukraine and President Donald Trump's push to assert control over Greenland. The portal could also put Washington in the unfamiliar position of appearing to encourage citizens to flout local laws. In a statement to Reuters, a State Department spokesperson said the US Government does not have a censorship circumvention program specific to Europe, but added, quote, digital freedom is a priority for the State Department, however, and that includes the proliferation of privacy and censorship circumvention technologies like VPNs. The spokesperson denied any announcement that that denied any announcement had been delayed and said it was inaccurate that State Department attorneys had raised concerns despite again Tripoli sourced reporting. I think that one was dual sourced. The Trump administration has made free speech, particularly what it sees as the stifling of conservative voices online, a focus of its foreign policy, including in Europe and Brazil. Europe's approach to free speech differs from the US where the Constitution protects virtually all expression. Uhhuh. The Europe their European Union's limits grew from efforts to fight any resurgence of extremist propaganda that fueled Nazism, including its vilification of Jews, foreigners and minorities. US officials have denounced EU policies who say they are suppressing right wing politicians, including in Romania, Germany and France, and have claimed rules like the EU's Digital Services act and Britain's Online Safety act limit free speech. The EU delegation in Washington, which acts like an Embassy for the 27 country block, did not immediately respond to a request for comment about the US plan. In rules that fall most heavily on social media sites and large platforms like Metas, Facebook and X, the EU restricts the availability and in some cases requires rapid removal of content classified as illegal hate speech, terrorist propaganda or harmful disinformation under a group of rules, laws and decisions. Since 2008, Rogers, the person we spoke of before of the State Department has emerged as an outspoken advocate of the Trump administration position on EU content policies, and she's visited more than half a dozen European countries since taking office in October and met with representatives of right wing groups that the administration says are being oppressed. The department did not make Rogers available for an interview to Reuters. In a National Security Strategy published in December, the Trump administration warmed that Europe faced, quote, civilizational erasure, unquote, because of its migration policies. And it said the U.S. would prioritize, quote, cultivating resistance to Europe's current trajectory within European nations, unquote. EU regulators regularly require US Based sites to remove content that can impose bans as a measure of last resort. X, which is owned by Trump ally Elon Musk, was hit with a 120 million euro fine in December for non compliance. On the other hand, last week we talked about how 2.2 billion of the 2.4 billion euros that had been fined remained unpaid. Anyway, it's going to be interesting to see what happens next. As I said, the site does not currently show me what's described there. There was some language in their reporting that suggested that what you and I see, Leo, is not what Europeans see currently. So I'm sure that our listeners will let us know when they see this. I I don't know what to make of this. I guess we'll follow it and see.

A (89:47)

I just love it that they're spending my tax dollars on such important initiatives. By the way, they killed Radio Free Europe.

B (89:55)

I was gonna say that had occurred to me also.

A (89:59)

It's like, wait a minute, this is

B (90:01)

in lieu of okay, so I hope I don't need to tell anyone listening not to ever, ever use an LLM to directly generate a password. In other words, never ask an LLM for a password. Never say, could you please generate a highly secure Long password with 20 characters of all kinds, including a mixture of upper and lowercase alphabetic numbers and special characters? No, don't do that.

A (90:48)

What? You will get such a good idea.

B (90:50)

You'll get one. It'll look wonderfully strong. But the LLM is quite likely to give the same password to others because this is not what they're for. Gosh, we've spent so much time through the years on this podcast examining just how very difficult it is to actually generate and obtain high quality passwords. I even have a page on GRC grc.com passwords that is very popular that that does does this because it's difficult. So the idea of asking a parrot for a password is almost painfully bad.

A (91:37)

Monkey 123 monkey 123 everybody use monkey 1, 2, 3.

B (91:44)

Having apparently run out of useful things to explore the site Irregular that's the name of the site gave they did a detailed in depth exploration of large language model password generation under the headline Vibe password generation colon Predictable by design. Well, at least they got the headline right. Okay, so this is so nuts that I'm not going to spend much time on it there. But their posting is long and they've got charts and graphs and stats and blah blah, blah. But they were kind enough to give us an executive summary at the beginning. They wrote LLM generated passwords which should be just outlawed. An oxymoron generated directly by the LLM rather than by an agent using a tool.

A (92:37)

That's key by the way, that clause

B (92:40)

yes, generated exactly by the agent rather than using a tool appear strong but are fundamentally insecure because LLMs are designed to predict tokens, the opposite of securely and uniformly sampling of random characters.

A (92:59)

Exact opposite.

B (93:00)

Despite this. Yes, the exact opposite. Despite this, LLM generated passwords appear in the real world, used by real users and invisibly chosen by coding agents as part of code development tasks instead of relying on traditional secure password generation methods. So think about that. You vibe code something and part of that is the need to generate a password. And the LLM says, oh, here's a password and plugs it in to your code somewhere deep. They said. We've tested state of the art models and agents that analyze the strength of the passwords they generate. Our results indicate or our results include predictable patterns in password characters, repeated passwords, and passwords that are much weaker than they seem. As described in detail in this publication, we recommend that users avoid using passwords generated by LLMs that developers direct coding agents to. To use secure password generation methods when needed. Have them come to grc.com passwords and that AI labs train their models and direct their coding agents to prefer secure password generation out of the box. And what I loved somewhere down in the text Leo, it, it actually, I mean it talked about how non. I mean I, I know not. No one of our listeners would do this, but think about the common Joe. They're they're chatting to chat GPT and they say, hey, you know, I'm trying to log into this site and it keeps complaining about the passwords I'm using. Could you give me, you know, a good long, strong password? And it'll, it'll probably say, yeah, here you go.

A (95:03)

Of course it will, yes.

B (95:05)

Yep.

A (95:06)

But. And that's the thing is that it's an. It's a. It's a kind of naive and I understand. I mean. Oh, yeah, it's. The computer is going to generate a really good password.

B (95:17)

It's Leo. It's artificial intelligence.

A (95:20)

What could possibly.

B (95:23)

It's generative. It's going to generate. That's what generators do.

A (95:28)

It would actually be fairly trivial. I could write it right now in Claude and say I would like a strong password. Go to GRC.com passwords and get one and it would use your code to generate the password and it would be a good password. Yeah, I mean, that's probably preferable to saying write a Python, you know, script that will generate a true random password. It's very entropy that you get from. It's hard to do. Let Steve do it. And I mean, you could, you know, you could do it, but it's actually would be trivial to say, just go and get it from GRC.com passwords. The problem is that most people are using chatbots. They're using. And they're just going to ask it and think it's smart.

