Malware Disguised as a VPN
Leo Laporte
It's time for Security Now. Steve Gibson is here. Lots to talk about this week. We need a caption for our photo of the week. Maybe you can help. A social media company, another one, says no to strong encryption. That's not a good sign. There is a problem with proxies serving malware, and it might even be coming from your router. We'll tell you how to find out. And then he's going to talk about his experience using CISA's Internet scanner. All that coming up next on Security Now. This episode is brought to you by OutSystems, a leading AI development platform for the enterprise. Organizations all over the world are creating custom apps and AI agents on the OutSystems platform, and with good reason. Build, run and govern apps and agents on one unified platform. Innovate at the speed of AI without compromising quality or control. OutSystems is trusted by thousands of enterprises worldwide for mission-critical apps. Teams of any size and technical depth can use OutSystems to build, deploy and manage AI apps and agents quickly and effectively without compromising reliability and security. With OutSystems, you can accelerate ideas from concept to completion. It's the leading AI development platform that is unified, agile and enterprise-proven, allowing you to build your agentic future with AI solutions deeply integrated into your architecture. OutSystems: build your agentic future. Learn more at outsystems.com/twit. That's outsystems.com/twit. Podcasts you love from people you trust.
Leo Laporte
This is TWiT. This is Security Now with Steve Gibson, Episode 1070, recorded Tuesday, March 17, 2026: CISA's Free Internet Scanning. It's time for Security Now, every Tuesday. I know you're looking forward to this and I am too. We get together with this guy right here, Mr. Steve Gibson, our security guru, talk about the latest news, and there is always a lot of security news.
Steve Gibson
It is true, Leo. A small, very small subset of the world looks forward to sometimes this Monday morning or I mean Wednesday morning, typically,
Leo Laporte
You know, well, let's put it this way. When we were last at Zero Trust World a couple weeks ago, I think there were 1800 people in our audience. We have, you know, I don't know,
Steve Gibson
maybe
Leo Laporte
eight times that for every show. So it's a lot more people who are listening today than were there in the... although, with a live audience, you're very aware of them. A podcast audience, we don't know.
Steve Gibson
Yeah. Although, as you'll see, this week's Picture of the Week issued a caption-the-photo contest. Ah, so, you know, I invited our listeners to caption this photo early and boy, did I get replies. Well, 20,191 pieces of email went out Sunday saying, we got any ideas? Oh boy, did I, you know, yeah, I got ideas back, so.
Leo Laporte
All right, well, we'll see that in just a second.
Steve Gibson
This is episode 1070. We're crossing over the middle of March. It's the 17th. I decided that I wanted to share the results from my first successful interaction with CISA's free Internet scanning because I'm now in a position to know what it is and to be able to recommend it without reservation to anybody who's got more than one IP that is, you know, DHCP-issued by their ISP: small, medium, large enterprise. I qualified, and as we know, I'm not running anyone's water filtering for the municipality or anything. I'm just GRC. But so it turns out that that barrier which they talk about, as this is for, you know, government agencies, local, state and federal, you know, no. Commercial enterprises are considered infrastructure in a very broad definition. So anyway, I'm going to tell everybody everything that I came away with from that, and also what it found in GRC's network. Okay, I knew about it, but still it was interesting, and it was a little bit of a cry wolf. But we're going to talk about the picture of the week, of course. Also, a mega social media company has decided to say no to their own strong encryption on their own messaging, which is interesting. Yeah. And what does that mean? WhatsApp is going to give parents more control, which we'll discuss. I think that's also good. Consumer bandwidth proxying, that we were just talking about in the context of that Bright Data sort of semi-slimy smart TV API, turns out it's becoming a big deal, and I guess in retrospect not that big a surprise, that is, consumer bandwidth proxying. Also, Meta has purchased the Moltbook founder duo. Try to say that three times. We'll talk about that. The EU has given up and is settling upon a compromise with that controversial chat control. Oh, and it turns out that ransomware negotiation may not always be what it seems, which should come as a surprise.
CISA is compelling federal agencies to submit their logs to them. Also, is that a VPN in your pocket? Or maybe is that something more malicious? We're going to answer that question. Also, be very careful about what you download thinking that it might be AI. Once again, bad guys jump on anything that is popular, taking advantage of the enthusiasm of the moment. We've got a super clever and also worryingly simple means of bypassing AV scanners that a security researcher came up with. I'm going to answer the question that I keep getting from our listeners, which is whether AI will be writing code for me, and I've got an interesting couple of well-informed postings to share about that, followed on the heels of another listener of ours discovering the joy of AI. And then I'm going to share my experience with CISA's free Internet scanning and unreservedly promote it to our listeners' enterprises. I just can't think of a reason why anyone who was able to and was qualified wouldn't want to enlist another set of eyes looking at and confidentially reporting what they see from the outside. So I think, Leo, maybe it's worth tuning in this week.
Leo Laporte
Well, you've done so already, so it's too late. And I should mention it is St. Patrick's Day, so I shall be disappearing from time to time to check my corned beef to make sure it is doing its thing.
Steve Gibson
And are four-leaf clovers a result of Chernobyl radiation, or do they occur in nature, I wonder?
Leo Laporte
Well, they do occur in nature. I know that because we had them before Chernobyl. But I wonder if there are more of them than there used to be.
Steve Gibson
Aren't they normally three?
Leo Laporte
Normally the three. They are a mutation, I believe. Yes.
Steve Gibson
You know, Mark Thompson went to Chernobyl with a group, like he thought that would be a cool place to go walk around. And he did report that there seemed to be an abundance of four-leaf clovers.
Leo Laporte
So that's a very interesting experiment.
Steve Gibson
What made me think of it?
Leo Laporte
Yeah, we will get to our picture of the week and your caption contest in just a moment. But first, a word from our sponsor, DeleteMe. Let me tell you, folks, if you've ever searched for your name online, if you've ever wondered how much of your personal data is out there on the Internet, it's a lot more than you can possibly imagine. Your name, your contact info. Steve and I did this, I don't know, about a year ago after a big breach, a big data broker breach, found our Social Security numbers, home addresses. You know, it's not illegal to sell somebody's Social Security number. That seems like that should be illegal. It's not. Last week we had Cindy Cohn, who's the executive director of EFF, on. She's written a new book about privacy, Privacy's Defender. And we talked about why we do not have comprehensive privacy legislation in this country. We do not have that protection. Well, fortunately, we have DeleteMe. Okay. I mean, the bad news, it's completely legal for data brokers to collect all this information about you, your family members, your employees, and then sell it online to anybody, anybody who wants it, including foreign nationals, law enforcement. It's not just marketers anymore, hackers. Of course, this can lead to terrible consequences. Identity theft, phishing attempts, doxxing, harassment. But now you could protect your privacy with DeleteMe. I think everybody should be doing this. We first became aware of DeleteMe when Lisa was phished. There were text messages sent out on her behalf. So they used her name and phone number, and they knew about her direct reports and what their phone numbers were, and they were able to text them, saying, oh, I'm stuck in a meeting right now. Can you buy some gift cards and send them out?
Steve Gibson
So impersonation. Attack.
Leo Laporte
Impersonation, that's the word. That was an eye opener. Because immediately I saw they know way too much about our corporate structure. So I think every business should have DeleteMe for their middle management, their upper management, to avoid this. This certainly helps a lot. And it's something we've been subscribing to for a long time. In fact, you know, every couple of weeks we'll get a DeleteMe email, which is great, telling you what they found, what they've removed. DeleteMe is a subscription service, so it's not a one-and-done. It will remove the personal information you specify from hundreds of data brokers. There are more than 500 at last count. New ones every day. So it might even be more than that. You sign up, you provide DeleteMe with just... you tell them what you want removed so they don't remove too much. Right? Just, I don't want my social out there, that kind of thing. I don't want my phone number out there. Their experts will take it from there. They will go one by one and get your stuff gone. And then, as I said, they'll send you regular personalized privacy reports telling you what info they found, where they found it, what they removed. And they will do this again and again because data brokers are like cockroaches. You can't just exterminate them once; they come back. And there's new ones all the time. You need DeleteMe to constantly work for you. They always are monitoring. They're always removing the personal information you don't want on the Internet. To put it simply, DeleteMe does the hard work of wiping you, your family, your employees, your management's personal information from data broker websites. So take control of your data. Keep your private life private. Sign up for DeleteMe. We've got a special discount for our listeners. This is on the individual plans. You'll get 20% off your DeleteMe plan. joindeleteme.com/twit, so that URL is very important. Join DeleteMe. Use the promo code TWIT at checkout.
The only way to get 20% off is to go to joindeleteme.com/twit and enter the code TWIT at checkout. That's joindeleteme.com/twit, code TWIT. We thank them so much, not only for supporting Security Now and the good work Steve does here, but for helping keep us private and safe on the Internet.
Steve Gibson
So, Leo, before you look at the photo, I will just tell you that all I wrote across the top of it was "Security Now's Caption That Photo Contest."
Leo Laporte
Okay.
Steve Gibson
And when you scroll up, you'll see why.
Leo Laporte
Oh, boy, oh, boy. Now, we were talking about this. I don't know where this is, but Paul Thurrott and I were talking about this in Mexico. He lives in Mexico City. This is what the phone poles look like, because if something doesn't work, they don't figure out what's not working. They just put a new one in. So many of these wires are probably non-functional. Tell us what we're looking at here.
Steve Gibson
Well, when I was growing up, we would have called this a rat's nest.
Leo Laporte
Yes.
Steve Gibson
And it is someone atop a. It's hard to describe this as a telephone pole, although these look like phone lines coming in.
Leo Laporte
There's one in there somewhere, I think.
Steve Gibson
And look, there's like boxes hanging from wires and various-size junction containers. And I do notice that there's a lot of loopage, you know, like rolls of wire that are hanging. It would be really interesting to actually know where. Now, as you noted, when something goes wrong, they just string another one. It's difficult to imagine that this actually functions, and one wonders how long ago this began, and to allow this to occur. It's just... Anyway, so in response, all I said was... I didn't even have a chance to talk about it in the email that I sent out, but our 2191 recipients said, oh, I got a name for that. And so the responses have been pouring in, in response to something that came in early that gave me an idea for what I think is gonna probably... I'm gonna suggest as the winning caption, but we will see next week. In the meantime, for those who are just listening to this, I don't think I could adequately prepare you for what you would actually see if you saw the photo in this week's show notes. It is beyond insane. And Leo, how did he get up there? Like, he must have had a crane plant him on the top of this, because you can't climb the... well, I guess you could climb the side, but then who knows how many wires you'd pull loose. So.
Leo Laporte
Wow, that's amazing.
Steve Gibson
Yeah. And I've had this photo in my Picture of the Week candidate pile for quite a while, and finally I thought, okay, let's just see what our listeners think about this. Okay. So last week the news, and we talked about this of course, was that TikTok had decided and formally announced that it would not be adding end-to-end encryption to its already controversial enough short-format video sharing platform. Right. They said that, that is, TikTok said that we want to enhance our users' security, and doing that means being able to screen the content that our users are sharing and prevent illegal content from being shared. So they said that. Then, somewhat surprisingly, last Friday The Hacker News reported that Meta, of all people, or all groups, all companies, had announced their somewhat similar plan to back encryption out of Instagram. What? So The Hacker News wrote, Meta has announced plans to discontinue support for end-to-end encryption for chats on Instagram after May 8, 2026. So I guess this was like a 60-day notice, right? March, April, May. They said the social media giant said in a help document, quote, if you have chats that are impacted by this change, you'll see instructions on how you can download any media or messages you may want to keep, which I thought was interesting. How is keeping messages relevant to ending end-to-end encryption? Maybe they're just going to start over, I don't know, like get rid of everything that has been in the dark that they haven't been able to see, so that from now on any new messaging will be without end-to-end encryption. Anyway, they said, if you have an older version of Instagram, you may also need to update the app before you can download your affected chats, unquote. The Hacker News said when reached for comment, this is what Meta had to say. Quote, very few people were opting in to end-to-end encrypted messaging in DMs, so we're removing this option from Instagram in the coming months.
Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp. Okay, they said. The Hacker News said the American company first began testing end-to-end encryption for Instagram direct messages in 2021 as part of CEO Mark Zuckerberg's, quote, privacy-focused vision for social networking, which we all remember at the time. They said the feature is currently only available in some areas and is not enabled by default. Then they said, weeks into the Russian-Ukrainian war in February 2022, the company made encrypted direct messaging available to all adult users in both of those countries. The development comes days after TikTok said it does not plan to introduce end-to-end encryption to secure direct messages on the platform, telling BBC News that the technology makes users less safe and it wants to protect users, especially young people, from harm. Last month, Reuters also reported that Meta proceeded with plans to adopt encryption to secure messages in Facebook and Instagram despite internal warnings in 2019 that doing so would hinder the company's ability to detect illegal activities such as child sexual abuse material, you know, CSAM, or terrorist propaganda, and then flag those illegal activities to law enforcement. They said end-to-end encryption has been hailed as a win for privacy as it ensures that only communicating users can decrypt and read messages, thereby locking out service providers, bad actors and other third parties from accessing or intercepting the data. However, law enforcement and child safety advocates have argued that the technology creates a safe space for criminals as it prevents companies from complying with warrants to turn over message content, a problem referred to as the going dark phenomenon. This year, the European Commission is expected to present a technology roadmap on encryption. We'll have a little more to say about that in a minute.
