A (2:51)

I remember with the fortunately that I, I, I left hanging before the show began has to do with this. Fortunately anybody who watches this show knows how to make their own router as you do. Yes, yes, I'm sure talk about that too.

B (3:05)

Not concerned about that anyway, but we got a bunch of stuff to talk about as always. We got the fact that Apple's 20. It's sort of notorious now, 26.4. If you know, if you just say 26.4 to an Apple person, they go, oh yeah, it's caught many people by surprise. We've got LinkedIn's 20.

A (3:28)

Okay.

B (3:28)

2.7 megabyte privacy invading JavaScript blob which Kurt. Yes, Microsoft has just gone off the rails with this. We also have micro. I want quick note about them forcing Windows 1124H2 to 25H2 and the consequences of that. Cisco losing their source code to they were another casualty of this trivy supply chain mess that caught Light LLM that we talked about last week. Proton had a big fan, a big favorite of our of our listeners has introduced a what they're cons, what they're calling a privacy first Voice and video service known as Meet. GitHub is going to respond to the other this whole Trivi Cisco Light LLM mess by taking a closer look at the security of its Actions feature, which is what was abused to make this happen and change their rollout schedule. Cloudflare reaffirming the privacy of its DNS service and oh, Leo, they've recoded Cloudflare. That is recoded WordPress.

A (4:46)

Oh, to fix its security. Yeah.

B (4:49)

Yes. EM Dash, which is a cute name for that. It is.

A (4:53)

It's a little confusing. But now if you weren't into, you

B (4:57)

know, like, I guess. Yeah, exactly. Typography, N dash and M dash and so forth. So lots of stuff to talk about. We got a great picture of the week which has been explained by a couple of our listeners. This was actually submitted by a listener who was walking by, saw this and thought, okay, I got to take a picture of this for Steve because you know, this is, this is wacky.

A (5:21)

I can't wait to see it.

B (5:22)

And I love my caption if I do say so. So anyway, we will, we will talk about it. We will get there.

A (5:29)

It is coming up next as we continue with Security now for this Wednesday, April 7th. We are going to get to that in just a bit. But first a word from our sponsor. As they say this episode of Security now brought to you by. Oh, I love this company Meter, the company building better networks. I talked to these guys. It was two network engineers who started Meter and the reason they started it is. They were so unhappy with the state of networking gear, networking configurations, networking software. They said, we're going to have to do this ourselves. And they did. And this is why you want to know about it. If you're a network engineer, they feel your pain. You know, you know, legacy providers, inflexible pricing. Of course, everybody in IT suffers from resource constraints stretching you thin. And networking, as vital as it is to the business, is not immune to that. You've got complex deployments across fragmented tools. Look, the network is mission critical to the business, but you're probably working with infrastructure that just wasn't built for today's demands. Everything's changed, right? But that's why businesses are switching to Meter. Meter designed from the ground up for modern networks today and for tomorrow. Meter delivers, and this is the key. Full Stack networking infrastructure. They do it all. Wired wireless cellular, built for performance and scalability. That's because Meter designs the hardware. They write the firmware, they build the software, they manage the deployments, they provide the support after sales and service. They do it all. In fact, Meter will even do ISP procurement for you. They will do security, routing, switching, wireless, firewall, cellular. They do power, that's important, right? Clean power, critical DNS security. They do VPNs, they do SD WAN, multi site workflows. In fact, that's one of their specialties. I was talking to them and said a common problem is a company acquire another company and you know, they get this big warehouse 500 miles away and they have to join the network. The warehouse is 40,000 square feet. It's an impossible Faraday cage. And they can solve that. They can fix it and make it all work. Meters single integrated networking stack scales from major hospitals to branch offices to those giant warehouses, big campuses, even, even data centers. In fact, Reddit uses Meter for their data centers. Ask the assistant director of technology for Webb School of Knoxville. Talking about large campuses, they actually have two facilities, he said. We had more than 20 games on campus, athletic events on campus between our two facilities, each game simultaneously being streamed via wired and wireless connections. And the event went off without a hitch. He said we could never have done this before Meter redesigned our network. With Meter, you get a single partner. This is nice too. One phone number to call for all your connectivity needs, from first site survey to ongoing support, without the complexity of managing multiple providers, multiple tools. Meter's integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. I mean, it's clear everything has changed. The network is mission critical. Technologies move very quickly in this area. You need hardware, you need software built for the demands of today and tomorrow. And that is Meter. Thanks to Meter for sponsoring Security now. We appreciate that, and we appreciate it. If you go to meter.com security now and book a demo, you can thank me later. That's M e t e r.com Security now to book a demo. These guys have worked it out. Meter.com security now. Now it's time for the picture of the week.

B (9:55)

Okay, so the caption. You have to have the caption first because. Because I love this caption. I wrote, in electronics, this symbol is a resistor which resists the flow of electrons. When used as it is here, it also resists the flow of people.

A (10:15)

So I'm thinking it's a line with like a. Like a spiral squiggle. Right. Is there. Is that a resistor? I think that's.

B (10:20)

That's a coil, actually.

A (10:21)

That's a coil.

B (10:21)

What's the resistor? Oh, it's the zigzag.

A (10:23)

The zigzag.

B (10:24)

Right, right, right. Yep.

A (10:25)

Right. Yep. Well, why is, I guess, the question.