B (96:12)

Yes, they're just going to ask it. This website needs me to give it a long password. What do you recommend? Right.

A (96:19)

What do you do for entropy in your password generator?

B (96:24)

I've. I've got a algorithm that's been running for 10 years or something which uses crypto in order to roll passwords forward.

A (96:37)

Okay. Yeah. So I'm just gonna. Let's just see. I'm going to ask Claude code to go out. Can you fetch me a Strong password from GRC.com passwords? And presumably it's going to actually run your page because it can do that. It can control a browser. And there you go. Here are fresh passwords from GRC's perfect password. Skip. It calls me Skip because it's my buddy.

B (97:01)

And there. Yes.

A (97:02)

And this is exactly the format you would get. Right. These are legit. This is not.

B (97:06)

Nobody will ever get those again. Although now you don't want to use those, having shown them. But aside from that, by the way, it's smart.

A (97:13)

Look, it says GRC regenerates these on every page loads. So these are unique to this fetch. For a fresh set, just ask again or visit the site directly. Said that's. That's the intelligent way to use it. But I understand why, you know, naive users are just going to say, well, it's smart.

B (97:31)

Yeah. They're just going to say, hey, it's AI. It's AI smarter than I am. So just give me a password, right? Don't do that. Okay. I've been saying recently that the technique of asking a user to authenticate themselves by what they think is a captcha, where they're instructed to press the Windows R key to open the Windows run dialog, then press Control v to paste followed by the enter key is terrifying because it is, it is. It is so powerful and potent and because I could see so many people falling for it. Because just like asking ChatGPT for a password, most people have very little idea how their computers actually operate. So they just follow instructions, right? They're following instructions in order to just get by.

A (98:27)

It's all an incantation for them.

B (98:29)

Yes.

A (98:29)

They don't understand.

B (98:31)

Yes. So this highly potent form of attack has been dubbed Click Fix. It's called the Click Fix Attack. Recall that I recently shared exactly such a pop up that one of our listeners had encountered and emailed to me saying, I didn't do this, but I wanted to show it to you, Steve. And that sent me off on a rant about how irresponsible I felt Microsoft was being about not tracking the source of anything pasted into the system's global clipboard. A web browser is a very clear security boundary with all manner of creepy crawly things clamoring to escape from it. So it would be utterly. It should be utterly impossible for automation in the browser to place anything onto the system's global clipboard that can then be pasted outside the browser's security perimeter, especially into the Windows Run dialog. Seeing how obviously dangerous and effective this form of attack promised to be, I wasn't surprised to read the report that Huntress Labs published one week ago. Last Tuesday, Huntress set the stage for their lengthy report. And I'll just share the beginning, they wrote. Columbia, Maryland February 17, 2026. Cybercrime has become the world's third largest economy with costs projected to reach $12.2 trillion annually by 2031. Today, Huntress exposes the tactics, techniques and procedures the TTPS fueling this multi trillion dollar illicit market in its 2026 Cyber Threat Report. The in depth analysis sheds light on the playbook used by organized profit driven cybercriminals, uncovering how they weaponize legitimate tools, exploit everyday behaviors and leverage a vast underground network to exploit people, businesses and employees across the globe. To produce this report, Huntress analyzed proprietary telemetry over, sorry, telemetry from over 4 million endpoints and 9 million identities across the 230,000 plus organizations it protects worldwide. So again, Huntress has instrumentation on over 4 million endpoints, 9 million identities within 230,000. More than 230,000 organizations that are under its protection as part of its services. They said this robust data set served as the foundation for uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft and actionable strategies to help organizations prepare for the year ahead. Okay, so that's where this all came from. Under the topic of key findings, the item that caught my eye was this. They wrote over half of all malware loader activity came from click fix. Hear that? Over half of all malware loader activity came from that, that single exploit, the captcha, the fake captcha that tells people who don't know how to use a computer or what they're doing, but follow instructions to press. You know, thank you very much. To continue authenticating, press with the Windows R key. Press Control V, press enter. Over half of all malware loader activity. They wrote in 2025. Attackers did not need to break in when they could just trick users into giving them access. No technique did this more effectively than than click fix, which fueled 53% of all malware loader activity by masquerading as routine tasks like solving a captcha. Click Fix and its variants tricked users into becoming unwitting accomplices, facilitating the silent installation of info stealers, ransomware and remote access tools. So I've specifically and explicitly reached out to many of my friends to warn them of this attack because it's so obvious to me that it's going to happen. It's just, it's too diabolical and too likely to succeed. One of my friends, who works for a very large nonprofit charitable organization, receives regular employee level security training as, as part of her role. When I told her about this, she commented that they had never been warned about this type of attack. No, there's likely a delay between the growth of an attack and its inclusion into a training program. But that leaves a very dangerous gap. And as Huntress found from their analysis, 53% of all successful breaches that occurred during 2025 were attributable to the success of just this one class of attacks. So please warn your friends to be careful. It is, it is just such an obvious way for bad guys to get in. And Microsoft has got to do something about this. This is their responsibility for, for not allowing pasting into that run dialogue. That's just if, like pasting something that came from the browser, that is just insane.

A (105:05)

But you know, Leo, what's not insane.

B (105:09)

Not insane.

A (105:10)

I knew where you were going with that.

B (105:11)

As we head into our listener feedback is for us to take a break.

A (105:16)

It's Hawks Hunt. That's not insane.

B (105:18)

Ah, good. No, not at all.