To identify and evaluate solutions that enable lawful access to encrypted data by law enforcement, good luck with that, while safeguarding cybersecurity and fundamental rights. Okay, so I think this is interesting, and I wonder whether this signals the start of a gradual backing away from providing strong encryption to consumers on the mega popular generic platforms. I doubt whether most lawful users of TikTok, Instagram or even WhatsApp really care all that much about encryption. Sure, if they can have it for free, and if it's built in, and if it doesn't cause them any trouble or headaches, sure, okay, fine, they'll take it. But is even a single person going to walk away if it's removed? I doubt it. While there was an initial rush on the part of publishers to provide it, you know, like in 2019 with Zuck's big privacy-first business, I don't think it's ever been shown that there was any actual consumer demand. Anyone who really wanted secure messaging, after all, could switch to Signal, which is also free and where Meredith maintains unflagging vigilance at the gate. So, the way we're seeing things shake out, I suspect that the right solution to all the mess and pushback to this messaging, well, to the increasing prevalence of fully encrypting everyone's random messages on consumer platforms by default, is simply not to bother with it, and no one will much care. I know this will make the privacy-at-all-costs people's heads explode. But again, Signal is always available, as is Telegram, and is free for anyone who actually wants it. For those who worry about grooming and CSAM, you know, removing always-on encryption by default from the major platforms will tend to eliminate that opportunistic abuse. It won't be on, and so the bad guys can't safely do that. And in fact, eventually I think it won't even be an option.
So I'd be interested, Leo, to know, that gal, the EFF person you had on recently, I wonder, you know, what she had to say about all this. WhatsApp, however, is also moving in a parent-forward fashion. Meta also announced the addition of parent-managed accounts for WhatsApp. The accounts are designed for pre-teen children, where access to account settings will be controlled by a PIN set by the parent. Essentially, parents can control settings, lock those settings on their children's devices, their pre-teen children's devices, and obtain some control over it. The message content on the pre-teen accounts will remain private. So this is not a privacy invasion, it's a, you know, settings control lock. Parents will be able to approve to whom their children may speak, what groups they can join, and review message requests from unknown contacts. So do a little bit of sort of at-distance management of what their kids are doing, and keep their kids from changing that stuff. Basically, parental controls for WhatsApp. And I think, you know, that seems to make a lot of sense to me and seems like a good thing. Last week we looked in some depth at the company Bright Data, whose unfortunate business model involves arranging to offer end users, like not directly from them, but by virtue of streaming partnerships and smart TV partnerships, the ability to lower their costs either for streaming and/or see fewer advertisements in return for the privilege of routing third-party Internet traffic through their ISP-purchased or subscribed bandwidth and thus using their residential consumer IP address. And as we noted last week, there's only one conceivable reason for doing this, which is to allow those third parties to mask their identities and hide whatever their purpose may be among the world's broadly distributed consumers.
The issue of consumer proxies was again in the news after we talked about it last week, for another reason. Risky Business News late last week opened by writing: American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort, the latest such crackdown against proxy providers over the past years. And again, this is like a growth interest on the Internet, this idea of proxies, because the Internet is getting much better about filtering, and proxies are a way to bypass filtering. Risky Business News wrote the service, this SocksEscort service, had been running since 2021 and rented access to more than 369,000, so more than a third of a million, different IP addresses, not all at once, but across its entire lifetime. So, you know, they came and went over time. Generally there were several tens of thousands at any given time. According to the FBI, they write, Europol and Dutch Police, SocksEscort was a front for a malware operation that infected modems and home routers. In other words, unlike Bright Data, which is hopefully an above-board, only with user permission and hopefully with user understanding, asking to reuse consumer bandwidth, this is malware. These are, you know, leveraging router vulnerabilities in order to get these proxies installed and then obtain persistence. So in other words, malware proxies, not benign bandwidth bouncing proxies. They were maliciously installed without their host's knowledge or permission to form a proxy botnet. Of course, we've talked about proxy botnets through the years, because this IP-based blocking, as I said, has been growing and the bad guys are needing to obscure their bandwidth. The article continues, writing Lumen's Black Lotus Labs linked this group to a botnet it discovered in 2023.
Named AVrecon, the botnet never grew to an extremely large size but managed to maintain, they write, a healthy pool of IP addresses it could rent out to its customers, most of which were other cybercrime operations needing ways to hide their attacks inside the infrastructure of residential Internet providers. Europol linked the service to ransomware deployments, DDoS attacks and the distribution of child sexual abuse material. It also estimated that SocksEscort operators made more than 5 million euro from renting their infected IPs, which they noted is quite the sum for a service as simple as, you know, proxying. On the day of the takedown, they write, the FBI published an advisory with tips on how telcos and consumers can protect their devices and prevent them from ending up as nodes in proxy networks. It also published advice on spotting and removing specifically this AVrecon from residential devices. Over the past few years, they said, the US has mounted a war against residential proxy networks after several reports concluded that foreign adversaries were using infected American routers to hide their tracks. Law enforcement takedowns have targeted both private proxy networks like ORBs, or operational relay box networks, but also residential proxy providers. The difference between the two is that ORBs are typically built and managed by the threat actors for their sole use, so those are essentially proxies installed somewhere, while a residential proxy provider is a service built for an operator's financial gain, typically rented out to whoever has the money. And they finished saying past proxy-using botnets that were taken down include 911 S5, AnyProxy, 5socks, RSOCKS, Flax Typhoon's Raptor Train, Volt Typhoon's KV Botnet, APT28's MooBot, VPNFilter and others. So in other words, the idea of proxying is a hot commodity on the Internet today.
Our takeaway is that while bad guys, again, probably have very little interest in the contents of any random person's internal network, and for that we can be thankful, and let's hope that doesn't change soon, there is substantial interest in using and abusing any distributed bandwidth they are able to obtain. Being able to hide and emit their junk, whatever it is, attacks, probes, whatever, from residential IPs, from, you know, the IPs of users who have no idea that's what's going on, that's of huge value to them. In fact, way back in time, when I tracked down that kid that had been DDoSing GRC, I got the FBI to work with me. I had the IP address of a source of the attacks because the source IPs were not spoofed. We located a family a few miles from me, and I made a house call and looked at their computer. It was infected. They had no idea this was going on behind their back. They were horrified. And of course I was interested because I wanted to get a sample of this thing in order to reverse engineer it, which I did. And in return for that, I disinfected their computer for them. But that's an example of, you know, this happening behind people's backs, and nobody had any idea. So, as I said, there is substantial interest in using and abusing any distributed bandwidth the bad guys can obtain. And what we know is that substantial interest in equates to substantial pressure to get in. That is, you know, bad guys want in to people's NAT routers. So keeping the bad guys out means resisting any temptation to rely on a border router's authentication mechanisms. We see time and time again, you just can't. Any NAT router without any deliberately exposed WAN-side services is going to be inherently bulletproof if traffic is only originated from inside and is only allowed to come back in from outside when it matches what first went from inside out.
So it's a firewall unless you poke holes in it. Poking holes in it means unsolicited connections from the outside in, because, for example, you just couldn't resist turning on remote web access to your router's management interface.
Leo Laporte
I can't resist that.
Steve Gibson
Please resist.
Leo Laporte
So I use Tailscale to open up 100%. That's okay, right?
Steve Gibson
Yes, because Tailscale is outbound NAT penetration, and you are not opening... you are not able to, from Starbucks, you know, go https:// and then your home IP and be looking at your router. Oh, log into your Asus. No, no, don't do that. No, it's only if you decide to deliberately expose external management access to your router-hosted services that authentication bugs in the router's firmware can be leveraged to install and maintain proxies. So, and again, it's like everyone's false thought is, well, who would want to get into my router? Who would want to get into my network? I don't have anything. The fact that you have a router is valuable. That creates pressure to get in, because they want to set up shop and use your bandwidth and use your IP. And also you don't want your IP associated with all kinds of dastardly deeds on the Internet. That's not good for you either.
Leo Laporte
And there's some interest in, when... what does it take to get a house call from Steve Gibson? Asking for a friend. That's special treatment, let me tell you, folks. So does the proxy server run on a PC, or does it run on the router?
Steve Gibson
It's on the router. So it is, yeah. It's a little daemon that is set up in the router. It's added to the router's boot code so that it comes back alive and reaches out to a remote command and control server to establish a contact. So even with it there, it doesn't open a port. It maintains its own stealth because it reaches out to the external command and control. And then, so basically it phones home to establish a connection and then to await orders.
Leo Laporte
How, how is, how do you detect it?
Steve Gibson
You've got to look at the actual. You got to, you know, like a
Leo Laporte
traffic map or something.
Steve Gibson
Well, traffic or... I mean, unfortunately, and this is the problem, the reason I paused there is that all the ways I could think of required you to know Linux. You know, I mean, you need to look at the shell script startup stuff and go, what the heck is that? That's not...
Leo Laporte
In other words, you need Steve to come over.
Steve Gibson
So attack me.
Leo Laporte
If you reboot the, the router, is that sufficient?
Steve Gibson
Oftentimes rebooting, because a lot of these things are unable to establish... Yes. They only live in RAM. So rebooting is the first thing. Reflashing will also do it. So like, you know, if you're able to just update your firmware or re-update your firmware, that will also clear things out.
Leo Laporte
Good to know.
Steve Gibson
You know the other thing that's good to know? Leo?
Leo Laporte
What's good to know?
Steve Gibson
I know. You know.
Leo Laporte
I know. I know.
Steve Gibson
This next sponsor is good to know about.
Leo Laporte
Everyone should know about our next sponsor. I completely agree with you and I would tell you about them if I just had put the right copy in there. So hold on just a, just a moment while I get that.
Steve Gibson
Mesmerize our viewers.
Leo Laporte
Everybody look at Steve's coffee cup. Steve's coffee cup. It's so good. Our show today brought to you by Material, the cloud workspace security platform built for lean security teams. I love Material because it's not there to replace you, security teams. It's there to augment you, to make your life better. Managing security in the cloud is tough, especially in those cloud workspaces we all use now. We're a Google Workspace customer. Maybe you're a Microsoft 365 customer. It's not just phishing anymore, either. It's not the only way in. Today's email security, you know, tends to stop at the perimeter. And new attacks are hard to detect with siloed email and data and identity security tools. So Material goes that extra step. They protect the email, the files, the accounts that live in your Google Workspace or your Microsoft 365. Because effective email security today needs to do more than just, you know, block phishing and other inbound attacks. It needs to provide visibility and defense across the entire workspace threat surface. Material ingests your settings, ingests your contents, your logs. It's smart, it looks at it, and it gives you holistic visibility into the threats and risks. Not just email, but across the workspace. And then, of course, it gives you the tools to actually remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. You get phishing protection and email security, combining advanced AI detections with threat research and user report automation. So you've got all these signals coming in and you can coordinate those. You also have detection and protection of sensitive data, not just in your inbox, but shared files too, because it understands the whole workspace. You also get account threat detection and response. Somebody's trying to get Lisa's Google Workspace account pretty much every day.
This would give you comprehensive control over access and authentication of people and third party apps. Material empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for that really sensitive content, blast radius visualization for accounts, and the ability to detect and respond to threats and risk across the entire cloud workspace. Material enables organizations to scale their security without scaling their team. It's not there to replace you, it's there to make your life better. Material drives operational efficiency with its simple API-based implementation and flexible, automated one-click remediations for email, file and account issues, including an AI agent that automates user report triaging and response. Makes your life easier. Material protects the entire workspace for the cost of just email security alone, with a simple and transparent pricing model. You'll be very impressed. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. Visit material.security to learn more or book a demo. Easy to remember: material.security. We thank them so much for supporting Steve and the work he does at Security Now. That's material.security. And now back to a fully caffeinated Steve.
Steve Gibson
Recaffeinated.
Leo Laporte
Recaffeinated.
Steve Gibson
Okay, so in case anyone was wondering, Moltbook, which was that weird facility that was affiliated with OpenClaw, where only OpenClaw autonomous AI agents were able to talk amongst themselves and we lowly humans were only able to look on, gawking in wonder at the inter-agent AI dialogue, was just purchased by Meta. I assume. Actually, the guys started work there yesterday. I assume Meta's entire interest is in obtaining those two creators of Moltbook,
Leo Laporte
Matt, and one of whom is a good friend, by the way, Steve, Ben Parr, who's been on TWiT many times, and Ben. Yeah, I didn't know Ben was Moltbook or I would have had him on the show to talk about it all this time. He was kind of more stealthy than the other guy. The other guy got all the attention.