B (10:34)

So the. And so this is not. I know. It's so. It's. It's a. Clearly, it's a resistor. Right. I mean, that's what it is. It is a. Is a walking path resistor. This. Several people wrote saying, I think this is AI generated. This is nonsense. Well, of course, in this world, unfortunately, it could well be AI generated work. I'm afraid that's just going to be the standard response to anything that looks bizarre from now on. But this was actually. This is a photo taken by a listener who, as I said, was walking by, saw this and thought, oh, Steve's gonna have fun. So. And this was Seth Smith, our. Our listener sent it to me. Anyway, the. The best explanation I've had is that a straight line may have been too steep for getting by, like, wheelchair or some. Some.

A (11:35)

Because it is a little bit of a grade.

B (11:37)

It looks like there is a grade.

A (11:39)

So this is a switchback.

B (11:40)

And so code might require. Yes. That. That they switch back and forth in order not to encounter a grade which is too steep in order to roll themselves if they were in some fashion handicapped up to that little table. So that, you know, sounds right, but it's not very well done.

A (12:03)

It feels like there was some. There's something missing. Like there might have been a reason for this at one time that no longer.

B (12:09)

And it's not rounded. It'd be nice if it, if, if the corners, the points were rounded and it looks like it's kind of pinchy up there at the very far one on, on, on the far right is like, just doesn't look great. But anyway, it is indeed a path resistor.

A (12:28)

So weird.

B (12:30)

Yeah, very weird. Okay, so last week's Apple Upgrade to release 26.4 has sent age confirming shock waves through the UK and in fact I even got one. I'm trying to think what it was I was doing. I was doing something I, I was logging into some app. Oh I think I might have been installing Claude on, on an iPhone and I got a short little popup that just notified me that, that the app had been informed that I was over 18 and I oh interesting. Oh yeah. And, and you know I had occasion as a consequence of all this to go into my settings and I, you know, I am there. It shows my name under my Apple account for Steve Gibson shows my name and my birth date is. No, it's in the phone. So the phone knows how old I am. So anyway, so a listener of ours, Dan Bright in Scotland, he sent an email, said Hi Steve, just FYI, although you likely already know I'm in the UK and updated my phone to 26.4 to be immediately presented with an age verification process which I'm instructed needs to be completed to enable age restricted content settings to be changed. Please find screenshot attached. And he sent me a screenshot and this is you know an I clearly an iPhone and good for you Dan. It's your. Your phone is being kept charged. We know that our lithium ion batteries appreciate you keeping the phone charged. So it Sundays confirm your 18 plus UK law requires and I'll just note that it actually doesn't but okay. UK law requires you to confirm you are an adult to change content restrictions by continuing your ID or credit card may be used to confirm you're an adult. And there's a, you know a big group, a big bleep blue click to continue or you can defer that and confirm later and or learn more about that. So also somebody using the handle red over in GRC's security now News Group posted I am in the UK have had an Apple account for more than 18 years as I had an original ipod touch and he said electronic similar to original iPhone and after installing IPADOS 26.4 the system said quote your Apple account is older than 18 years. You are good.

A (15:22)

That's great.

B (15:25)