A (105:20)

In fact, it again ties right into our conversation that we're gonna have at Zero Trust World next week. The problem is inside the house. This episode of Security now brought to you by HOX Hunt. You know, many of our listeners are security leaders. As security leaders, you are paid to protect your company against cyber attacks. It's getting harder and harder with more cyber attacks than ever. And lately these phishing emails generated with AI, they're so good, they're so persuasive. I fell for one just the other day. Legacy, one size fits all awareness programs. In this environment, they don't stand a chance. They send at most 4 generic trainings a year and most employees ignore them. When somebody actually clicks, they're forced into something embarrassing. Training programs that feel more like punishment. And that's no way to learn, right? That's, that's when you get malicious compliance. You get people actively not learning, right? That's why more and more organizations are trying HOX Hunt. HOX Hunt. So much better. H o x h u n t like Fox Hunt with an H goes beyond security awareness and changes behaviors by rewarding good clicks and coaching away the bad in a way that employees love. It's fun. It's gamified. Whenever an employee suspects an email might be a scam, they click that HOX Hunt button and HOX Hunt will tell them instantly. And in a way that gives them a dopamine rush, which gets your people to click learn and protect your company. They they, it's a game to them. It's fun. And for you, as an admin, HOX Hunt makes it easy to automatically deliver phishing simulations, not just email slack teams. Everywhere attackers are going, right? Using AI to mimic the latest real world attacks. By the way, you can, just as the bad guys do, personalize these simulations to each employee with knowledge you have like department location and more. And the trainings, instead of being this long drawn out thing, are instant micro trainings which solidify understanding and drive lasting, safe behaviors. They're not punishment, they're fun. You can trigger gamified security awareness training that awards employees with stars and badges. Again, I got a gold star. It sounds dumb, but you know what? It works. And this really boosts completion rates. It ensures compliance, and it really makes your employees learn. They're really learning. Choose from a huge library of customizable training packages. You can use AI to generate your own too. They've got all the tools there you need. Hawkshunt it has everything you need really, to run effective security training in one platform. Meaning it's easy to measurably reduce your human cyber risk at scale. But you don't have to take my word for it. Just check G2 over 3,000 user reviews. They make Hawkshunt the top rated security training platform for the enterprise. Easiest to use, best results Also recognized as customer's choice by Gartner and it's used by thousands of companies. Qualcomm uses Haxon, AES, Nokia. These companies use it to train millions of employees all over the globe. They use it because it works. Visit hoxhunt.com securitynow right now to learn why modern secure companies are making the switch to Hawkshunt. That's Hawkshunt.com SecurityNow H-O-X H-N-T.com SecurityNow we thank them so much for their support of SecurityNow.

B (108:53)

Now back to Steve so Doug Smith wrote, I have enjoyed you touching on AI coding topics over the last few episodes of the podcast. Although the capabilities of Aisle, that's the firm we talked about that had developed that really amazing agentic coding system, the one that found all the bugs in open SSL that had already been deeply scrutinized, he said. Although the capabilities of ielts that you covered recently sound fantastic, they aren't available to everyone yet. However, some aspects are available in other forms. For example, Claude Code has a built in security review command that does a really great job. Although it's good at checking the latest changes before a git commit and push, I've taken to using it for things like checking WordPress plugins before installing them on my sites. In one case, this turned up multiple severe security issues in a plugin for connecting to a specific service I required, I was able to present the results and a working test exploit to the vendor and work with them toward fixes. That is. That's very cool, he said. I also saw that Anthropic has a new Claude Code security feature in limited testing right now that looks like it will continue to move security reviews significantly forward. You recently suggested that the way to work with AI coding might be with test driven development. That and more is exactly what the superpowers add on for Claude Code does that Leo mentioned a few episodes ago. It forces good planning, test driven development, and code reviews by multiple AI agents, and each with particular specialties. Here's the description of the workflow from the GitHub readme and he goes into detail brainstorming using git work trees, writing plans, sub agent driven development or executing plans, test driven development, requesting code review and finishing a development branch. Anyway, so very cool to see that this is happening and evolving. I wanted to share this because it so nicely chronicles I think the evolution that we're seeing in our understanding of how to employ AI. What we have today will bear no resemblance to what we have a year from now. I I think that's really clear to everyone. This is just happening so fast and we arguably have quite a way to go. You know, we've learned that that as an AI's context window nears full, the its hallucinations increase. So now we work to prevent that. We've learned that rather than using a single AI and a context window, we get far better results from using multiple AI agents, each with their own smaller contexts and thus each bringing their own perspective. And I have no doubt that a year from now will have learned way more. You know, we didn't know this a year ago. We know it now. Who knows what we're going to know next year? Eric wrote hello Steve, I wanted to share an issue I recently ran into that makes me believe some malicious application has gotten into my PC. Now understand, while he wrote this, you know he believed this. He said, I'd value your advice on whether I should completely reinstall Windows and all my applications. You're welcome to share this if you think others could benefit. Indeed, it turns out others could. He said, thanks for everything you do. Best wishes, Eric Richardson So he said. Description of Issue Last week, while examining logs on Next DNS, I decided to download them for a better review of activity. Upon examining the logs, I saw my DNS queries for 26 character long domains and then he lists four of them. Xdu1xjw0lnf pq4zdtoz1brlh.com that's one of them. And there's he in his email three more. Just gibberish like that. And he said these DNS queries only came from my PC. My wife's and daughter's laptops were not affected. I looked up some of the domains on ICANN's DNS lookup but found no entries. Google confirmed my suspicion that these lookups were likely malicious DGA Domain Generation Algorithm Activity. I checked the entries in my next DNS logs and noticed these queries were not blocked. Exclamation point. I confirmed that Domain Generation Algorithms DGA'S protection was enabled, so I don't know why the query would not have been blocked. Okay, so as I'm reading along so far, I'm looking at Eric's evidence and I'm in complete agreement with everything he's seeing.

A (114:17)

By the way, this is one of the great things about Next DNS is these logs, because you can see exactly what Dear Net like, Look at that DNS query. What the hell is that?

B (114:28)

Huh? You better.

A (114:30)

You better explain this, Mr. Gibson.

B (114:33)

Yourself explain to me. So I'm thinking that yeah, this really does look pretty bad and quite suspicious. Then I get to his next sentence. Tracing entries in my next DNS log, I see that queries to isc.org seem to precede queries to these 26 character domains. I also see several queries to rebindtest.com which do appear to be blocked by next DNS. Okay, his mention of isc.org stopped me in my tracks because I suddenly knew exactly what was going on with Eric's machine and his next DNS logs. And this was further confirmed by his mention of Rebind test.com Since Eric was understandably concerned and wondering whether he would need to wipe his machine and reinstall windows, I immediately wrote back saying, oh, Eric, that's the DNS benchmark.

A (115:45)

Familiar.

B (115:46)

Hey, I said, those are the queries generated by running the benchmark.

A (115:54)

Oh, that's. Those are random. In other words, random queries.

B (115:58)

Yes, your machine is not infected and

A (116:01)

you do that so they won't be cached, probably, right?