Steve Gibson
Yeah.
Leo Laporte
Anyway, congratulations.
Steve Gibson
Yes, they. And I'm sure they're being well compensated. They both started working at Meta yesterday, March 16th, in Meta's MSL, which modestly stands for... no, M is not for modest. M is for Meta. Like, literally, this is what they call themselves: Meta Superintelligence Labs, MSL. Anyway, Matt has been working on autonomous AI agents since 2023, and he launched Moltbook in late January as an experimental third space, as they put it, for AI agents. And Moltbook was built largely with the help of Matt's own personal AI assistant, which he named Claude. Clauderberg. Okay. And of course his partner in Moltbook, and now also at Meta, as you said, is Ben Parr, who is formerly an editor and columnist at Mashable and
Leo Laporte
CNET and a good friend and a
Steve Gibson
good friend of the show. Yeah, of TWiT. So apparently Moltbook continues to be available through Meta, although they indicated that they weren't certain what its future might be. So it's not clear whether they're going to bother to keep it going. But for now, it is. The typical corporate-speak statement from Meta, as reported by Axios, was that, quote, the Moltbook team joined MSL. Joining MSL opens up new ways for AI agents to work for people and businesses, unquote, which of course says nothing. And I doubt that even they know what they mean by that, but that's how these sorts of, you know, acquisitions go, where it's the people that are actually being acquired. Meta doesn't care about Moltbook at all. They just want those guys.
Leo Laporte
Although I imagine that they want to somehow capitalize on this agentic future and. Yes, and extend Facebook to agents.
Steve Gibson
Why not? God help us, Leo.
Leo Laporte
I know. I mean, the real problem with Moltbook, besides the fact that it has had a terrible security model, was that humans could get in too. So we never really knew if it
Steve Gibson
was only AI-generated dialogue. Right, right. Okay. So the good news is that the EU was unable to secure the votes needed to pass its most recent attempt to force all communication services to monitor their users' communications. I mean, we were balancing on a razor's edge there for quite a while. It's like, this could almost happen. And finally Germany reversed their previous "yeah, we think that we probably should vote," and they said, okay, no, we're not gonna. And that killed the whole thing. So what we have instead is an extension of the previous, what's been called voluntary chat control, which, you know, as I said, that's what's already been in place. Last Wednesday, 11th March, Heise Online covered this news, writing: the EU Parliament approved a renewed extension of "voluntary chat control," which is in quotes because that's not really the official name, but that's what we all call it, to combat child sexual abuse in Strasbourg on Wednesday. After the initiative surprisingly failed in the responsible committee a week ago, MEPs are now attaching clear restrictions to the extension. The regulation creates a temporary exception. This is, again, this is. Remember we were just talking about how COPPA would need to be amended, Leo, in order to allow kids to disclose that they're children. But that would be a breach of COPPA because you're not supposed to know that.
Leo Laporte
Right?
Steve Gibson
Well here we have to say that
Leo Laporte
would kind of be a hint that something's wrong here.
Steve Gibson
Yeah, we've got the same thing happening here, because you can't even voluntarily look at people's data under EU regulations. So what we have is an amendment to the regulation creating a temporary exception to the European data protection rules, allowing messaging services to scan chats for depictions of child sexual abuse. There is currently no agreement on a long-term solution, which is what the EU Commission and member states were hoping to get. Providers of messaging services, Heise wrote, may automatically scan their platforms for digital traces of child pornography. The search for adults who prey on minors, known as grooming, is also under debate. Because this violates the EU Directive on the Protection of Privacy, the EU hastily created an exception regulation in 2021. This exception regulation, which has already been extended once, is now again valid until the beginning of April and was supposed to be renewed until April 2028 at the request of the EU Commission. Last week, however, the Commission's proposal surprisingly failed in Parliament's Committee on Civil Liberties, Justice and Home Affairs. In a... they're just having all this trouble with this. In a new compromise, Parliament has now agreed to an extension until August 2027. At the same time, MEPs voted for a clear limitation of powers to search for already known material and only for users or groups suspected of concrete wrongdoing. Thus not just a blanket search of everybody. Furthermore, encrypted chats should not be affected. Well, actually, practically they can't be, because they're encrypted. A spokesperson for the Committee on Civil Liberties, Justice and Home Affairs said, quote, this exception is a temporary, strictly limited instrument that allows providers to continue their voluntary detection measures under certain conditions. The extension must also maintain end-to-end encryption. 
These restrictions correspond to Parliament's draft for a long-term solution. These will be the subject of upcoming negotiations with the Commission and Member States. Only when an agreement is reached here can the renewed extension come into force. There's currently no majority in Parliament for far-reaching surveillance powers such as arbitrary chat control. That's what we were talking about before, that Germany vacillated on and then said no. The Council of Member States has also moved away from this after a long struggle. Right. However, this does not make a permanent voluntary solution any easier, especially since it also affects the fundamental rights of EU citizens, which are protected from this. While the Commission and Member States want to make the controversial exception regulation permanent, the EU Parliament insists on significant restrictions. For example, error-prone technologies such as AI should not be used in the search for child pornographic depictions. Scanning text messages for grooming attempts should also remain prohibited. So if anybody thinks this sounds like a huge mess, then you have been paying attention, because yes, this is the EU. They're in a big scramble and confusion. They're in a pickle, boy. Yes, the good news is that saner heads prevailed, and since they weren't able to push anything forward, they at least didn't move anything backward. And companies that have been doing some of their own platform-based CSAM screening, as we know some major providers have, this gives them the cover to continue to do so without requiring them to do it, nor requiring them not to offer their own internal encryption for their users to whatever degree they wish to. So, you know, for now that's what we have, and it's probably the best that we could hope for. They're unwilling to drop it, but they are also unable to push it forward. 
So they're just extending the voluntary chat control, and maybe that'll calm down over time.
Leo Laporte
It's so telling that in both the US and the EU, any attempts to do this have to require exceptions to existing privacy laws. It's like the age verification stuff. In the US they have the, whoever it is, the Department of Commerce had to give an exception to the COPPA rules, the Child Online Privacy and Protection Act rules, because, well, if you're going to ask people's ages, that's a violation. Isn't it telling that the thing you want to do is a privacy violation? That should tell you something. Oh, well, I'm asking too much.
Steve Gibson
Yeah, there was a piece that one of our listeners sent me that I looked at, and I can't remember now what the publication was, but the people were just going crazy calling any indication of... oh, I know what it was. It was that Meta had secretly been supporting the nonprofits to the tune of $2 billion, I think that was the number, across the country for them to be pushing on behalf of the need for age determination.
Leo Laporte
Oh yeah.
Steve Gibson
And pushing Google and Apple to push this onto their platform.
Leo Laporte
They were doing this secretly because they didn't want anybody to know. Yes. That they were behind this. Yeah. Yes.
Steve Gibson
And my take is that this is where that should happen, that it should be Apple who simply allows an API to be, I mean, the user still has control. If you want to go to an age-restricted site, before that happens, a dialog pops up and says the site or the app or whatever it is wants to know if you are an adult. Do you want to give them any indication? You can say no, in which case you may not be able to go there, or you can say yes, I'm an adult, and, you know, tell them that for me. I mean, I get it, that there are people who want to give nothing, but it's just not. We also have laws throughout the world where age matters.
Leo Laporte
Yeah.
Steve Gibson
You know, children can't drink alcohol. Children, we've decided, cannot be exposed to aspects of human sexuality. You know, I mean, there is behavior that's regulated based on age that needs to get extended out to the Internet, because the Internet is here to stay.
Leo Laporte
I think that's fair, I really do. I've come around a little bit on that. Yeah, we have to find a way to make it work. And I think you're right. There is a choke point. It's Android and iOS, and that's where this should happen. Yeah.
Steve Gibson
And the beauty then is that, and this is Meta's point, and they're right, then every individual provider doesn't have to keep, you know, coming up with their own solution, because every independent solution is another opportunity for a privacy breach. And so, you know, doing things like looking at the camera and saying, oh, don't worry, we're not going to keep your photo. Well, we've already seen examples where third parties did keep people's photos and then they got breached. So yeah, I trust Apple, and I would trust Google to engineer something for Android that's as good as we can get. And yes, you could still have absolute privacy, but then you're going to lose some access to some content which your government has decided only adults should have. So you get to choose.
Leo Laporte
Yeah, yeah, I think that's fair. And it's privacy forward.
Steve Gibson
Yes, yeah, and it's as good as we can get. I mean, yes, you're going to lose some if you want access to adult-restricted content that your government, the government that you are subjected to, has said no, children can't have that. You just need to tell us that you're an adult, and the platform you're using needs to, you have to have shown that to the platform one time, let them check it, and then the platform remembers and can make that assertion on your behalf. Okay, Leo, get this. This next bit of news just made me shake my head. I'm not going to spend too much time on it, but I didn't want to let it pass without comment. CyberScoop informs us that a ransomware negotiator, right, working for the ransomware negotiation firm DigitalMint, that is, companies that have been breached and are under ransom bring DigitalMint in to negotiate on their behalf. He was also the ransomware attacker that they were negotiating with.
Leo Laporte
Oh,
Steve Gibson
So CyberScoop wrote: A 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined 75 and a quarter million dollars in ransom payments while he was working as a ransomware negotiator for DigitalMint.
Leo Laporte
Oh, this has to be a movie. Somebody has to option this. This is too good.
Steve Gibson
According to federal court records unsealed last Wednesday, five of Angelo John Martino III's alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their clients' behalf, putting him in a position to play both sides as the criminal responsible for the attack and the lead negotiator for his alleged victims. Really? You can't make this up.
Leo Laporte
You know, these ransomware guys, they're really hanging in there tough. I think you're going to need to give them some more money. I. I don't know.
Steve Gibson
Yeah, they're just not. They really sound like they're not going to give. They're hanging in there. Martino allegedly, they wrote, Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, a criminal ransomware-as-a-service group, and conspired with other, get this, other former cybersecurity professionals.
Leo Laporte
So. Oops. Oops.
Steve Gibson
To break into victims' networks, steal and encrypt their data, and extort companies for ransoms. Over a six-month period, prosecutors accused Martino of providing confidential information regarding ransomware negotiations to ALPHV co-conspirators to maximize the ransom payment. The five US-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a not
Leo Laporte
a movie man.
Steve Gibson
I know. A nonprofit, and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid ransoms.
Leo Laporte
Wow.
Steve Gibson
So anyway, CyberScoop's coverage of this continues at some length, but everyone gets the idea here. On the one hand, this obviously puts the guy who's negotiating both sides of the deal, as you noted, Leo, in the position to know exactly how much ransom his victim will actually pay.
Leo Laporte
Now just between us guys, what's the maximum you'd be willing to pay? I won't. You know, we just want to find out.
Steve Gibson
Yeah, exactly. Not that we probably know. You know, we don't want to go there, just so you, just so we know what do we have to work with now?
Leo Laporte
The.
Steve Gibson
On the flip side, the upside, such as there is, is that the negotiator is also in the unique position to know for sure.
Leo Laporte
Oh.
Steve Gibson
Whether the attackers, since that's also him, will actually honor their promise to restore the victim's data and delete any copies they might have.
Leo Laporte
I'm pretty sure if you give these guys a million dollars, they're going to give you the key I'm pretty sure that's right. I can't promise, but I have a good feeling about it.
Steve Gibson
Seems like, yeah, the way they're talking, they seem like, you know, obviously they're bad guys, but they seem like good bad guys.
Leo Laporte
This is a gutsy fella that's, well,
Steve Gibson
he's a gutsy fella in chains right now. Yeah. And boy, the article had aerial photos of his estate in South Florida, you know, and a 224-foot yacht that was working for him. So, yeah, he wasn't hurting, and he was married. You've got to wonder what his wife thought. Like, honey, you know, he doesn't really work that much.
Leo Laporte
What do you do for a living?
Steve Gibson
He closes his office door and mumbles into the.
Leo Laporte
Yeah, don't know. I got a very important meeting with myself. Just be back later.