And he said I wonder if that's a good method of doing age verification. Lots in the UK report problems. Lots of people don't have credit cards, as you need to be 18 to have credit, so that's a common check, he said. And Apple's system doesn't accept a UK passport as proof of age. And there was I think that might have just changed app. Apple's been iterating on this because of the problems and the feedback that they've been receiving. Once this went out to a much wider audience, I poked around the Internet, reading feedback on the Guardian 9-5 Mac and elsewhere. Nothing stood out as worth sharing in greater detail. If I were to sum it all up with a generalization, I'd sort of call the nature of the reactions get off my lawn. You know normies who don't listen to this podcast and who have not had any reason to track the rapidly changing landscape of online age verification, certainly as we have been, they'll be understandably surprised and annoyed by this apparently sudden need for their eye devices to need proof of their ages. It's like what? Why? What? Huh? So for those who've been paying attention, of course, or listening to this podcast, this won't be any surprise at all. One way or another, it will be coming to every device we own. As I noted last week, even reliably re identifying an anonymous user remotely across a network, known as authenticating, has proven to be a challenge. Now we're needing to reliably and anonymously assert anyone's age, which is, you know, another like whole level in my opinion. As I've said what Apple I believe what Apple has done is exactly the right thing. You know it's true. This will annoy some people. 9 to 5 Mac quoted a reader of theirs who commented on their coverage. This guy wrote this is quite a big failure by Apple. I use a debit card rather than a credit card. I've had one from the same bank for almost 40 years. I don't have a photo driving license. My Apple account is about 14.5 years old, meaning not 18 like Reds was who I shared before he said I I can't verify my age despite being just over 60 years old. Even if they had a passport which should have been usable from the start. I don't have one of those either. As far as I understand, age verification is not required at device level, at least not yet. So Apple could either remove it or make it opt in whilst I can see how it's easier to have it on your device. So not having to verify age for all Restricted websites and age related purchases. It needs to work for all or not be forced on us. Besides, kids will find ways around it. And for now, from what I've seen, you could still get separate age verification for websites outside of Apple. Unless they try to block people doing that. Right? So as I said, get off my lawn. You know, he, he said it needs to work for all or not be forced on us. Right? 100%. That would be great. But there's no magic solution, right? Partly people are freaked out over any perceived loss of their largely fictitious an anonymity online. Partly people are upset over the imposition of any restriction of any kind over what they can do online. They've never had any before. So now why all of a sudden, you know, are some freedoms being taken away from us and some restrictions imposed? Yeah, they are. But everyone should blame their democratically elected politicians. The old adage, you know, I'm not shooting the messenger applies here. The technologies are just doing the best they can to implement what the emerging regional laws require. As societies, we want to protect our children from all the nastiness the world harbors. The anonymity that the Internet offers to criminals means that the Internet is likely to always contain more than its fair share of bad actors, just as it does today. That's unlikely to change. So might some of us, like this guy who grumbled to 9 to 5 Mac be inconvenienced by our collective desire to manage what kids can access online? Uh huh. Yes, that's going to happen. But that's the relatively small price we need to pay. I don't see any way around it. And I love the idea that Apple is finally stepping up to this challenge. Having our platforms able to make these assertions for us globally and anonymously is the way to go. All of this discussion of the age of our Apple accounts made me wonder whether there was any way for us to determine how long we've had our accounts. Since I have a credit card register with Apple, they know I'm over 18. But since there are others who might be using debit cards like this 9 to 5 Mac guy and may not have photo IDs or not have one that Apple understands because there were some reports of that in the uk. Also, it appears that it's possible to bring up a web page@privacy.apple.com you'll be asked to log in with your Apple credentials, then respond to a multi factor prompt on one of your Apple devices. Once you've done that, you'll be taken to a choose the data you wish to download page. I have a picture of that at the bottom of page three in the show Notes. And this is. I've never seen this page before. It's an amazingly comprehensive information request portal where you're able to download all sorts of information and data that Apple may have gathered and accumulated about you through the years of your account ownership with them. The one item you reportedly Because I haven't been. I've. I've started the process. I haven't. It hasn't finished because it takes. It can take up to a week. The one item you need to select is Apple account and device information. But boy, there's a lot more if you want more. So I selected that one and pressed continue at the bottom of that very long and comprehensive page of things that that I could request to receive from Apple. In fact the list was so long and comprehensive that I was next asked how large a file I would be comfortable downloading. It defaulted to 1 gigabyte, in which case it sends you however many 1 gigabyte files you need. But I chose the maximum offering of 25 gigs because the file isn't emailed. Once Apple has assembled the information, I then receive another email needing I need to log in again to reprove my identity. Then I receive a link to download whatever Apple has to share with me. Since I initiated this just last Saturday afternoon so three days ago and it's expected to take as much as a week, I'm unsure you know when I'll have results to share. Probably by this time next week and I'll just quickly let people know what I. What I got. But anyway I just wanted to share all that in case anyone listening might also be curious to know how long they've had their account. I wasn't quick to jump on an iPhone. I don't think I had ever had an early ipod. You know I was in love with my BlackBerry. I was one of those pridest from my cold dead.

A (23:43)

You know you still have some in your freezer.

B (23:47)

No, I don't and I actually did get There is a physical keyboard for the iPhone.

A (23:52)

Did you order that?

B (23:53)

Yeah, I tried it. It's. It's, it's crap. It's no good. Besides it makes your phone about. I can't show it on the screen. Yeah, it's like, it's really like weird. It's like you know a foot long and sticks out of your pocket. So no, it's, it's not going to go.

A (24:09)

I, I cannot use the iPhone keyboard. I hate it.

B (24:13)

It is the it is the biggest trade off that. Yeah, I mean I get it that that's what they want to do and remember of course it was meant to be a consumption device theoretically. But no, I know I do have a Bluetooth keyboard that is, you know, a full size keyboard. It's a cute little thing from Logitech, that guy.

A (24:35)

Oh, that's nice.

B (24:36)

Yeah, it is. And it allows you to associate itself with up to three different devices and you choose which one you want. So, so, so it can appear as one of three different keyboards and so if I know I'm going to be typing something at length normally though, I'll just do. I'll like. I'm so annoyed also Leo, with this schism between iPhone and Windows. Like Apple just refuses to accept the fact that Windows owns the desktop and they're only willing to connect to their Mac in a, in a seamless fashion. So I'll like write something long, then I'll email it to myself, get the email on my phone, select it all, drop it into message and send it. I was like, God, really? This is what I'm being made. It's one of the reasons I'm so annoyed with Apple.

A (25:24)

But yeah, anyway, apparently you can also look at your purchases on the, on the Apple ID and the oldest purchase you made.

B (25:33)

Yes, apparently everything. I mean this, this page is so comprehensive. So I just thought it was cool. I didn't know I'd never gone to privacy.apple.com and done that. But if someone wants to know how long they've had their account, I'm. I don't remember when we began the podcast. That would be an interesting. I know that we began the podcast in 2005 but I don't remember whether I had an iPhone by that time

A (25:59)

when I went on come out till 2006. So I know you didn't have an iPhone in 2005.

B (26:04)

Oh okay. Yeah, so I was still BlackBerry happily.

A (26:08)

The most you could have would be 20 years worth of iPhone because actually next year is the 20th anniversary.

B (26:16)

Oh okay. And I probably waited a couple years because again I just like my little BlackBerry.

A (26:22)

Well, you didn't know that you had to prove you were 18 until now.