B (116:04)

Yes, yes, I said. Instead, you have great DNS, I said. The tip off for me was your mention that queries to isc.org appear to precede them. And the clincher, though we already had sufficient evidence or was queries to rebind test, which is my domain that I maintain for the benchmarks use. Eric replied, oh, thank goodness. Thank you for replying so quickly. Okay, so the first thing that the DNS benchmark does in the process that I call characterizing any DNS resolver, which you may then want to benchmark, is to check whether it's online at all by asking it for the IP of the isc.org domain. ISC is the Internet Systems Consortium. The ISC has been around since 1994 and basically the birth of the Internet. I chose to have the DNS benchmark check for a resolver's online status by querying for the IP of isc.org since even Ross Kabnad Zor would not have any problem with isc.org nor feel any need to block it. Although maybe I should switch over to the linux.org as a because we know that Rockscom knobs or cannot block that. Anyway, as you as you guess Leo, those wacky 26 character long.com domains are randomly generated, though not one of them will ever exist. And that's the point. They are therefore prevented from ever being in any DNS cache since none of them will have ever been seen before. More importantly, queries for the IP address of each of them will be guaranteed to generate an NX domain a non existent domain domain error status. The benchmark absolutely knows that's the result it's going to obtain, but the resolver it's asking that is the one being tested has no way of knowing that. So it must forward each and every one of those queries to the Internet's upstream.com servers to ask the IP of that when the.com name server receives the resolver's query it's going to think what the heck are you talking about? That's not a valid domain and send back the expected non existent domain reply. But it's the length of time that's required for us to receive that reply from the server that's being benchmarked and that's what we care about. This tells us how well connected the resolver we're testing is to the Internet's.com name servers. How quickly it could obtain a valid.com address is the same as a non existent address. Basically it's inner it it's it's connectivity. The the the ICANN registry also shows that I registered Rebind Test.com nearly 16 years ago in August of 2010. As I said, it's my own domain which returns IP addresses for the various private networks such as the 10.network and 192168.something.something. a DNS resolver should really never return a private network address for a publicly queried domain. We've talked about this in the past. It's called a rebinding failure. Bad guys can use that to probe around inside a user's local lan. Their browser will will believe that it's connecting to a server, for example in at the domain tricky bad guy.com but if if the DNS for tricky bad guy.com resolves to 192.168.0.1 then the browser may actually be connecting to the land's internal gateway router, which is not what you want a bad guy's JavaScript to be able to do. So this is just one of the many things that the DNS benchmark is able to show its users about the DNS resolvers they're currently using and others they may be considering switching over to. So in any event, if anyone else might think to look at their DNS provider's logs and see the sorts of admittedly suspicious looking DNS lookups that Eric spotted, if you do not own and have run GRC's DNS benchmark, then I would agree that is definitely a cause for concern. But assuming that you're an owner of my latest utility software, you have no cause for concern. Very, very cool. False positive.

A (121:32)

I love that he wrote to the right place.

B (121:36)

Yes, he did.

A (121:38)

What is this?

B (121:39)

Yeah, because anybody else would have said, oh, that looks really bad.

A (121:42)

Suspicious. Yeah.

B (121:44)

So Stephen Clark Wilson said, I was reading this ACM article and hit a paragraph that made me instantly think of you and defaults. The paragraph says, before version 4.0.0 published in 2017, Redis, the extremely popular key value store, offered no access controls in its default configuration. Oh God. Frequently new users of Redis would unintentionally expose their instance publicly, and this insecurity would result in data spills or become a vector for host exploitation. Yes, that's where all of our Social Security numbers got leaked. As of version 4.0.0, Redis enters a protected mode when run with its default configuration and without password protection. This limits access to loopback interfaces that that. Which is to say that this limits access to the loopback interfaces, meaning not an interface with a public IP, just 127001 it says, as the Redis company itself has since touted, the introduction of protected mode has caused the number of publicly accessible Redis instances tracked on Shodan IO, a popular Internet host aggregator, to decline substantially. We would Hope so. In 2017, it had identified roughly 17,000 exposed reddest instances. Right, because that was the default if you didn't do something. In 2020, that number had declined to 8,000 still in an audit by security company Trend Micro. And this person said, I like how simple the solution was Limit access to the loop loopback interface. Very nice. So, okay, yes, they've certainly improved the situation by dropping the clearly exposed instances to 47% of what they were. So at this point, either those still exposed Redis key value database stores have been sitting there for the past nine years, since before the introduction of version 4, or they were configured with some authentication and therefore, again, misconfigured. As we all know, authentication should never be depended upon to block malicious access. And I believe that a misplaced reliance upon authentication and a lack of adoption of backup measures, such as never binding to a public facing interface on unless it's truly necessary, remains an easily remedied source of security. And it occurs to me that it is also a shame that one of my favorite tricks has never been adopted. One of the most ironclad rules of Internet routing is that any packet which is received by an Internet router will have its incoming TTL. It's time to live decremented. It's it's an 8 bit byte and maximum value 255. Typically it's 127. The first thing that the router does upon an in receiving an incoming packet is decrement that TTL byte in the packet header. And if in doing so that value is decremented to zero, that packet will never be forwarded toward its destination. A router might simply drop it if it wanted to, you know, like a, like a, you know, dead packet, which is what has happened essentially. Or it might elect to send an ICMP time exceeded message back to the packet's originator to let it know that for whatever reason, that packet died while it was on route to its destination. For some reason, maybe it stumbled into a routing loop or the TTL was too short and so it couldn't make it to its destination. Because the Internet diameter as it's called, has grown over time. There are many, many more routers and you a packet may have to go across many more router hops in order to get to its destination. Some of the early protocol stacks used a a TTL of 32 and at some point there were places they couldn't get because there were more than 32 hops between the source and the destination. So now all of today's stacks are typically 2,127 or 255. So the point however is if this rule were not absolutely obeyed by every router, the Internet could conceivably fill up with zombie packets that live forever, refuse and refuse to die and are just circulated around and that would be a big problem. Thus this rule is absolutely obeyed. So as a security tool, if there was some need to expose a server to the Internet in for example, some sort of cloud hosted configuration, as, as a listener of our of ours recently shared, you know, he had to do that. He did so deliberately with foreknowledge, but because he had no choice. And if it were possible to set the TTL for that servers, that publicly exposed servers outbound packets to a low number like two or three, then any other nearby clients of that public server, for example, within the same cloud infrastructure that that they were sharing, could connect and use it without any trouble, while at the same time no one in far away China or North Korea or wherever could possibly get to it. Since a TCP connection requires round trip verification from each end, any of the packets sent from the server would die after two or three router hops. No one probing that server from a distance would even ever be able to detect that its services were available. Unfortunately, Packet TTL has never been adopted to my knowledge, as a security measure. It's considered to be part of deeper Internet infrastructure, thus not something to be messed around with and not subject to application level manipulation as a result of, you know, the interface, the, the, the interfaces that are provided for setting a connections ttl. You know, you can, you can use raw packets to do it, but it's not something that's commonly available at the application level, even if they might have an interest in employing them, which I think is too bad. So anyway, that's feedback from our listeners. And Leo, after this last message from a sponsor, we're going to get into what the what the researchers found about Dashlane, LastPass and Bitwarden when they took a very deep dive into what would happen if the infrastructure at the cloud end were to be subverted.