Steve Gibson
Yeah, well, I'll let you know how it goes. So. Three weeks ago, during episode 1067, we covered the news of yet another horrific CVSS 10.0 in Cisco, courtesy of Cisco's SD-WAN product. This is that bug behind CVE-2026-20127, another critical authentication bypass in Cisco's Catalyst SD-WAN. And the reason I say another is it had an additional one back in 2020. It's hard to get those right, especially for Cisco. In this case, this allows unauthenticated remote attackers to gain admin-level access to SD-WAN controllers to compromise entire WAN infrastructures. Last Wednesday, CISA revised their previous orders, which we covered three weeks ago. Three weeks ago, CISA was saying you needed to update by such and such a time. They had a whole, you know, calendar laid out. CISA has now ordered all federal agencies to upload their logs from Cisco's SD-WAN devices to CISA's own cloud platform by next Monday, March 23. These Catalyst SD-WAN devices had been under attack, as we know, using a zero-day since, as we said at the time, and still true, 2023. Wow. And a great many of Cisco's customers have done nothing about it in the past three years. While CISA has no jurisdiction over private enterprises, it does over federal agencies. It has been given that jurisdiction. This uploading and aggregating of the logs on CISA's platform will allow CISA's people to investigate which agencies have been compromised. So, Leo, you were wondering, you asked the question, like, how would a consumer know if their router... Well, not easily, but in the case of SD-WAN logs: look, you morons, just send... have you configure your device to send your logs to our cloud platform. We will look at them for you and let you know if you've got a problem. So, and I imagine the first thing they'll do is like, why have you not updated your firmware on your SD-WAN? 
So agencies will have to configure their Cisco SD-WAN to send future logs to the same cloud logging aggregation warehouse, which is known as CISA CLAW. CLAW, the Cloud Logging Aggregation Warehouse.
Leo Laporte
Interesting.
Steve Gibson
Clawing back the data. Now, the past year, as we've talked about, has seen a huge upward trend in the use of VPN services for geo-relocation. Why? Well, right, this increase in VPN use has been driven by new regional legislation which forces providers of age-restricted content to block access based on the geolocation of their would-be visitors; thus, appear to be somewhere else. Unfortunately, a new demand and a rush to something, whatever, anything, AI, geo-relocation, you name it, whatever the current enthusiasm is, creates... you know, that rush creates new opportunities for bad guys to take advantage of the inexperience of newbies who are entering a market that's new to them. We've previously noted that this has been happening with VPN add-ons for Chrome. Microsoft Security has been tracking a group they identify as Storm-2561 which has been using search engine optimization, SEO, poisoning to provide malicious links to unwitting Windows users who are looking for VPN client software. Microsoft writes: In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network clients distributed through search engine optimization poisoning. The campaign redirects users searching for legitimate software to malicious zip files on attacker-controlled websites to deploy digitally, and here's what's interesting, digitally signed. Wait, what? Digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561. Active since May of 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. 
By targeting users who are actively searching for VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious zip files that contain fake installer files are hosted on GitHub repositories which have since been taken down. But of course GitHub, you know, engenders trust. Additionally, they said, the trojans are digitally signed by a legitimate certificate that has since been revoked. This blog, writes Microsoft, shares our in-depth analysis of the tactics, techniques and procedures, the TTPs, and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion and evade detection. We also share protection and mitigation recommendations as well as Microsoft Defender detection and hunting guidance. In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products, but instead deploy malware designed to harvest credentials and VPN data. When users click to download the software, they're redirected to a malicious GitHub repository, they say again, no longer available, that hosts the fake VPN client for direct download. Okay, so I'll note that while Microsoft keeps reinforcing that the malware has been taken down, they know as well as we do that no sooner will one set of malware be taken down than its replacement will appear. In fact, it's more often the case that multiple sets of redundant malware have already been staged on GitHub and are just waiting to be linked to when the current malware in use is removed. This allows that malware to age a bit on the platform to increase its appearance of authenticity. So a takedown of one set, while certainly useful and necessary, should by no means suggest to anyone that the threat has been, you know, in any way diminished. 
This is a classic case of whack-a-mole. And while it's true that the game must be played, it can never be won by playing catch-up. You know, another mole will always be ready to pop up somewhere else. Microsoft continues to explain: the GitHub repo hosts a zip file containing a Microsoft Windows Installer, you know, an MSI installer file, that mimics a legitimate VPN software and side-loads malicious DLL files during installation. The fake VPN software enables credential collection and exfiltration while appearing like a benign VPN client application. So, for example, an unwitting user believes they're getting a VPN. They download the VPN, install the client, activate the client. It says it's connected to the remote VPN server, and they then go to wherever they are wanting to VPN to and log in. None of that is true. So the bad guys obtain the credentials they use to log into wherever they were trying to VPN to. So it is very crafty. And I mean, this is the way enterprises end up getting penetrated and being ransomed by somebody from DigitalMint who's working for the bad guys, or themselves. So Microsoft said this campaign exhibits characteristics consistent with the financially motivated cybercrime operations employed by Storm-2561. In other words, ransomware. The malicious components are digitally signed, this was interesting, by Taiwan Lua Near Information Technology Co. Ltd. Okay. The initial access vector, they said, relies on abusing SEO to push malicious websites to the top of search results for queries such as "Pulse VPN Download" or "Pulse Secure Client." That is, you put that into Google and the first link is this bad one, they said. But Microsoft has observed spoofing of various VPN software brands, not just Pulse, and has observed the GitHub link at the following two domains: VPN-Fortinet.com and Ivanti VPN.org. Once the user lands on the malicious website and clicks to download the software. 
And again, when you go to this malicious website, you know, if you're not paying attention, if you don't know what the domain should be, it looks legit. I mean, it looks a hundred percent like, oh good, I just got to the home of Pulse VPN Secure. I'm going to download this secure client. Why wouldn't you? They said once the user lands on the malicious website and clicks to download the software, the malware is delivered through a zip download hosted at github.com/latest ver/vpn/releases/download/vpn client2/vpn client zip. Looking at that URL, it's like, okay, what's bad about that? Looks fine. So they said when the user launches the malicious MSI, masquerading as a legitimate Pulse Secure VPN installer embedded within the downloaded zip, the MSI file installs pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse Secure installation path. It's, you know, it's Common Files\Pulse Secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion. Alongside the primary application, the installer drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the Hyrax infostealer. The Hyrax infostealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command and control infrastructure. Which is how the bad guys learn how to log into, like, your enterprise that you're intending to VPN to securely. In other words, no one wants this software, any of this software, anywhere near any of their computers. It's all bad. Microsoft noted that the files were all signed. As I've been saying, no code these days can get off the ground any longer without being signed by someone. 
In this case, Microsoft also explains, writing: the MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked, of Taiwan Lua Near Information Technology Co. Ltd. This abuse of code signing, they wrote, serves multiple purposes. It bypasses default Windows security warnings for untrusted code, might bypass application whitelisting policies that trust signed binaries, reduces security tool alerts focused on unsigned malware, and provides false legitimacy to the installation process. They said Microsoft identified several other files signed with the same certificates. These files also masqueraded as VPN software. Okay, so Microsoft described this as an abuse of code signing. Okay, I suppose it's an abuse of the intent of code signing, but I'd be inclined to call it a failure of the code signing requirement to prevent the use of malicious software, because, right, the bad guys didn't abuse code signing. They used code signing to abuse the process code signing was designed to prevent. Maybe I'm splitting hairs, but what we don't know, and what Microsoft chose not to reveal here, is whether this Taiwan Lua Near Information Technology Co. Ltd. is an authentic firm whose valid signing certificate somehow got loose, but that's difficult to understand because, as we know, code signing certificates now must reside in hardware, or whether the company was always a facade which bad guys used to obtain a valid code signing certificate. Microsoft also chose not to reveal who signed their certificate. It would be interesting to know which certificate authority allowed themselves to be spoofed, and how and where exactly the required chain of enterprise existence proof failed, how this happened. Hopefully somebody at Microsoft is pursuing this, because this is exactly what's not supposed to happen. 
It's because of all these hoops that I had to, you know, go through, everything I did in order to update my code signing certificate, because you're not supposed to be able to do this. But here's a clear instance of very, very malicious software having a valid code signing certificate, and Microsoft mentions it a number of times in their write-up. The only actionable takeaway we can have from this is the annoyingly diffuse imperative to remain ever vigilant. There are bad guys scattered all around the world focused upon taking advantage of our trust or of any momentary lapse of our attention. All we really can be is as well informed and careful as possible. While we're on the subject of bad guys taking advantage of the passion of the day, I wanted to note that Bitdefender, Kaspersky and ThreatBook all recently posted independent examinations of the dramatic rise they all noted in malicious web pages offering instructions for installing AI agents like Claude and OpenClaw. I have a picture here in the show notes of what somebody would receive if they put into Google "download Claude Code." The first response that comes up, it looks like it's from developers.squarespace.com. Oh my God.
Leo Laporte
And it's like sponsored results, huh?
Steve Gibson
Exactly, Leo. And it says, install Claude Code. Claude Code docs: use the AI-powered sidebar, generate snippets, refactor logic and explore ideas in a clean interface. So you put "download Claude Code" into Google. The first sponsored result that comes up is malicious, because... and because Google, yes, it... who would not trust this? Now we know that we should not be getting Claude Code from developers.squarespace.com, but your typical user.
Leo Laporte
Yeah.
Steve Gibson
Doesn't know that.
Leo Laporte
I wonder how many people have been bit by this. That's awful.
Steve Gibson
Google labels it as a sponsored result and the branding looks authentic. Users tend to trust it, you know. So, you know, no more needs to be said other than to be careful and always go to the original source of anything you obtain from the Internet. And again, perfect instance. Why is this being done? Because right now AI is the rage, and the bad guys are going to take advantage of what everybody wants.
Leo Laporte
Oh, and when you install this stuff, you really give it full access to everything. Yeah, it's a great way to get malware into a system. Yeah, you should never Google support numbers either, for the same reason, right?
Steve Gibson
Yep.
Leo Laporte
But everybody does. What you should Google, Leo? Oh, our next sponsor.
Steve Gibson
Yeah, how did you know?
Leo Laporte
You're getting good at the segues, Steve Gibson. You better watch out. You're going to be a DJ soon. This episode brought to you by my Thinkst Canary. I love this little guy. I do love this little guy. It looks like, I don't know, a little USB hard drive, an external hard drive. It's not; sure, it has a USB cable, but it also has an Ethernet port. And that should tell you something. This here is the best darn honeypot anywhere in the world. Honeypots are phenomenally useful, but as we learned when we talked to Bill Cheswick, who wrote Stalking the Wily Hacker and wrote the very first, as far as I know, honeypot, they are also devilishly difficult to create, because you want your honeypot to be secure. You don't want it to look like a honeypot; you want it to look like something, you know, a bad guy would want to get into. And so it takes a lot of skill to write a honeypot. Fortunately, the people at Thinkst Canary have that skill. They've got decades teaching companies and governments how to break into systems. That's their expertise. They know how hackers think. And they have developed the best honeypot ever, the Thinkst Canary. This is a honeypot you can deploy in minutes. It's absolutely secure, it's written bulletproof, and it looks like the real deal. You can go into the configuration utility; it's so easy to set it up. This one's a Synology NAS, that's mine. But it could be a Windows server, a SharePoint server, it could be a Linux server, you could turn on all the services or a handful of services. It could be a SCADA device, it could be anything you want. And when it impersonates those devices, it really looks real. For instance, this has a Synology MAC address. So that's probably the first thing to look at. Well, let's see, what's the MAC address? Oh yeah, this has the exact login screen. It looks exactly like the real deal. The folks at Thinkst Canary take great pride in making very effective honeypots. 
You could make it an SSH server. The other thing you can do with it, which is really cool, is you can create files with it that look like the real deal, like Excel spreadsheets or PowerPoint documents or even things like WireGuard configurations, you know, Cisco SD-WAN configurations, anything, anything that a bad guy might want to get into. And then you could sprinkle those, as many as you want, unlimited, all over your network. Even on your cloud. I have, on my Google Drive, a few that look like spreadsheets labeled employee information, that kind of thing. The kind of thing that a hacker cannot resist. Now this is why this is great. If someone is accessing one of those lure files or brute-forcing your fake internal SSH server, your Thinkst Canary will immediately tell you you have a problem. You don't get false alerts. You get that alert via text, Slack, webhooks, syslog, there's an API, email; you can get it any way you want. When you get that alert, you know there's somebody in my network. Just choose a profile for your Thinkst Canary device, register it with a hosted console for monitoring and notifications. Then you sit back and you wait. You relax. Because the minute an attacker breaches your network or a malicious insider starts looking around your network, they can't help but make themselves known by accessing your Thinkst Canary. Now, you should have one for every network segment. You know, a big bank might have hundreds of these scattered all over the place. A small operation like ours, just a handful. But let me give you an example. Go to canary.tools/twit. For 7,500 bucks a year, you'd get five. You get your own hosted console. You get upgrades, you get support, you get maintenance, of course. Oh, and if you use the code TWIT in the "how did you hear about us?" box, you'll also get 10% off the price for life. Now, you can always return your Thinkst Canary with their two-month money-back guarantee. And you get a full refund. 