B (26:27)

That's true. I want to this next piece LinkedIn and and what Microsoft has done is long. Let's take a second break and then I'm going to plow into some research that a disgruntled add on developer posted. But despite of his disgruntlement, he's not wrong. And Leo, what Microsoft is doing is I, you know, because they're the owner of LinkedIn, it's like, what?

A (27:07)

Well, we'll talk about it in just a bit. What? First word from Zscaler, our sponsor for this segment in Security now and the world's largest cloud security platform. We talk about AI all the time. The potential rewards of AI, especially for your business, I think it's safe to say these days. Too great to ignore, right? But you don't want to ignore the risks either. The risk of losing sensitive data attacks against enterprise managed AI. And there's also the issue that generative AI, and we've seen this on this show already many times, increases opportunities for threat actions actors. They're using AI to rapidly create impeccable phishing emails, to write malicious code. Thank goodness sometimes it's buggy and, but, but, but sometimes it's not. And to automate data extraction. I'll give you an example ripped from the headlines. In 2025 there were 1.3 million instances, 1.3 million instances of Social Security numbers leaked to AI applications. And I can tell you right now that you're at risk right now because tax time is a week away and your employees are almost certainly uploading their tax returns, your tax returns, anybody they can find tax returns to AI saying can you do my taxes for me? And what's on your tax return? Everything a bad guy needs to steal your identity. Last year ChatGPT and Microsoft saw nearly 3.2 million data violations. And you can't really blame employees. We're not thinking, oh, it's dangerous to upload stuff to AI. That's dangerous. Yes it is. It's time for a modern approach. Protect yourself with Zscaler's Zero Trust plus AI. It removes your attack surface, it secures your data everywhere, it safeguards your use of public and private AI and, and it protects you against ransomware and AI powered phishing attacks.

B (29:07)

All of that.

A (29:09)

Check out what Siva, the director of security and infrastructure at Zwora says about using Zscaler Watch. AI provides tremendous opportunities, but it also brings tremendous security concern when it comes to data privacy and data security. The benefit of Zscaler with ZIA rolled out for us right now is giving us the insights of how our employees are using various gen AI tools. So ability to monitor the activity, make sure that what we consider confidential and sensitive information according to, you know, companies data classification does not get fed into the public LLM models, et cetera. Thank you, Shiva. With Zero Trust plus AI you can thrive in the AI era. You can stay ahead of the competition, you can remain resilient and even as threats and risks evolve. But there's only one way to do it. Go to zscaler.com security. That's zscaler.com security. We thank him so much for supporting Steve and Security. Now you support us when you go to that address. Of course. Zscaler.com Security Steve.

B (30:17)

Okay, so two weeks ago while you were at RSA, Leo Maika and I took a look at what we might term the super pixels being used by Meta and TikTok now, which caused their own JavaScript code to be quietly run in the browsers of anyone visiting any website that hosted those pixels. And I'm putting pixels in air quotes here because. Well, I'm going to explain. I noted at the time two weeks ago that the use of the term pixel was almost catching in my throat, because what has evolved over time has rendered that term laughable. So just, just so that we're all starting off on the same page here, the original idea was that a so called tracking pixel could be hosted by a website that a user was visiting. That pixel was actually an HTML URL for a single true pixel size dot, you know, a one by one jpeg or GIF or PNG file. It might even be white or transparent. Since it didn't want to call any attention to itself, it just wanted to be on the page. Its entire purpose was to cause the user's browser to to fetch that tiny little innocuous one by one image dot from some other third party's remote server. And so just to be clear, it would be the visible website the user was visiting that would be delivering its pages to its visitors, which contained the reference to that off site third party pixel. And since that pixel was referencing an image resource from another hosting domain, the user's browser would quietly be making that request to retrieve that pixel on behalf of its user. Now we might wonder why the site being visited by its users might wish to add someone else's invisible pixels to its own pages. And the somewhat distressing answer is that the site would be receiving payment by that third party site in return for the addition of those simple tiny pixels. So the obvious next question is why would some third party site be willing to pay first party sites who people visit all across the Internet in return for hosting their little all but invisible pixels? And the answer to that of course, is tracking. This was the emergence of the early Internet tracking economy. When the user's browser requested that tiny little invisible pixel from the remote third party server, its request contained a bunch of metadata information. The request's referrer header would identify the entire URL of the page the site's visitor will was viewing. And the requests cookie header would dutifully return the unique the unique third party cookie that the third party site may have previously given the user's browser to hold, assuming they encountered a little one of these little pixels from that same third party site anywhere in the past. And of course the request would come from the user's IP address. So lots of information available to some random unaffiliated, you know, not obviously affiliated third party site. And all these little tracking beacons scattered far and wide across the Internet would be gathered by this third party site, which could just sit back and aggregate all that data that was available to it. The final bit of horror which we've covered here at the time was that these tracking companies would create their own rewards and prizes and like sweep, kind of, you know, sketchy sweepstakes websites where they would advertise across the Internet in order to draw people in when signing up for their chance to win, you know, non existent or maybe, you know, prizes. Unwitting users would provide a ton of personal information to that site, you know, at least their names and email addresses and probably more, sometimes their phone numbers, you know, because hey, there's a chance to win. And since these bogus reward sites were being hosted by the same companies who were littering the Internet with their tracking pixels, all of that anonymous tracking data that had been aggregated over time and every website visited the IP address that had that it had been visited from the user's IP address would then be all de anonymized when the user provided their name and email addresses in return for essentially nothing. Unfortunately, those early days now look quaint in retrospect, as users became aware that the sites they were visiting were secretly betraying them behind their backs, compromising their privacy by embedding a pixel in return for payment. Browser extensions such as our favorite one, UBlock, Origin, but also Privacy, Badger, Ghostery, Adguard, Disconnect and NoScript were created to give users who cared some control over this egregious behavior. The next thing to happen was the evolution of the embedded tracking object from a relatively benign now in retrospect, just a little jpeg, GIF or PNG image pixel into a reference to a remote host's HTML or JavaScript. Arranging to run a third party's remotely supplied JavaScript now is the ultimate goal. And that can be done simply by directly referencing a third party JavaScript resource in the hosting pages. HTML, you know, just whatever it is. JS For JavaScript, just like a site's own provided JavaScript, the third party JavaScript will be loaded into and run by every page the user displays. The problem we have now is, is that we've invited foreign code to run inside our web browser. And the behavior of that code, the very code itself, is subject to unilateral change by that third party at any time. And it is from such changes that the practice of web browser fingerprinting has evolved. Right. It should now be clear why the continued use of the term pixel, you know, for anything Meta or TikTok are doing, is laughable. It's not a pixel any longer, although it still goes by that name. Now what we have now is, is essentially hostile, uncontrolled, explicitly privacy compromising code execution by unseen third parties. That's the threat environment that users and their browsers face today. It's completely changed over the course of the last two decades. The duration of this podcast, we've seen all of this. One of the points I wanted to make before we turn to last Week's news about LinkedIn is just how much this behavior is completely hidden from anyone who's clicking links and wandering around the web. You know, the expression out of sight, out of mind has never applied more than it does here. This unseen behavior has been a problem since the first use of a third party cookie for surreptitiously tracking user movement across the web. Through the intervening decades, such behavior has exploded. And the only thing that has any chance of reigning it in on a wholesale level, not just like we who care running add ons like you block origin, but like actually affecting everyone, is government legislation which will eventually wrestle this stuff to the ground, criminalizing it and, and just making it impossible to continue. And there we probably have the EU to thank because they tend to be pioneering this.