A (129:52)

Very good. Coming up on security now, while Steve hydrates, I'm going to tell you about Material, our sponsor for this section of security now, the Cloud workspace security platform built for lean security teams. You know, a lot of security assumes that you're on and your emails are on prem, your files are on prem. But so many of us, including by the way, twit, are not. We use Google Workspace for everything we do. And managing security we know in the cloud workspace is tough. Phishing is not just the only way in, but today's email security typically stops at the perimeter. New attacks are hard to detect. Your email siloed, your data, your identity, security tools, all siloed. Oh, Material can solve this. It could protect the email, it could protect the files, it can protect the accounts that live in Google Workspace or Microsoft 365 works with both. Because effective email security today needs to do a lot more than just blocking phishing and other inbound attacks. It needs to provide visibility and defense across the entire workspace threat surface. So Material works by ingesting your settings, your contents, your logs, does this all automatically to provide holistic visibility into threats and Risk across the entire workspace and then gives you the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. It's fixed before you even know it. Phishing protection and email security Combining advanced AI detections with threat research and user report automation. They do detection and protection of sensitive data. But there's a lot of sensitive data in your cloud, right? There is in ours. Across not just the email inboxes, but shared files as well. Account threat detection and response with comprehensive control over access and authentication of people and third party apps nowadays. You know, I know this is the case with our Google workspace. We've got a lot of third party apps hooked in to the workspace. Same with Microsoft 365. Material empowers organizations to rapidly mature their ability to detect and stop breaches with step up authentication for particularly sensitive content. That's really nice. Blast radius visualization for accounts and the ability to detect and respond to threats and risk across the entire cloud workspace. Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API based implementation and flexible automated and one click remediations for email file and account issues, including an AI agent that automates user report triaging and response. Material protects the entire workspace for the cost of email security alone. And with a simple and transparent pricing model, secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See Material Security to learn more or to book a demo. That's Material dot Security. We thank them so much for supporting security now. Material.security I love. You know, I love our advertisers because I can tell people about something that's really of real value and use to them. You know, it's not just another toothpaste. It's great. I love it. All right, Steve, let's find out about this ETH security report. Because I have to admit, when I sent this to you the day before the show last week and I was a little nervous, I was a little worried.

B (133:33)

Okay, so way back in the early days of this podcast, we talked about the technology to securely backup and securely store our data in the cloud. Of course, back then what we had were remote storage providers and clouds were white, puffy things that slowly drifted across the sky. No one was calling anything and everything that was remote a cloud back then, but that's what we have today. At the time, I crystallized the concepts surrounding the only sort of Encryption that made sense using the abbreviation which has kind of become famous on the podcast tno, which was short for Trust no one. This was repurposed from a prominent poster on the wall of the of X Files Agent Fox Mulder. Of course Mulder was famously paranoid, so a poster reminding him to trust no one made sense. It also made sense for anyone who might be considering sending their personal and private contents of their PC off to a remote server. And of course these days what could be more personal and private than our passwords? Like all of our passwords. But the underlying concept behind TNO encryption was simplicity itself, which was, you know, part of the reason that it took hold and there was some appeal there. The idea was that any and all data that was going to be sent off site would first be encrypted using a secret key which would never be shared. So that all of the, all that the remote storage provider would be receiving and storing on our behalf would be a massive blob of pseudo random data. You know the alternative we was sort of the simpler approach, right? We, we send our data and we trust them to encrypt it for us. It's like, oh no, we'll be storing it encrypted, don't you worry. No, no, we're going to encrypt it here and then we're going to send you a blob of noise and you just hold that for us in case we need it later. So as we know, right, regardless of what is fed into properly designed encryption, what emerges is indistinguishable from that pseudo random noise. Then later we used another abbreviation, PI pie, which stood for pre Internet encryption. Same concept, you know, you would all, you would always encrypt anything you cared about before it ever left the domain of your machine to be sent out over the Internet. And along the way we also examined the more technical details of how all of this should be done. We looked at the need for the user's password to be strong and at the use of PBKDF password based key derivation functions to significantly impede the use of brute force password cracking technologies and techniques. What I want to point out is that all of this is extremely straightforward. We talked about it 20 years ago. It's, it is simple to do and it is utterly bulletproof. It works and it works perfectly. Nothing we talked about back then was difficult to implement then or now. So what's the problem? How did we, how can today's contemporary password managers that all rightly require the most state of the Art security available still be having trouble of some sort today with something as simple as those concepts of TNO and piece. That question has two answers, practicality and feature ITIs. In the in the case of today's password managers, it's the need to go from a dead simple, rudimentary and utterly secure system concept, which is what we had with our TNO piece, and evolve it into a workable and practical solution. Suddenly it's not so simple. For example, in the pre Internet Encryption Trust no.1 backup solution which we discussed in the early days, what would happen if our user's hard drive crashed, they needed their backup, but they'd forgotten their password. Trust no one cuts both ways. If you have truly trusted no one else with anything, then the well known abbreviation that comes into play is sol. You know Leo, you'll be able to relate to this. You have a bitcoin wallet containing a now valuable bitcoin that's protected by a long forgotten password. The good news is that it is super secure. No one is gonna open the wallet without its password. And that's also the bad news, you know, since. Since that no one includes you. Exactly. So what our original super secure system back then is missing is any form of password recovery. You know, yes, this super simple system is completely secure, but it is also completely unforgiving. We know that any practical password manager for the masses must necessarily provide some means for dealing with the inevitable I forgot my password for my passwords. But what's also inevitable is that the moment we start adding such get out of jail features, we invariably start chipping away at the pristine security we originally enjoyed. It is exceedingly difficult to have it both ways. There's also the pressure to maintain feature parity among the competing password managers by offering some form of friends and family sharing. And if all that wasn't challenging enough, the password managers have also been confronted with rapidly evolving cryptographic cracking technology. This often requires backward compatibility with earlier releases. We saw LastPass stumble badly over this with the need to increase the their client side PBKDF iteration count while being reluctant to force their original users to

A (140:57)

keep up with the times it was one iteration.