That's 60 days. And I should tell you, next month it'll be the 10th year that we've been talking about Thinkst Canary. A whole decade. I should say that during all of those years, nobody has ever asked for that refund. Ever. Because once you get one of these, you know, how did I live without it? Visit canary.tools/twit. Enter the code TWIT in the "how did you hear about us?" box. 10% off. And not just for the first year, but for as long as you have your Thinkst Canaries. Every network needs at least one of these. Many of these, really. One for every segment, I would say, at least. How else will you know if there's an intruder? This is your intruder alert. Intruder alert. Thinkst Canary at canary.tools/twit. Don't forget the offer code TWIT. Thank them so much for their support. Yeah. Steve, we're going to the RSA Conference next Tuesday. I'm very excited.
Steve Gibson
Very.
Leo Laporte
Gonna have a lot of fun. Sometime you have to come up for that. Have you ever been?
Steve Gibson
That's where I met Stina.
Leo Laporte
Oh, you met Stina coming down the escalator. That's right. That's right.
Steve Gibson
Yep.
Leo Laporte
Stina from YubiKey. Yeah. On we go with the show, sir.
Steve Gibson
Okay, so this is so. I don't know what this is.
Leo Laporte
It's so.
Steve Gibson
Is it frightening? Is it clever? Is it genius?
Leo Laporte
Is it a movie of the week?
Steve Gibson
Okay, so a security researcher by the name of Christopher Aziz of Bombadil Systems discovered a very, very clever, I say new, technique. I mean, it's always been there, but nobody thought to do this. It allows for the creation of malware-containing zip files that slide right past endpoint security tools, you know, Windows Defender and so forth, all the various AVs. In his testing, Christopher found that his simple, I mean horrifyingly simple, zip format hack would evade 98% of antivirus engines. I think one out of 55 caught it; the other 54 didn't. When Chris packaged something, a piece of known, very well-known malware, in a regular zip file, it was almost universally detected by the AV engines at VirusTotal. But when he simply then tweaked the zip file's header to claim that its file contents had been directly stored rather than compressed, nearly all existing AV tools were fooled into believing that the contents were just gibberish. In other words, they didn't attempt to decompress the contents because the header said it wasn't compressed. It's almost too easy. Christopher put up a page on his GitHub account to draw attention to this obvious-in-retrospect vulnerability. It's at GitHub.com, bombadil (B-O-M-B-A-D-I-L) hyphen systems, forward slash zombie zip. He wrote, under "how it works": AV engines trust the zip method field. When method equals zero, meaning that the file was stored, not compressed, they scan the data as raw uncompressed bytes. But the data is actually deflate compressed, which is zip's standard compression format. So the scanner, believing it's not compressed, just sees it as compressed noise, he writes, and finds no viral signatures. The CRC, the cyclic redundancy check, is set to the uncompressed payload's checksum, creating an additional mismatch that causes standard extraction tools, 7-Zip, unzip and WinRAR, to report errors or extract corrupted output, he said. 
However, a purpose-built loader, meaning a loader that knows what has been done, that ignores the declared method and decompresses as deflate, recovers the payload perfectly, he said. The vulnerability is scanner evasion. Security controls assert "no malware present here" while malware is present and trivially recoverable by attacker tooling. As for the attack vector, this is not an end-user extraction vulnerability. This is a staged delivery smuggling technique, meaning that, you know, malware, some script or something that's already running, would download this, because of this simple hack it would get into the system bypassing all AV screening, and then it would know how to decompress this back into its fully malicious uncompressed state. So he said it's a staged delivery smuggling technique. First, a malicious payload is packaged in what he calls a zombie zip with a modified header. The zip transits security boundaries: email gateways, network scanners, endpoint AV scanners read method equals zero, scan compressed noise and report "Yep, all clean." A purpose-built loader or dropper decompresses the payload programmatically; the payload materializes and executes. He says this is consistent with established malware delivery patterns, having previously been seen in ISO smuggling, HTML smuggling, CAB abuse and so forth, where attackers use custom loaders rather than consumer extraction tools. So what was affected? He said 50 out of 51 AV engines on VirusTotal were fooled. Also fooled: Microsoft Defender, Avast, Bitdefender, ESET, Kaspersky, McAfee, Sophos, Trend Micro, and so forth. He said only something known as Kingsoft detected it. So anyway, this just goes to show how some of the simplest hacks, even after all of this time, can still be among the most effective. You know, sometimes there's just no need for something to get overly fancy. 
There's, you know, some assumptions that were made, and those assumptions can be abused to the benefit of the attackers. Okay, so, Will AI Write Code for Me? Our listeners, understandably curious because I've been so impressed with things like what Claude Code is doing for people, continue to express their curiosity over my own plans for AI coding. I mean, this is, like, until this week, where I asked what the caption for that photo should be, it was probably the most often asked thing: well, Steve, when are you going to start using AI? And I'm sure that this is partly due to my having previously made T-shirts for myself which say, in white block letters on black, "Born to code." You know, and also due to my having been completely open-minded about a topic that has perhaps been more near and dear to me than anything else in my life. I have many times, as we know, Leo, celebrated your successes and experiences embracing Claude Code, and I've shared many of our listeners' similar stunned, mouth-left-hanging-open experiences when AI produced code for them that made their computer do things they never imagined they'd be able to obtain for themselves. And in fact I'll be sharing another instance of that here after this. Obviously something huge has happened. The question remains what that is exactly. As I settled down last Saturday morning to begin assembling today's podcast, I decided to log into X to see whether any of our listeners might have posted a candidate picture of the week. That's where I used to get them. The good news is everyone has largely switched over to using email, as I have. But you never know. So it was serendipitous that when I happened to check, my feed contained several posts that were completely on topic for the question of AI and coding. I don't know. Presumably Elon's X system knows of my interest in the topic and therefore dropped those into my feed. 
So the first post I want to share was written by a guy named Akash Gupta, who posts frequently on Medium (Akash Gupta on medium.com, if anyone's curious; I've got a link in the show notes with the spelling). His short bio says that he helps product managers, product leaders and product aspirants to succeed, and that clearly is his focus. His posting quotes somebody who posted on the 13th, an Arvid Kahl, who just wrote: devs are acting like they didn't write slop code before AI. So it sounds like this guy is defending, you know, AI-produced code against people who are saying, you know, it's sloppy. So Akash Gupta, who has a lot of experience with AI and product managers, says in his posting, he writes: 41% of all code shipped in 2025, meaning last year, was AI generated or AI assisted. The defect rate on that code is 1.7 times higher than human-written code, and a randomized controlled trial found that experienced developers using AI tools were actually 19% slower than developers working without them. Devs, he says, have always written slop. The entire software industry is built on infrastructure designed to catch slop before it ships. Code review, linting, type checking, CI/CD pipelines, staging environments. All of it assumes one thing: the person who wrote the code can walk you through what it does when the reviewer asks. That assumption, that is, that the person who wrote the code understands it, he says that assumption held for 50 years. It broke in about 18 months, he said, when 41% of your code base was generated by a machine and approved by a human who skimmed it because the tests passed. The review process becomes theater. The reviewer is checking code neither of them wrote. The linter catches syntax, not intent. The tests verify behavior, not understanding. The old slop had an owner. Someone could explain why temp_fix_v3_final existed, what edge case it handled and what would break if you removed it. 
The new slop instead has an approver, a different relationship entirely, he says. Arvid's right, the guy he was originally quoting. Arvid's right that devs wrote bad code before AI. The part he's missing: the entire quality infrastructure of software engineering was designed around a world where the author and the debugger were the same person. That world ended last year and nothing has replaced it yet. So I just, I like that, just as a statement, you know. And his post captures aspects of my own discomfort with using AI to create code that I'm going to put my name on. So the answer to the question of whether AI will write code for me would be: not the AI we have today. Even before this, consider this. Even before this AI coding revolution arose, I should objectively have at least been using C, right? But I'm so comfortable with assembly language, and I now have so much solid boilerplate written by me in assembly language through the years, that moment to moment the path of least resistance is just to keep using assembly. When I face the possibility of using something to write code for me, I'm immediately brought up short, wondering how can I possibly know the code it creates is correct? The code I'm writing is never for a lark. You know, I'm not writing it as a hobby. I'm always writing production code that I and others will depend upon. Either it's server-side code running on GRC's servers, or code that will form a product that bears my name. In either case, I need the code to be as correct as I'm able to make it. It's true that I have, we know, strong perfectionist tendencies. I know that's one of the reasons people listen to this podcast. I don't ever judge my work by whether it's good enough. I don't have a "good enough." I know, you know, that I judge it by whether it's as good as I am capable of making it. That is my standard. Can it be better? 
So if I don't actually write the code I'm using, you know, and offering for sale, how can I ever definitively make that judgment if no one or nothing sentient and personally responsible creates it? If the code just magically appears, and if there are large swaths of code that are never carefully inspected by anyone, how can I ever have confidence in what the code does? Sure, I know. Test, test, test. I get that. You know, that is, after all, the model that many of our development testers know quite well. That's the development model that has evolved; the code that I currently offer, written by hand, is validated that way. But is the appearance of the code working, or the code no longer being seen to fail, an adequate replacement for someone actually writing the code for a purpose? I don't know. But I do know that the entire world is objectively going nuts over AI-written code. Perhaps the reason for this is that there is tremendous pressure within the larger code-creating universe to create more code with fewer human coders. So perhaps it's the fact that I truly love writing code myself and that I feel very little pressure to produce more code faster. Maybe that's, you know, why, for me, the scale hasn't tipped. I've talked about days past when my little company employed many more people, many of whom I was actually jealous of, since they were getting to do the work I wanted to be doing instead of just managing them doing that work. If that's the case, why would I want to have an AI producing code that I would then not have the joy of writing for myself? You know, all of the foregoing suggests that the answer to that question, when will Steve be using AI to author his code? The answer is, at least, not yet.
Leo Laporte
But we should point out, Steve, you're kind of a unicorn.
Steve Gibson
I'm just talking about me. Yes, the question is me. I mean, our listeners have been asking, Steve, you're all, you know, you're talking about Claude Code and how great it is. When are you going to use it? And I'm explaining why maybe never.
Leo Laporte
But nobody. How many people work like you? I mean, you're really an anomaly. You weren't in the past; there were a lot of people like Peter Norton and such who wrote their own stuff and shipped it and so forth. But most code these days is written by large teams with all sorts of layers of review and architecting. I think for a lot of what is written today, AI makes perfect sense. Not for you, but because you're, you
Steve Gibson
know, and Leo, you'll notice I didn't say otherwise.
Leo Laporte
No, and you're right. I agree with you 100%.
Steve Gibson
Yeah. But I do.
Leo Laporte
Anybody who loves to write code should write code. If you love it, you should write it. Why not? That's not it. But I have to say I'm not sure I fully agree with this tweet, because one of the things you're not going to see, frankly, if you have AI-written code, is temp, whatever was it, that temp_fix underscore.
Steve Gibson
Because it won't get patched, it'll be created.
Leo Laporte
'Cause code is so cheap that you refactor, you redo it. You don't do that kind of thing. That's what humans do. They apply a little Spackle, a little Bondo, to the code. That's not what happens, or shouldn't, with AI if it's being done right. I think really the experience people have with AI coding depends a lot on their own mindset and how they've gone about it. Instead of the coder, you become more like the project manager. Yeah.
Steve Gibson
Yes.
Leo Laporte
And. And a good product manager really thinks deeply about specs, is willing to throw out code and start over.
Steve Gibson
I mean, and Leo, I remember, I always say, what we have today is not what we're going to
Leo Laporte
have tomorrow. It's going to very much change. That's the other thing he says: 41% of code written in 2025. Well, the thing that changed everything was November 24th, 2025. So when Opus 4.6 came out. So 4.5.
Steve Gibson
So I have one more thing I want to share, but let's take a break. I'm looking at the clock, and now would be a good time.
Leo Laporte
I'm sorry.
Steve Gibson
And then I've got Uncle Bob Martin's post.
Leo Laporte
Oh, Uncle Bob. Good old Uncle Bob. He's quite the character.
Steve Gibson
Y.
Leo Laporte
But a legend in the business for sure. Yeah. Oh, I look forward to that. That's coming up. You're watching Security Now with the great Steve Gibson. You know, I'm really glad that there are people like you, Steve, that cherish it, that are artists. You know, you wouldn't expect a machine to paint the Sistine ceiling. You're an artist. That's absolutely great, but I am not. So I appreciate having an AI to do some of that.
Steve Gibson
And there's a whole different side of just getting the job done.
Leo Laporte
Sure.
Steve Gibson
You know, like, you know, and that's
Leo Laporte
what most people are doing.
Steve Gibson
And I'm going to share a post from a listener after this that takes the exact reverse. This has changed his life.
Leo Laporte
Yeah. Yeah. And I will say, you know, when I do coding puzzles, like Advent of Code, I have no interest in having AI do it now, because the whole point of it is me having the fun of writing a script.
Steve Gibson
In fact, it ruined the whole challenge.