A (39:10)

They use pixel now, pixels used kind of generically in the ad industry to anything that's tracking. We're often asked to put pixels in our podcasts, which obviously you can't do. You can't put pixels in an audio audio file. But it, but they're have been some

B (39:27)

audio beacons though, haven't there?

A (39:29)

Well, and we do actually in the feed there are redirects and that's as close as you can get, right?

B (39:36)

Bounces you through something and then, and then eventually. Well, and in fact Pod track, you were using Pod track in order to count downloads.

A (39:45)

That's exactly how we were counting downloads. Exactly. And we still do Something similar. We don't do it with PodTrack, but yeah, that's exactly. So they call those pixels too. It always puzzle me when advertisers say, can you put a pixel in the podcast? And it's like, I don't think so.

B (39:59)

Yeah, because they're not, you know, yeah,

A (40:02)

it's not a pixel, but they just mean tracking of something.

B (40:05)

And it's interesting too because it does demonstrate how much they've just come to take it for granted. It's like, oh, yeah, you know, we want, we want analytics. We want to gather as much date. Yes.

A (40:18)

Yeah.

B (40:18)

Well, talk about knowing everything. Leo, wait till you hear this.

A (40:22)

Okay.

B (40:23)

Okay. So the, the examination of things that are going on behind people's back without their knowledge brings us to last week's LinkedIn revelation which has been dubbed Browser Gate. Okay. Now this is by the apparently disgruntled developer who has a beef with LinkedIn's owner, Microsoft. The Browser Gate website is clearly passion driven and its thesis raised some questions in my mind about its creators motivations. Okay. But I'm getting ahead of the story. Let's first look at that website. It is@browsergate.eu b r o W S E R G A T E U so going there, we're first confronted with the bold black headline, LinkedIn is illegally searching your computer. Okay. The site then elaborates, writing, Microsoft is running one of the largest corporate espionage operations in modern history. And now that may seem like it's a little over the top, but I don't think anyone's going to think that once we're through looking at this closely. He wrote every time any of LinkedIn's 1 billion users visits LinkedIn.com hidden code. Okay. It's not really hidden. I mean, all code is hidden, right? We don't look at the code. No one does. But, you know, so it's. Yes, it's de facto hidden. Hidden code searches their computer for installed software. That's true. Collects the results. That's true. And transmits them to LinkedIn server and to third party companies, including an American Israeli cybersecurity firm. The user is never asked, never told. LinkedIn's privacy policy doesn't mention it. Because LinkedIn knows each user's real name, employer and job title. It is not searching anonymous visitors. It is searching the computers. Identified people at identified companies. Millions of companies every day, all over the world. This, he writes, this is illegal and potentially a criminal offense in every jurisdiction we've examined. Okay, so I want to, I want to share what this author claims is the behavior of LinkedIn's downloaded code. And for the record, none of this behavior appears to be in dispute. All of the evidence that they have collected is available for download and analysis and it has been subsequently verified by independent researchers including by bleeping computer who has the advantage of objectivity and knowing their way around. So under the heading of what we found, this author writes Mass breach of personal data LinkedIn's scan reveals the religious beliefs, political opinions, disabilities and job search activity of identified individuals. LinkedIn scans for extensions that identify practicing Muslims, extensions that reveal political orientation, extensions built for neurodivergent users, and 509 job search tools that expose who is secretly looking for work on the very platform where their current employer can see their profile. Under EU law, this category of data is not regulated, it is prohibited. LinkedIn has no consent, no disclosure and no legal basis. Its privacy policy mentions none of this. LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha and ZoomInfo. Because LinkedIn knows each user's employer, it can map which companies use which competitor's products. It is extracting the customer lists of thousands of software companies from their users browsers without anyone's knowledge. Then it uses what it finds. LinkedIn has already sent enforcement threats to users of third party tools using data obtained through its covert scanning to identify its targets. In 2023, the EU designated LinkedIn a regulated gatekeeper under the Digital Markets act and ordered it to open its platform to third party tools. LinkedIn's response? It published two restricted APIs and presented them to the European Commission Commission as compliance. Together these APIs handle approximately 0.07 calls per second. Meanwhile, LinkedIn already operates a private internal API called Voyager that powers every LinkedIn web and mobile product at 163,000 calls per second and Microsoft's 249 page compliant compliance report to the EU the word API appears 533 times. Voyager appears 0 times. Meaning he's saying that they're not acknowledging the use of this internal this other internal API. At the same time, he writes, LinkedIn expanded its surveillance of the exact tools the regulation was designed to protect. The scan list grew from roughly 461 products in 2024 to over 6,000 by February of 2026. The EU told LinkedIn to let third party tools in. LinkedIn built a surveillance system to find and punish every user of these tools. LinkedIn ships your data to third parties. It loads an invisible tracking element from Human Security, formerly Premier X, an American Israeli cybersecurity firm Zero Pixels Wide hidden off screen that sets cookies on your browser without your knowledge. A separate fingerprinting script runs from LinkedIn's own servers. A third script from Google executes silently on every page download. Well, many people have that, but he says all of it encrypted, none of it disclosed. But he finishes Microsoft has 33,000 employees and a 15 billion legal budget. We have the evidence. What we need is people and funding to hold them accountable. Okay, so is this probably happening? As we'll see in a moment, apparently so. And thanks to the gdpr, much of what's being done behind the backs and without the explicit knowledge and permission of European Union citizens might well be illegal, as the creator of this website clearly believes. But knowing Microsoft, I would expect it to be covered by some, you know, vague consent to business purposes language which anyone can, can mean to take, you know, can take to mean anything. As we've seen. The good news is European regulators are genuinely and generally unimpressed by such implied consent. Okay, so to help us through this, you know, through a far less biased lens than this guy has, two days ago on Sunday, the Next Web did some great reporting on this. Even lacking the original author's bias, the Next Web's headline was LinkedIn is secretly scanning your browser for 6,000 extensions and you weren't told. And just to give everyone so that we understand what we're talking about, it is actually reading searching for files on a user's hard drive. It is, it is looking through your file system when you go to a LinkedIn page, which is what bleeping computer confirmed and showed, you know, happening in their report of this.

A (49:07)

Is it part of its fingerprinting, you think? Or do they want that information?

B (49:11)