B (141:01)

Yeah, every additional feature increases the complexity of the system, and we know that complexity is the enemy of security. Today's password managers are not only bristling with features, but they're also under continual pressure to match each other's features, since many users will make their choice of password manager from a feature comparison grid while considering little else. All of this made password managers a terrific subject for the group of Swiss security researchers who decided to dig into the operation of three password managers to learn whether and to what degree the addition of all these extra bells and whistles may have come at the cost of their users security. So here's what the team wrote in the overview abstract of their 28 page research findings. They said zero knowledge encryption is a term widely used by vendors of cloud based password managers. Although it has no strict technical meaning, the term conveys the idea that the server who stores encrypted password vaults on behalf of its users is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches as evidenced by history of attacks upon them. And we saw that LastPass lost control of theirs right? They wrote. We examined the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge encryption claim Bit Warden, LastPass and Dashlane. Collectively they have more than 66. 0 million users and a 23% market share. We present 12 distinct attacks against Bit Warden, seven against LastPass and six against Dashlane. The attacks range in severity from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organization. And I need to say with lots of conditions which you know, they don't want to talk about in their abstract but you know they had to really it required a whole bunch of other things to be true, they said. The majority of the attacks allow recovery of passwords. We've disclosed our findings to the vendors and remediation is underway. Our attacks showcase the importance of considering the malicious server threat model for cloud based password managers despite vendors attempts to achieve security in this setting, which again I've said is difficult because we're asking so much of them, they said. We uncover several common design anti patterns and cryptographic misconceptions that resulted in vulnerabilities. We discuss possible mitigations and also reflect more broadly on what can be learned from our analysis by developers of end to end encrypted systems. Okay, so the malicious server model certainly is the one we want. It's the model that was explicit in our original foray into TNO. The no. 1 who we were not trusting was the entity who was holding our encrypted data backed up, although all of the responsibility for not losing the decryption key was ours. In return for that responsibility we obtained the warranted guarantee of our invulnerability. The beginning of their introduction sets the stage and also shares some additional statistics about the market share of the native built in browser based solutions which these guys are competing with, right? They wrote despite the rise of alternative authentication methods, meaning for websites, users today still have to deal with passwords often numbering in the hundreds. Password managers help to tame the problem by providing a tool to securely store passwords, reducing the challenge of remembering many passwords to remembering just the one master password for the password manager. Cloud based password managers outsource the storage to a remote server under the control of a service provider. At an abstract level, a user's passwords are collected in a single object, which is then encrypted by the user's client under a cryptographic key derived from the user's master password, creating an encrypted vault. The client then uploads the encrypted vault to the server. When a user wishes to access a password for a particular service, their client authenticates to the service, retrieves the encrypted vault, and decrypts it locally with a user provided copy of the master password. Importantly, in solutions of this type, the service provider does not see the vault plain text and therefore does not immediately learn the user's passwords or other sensitive data. This is akin to the situation with end to end encrypted cloud storage, and while the terms end to end encrypted or client side encryption are sometimes used by vendors in this space, the most commonly used term is zero knowledge encryption. The term zero knowledge of course has a specific technical meaning in the context of interactive protocols, but here the term is being used with a different meaning. As we shall see, the cloud based approach has multiple advantages. Users can access their encrypted vaults from multiple devices. Vaults can store other sensitive information beyond passwords, for example Credit card data, personal documents, and so on, and the service can be extended to allow sharing of sensitive data within a family or group or organization. The Access from anywhere feature creates work for vendors who have to support access from web browsers as well as standalone applications running on different operating systems. Many vendors have offerings which allow the cloud storage element to be self hosted by an organization instead of by the vendor. Three prominent providers in this space are Bit Warden, Dashlane, and lastpass. At the time of writing, Bit Warden claims to have 10 million users, Dashlane 19 million users and 24,000 business customers, and LastPass 33 million users and 100,000 business customers. A 2024 report based on a survey of 1,000 U.S. consumers gives further insight into into the popularity and market share of password managers. The built in password managers of Google and Apple, right? Meaning Chrome and safari now represents 55% of the market, up from a combined share of only 15% in 2021. So the built in browser password market has that's in five years gone from from 15% to 55. Bid Warden and LastPass were the next two largest according to the study, with 11% and 10% market share respectively. Dash Lane now has only 2% market share, down from 7 in 2021, so it's dropped 5 points when it was among the market leaders. There's a long tail they write of smaller players in the market. So I thought it was interesting to see that the password managers built into Safari and Chrome are enjoying a 55% share of the market. And that makes sense to me, right? While I while I require strong cross platform support from my chosen password manager and the ability to store all kinds of other things, my wife doesn't. You know, she lives in Chrome on both her PC and her iPhone. I don't think she ever uses Safari and she despises Edge so her needs are fully met without the use of any additional password manager. But I use many more features of my third party password manager and I can't imagine operating without it. Okay, so what did their detailed research reveal? They wrote we give a detailed analysis of Bitwarden, Dashlane and LastPass, presenting a cornucopia of practical attacks. In the artifacts that accompany our paper we give proof of concept implementations of all of these attacks demonstrating their feasibility. The attacks allow us to downgrade security guarantees, violate security expectations and and even fully compromise users accounts. We provide a table listing the various attacks and their impacts. Worryingly, the majority of the attacks allow recovery of passwords, the very thing that a password manager is meant to protect. We group the attacks into four categories. Attacks exploiting the key escrow features used for account recovery and single sign on login attacks based on lack of integrity of the vault as a whole, attacks enabling enabled by the sharing features and finally attacks exploiting backwards compatibility. You know basically those are the categories of things I talked about. Features that that practical users want that the browsers need to provide. They said these attacks reveal common design anti patterns and cryptographic misconceptions. Lack of authentication of public keys is widespread when combined with key escrow and sharing features. Key escrow meaning account recovery. This results in the adversary being able to fully compromise vaults. Another recurring failure mode is wrongly assuming origin authentication of public key ciphertexts, leading to key substitution attacks against bit warden which have been fixed. LastPass stands out for lacking any form of ciphertext integrity using AES CBC as its main encryption mode. Okay, so by that they mean that LastPass is not authenticating its decrypted results. AES in CBC remember cipher blockchaining we talked about years ago? It provides state of the art encryption, but after decrypting there's no means for authenticating the decrypted result. That is for essentially verifying that the password you use decrypted something back into its original form. Our longtime listeners will recall the early days when we talked about the importance of authenticating and assuming that decryption and authentication would be separate steps. The question was in which order should decryption and authentication be performed today? There are very good solutions for this, you know. For example, for Squirrel's design, I chose to use AES in GCM mode, which is a lovely protocol that simultaneously provides for encryption and authentication at the same time. But today, LastPass may be stuck with their original decisions way in the past. The researchers finished their introduction by writing, thanks to legacy code and backwards compatibility exploits, we can downgrade Bitwarden and Dashlane to similarly hazardous states. We also show that integrity is only achieved for single fields in individual items instead. At the vault level. This enables cut and paste attacks within items and across the vault. Such attacks can often be chained to compromise the confidentiality confidentiality of the vault as well. These attacks work even when proper authenticated encryption is used. They're possible because of insufficient key separation and vaults with complex structures and are lacking and or a lack of cryptographic binding between data and metadata. So what all of that means is that no matter how much you may want to, and no matter how well intentioned you may be, just it's just not possible to check your own work. It truly is necessary to have highly motivated, high, highly skilled and highly creative security researchers who want to find problems, and who have no ego stake in not finding any problems. Which is why it's virtually impossible to check your own work. Scrutinizing these products that have become as complex and feature laden as today's password managers have requires an extreme level of focus and desire to find problems. What they found were extremely complex, and I don't see any point in spending more time digging more deeply into the specific problems they found since they've been corrected. But we're all better off as a consequence of that. The problems were always predominantly theoretical in the first place. Since they depended upon some form of deep compromise of the provider server side infrastructure. We know that that did happen with LastPass, so it's not like it's impossible. But even those issues have now been addressed. To my mind, this is a classic case of the safest security solution is the one that's been heavily challenged and audited by the industry's top security researchers. So I feel more confident than ever with my choice of bit warden as my password manager. All three of these password managers are better today as a result. And I should mention that the reason those three were chosen, as I said before, was due to the availability of, of at least some of their client side code being made available by their publishers. They, that's one of the things that they mentioned in their 28 page paper was that's why these three were chosen. So you know, Leo, I agree with you completely. It, it absolutely does make sense to, to use a, a, a password manager. That's, that makes it easy for security researchers to deeply and fully understand and scrutinize. And none of them does that more than bit warden.