Leo Laporte
It really did. It actually hasn't been a very good influence on it. He had to change everything. Let me talk about our ad for this segment of Security Now. This episode brought to you by Adaptive. Yes, it's a security platform. It's the first security awareness platform built to stop the thing that is perhaps pestering you the most: AI-powered social engineering. Here's the shift. Attackers don't need malware anymore. They just need trust. They need a cloned voice, a convincing deepfake on Zoom, or maybe just to buy an ad in Google Search, or an AI-written phish that looks exactly like it came from your IT team. And as we were saying when we were at Zero Trust World, the threat's coming from inside the house. That's why you need Adaptive. Adaptive prepares your organization with simulations not just in email, but across email, SMS and voice. Yes, deepfakes, vishing (voice phishing) and AI-generated phishing, including scenarios that can mirror your own brand and executives. Imagine if your CEO is on the phone saying, "Simpson, I need you now." You know, this is how the bad guys work nowadays. And when employees report something suspicious, is that the boss? Adaptive can help you triage it fast. Hey, I think I might have done something wrong. Something bad. So security teams aren't buried in false alarms, but actually can fix the problem before it propagates. If you need training fast, with Adaptive's AI content creator you can turn a breaking threat, something that just happened yesterday in the news, right? Something Steve just talked about today, an incident report, a compliance doc, instantly into interactive multilingual modules. I mean, I'm talking minutes, no design team required. Adaptive does it. Adaptive will let you build, customize and monitor every part of your training with complete personalization. The result is a more resilient security culture, which is essential. Take a company like Plaid. Right? 
I use Plaid every day to log into my finance platforms. Plaid's platform powers thousands of digital finance apps, linking consumers, developers and institutions together with sensitive data. At its very core, Plaid's security and compliance are non-negotiable. What do they use? Yeah, they use Adaptive Security. Plaid's head of Security GRC says Adaptive has equipped our teams with cutting-edge tools and built a smarter, more resilient security culture across the company. Actually, that makes me feel good, because I use Plaid. I'm glad to know they're on it. They're on it. Trusted by the Fortune 500, backed by Nvidia and OpenAI, Adaptive is building the defenses we need for the AI era. Learn more at adaptivesecurity.com. That's adaptivesecurity.com. You want your customers to feel like I do as a customer of Plaid. Oh good, they're doing what it takes. Adaptivesecurity.com. We thank them so much for supporting Security Now.
Steve Gibson
Okay, so before we leave this topic, actually we have another note from a listener too, but I wanted to share another X post that appeared in my feed directly underneath the previous one. It was written by someone who we obviously know. Leo, you are aware of Uncle Bob. He's got a Wikipedia page which, you know, was created to capture and describe his life's work. His given name is Robert Martin, although he goes by Uncle Bob Martin. Wikipedia informs us that he's an American software engineer, instructor and author who is most recognized for promoting many software design principles (and by the way, he's a lover of Lisp) and for being an author and signatory of the influential Agile Manifesto. He's authored many books and magazine articles and was the editor-in-chief of the C++ Report magazine and served as the first chairman of the Agile Alliance. Yeah, Wikipedia says he joined the software industry at age 17. So like many of us, it's been his life. He's credited with introducing the collection of object-oriented design principles that came to be known as SOLID. And Wikipedia mentions that he's authored many books. That's right, 13 books. Since I'm going to share his, what I think is an interesting observation which really made sense about the current state of AI-generated code, I want to first clearly establish his bona fides. So here are the titles of the 13 books he's authored across the past 30 years. 
And these are, you know, real books published by Prentice Hall, Cambridge University Press, Addison-Wesley Professional and Pearson, with titles: Designing Object-Oriented C++ Applications Using the Booch Method; More C++ Gems; Extreme Programming in Practice; Agile Software Development: Principles, Patterns, and Practices; UML for Java Programmers; Agile Principles, Patterns, and Practices in C#; Clean Code: A Handbook of Agile Software Craftsmanship; The Clean Coder: A Code of Conduct for Professional Programmers (he's all into clean); Clean Architecture: A Craftsman's Guide to Software Structure and Design; Clean Agile: Back to Basics; Clean Craftsmanship: Disciplines, Standards, and Ethics; Functional Design: Principles, Patterns, and Practices; We Programmers: A Chronicle of Coders from Ada to AI. Okay, so here's what Uncle Bob Martin posted last Saturday morning. He wrote: Two months ago, while working on my Empire game with AI, I had that quicksilver experience. When you push on a blob of mercury, it slips out in some random direction. Every time I added a new feature, some older feature would shift behavior. This was true even after I added unit tests and acceptance tests. The AI always took the path of least resistance on the current feature and was willing to sacrifice older features. It would change tests, including acceptance tests, in order to get the latest feature done. Telling the AI not to do that was ineffective. AIs are stochastic, and so are any rules you feed them. Rules bias their behavior, but do not absolutely constrain it. When I called them out on breaking rules, they apologize and swear they won't do it again. But they can't really make that promise. They are, in the end, liars and cheats. The solution is to massively over-constrain them. Force them to write so many tests that changing a test feature breaks many tests. They feel that force and retract the change. It's like peer pressure with a lot of peers. 
At the same time, I reduced the chances for collateral damage by continuously forcing the AI to partition everything into small decoupled units. That way it's not easy to break one feature while implementing another. It also keeps the AI from getting confused by its own messes. The final goal is semantic stability in the face of continuous development. The things that worked before keep working as they were while newer things get added. This is a continuous effort. Acceptance tests, unit tests, TDD, CRAP analysis and mutation tests are run after a reasonable batch of changes and are tasked with reducing CRAP below 8, covering any untested behavior and killing all surviving mutants. The size of the batch of changes is a judgment call. Too big and the analysis and repairs take a long time. Too small and the verification effort overwhelms the development effort. And then he finishes with a side note: The mutation tests consume massive amounts of computer power. My cores are running full bore all the time. And that's even with differential mutation. There's something poetically just about all this. The AIs require a massive amount of computer power to create. What they create for us takes a massive amount of computer power to keep stable. So, okay, I think this has to do with the size of what he's trying to accomplish, right? Like, you know, he's building something big and it's tending to get slippery. Like, you know, like liquid mercury, where you push on it and it slips away. But from the start of our discussion of AI, I've been saying that I firmly believe AI will have a very bright future in coding. I still believe that's true, 100%, but not today's AI. Today's AI is still general-purpose AI. It's like asking AI for that list of very high quality random numbers. Doing that perfectly, which we know how to do, requires specialization, not generalization. This is every bit as true when it comes to writing code correctly. 
The laughable, catastrophic mess Bob describes in his posting, commonly referred to as attempting to herd cats, is not the way to write code. These four sentences from Bob's posting say it all. He wrote: AIs are stochastic, and so are any rules you feed them. Rules bias their behavior, but do not absolutely constrain it. He says, when I call them out on breaking rules, they apologize and swear they won't do it again, but they can't really make that promise. They are, in the end, liars and cheats. I believe that in those four statements, Uncle Bob exactly and perfectly captures the state of play today. But that's only today. I'm always, as I keep saying and noting, very careful to state that nothing we have or believe we have today regarding AI will hold tomorrow. And Leo, your November 28th date is a perfect example. On November 27th, we had one thing. On the 29th, the world had changed. It's not at all done changing. You know, we're like in that first round of home computers that were interesting, and a lot of us got them, but they never got off the ground. It took another, you know, bunch of evolution and time for it to finally reach critical mass. And so the way I think this will shake out is that someday we will have many differing forms of application-specific AI. I suspect that's where the answer lies, at least the most practical, economic answer. As I understand today's AI operation, having a single super-genius AI that contains all knowledge and does everything perfectly may be possible, but is incredibly wasteful, as in way too expensive to contain and operate if all you want is high quality code. Instead, employ the far more cost-effective services of a specialist code-generating AI whose model can be far smaller while also containing far more concentrated knowledge about code and only about code. It knows nothing about the works of Shakespeare; it just knows about code.
Leo Laporte
That's why our old model, prior to November 24, 2025, was asking a question of a chatbot and then taking its code and pasting it in. We've gone way beyond that in a very, very brief period of time. I, you know, I think AI, especially AI coding, is kind of like the blind men and the elephant.
Steve Gibson
Yep.
Leo Laporte
You know that adage, everybody is seeing a different part of it. And I think especially we can't use our notions of coding from prior times in modern times. It's just so different now. And everybody has a different take because everybody has a different experience.
Steve Gibson
I think your analogy is a great one.
Leo Laporte
It's a huge period of flux, and I think that's the only true thing. And really the best advice, I think, for anybody is just try it, play with it, get to know it, give it a tough problem. Read and learn. Everybody's talking about it; not everybody's right. There's a lot of points of view
Steve Gibson
about this, and not everyone can be right when the target keeps moving. I mean, I cannot say enough: the world will be different again next year as regards AI and code. There's just no question about it.
Leo Laporte
Yeah, but we're in an interesting time. I mean, I guess the bottom line, we've talked about this before and I think we both agree on it, is that what the job is is taking human thoughts and ideas and translating them into computer. And what we're trying to make is a computer program that's very adept at that. The easy part is translating it into computer. The hard part is translating us. But somehow something happened that it got really good very rapidly at understanding what we're saying and putting it into action. But there's still, you know, miscommunications and gaps. Well, we live in interesting times. Uncle Bob's very prolific, talks a lot about this. I actually saw this tweet. He's very active on X and talks a lot about this. Very interesting.
Steve Gibson
So here is an example of AI on the flip side. Our listener Craig, the subject of his email was "Hard to describe." He wrote, "First, I'd like to say thanks for mentoring me throughout nearly my entire career. Now retired, I ran the IT department for a 50 employee DoD/DoE subcontractor. What I learned from you and implemented over the years made NIST 800-171 compliance easy. And I can proudly say that my company was never hacked. Oh wait, aside from that warez kiddie who created a hidden FTP site on my public FTP server. Remember those days? LOL. But aside from that, never once was my network taken down. I had weekly security awareness training for my users, almost always from your show. I was tight a decade before anyone was even thinking about security. Thank you. My entire career was hobbled by my poor coding skills. I never attended college for computers, just drinking and failing out. I learned everything
Leo Laporte
I majored in that too.
Steve Gibson
"I learned everything building PCs in those box shops in the late 90s. NetWare Lite, FTW, LOL. Computer Shopper for the win. I used to tell people I can code, but I can't develop. I could write a simple script after hours of scouring Stack Exchange or Spiceworks to figure it out. The places I could have gone if I had properly trained as a developer. Now all those tools I wish I had over my 30 years of career are at my fingertips. The best analogy I can give is that I spent my career in 2D, black and white, and all of a sudden I can see 3D in color and infrared and ultraviolet and X-ray." And he's talking about AI. He said, "I now have an entire agent infrastructure team, a CISO, architect, audit, monitoring, hardening infrastructure, etc., managing my entire home lab. My kitchen module has an AI chef running from local Ollama to help with the current recipe. I just got done having CISO build a 3D desktop for my platform inside of my Quest 2. It made downloading 20 years of Google account and then organizing it into my own system easy. It's working on building out a complete voice system around my house. It can talk to my 3D printers. All of this is possible and I just have to ask for it in natural language. My jaw is still on the ground. I hate to say it, Steve, but commercial software is dead. I don't need to buy what I can have my agents write. All I need are GPUs." So anyway, I just thought that was a great snippet from one of our listeners whose life has been changed thanks to AI.
Leo Laporte
That's nice. Really nice.
Steve Gibson
Yeah. Okay, our last break, and then I'm gonna share my 100% positive experience with CISA's free Internet scanning and pose the question, why are we not all doing it too?
Leo Laporte
Yeah, well, I'm going to try. I mean, I guess you're... I don't have multiple IPs. Well, I guess I do have two IP addresses. I guess. I don't know. I have one static and one theoretically changeable that never changes.
Steve Gibson
You have resources for twit, right? Or are they just.
Leo Laporte
No, no, it's all. It's all cloud. Yeah.
Steve Gibson
All distributed stuff.
Leo Laporte
Yeah, it's all over the place.
Steve Gibson
So it would be a small enterprise that has, you know, a block of network space.
Leo Laporte
Russell can do it. I'll have Russell. Russell. He's in Florida. Okay. He could do it from Florida. What do you mean? He doesn't work when he's in Florida? Let's do the final commercial and then we'll get to the topic of the day. CISA.
Steve Gibson
Free Internet scanning.
Leo Laporte
CISA has been decimated in the recent budget cuts, and I'm very nervous.
Steve Gibson
I'm glad they still have their bots running because.
Leo Laporte
Yeah, well, yeah, I mean, we are in cyber warfare, I'm sure, if not now, soon.