There, there's actually different fingerprinting than this. They apparently actually want to know what browser Chromium browser extensions you have installed. So here's what and, and, and the Next Web makes this clear. They said every time you visit a Chromium based browser and actually Firefox users apparently are subjected to far less of this because it is very browser specific. Yeah, which is nice. Every time you visit LinkedIn in a chromium based browser, a hidden. Again they use the word hidden. But okay. JavaScript routine silently probes your browser for more than 6,000 installed extensions, collects 48 hardware and software characteristics about your device. That's the fingerprinting part, encrypts the resulting fingerprint and attaches it to every API request you make during your session. The practice labeled browser gate by researchers is not disclosed in LinkedIn's privacy policy. Says the Next Web you know who's you know doesn't have a cross to bear here or ax to grind. LinkedIn says it's a security measure. Critics say it is covert surveillance of a billion users browsing behavior at industrial scale. There's a routine that runs on your computer every time you open LinkedIn. You cannot see it, you are not told about it, and it is not described in the company's privacy policy. According to an investigation published in early April 2026 by Far Linked EV, a European association of commercial LinkedIn users, the platform get this Leo injects a 2.7 megabyte JavaScript bundle is like it's like wow, 2.7 megabytes of JavaScript into its website that silently scans visitors browsers for the presence and actually it's the visitors PCs for the presence of more than 6,000 specific Chrome extensions, assembles a detailed fingerprint of their hardware, encrypts it, and transmits the result to LinkedIn servers where it's attached to every subsequent action taken during the session. The investigation the Next Web writes independently, confirmed by bleeping computer, which verified the scanning behavior through its own testing, has been dubbed browser gate. LinkedIn disputes many of the report's characterizations. The technical facts, however, are not in dispute. LinkedIn calls its scanning system spectroscopy. When a user loads the LinkedIn website, the script fires off up to 6,222 simultaneous requests, each one probing for a specific browser extension by attempting to access files on the user's file system associated with that extension's id. The presence or absence of a file in the response indicates whether the extension is installed. The entire operation runs silently in the background without a visible prompt or notification of any kind beyond ext. Again, 6222 extensions like that it's checking for why. What business is it of LinkedIn? What extensions to that degree, more than 6,000 of them that a user has installed. Beyond extensions, the script collects 48 distinct characteristics of the user's device, CPU, core count, available memory, screen resolution, time zone, language settings, battery status, audio hardware information and storage capacity, among others. Now, those are traditional. Those are called like standard fingerprinting, right? They said if individually these attributes are unremarkable, combined they form a device fingerprint true specific enough to identify a user even after cookies are cleared. Okay, we've all seen that before. However, they said once compiled, the data is serialized to JSON and encrypted using an RSA public key. LinkedIn's internal identifier for the key is APFC DFPK before being transmitted to telemetry endpoints, including LI track and platform telemetry LI APFCDF. The fingerprint is then permanently injected as an HTTP header into every API request made during the session, meaning LinkedIn receives it with every search, every profile view, every message sent. Okay, now I'm going to pause here a minute. They haven't looked at the code. I'm sorry I haven't looked at the code, but what the Next Web described makes sense in an interesting way. They wrote that the data was compiled, serialized to JSON and encrypted using an RSA public key. But my spidey sense tripped when I didn't see any mention of hashing. And I did see that mention of reversible encryption thanks to the use of an RSA public key. As we all know, the widely accepted way of fingerprinting a browser is to collect all of that random yet very specific data, then hash it down into an information lossy, thus irreversible hash. This creates a token that can be used to represent the user's browser as it moves about the web. But my first question is why Microsoft would need to have that at all. This sort of fingerprinting is only used by third parties who wish to track browsers as they move to other sites containing the same third party fingerprinting code. But Microsoft's LinkedIn users are already logged in with a first party relationship to Microsoft, so why would Microsoft need to track them anywhere? Doesn't make any sense. There. It seems to me that