A (157:16)

What, so what kind of remediation can they pursue for this? I mean, is it obvious how to fix this problem? I mean it seems to me that if somebody has a malicious server with your vault on it, there's all sorts of mischief, right?

B (157:33)

So, so they're, they're making changes in, in the way that their lower level protocols were working. They were not doing some verifications that they could have been doing. So they, you know, what they were doing was secure. But they didn't, they, they themselves didn't have an, they, they weren't thinking of being an adversarial server because they're not.

A (158:03)

Right?

B (158:03)

It's, it's very much like the interpreter. You know, we've always talked about how dangerous, how difficult it is to, to deserialize a JSON object, for example, or, or, or, or to decrypt an, an MP4. It is an interpreter and the people writing it are assuming that you're, you're, you're, you're feeding in a valid file, not something that's malicious. So they implemented their server side infrastructure knowing they weren't the bad guys. And so it's just impossible. It's just, it's impossible for them to imagine. But what if we were the bad guys? You know, and it took, so it took a third party research group to say, oh, we are the bad guys. What kind of mischief can we get up to? Right? And so, so what was needed was additional Additional steps of validation and verification to prevent something that Bitward knew they would never do.

A (159:07)

Right.

B (159:08)

But they didn't ever consider, well, what if somebody else did?

A (159:12)

It's, it's the same thing as zero trust. Right?

B (159:15)

Yes.

A (159:15)

You should never assume that you have full control of the, of the environment.

B (159:21)

But it's so difficult to put yourself in that mindset.

A (159:26)

Right.

B (159:27)

And I've talked about like debugging my code where my code, you know, has a bug. I'm staring at it and I'm, I'm like looking at it and it's good to me that much there. I, I cannot see it and it's not until I step to the problem and it goes, I go, oh. Then I see it. They're just a, there's a weird mental block. And so it really does take a, you know, a third party. And so I'm delighted these guys, you know, went to all the trouble and more power to them. Thank you for the research. I hope you get lots of credit because you know, you, you did, you did the industry a favor. You did all of, all of we who are using Bitwarden, you know, a great service and Bit Warden, as you said, stepped right up and thanked them for their, the research and are implementing fixes for, for the, the, you know, the lack of verification that they didn't need but they could understand would be necessary if a bad guy took their place.

A (160:35)

Right. Good. So there's not cause for concern. In fact, this is cause for celebration. This is a. Yeah, this is a useful piece of a better result that all of the three. I hope all the three companies will act on and improve it. Is there anything I as a user can do to protect.

B (160:54)

Nope.

A (160:55)

Not using Argon 2 or increasing the iterations or anything like that. None of that's going to help.

B (161:01)

And it's interesting too. I wonder if you'd be better off self hosting like doing your own server infrastructure.

A (161:10)

I don't think so. Only because I don't think I'm a as this is not my full time job and presumably the people running the networks for these companies are. This is their full time job and they know what they're doing.

B (161:22)

Yes. You have to imagine that, that the security that they have surrounding their infrastructure.

A (161:29)

Right.

B (161:29)

You know, they've thought of, you know, everything they could possibly, possibly do and now even more.

A (161:36)

Yeah, I mean self hosting and in effect that's what you're doing. If you're using the browser's password manager, you're assuming that your system is secure for a Long time. Chrome didn't even encrypt the passwords. They said, well, if somebody has access to your system, it's game over anyway. Game over anyway. They do now. Yeah. It's an interesting question. I mean, honestly, if you know nobody's going to ever be in your house, writing them down in a little book is probably the best thing to do.

B (162:05)

But you can't write those down anymore.

A (162:07)

They're too. Yeah, exactly. That just tempts you to make something easy to write, which isn't going to be a good password. Can we just get rid of passwords, Steve? What about that Squirrel thing? I think we need to all implement that.

B (162:18)

Yeah. It's funny how passkeys just kind of half, I mean, they're around.

A (162:24)

I use them whenever I can. They're so convenient when they're in place.

B (162:28)

I love, they are magic. But, you know, I, I, you know, they're still not the standard. It'll, you know.