Steve Gibson
They've lost a huge bunch of staff
Leo Laporte
and they had a, what I consider to be a terrible administrator for a year. He's gone now. But that doesn't mean everything's better. It means there's no administrator. We're in an interesting time. Let's just say that. This episode of Security Now is brought to you by Meter. I'm going to go see these guys at RSA. I'm very excited about seeing these guys at RSA next week. Meter is the company building better networks. I want to talk to the founders because I talked to them on the phone a couple of months ago and I was so impressed, because they were network engineers, right? Who felt your pain. If you're a network engineer, you know, they know the headaches, you know the headaches. Legacy providers with inflexible pricing, everybody's got it. Resource constraints, stretching a thin team across complex deployments and fragmented tools. You, Mr. Network and Ms. Network Engineer, are critical, mission critical to the business. But you're working, you know, with infrastructure that wasn't built for today's demands and insufficient resources. That's why so many businesses are switching to Meter. And this is so cool. Meter delivers full stack networking infrastructure, wired, wireless and cellular, that's built for performance and scalability. These guys realized there's only one way to build a reliable network and that's to own the whole stack. So Meter designs hardware. That's why I can't wait to see them at RSAC. I want to see this stuff in person. Meter designs the hardware, they write the firmware, they build the software, they manage the deployments, they provide support after the fact. Meter even does ISP procurement. They will help you every step of the way, covering security, routing, switching. They do wireless, they do cellular, they do firewall, they do power. Power is important, right? DNS security, they'll help you with VPNs, with SD-WANs, with multi-site workflows, all in a single solution.
One of the things they said they commonly see is a company acquires another company or acquires their warehouse. Now suddenly you have another site with completely incompatible software and hardware solutions. You've got to get it on your network, you've got to get it reliable. Some of these warehouses are 100,000 square feet. So there's all sorts of challenges with wireless, and they go in and they get it all working. They fix it all with their own hardware and software. Meter's single integrated networking stack scales. They are in major hospitals. That's another challenging environment because of all the equipment. Right. They're in branch offices, warehouses, large campuses. They're in data centers. You know who uses Meter in their data center? Reddit. There's a network that must perform. Right. The assistant director of technology for Webb School of Knoxville loves Meter. They said, and this is a direct quote, "We had more than 20 games going on on campus between our two facilities. Each game was streamed via wired and wireless connections. The event went off without a hitch. We could never have done this before Meter redesigned our network." With Meter, you get a single partner for all your connectivity needs, from first site survey to ongoing support, without the complexity of managing multiple providers or tools. Meter's integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. And isn't that the job? Right. Meter is built for the bandwidth demands of today and tomorrow by people who know your pain. They've been there and they're here to help. We love Meter. Thank you so much for sponsoring. I can't wait to meet you, Meter, next Tuesday at RSAC. Go to meter.com/securitynow to book a demo today. Or if you're going to RSAC, go on over to the booth. M-e-t-e-r.com/securitynow to book a demo.
And that reminds me, Steve, I will not be here next week. Mike will be doing the show. Yeah, I'm going to miss Tuesday's shows so that I can go to the RSA conference, which I have never been to. So I'm really excited I get to go to this. This is going to be so much fun. We're going to see a lot of sponsors, so that'll be neat, too. All right, let's talk about CISA.
Steve Gibson
Okay. So last week I shared feedback from a listener who shared with us that his organization uses CISA's free Internet network scanner to keep an eye on his organization's network security exposure. He explained that when he first had CISA scan their network, what they found was quite bracing and brought their other IT people up short. And as I also noted, his sharing that with me raised my own curiosity about just who might qualify for CISA's periodic scanning. It's formally known as CISA's Cyber Hygiene Services, and its page says: "Reduce the risk of successful cyber attack. Cyber threats are not just possibilities, but harsh realities, making proactive and comprehensive cybersecurity imperative for all critical infrastructure. Adversaries use known vulnerabilities and weaknesses to compromise the security of critical infrastructure and other organizations. CISA offers no cost cybersecurity services to help organizations reduce their exposure to threats by taking a proactive approach to monitoring and mitigating attack vectors. By taking advantage of CISA's Cyber Hygiene Services, you can," and we have some bullet points here, "Significantly reduce risk. Organizations typically reduce their risk and exposure by 40% within the first 12 months. Most see improvements in the first 90 days. Avoid surprises. Because the services look for assets exposed to the Internet, they identify vulnerabilities that could otherwise go unmanaged. Sharpen your response. By combining the vulnerability insights gained with existing threat detection and risk management efforts, enrolled organizations can increase the accuracy and effectiveness of response activities. This means fewer false alarms and less chance of real danger slipping through the net. Broaden your security horizon. CISA scanning is about more than pinpointing vulnerabilities. It's about expanding your organization's security boundaries.
"From basic asset awareness to daily alerts on urgent findings, you'll be in a better place to make risk informed decisions," they said. "CISA's Cyber Hygiene Services include Vulnerability Scanning. This service continuously monitors and assesses Internet accessible network assets (public static IPv4 addresses) to evaluate their host and vulnerability status. In addition to weekly reports of all findings, you'll receive ad hoc alerts about urgent findings like potentially risky services and known exploited vulnerabilities. And Web Application Scanning. This service deep dives into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit. This comprehensive evaluation includes, but is not limited to, the vulnerabilities listed in the OWASP Top 10, which represent the most critical web application security risks. This service provides detailed reports, monthly as well as on demand, to help keep your application secure." Okay, so I've brought all this up again because my experiment to see whether GRC's little, decidedly non-governmental, non-tribal, 16 IP network block might qualify to receive CISA's automatic periodic background security scans and reporting was a resounding and surprising success. Based upon my experience, I would hazard to imagine that a great many of our U.S. based listeners who are in charge of their own small, medium and even large enterprise networks, like the listener who put me onto this, would be able to similarly qualify to receive this free service, much as I have. And if so, why wouldn't everyone wish to avail themselves of this entirely sane zero cost service offered by an agency of our federal government? Now, I suppose I can imagine that it might make some listeners a bit queasy to invite Uncle Sam to scan and report on the state of their networks, but stop to consider that anything that might be discovered and reported is already public information.
It's not as if, you know, we're making an exception for CISA, allowing them through our firewalls to rummage around inside our networks. That's not happening. They're on the outside attempting to look in, just like would-be attackers and hackers in Russia, North Korea and China. The difference is that CISA is on our side, with the goal of strengthening North American networks against attackers in Russia, North Korea and China and elsewhere. They email password protected PDF reports that only the intended recipient is able to decrypt, open and view. I don't see any possible downside, whereas I see potentially huge upside. Okay, so what happened with GRC? That CISA Cyber Hygiene Services page, it's at cisa.gov/cyber-hygiene-services, I've got a link in the show notes, invites candidates to indicate their interest and open a dialogue by sending an email to vulnerability@cisa.dhs.gov with just the subject "Requesting Cyber Hygiene Services." So I addressed an email and I wrote simply, "To whom it may concern, I own a small commercial network which I would like to have scanned. Thank you, Steve." That was on the morning of Saturday, March 7th.
Leo Laporte
Did you say do you know who I am?
Steve Gibson
No. Just "To whom it may concern. I want to have my network scanned."
Leo Laporte
Thanks.
Steve Gibson
That was Saturday, March 7, so nobody was working at CISA. I received a reply to that email first thing Monday morning, so immediately after the weekend, at 5:32am Pacific, so 8:32 in the east where CISA is. That email response said, "Steve, thank you for your interest in our Cyber Hygiene," and then they of course abbreviated it CyHy, "Vulnerability Scanning," abbreviated VS, because they like abbreviations. They said, "Thank you for your interest in our Cyber Hygiene Vulnerability Scanning service. Enrollment in our CyHy VS service must be done by a person in your organization who has ownership or authority over the IP addresses to be enrolled. This individual should hold a position such as Chief Information Officer, Chief Information Security Officer, or a similar official capacity. If you are in this role, please proceed to navigate to CISA's Cyber Services / Cyber Hygiene Services, the beta version of our web based enrollment system, to complete the following steps. First, create a login.gov account. Login.gov is our trusted partner for secure and private access to CISA's online services, including Cyber Hygiene. The login.gov account must use the same organization business email that will be used to complete the remaining enrollment steps," and actually I don't think it does, but it didn't seem to matter. "Second, return to CISA's Cyber Services / Cyber Hygiene Services page after logging in. You will now be redirected to the CISA Services portal for Ready, Set, Cyber. Use the navigation ribbon to go to Cyber Services, Enroll in Cyber Hygiene, to return to the enrollment process. Third, complete account registration and organization's profile. Complete your organization's profile, enabling your organization to receive Cyber Hygiene and access other CISA services." And then finally, "Once you've completed the Organization Information page, you'll be redirected to a thank you page. Select the Enroll Now option to continue the CyHy VS enrollment process.
"This step includes collection of the necessary information to enroll in the CyHy VS service and serves as the authorizing document allowing CISA to perform the CyHy VS service for your organization. For the IP address validation process, you will need to input and successfully verify the formatting of your IP addresses before continuing to the next page. Multiple IP addresses must be separated by comma or line break. If there are errors with the formatting, the system will display a modal," meaning a dialog, I guess, "noting how many errors. You will have the option to either go back and correct the errors or download a CSV file for editing if you have input numerous errors. If you have questions regarding your enrollment, please reach out to us at this email address. Best Regards, Matt Leon, CISA Vulnerability Management Intake Team," blah blah blah. So I went back to CISA and logged in at login.gov, where I already had an account. You know, since I'm 70, soon to be 71, and I use login.gov for managing Social Security or renewing my Global Entry certification and driver's license. So I was then bounced back over to CISA, where I filled out a modest and not very intrusive questionnaire. Just, I mean, it wasn't a lot to tell them. Around 10 minutes after completing that process, I received another email with the subject "CISA Organizational Account Confirmation" and an invitation button to complete the signup process. I may have done something there, I don't recall, but either way, you know, the email trail shows that 13 minutes after that one I received a final email with the subject "Cyber Hygiene Vulnerability Scanning Acceptance Letter." I thought, huh, that was easy.
Leo Laporte
Congratulations you got in.
Steve Gibson
The letter said, "Welcome to CISA's Cyber Hygiene," you know, CyHy, "Vulnerability Scanning," VS, so these people really do love their abbreviations. The letter says, "Your CyHy VS acceptance letter has been processed and a copy of the letter has been attached for your convenience. Your organization has been placed in queue for inclusion into the CISA CyHy VS service. Scanning will begin as soon as your request file is processed, in alignment with your requested scan start date," and if not otherwise specified, scanning begins immediately. The letter continues, "Please keep an eye out for traffic," and actually I did, my logs showed the scanning, "keep an eye out for traffic from CyHy VS scanning IPs, which will signal to you that scanning has begun. You will receive your first CyHy VS report via email on the Tuesday following the initial scan, which is based on your requested scan start date. The CyHy VS report will come from reports@cyber.dhs.gov." And then here's what was interesting. They said, "Overview of CISA CyHy VS Methodology. Cyber Hygiene defines a host as having at least one open port and service. Scanning of hosts occurs continuously between each weekly report. Cyber Hygiene scan prioritization is as follows." Okay, so we have IPv4 addresses with no running services detected, and they say (dark space), are rescanned after at least 90 days. So if there's an IP that seems dead, nothing responds that they could find, it only checks every three months. Hosts with no vulnerabilities detected are rescanned every seven days. Hosts with low severity vulnerabilities are rescanned every six days. Hosts with medium severity vulnerabilities are rescanned every four days. Hosts with high severity vulnerabilities are rescanned every 24 hours. Hosts with critical severity vulnerabilities are rescanned every 12 hours.
"A single host may have multiple vulnerabilities of varying severity, which informs the frequency that a given host is scanned." Presumably, the highest severity vulnerability found defines how often it is rechecked. And it finishes, "Need assistance? If you need to make changes to the information submitted in the acceptance letter, to include updated IPs to be scanned, or you have any other questions pertaining to your CyHy VS service, please email us at vulnerability@cisa.dhs.gov." Then last Wednesday, the day after last week's podcast, when I didn't know if any of this was going to work, I received my first CyHy VS report. Now, I'll admit I was actually somewhat surprised to see that CISA had not found anything critical to complain about. You know, like I thought maybe. But that's not to say that CISA did not find anything. They did complain that GRC's web servers would still negotiate and accept SSL/TLS connections using old and deprecated 64-bit block ciphers, things like Triple DES and Blowfish. Although not Blowfish; that was OpenSSL, but not in my case. That just is what people generally have with really old copies of OpenSSL. I'm sorry, OpenSSH can use Blowfish and should no longer. So what caused my heart to initially skip a beat or two was that their report's headline was "Urgent Vulnerabilities Detected." And I thought, what? So obviously that commanded my attention. Their report enumerates their findings by vulnerability description. Also whether it is known to be exploited, because as we know, that's CISA's KEV, right, KEV, Known Exploited Vulnerabilities, that's one of their big deals. So they've got a column in the report for that, whether it's known to be exploited. Also whether ransomware is known to be exploiting it, because obviously that drives an interest in that vulnerability and in being compromised by ransomware. There's a column for its severity.