this is not a fingerprint at all in the traditional sense. I think that it must be a form of what I will call a super fingerprint. Microsoft is assembling those 48 data points into a JSON object which is then serialized. A random symmetric key will be derived and used to reversibly encrypt that serialized JSON blob. That symmetric key will then be encrypted with the RSA public key contained within that massive 2.7 megabytes of JavaScript. That means that at any later date, Microsoft or anyone else who might have the matching RSA private key, and they alone can decrypt the original symmetric key, then use that to decrypt and deserialize the JSON object to obtain the original 48 individual pieces of information. Why would that be useful? Well, the problem with using a hash to fingerprint is that thanks to the magic of cryptographic hashing and Deliberately so if even one single bit of the hash's input data were to be changed, on average half of the resulting hashes bits will be inverted. The point is that if just a single characteristic bit changes an entirely new and untrackable hash results. But Microsoft's Super Fingerprint avoids the information lossy hash. So they've presumably retained all of the information contained within those 48 pieces of information individually. That means that Microsoft's Super Fingerprint can retain tracking or more likely a tight association with the user's browser. Even when some of the browser's data changes, they change screen resolution, they should their battery status changes, right? Because that's one of the things the battery percentage change would completely result in a different hash. In the old school fingerprint mode. Here the Microsoft can examine it, see that the battery charge changed but nothing else did, and go, okay, same person, and then update the fingerprint to match the new battery status and continue tracking. So it is literally a super fingerprint. And since all this is sent back to the Microsoft LinkedIn mothership, what Microsoft probably does is fully decrypt all of that browser parameter data and keep it on file for every LinkedIn user. Over time, this would allow Microsoft to to identify exactly how many and which web browsers each of their 1 billion LinkedIn users were to log into, since they're logging into LinkedIn. And perhaps that information could be useful for some security purpose. So that I can believe. The other thing that would also be interesting to check would be what exactly those 48 pieces of information are. I didn't dig into it, you know, that there could be a wolf hiding among the sheep if the presumption was that everything was being hashed into a fingerprint, that none of the specific information that Microsoft was collecting could be a big deal since that information would be lost due to the hash. Okay, you know, but if we assume that Microsoft is collecting and reversibly encrypting and forwarding all of that to their mothership, it would be interesting to see exactly what they're collecting and retaining. Because 48 individual things, that's a lot of things, you know, more than just screen resolution and battery charge and you know, that kind of stuff, you know, browser, user agent, string and so forth. Anyway, the the next web does have a bit more to say. They wrote the question of which extensions LinkedIn is scanning for makes the surveillance more sensitive than simple fraud detection would require. According to the browser gate report, LinkedIn's list includes more than 200 products that compete directly with its own with LinkedIn's own sales tools. As noted before, Apollo, Lusha and ZoomInfo. Because LinkedIn knows the employer of each registered user, systematically scanning for the presence of a competitor's tools gives the platform visibility. LinkedIn visibility into which companies are evaluating or deploying rival products. Because again, they know who the LinkedIn person's employer is. The list also reportedly includes tools associated with neurodivergent conditions, religious practices, political interests and job hunting activity. Categories that in the European Union qualify as sensitive personal data subject to heightened protection under the General Data Protection Regulation. You know, gdpr Knowing that a user is running a job search extension, for instance, is a meaningful inference about their employment intentions drawn without their consent. The scale of the operation has grown substantially over time. In fact, this is really what's breathtaking. LinkedIn, they said, began scanning for 38 specific extensions in 2017. 38 extensions being scanned for in 2017. By 2024 that number had grown to 461. Hey, if some is good, more is better. Nobody seems to be minding or complaining, so let's just scan their hard disk more widely. By February of 2026, meaning a month and a half ago, the list had reached 6167. Yes, 6167 individual extensions files being scanned for. They wrote. BLEEPING COMPUTERS Testing confirmed the scanning was active as of early April 2026.