A (162:35)

Now you'd have the same problem as with a password if the password vault were compromised. A pass key isn't inherently more secure than a password. Is it because there's a secret stored there or is that not the case?

B (162:47)

No, you, you do have a secret, but you're not having to share it with the server. So in, in, in the case of a password, you're giving it something that the secret that you, that you want it to keep. And with a passkey, all it can do is verify that you know the secret.

A (163:05)

But if I store it, what I'm saying is if I store it in the password manager, as I do. Oh, yeah. It's vulnerable, just like a password would be. Yeah.

B (163:13)

Yeah. Okay.

A (163:16)

Would Skrill have had that same issue? Yeah, I guess it would.

B (163:19)

Yeah.

A (163:19)

Because there's a secret. The password manager is storing a secret in effect.

B (163:22)

Yeah, yeah. In fact, Steve Gibson, they were pass keys. The secrets are more distributed with Squirrel. I mean, you had one master that ran the whole galaxy and, but on the other hand, I went to extremes to protect it, so.

A (163:39)

Right. Steve and I are going on the road. So a couple of program notes. We will be doing the next security now, Sunday, right before Twit. Is that noon? We're going to do that? I don't remember what time.

B (163:50)

I think it's 1pm I better check. I think Lisa said 1pm When I

A (163:56)

asked her for Sunday. Yeah. Unless you make it a very short show because twit's at 2, so I better check.

B (164:04)

Maybe it's 11.

A (164:06)

Might be 11. That would make more sense. That would give us a time to do a full two and a half hour show and still have time for twits. So let's make an 11 shall.

B (164:16)

She's gonna kick me because I asked her. She said we already decided this. I was like, oh, okay. Right now. Now I remember.

A (164:23)

So we will stream it. We'll do it just like we do security now. It just, It'll be Sunday, March 1st

B (164:28)

at 11am There it is.

A (164:30)

March 1st, 11am we'll celebrate a new month.

B (164:32)

Just kidding, Lisa.

A (164:36)

I'm not worried about Lisa. I'm worried about Lori. But anyway, thank you Lori for letting us steal steal Steve's brunch time. Okay, I'll have, I'll have mimosas ready for you, Steve.

B (164:46)

And then email will go out to all 20,000 plus listeners who are on the security now mailing list before that.

A (164:53)

Right. And then we're going to get in an airplane, a big old jet airplane and go to Florida, Orlando for Zero Trust World Threat Lockers. Really great security conference. I'm looking forward to it. Some great keynote speakers, including I'm really excited to see a guy we spent a lot of time talking about. Oh, what's his name? Well, first of all, Adam Savage. Marcus Hutchins will be there. Oh cool. Yeah, so we can talk to Marcus Hutchins. Adam Savage is speaking. My friend David Spark, Linus of Linus Tech talks. So in fact the whole Linus Media Group I think is going to be there. So now I'm thinking we maybe aren't going to be the stars of the show but we, we will be doing a presentation. The last event on Tuesday, March or sorry Wednesday, March 4th. Yep, we're the last event of the day and then there's a nice party afterwards, cocktail party afterwards. So we will see you at Zero Trust World. I hope you are going and otherwise we will back be back here a week from Tuesday or the next screen now after the next one. So 1068 will be back on Tuesdays. We normally do these Tuesdays right after Mac break weekly, which is 1:30, usually 1:30 Pacific, 4:30 Eastern, 21:30 UTC. Although now that I think about it, 10:68 will be on March 11th which will be after we switch back to daylight saving time. So it'll be 2030 UTC. I know.

B (166:39)

And are we going to increment the podcast number for the threat logger?

A (166:44)

Maybe it'll be 1069. I don't know. Yes, because we are going to do a, we are going to make a podcast out of the presentation Steve's doing at Zero Trust World. So you'll get to hear it even if you're not at Zero Trust World. I don't think we'll give it a security now number. We'll give it a twit.

B (166:58)

Everybody or club only.

A (167:02)

You know, we should have probably had the conversation. I'm going to say everybody, I'm going to make an executive decision. I think I have the power to do that.

B (167:13)

Everybody should make everybody else happy.

A (167:15)

Yeah, yeah, everybody should get to hear it. So I'm not. But I, I, I'll tell you, we'll tell you next week what, where it's going to be so you can hear it. You can also get the show after the fact. Steve's got unique versions at his website. He's got the 16 kilobit audio, the 64 kilobit audio. He's got the show notes that he writes, very extensive show notes. That's a great thing to have. He's also got the transcript, very nice transcripts written by humans, a human in particular, Elaine Ferris. So thank you, Elaine, for doing that, all of that. @grc.com, while you're there, pick up a copy of Spinrite, the world's best mass storage, maintenance, recovery and performance enhancing utility. Version 6.1 is out. You'll also be able to stuff your next DNS with weird long random numbers if you get the DNS Benchmark Pro, which is now available. A great way to see if you're using the fastest DNS server available to you. And it's different for everybody. That's why you need a copy of it on your own, where you are. Yep, all of that. @grc.com you can come to our site for the 128 kilobit audio or the video of the show. That's TWIT TV SN. There is a YouTube channel dedicated to the show. And if you do want to share a clip of the show with friends, family, co workers, bosses, that's probably the easiest way to do it. You just clip it on YouTube, you know, send them a link with that time code. Makes it very easy for them to watch it. So we encourage you to do that, spread the word. And of course you can subscribe. Best thing to do is subscribe in your favorite podcast client. That way you'll get it automatically the minute it's available. And if you do that, please leave us a nice review. Tell the world about security now. Yes, Ms. Laporte. So it's 11:00am yes, we figured that out.

B (169:01)

And 1068 will be the special.

A (169:04)

Ah, so Lisa has clarified. 1068 will be the special. 1069 will be this episode on March 11th. What?

B (169:14)

And we do need a mic check on Tuesday.

A (169:18)

Tuesday, mic check. I figure she'll drag me to that. I don't need to remember that. Thank you, Steve. Have a wonderful night. We'll see you all, everybody. Next time on Security Now. Bye.

B (169:29)

Bye.

A (169:30)

Hello, everybody. Leo laporte here. You know what a great gift would be, whether for the holidays or at just any time? A birthday, A membership in Club Twit. If you have a Twit listener in your family, somebody who enjoys our programming and you want to give them a nice gift and support what we do, visit TWiT TV club TWiT. They'll really appreciate it and so will we. Thank you. Twit TV Club Twit security Now.