The host IP address and port where they found the vulnerability, and the date and time of its initial discovery. In this case, all of GRC's web server IPs at the HTTPS port 443 share the vulnerability that CISA identifies as, quote, "SSL Medium Strength Cipher Suites Supported," and then in parens they said "(SWEET32)." That's the vulnerability's name. It is not, however, known to have ever been exploited. So in the column of known to be exploited, it's "no" all the way down. The reason is that the Sweet32 vulnerability and attack is theoretical. It's called Sweet32 because the theoretical attack has a complexity of 2 to the 32, meaning 1 in 4 billion, or 4.3 billion. The "Sweet" part of the name comes from the pun "Sweet 16," because it's a birthday attack. You need to do a whole bunch of things, recording all of them, and then looking for any collision between any two. Thus the birthday attack. The vulnerability has its own website at sweet32.info, which explains the nature of the attack, writing, "An important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find clients and servers that not only negotiate the use of Triple DES, but also exchange a large number of HTTP requests during a single TLS connection without ever re-keying. This is possible using a persistent HTTP connection, as defined in HTTP/1.1 with keep-alive. On the client side, all browsers that we tested (Firefox, Chrome, Opera) will reuse a TLS connection as long as the server keeps it open." Okay, so it says a large number of requests during a single TLS connection, but exactly how large? In their own testing, to recover a 16 byte authentication token, you know, which might be an HTTP cookie, for example a 16 character cookie, which would be two 64-bit encrypted blocks,
because this is an attack on 16 bit block encryption, they needed to keep a single TLS connection established for 18.6 hours, during which their client pounded on the server with a storm of continuous small HTTP requests, finally transferring 705 gigabytes of data in the process. In short, at least for GRC, this is not a real problem. But that does not mean there's any way for me to defend GRC's now totally unnecessary support for this old and admittedly weaker than it needs to be Triple DES cipher today. So I very much appreciate the reminder nudge from CISA. And I've already tweaked the cipher suite configurations of GRC's various web servers so that the next time they're rebooted, their support for that long ago deprecated Triple DES cipher suite will disappear. You know, it hasn't been useful for a long time. It's only there because of inertia. But we know about inertia and security. So that's the story of GRC's establishment of an ongoing, very valuable free vulnerability scanning service courtesy of CISA. As I said, I cannot imagine why anyone listening to this podcast who's responsible for anything more than a single IP home network, or any sort of, you know, truly fixed pre-assigned IPs which are pointed to by DNS, would not wish to immediately avail themselves of CISA's free scanning service. You won't know what might surprise you until you do. And even if you find nothing, that would be super useful to know too. You know, if you do find something, it might be very important. And you know, the more that's going on within a complex networking environment involving multiple departments and overlapping responsibilities and people who've been terminated and blah, blah, we don't know what equipment they left running and different configurations, you know, the more of that there is, the more chance that something unsuspected may be there. So win, win, win, win, win.
Leo Laporte
That's my motto for the day. You won't know what might surprise you until you do.
Steve Gibson
That's why it's a surprise.
Leo Laporte
Surprise. SciPase found the GitHub repo for all this stuff. So I don't know if that means it's open source. I don't know if you could take the GitHub repo and compile it and make it be...
Steve Gibson
Why not have it done for you?
Leo Laporte
Yeah, well, why not, exactly. But it's kind of cool that they've put this all online. 41 repositories on GitHub under CyHy.
Steve Gibson
Nice.
Leo Laporte
So you can at least see what they're doing. That's pretty cool, because it's a lot of shell scripts. There's shell and Python.
Steve Gibson
Yeah. It's running on their infrastructure. And you know, I did get, so I got that one report that had that one vulnerability. Then a couple days later I got, like, a 34 page beautiful PDF.
Leo Laporte
Wow.
Steve Gibson
That had charts and graphs, and it was tracking vulnerabilities, and like bar graphs, and how long has this been around? I mean, it is really valuable. And the listener who put me onto this noted that this replaced, for their insurance provider, a service that they'd been paying $6,000 a year for.
Leo Laporte
Right.
Steve Gibson
And that was an annual scan. So something could be bad for a year before it would get seen.
Leo Laporte
So this is some enterprising person taking all this code, getting it running and making their own commercial version of this. It's open source, though. Yeah. CISA has its own. I love this GitHub repository. cisagov.
Steve Gibson
Commit today, secure tomorrow.
Leo Laporte
Oh, I like it. Oh, that's what they say. It's their motto. Yeah. Commit today, secure tomorrow. I've got another motto now. I've got two mottos from the last section of this show. That's pretty impressive, Steve. You are pretty impressive. We appreciate.
Steve Gibson
You won't know what might surprise you until you do.
Leo Laporte
You do. Surprise. Steve Gibson's at grc.com. If you go there right now, you will find SpinRite, the world's best mass storage performance enhancing, repair and maintenance utility. I mean, just a really... Everybody should have it. If you've got mass storage, you need SpinRite. You'll find 6.1 there. That's Steve's bread and butter. You'll also find another new program he just wrote. For a mere $10 you can get the DNS Benchmark Pro, all of that at grc.com. That's also where you'll find copies of the show. We have copies too, but Steve's got some unique versions. A 16 kilobyte, which makes it 16 kilobit, I should say, audio version, which makes it very compact. And a 64 kilobit audio version, which sounds perfectly fine. He also has the show notes, which he composes in a mass fit of energy every Saturday and Sunday.
Steve Gibson
Caffeinated energy.
Leo Laporte
Caffeinated energy. Working very hard to get it out. And it's worth getting, that 20 pages or thereabouts every week. You can, of course, download it from the site, but Steve also has a mailing list. I'll tell you how to get on that in just a second, if you want to have it mailed to you automatically, get your little kick on Monday, see the picture of the week before everybody else does.
Steve Gibson
Or, if you want to, in this case, submit your suggestion for the caption contest. That's right, baby. Yep.
Leo Laporte
Transcripts, created by a nice human being named Elaine Farris, are available a few days after the show, also at grc.com. Now, if you go to grc.com/email you can get your email address whitelisted, so you can send Steve pictures of the week or questions or suggestions or comments. Many people do that. You'll also see, right below the place where you put in your email address, two check boxes, unchecked by default. But one is for the show notes, which he mails out automatically every Sunday or Monday before the show. And then below that, a very infrequent email that he sends out when he's got a new product. Have you used it yet? Not for this product. Not for DNS Benchmark Pro.
Steve Gibson
No. I'm wrapping up some changes to get rid of that old ridiculous "buy four copies and you're entitled to be a consultant." I'm replacing that with an explicit consultant license.
Leo Laporte
Nice.
Steve Gibson
And so I'm in the process, in assembly language, of updating our e-commerce system. And then I will let everybody know, because this final release of the Benchmark, which everybody gets who's purchased it before...
Leo Laporte
there's a very excited puppy here.
Steve Gibson
Yes.
Leo Laporte
Who can't wait to get a copy of that. He says, quick, give me a credit card.
Steve Gibson
Dad. Perfect diamond.
Leo Laporte
We also have copies of the show at our website, twit.tv/sn. That's Burke's beautiful little Lily, who's just a sweet poodle. Miniature poodle. She's very sweet. But Lisa came home and she started barking at Lisa. You can get it at twit.tv/sn. There's a YouTube channel with a video. We have audio and video on our site. And there's also, of course, the best thing to do, subscribe in your favorite podcast client. You'll get it automatically, audio or video or both. And give us five stars. Give us a good review. Tell the world about Security Now. Everybody needs to be listening to this show every week. It's really vital, especially on this week
Steve Gibson
before the release of Hail Mary.
Leo Laporte
I have tickets to see it Thursday night. And I'm a little worried because of our local theater. You know, I have mixed feelings about IMAX. I don't actually like IMAX because it takes me out.
Steve Gibson
I had a bad experience with it. It was like, just hard to see everything.
Leo Laporte
Well, even if you're sitting in the right spot, it's still big. And it becomes more about the movie theater than about the movie. So I'm gonna see it in something called Screen Z with a Z, where it's on the regular screen.
Steve Gibson
I've done that, too. It's bad, Leo.
Leo Laporte
I have a feeling it's going to. It was really easy to get tickets.
Steve Gibson
ScreenX, or Screen Z, where it's on the side of the theater.
Leo Laporte
On the side.
Steve Gibson
It's not good.
Leo Laporte
They have special walls.
Steve Gibson
I think you can ignore it.
Leo Laporte
Well, if I can ignore it, then it's just like seeing the movie, right? You just go like this.
Steve Gibson
Yeah, there. There's no real. There's no necessary content there. Laura and I are going to go on Monday in the. In the early afternoon so that I will have seen it before Tuesday's podcast.
Leo Laporte
Yes, that was my thinking, too. I have to have seen it before TWiT. Yeah, we both love the book. We love Andy.
Steve Gibson
Weir. Twice.
Leo Laporte
Should probably get Andy on the. On the show to talk about the movie. We'll try to get Andy because he's been. I've interviewed him for every single book he's put out, so I love Andy.
Steve Gibson
And so anyway, for our listeners, Project Hail Mary opens on Friday or Thursday night, if you're. Oh, it is.
Leo Laporte
Oh, the reviews are fantastic.
Steve Gibson
Oh, good. I didn't know that.
Leo Laporte
Oh, I've been looking at them, super positive. I haven't been reading them because I don't want any spoilers. Even though I read the book, I know what's going to happen.
Steve Gibson
I've read the book twice. Yeah, I had. I had a pressure.
Leo Laporte
Yeah. Oh, yeah. The reviews are very positive. Oh, people are saying this is. This is the best movie. You're going to love it. I'm so excited. So excited. All right, Steve, we'll talk about it next Tuesday on.
Steve Gibson
Well, no, I won't.
Leo Laporte
You and Michael will.
Steve Gibson
Yeah, but are you going to talk about on Sunday?
Leo Laporte
Yeah, probably. Sure.
Steve Gibson
Okay.
Leo Laporte
You know, as much as I can without spoiling it for anybody. Yeah. I'll give you my review.
Steve Gibson
Okay.
Leo Laporte
On TWiT.
Steve Gibson
Yep.
Leo Laporte
Steve, we'll see you next Tuesday. We do the show every Tuesday right after MacBreak Weekly, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. YouTube, Twitch, X, Facebook. I gotta hurry because he just can't hold his hand. YouTube, Twitch, X, Facebook, LinkedIn and Kick. Or of course, for our club members, in the Discord. Thank you, Steve Gibson. Have a wonderful week and see you
Steve Gibson
in two weeks, my friend and Micah, next Tuesday. Bye.
Leo Laporte
Hey, everybody. Leo Laporte here, and I'm gonna bug you one more time to join Club TWiT if you're not already a member. I want to encourage you to support what we do here at TWiT. You know, 25% of our operating cost comes from membership in the club. That's a huge portion, and it's growing all the time. That means we can do more. We can have more fun. You get a lot of benefits: ad-free versions of all the shows, access to the Club TWiT Discord, and special programming like the keynotes from Apple and Google and Microsoft and others that we don't otherwise stream in public. Please join the club. If you haven't done it yet, we'd love to have you. Find out more at twit.tv/clubtwit. Thank you so much.
Date: March 18, 2026
Hosts: Steve Gibson & Leo Laporte
This week, Steve Gibson and Leo Laporte dive into a wide range of current cybersecurity issues, with a central focus on the U.S. CISA's (Cybersecurity and Infrastructure Security Agency) free Internet vulnerability scanning services and how organizations—even small ones—can benefit. They explore new threats like malware disguised as VPN installers, alarming proxy abuses impacting home routers, industry pivots away from end-to-end encryption, as well as the evolving AI-coding landscape. Steve also gives a firsthand tour of his experience signing up for and receiving results from CISA's proactive service.
Steve’s motto of the day:
“You won’t know what might surprise you until you do.” – Steve Gibson
| Segment | Timestamp |
|---------|-----------|
| Photo of the Week + Caption Contest | 02:51 |
| Encryption Retreat by Platforms | 15:44 |
| Proxy Malware on Routers | 29:10 |
| EU Chat Control Update | 45:10 |
| Ransomware Negotiator/Attacker | 57:27 |
| CISA Cisco SD-WAN Mandate | 62:19 |
| VPN Malware SEO Campaign | 65:23 |
| Fake AI Installers in Sponsored Results | 81:05 |
| Zombie ZIP Malware Trick | 87:56 |
| AI Coding Debate & Listener Letters | 93:02 – 128:23 |
| CISA Free Internet Scanning Deep Dive | 134:20 – 158:54 |
Steve’s enthusiastic endorsement of CISA’s free Internet scanning is a highlight—underscoring its value, ease of use, and the surprising breadth of eligibility. The episode offers not only clear and timely threat intelligence but also practical takeaways, from securing home routers to vetting downloads and leveraging governmental resources. The show, as always, balances real-world cyber risks with wit, wisdom, and a little levity.
“Win, win, win, win, win.” – Steve Gibson [156:46]