A (63:26)

I don't understand why they are looking for specific extensions instead of just saying what extensions are you running? I don't. Can't you ask the browser what extensions are running as part of the fingerprinting? I think you can.

B (63:41)

Well, they're probably going beyond extensions. I mean they're what, what they're doing for all applications. They're looking for file names. They are doing file name queries in. It is. And, and Leo, I don't think I have a link here to the bleeping computer report, but you might grab it while I, while I'm, I'm sharing this because it's bracing to actually see what. And I think it may have been Lawrence himself who did the research. So now we're at, as of February 2026 we're at 6167, which they note is a 1252% increase in two years. Bleeping computers Testing confirmed the scanning was active, as I, as I noted, as of early April 2026.

A (64:36)

So is this.

B (64:37)

Oh, yep, that is that those. And you can see the IDs and then the files that are actually being scanned for JavaScript, AVGs, HTMLs. So those are. Those are actual.

A (64:52)

Blame the browser for letting it do this.

B (64:55)

I agree. I and that's where you're. You're going to see me reach that conclusion here in a minute. That we users need control over this completely out of control behavior.

A (65:05)

Yeah. Huh.

B (65:09)

So they wrote the next web wrote LinkedIn's response to bleeping computer was pointed. A spokesperson said, quote the claims made on the website linked here are plain wrong. The person behind them is subject to an account restriction for scraping and other violations of LinkedIn's terms of service. To protect the privacy of our members their data and to ensure site stability, we do look for extensions that scrape data without members consent or otherwise violate LinkedIn's Terms of Service. So. So they're saying they're looking at more than 6,000 extensions because they're naughty and okay, they said that they do that they do not use the data to infer sensitive information about members. LinkedIn's the Next Web wrote LinkedIn's characterization of the Source Matters Fairlinked EV is connected to Team Fluence Signal Systems OU, an Estonian company whose managing directors are Steven Morell and Jan Lebling. Team Fluence makes a Chrome extension also called team fluence that LinkedIn restricted for alleged terms of service violations. The company subsequently filed a preliminary injunction against LinkedIn Ireland Unlimited company and LinkedIn Germany at the Regional Court of Munich, alleging violations of the Digital Markets Act, EU Competition Law and German data protection rules. In January, the Munich court denied the injunction, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination. The financial dispute between the parties does not change the technical findings, however, which were verified independently. It does mean the framing of those findings is contested. The reader should weigh both the substance and the claim and its provenance. This is not LinkedIn's first serious encounter with European data protection enforcement. In October 2024, the Irish Data Protection Commission, which regulates LinkedIn in the EU through its Irish subsidiary, fined the company 310 million euro, approximately $334 million at the moment for processing users personal data for targeted advertising without a valid legal basis. So LinkedIn was found to be using personal data for targeted advertising. The decision found that LinkedIn's consent mechanisms did not meet GDPR's requirement that consent be freely given. LinkedIn was ordered to bring its data processing into compliance. The browser gate investigation drops into that context the legal question of whether scanning for 6,000 browser extensions constitutes processing of special category personal data and whether users lack of awareness of the practice or renders any implied consent invalid is exactly the kind of question the Irish Data Protection Commission has already shown it's willing to adjoin in court. Europe's evolving digital regulation framework has been moving steadily toward requiring explicit disclosure of all significant data collection, and a scanning operation of this scale, conducted without any mention of in a privacy policy, appears difficult to square with that direction of travel. LinkedIn is a Microsoft subsidiary acquired in 2016 for $26.2 billion. Microsoft has been aggressively expanding its AI capabilities in 2026, with LinkedIn's vast data set of professional identity and employment history forming a significant part of the data infrastructure infrastructure on which those capabilities rest. The relationship between LinkedIn's data collection practices and Microsoft's broader AI ambitions is not addressed in LinkedIn's privacy policy either. Anyway, so they talk about LinkedIn having more than 1 billion registered users. Oh, and they did note short of using a non chromium browser such as Firefox, which would limit but not necessarily eliminate LinkedIn's fingerprinting capabilities, there is no user facing setting that prevents the scanning. The platform does not offer an opt out because it does not disclose the practice in the first place. The 2026 push for governed and transparent AI and data practices is built on precisely the premise of that invisible data collection of this kind should not be the default okay, so. We began this topic by, you know, reminiscing over the quaint web browser Pixel, which was literally a pixel image dot supplied by some other domains web server that has evolved or perhaps devolved into an astonishingly monstrous and invasive 2.7 megabyte unsolicited blob of code that does actually, as observed, confirmed and reported by bleeping computer, scan the mass storage file system of its website's visitors. You go to LinkedIn.com that happens to you looking for the files belonging to at last count and this is rapidly increasing 6,236 web browser extensions which are arguably none of its business. As the Next Web stated, this may be illegal in the eu, where thankfully privacy regulations are very strong and are only getting stronger. But whether or not this is illegal, it seems pretty clear that things and I agree with you Leo, on this point, have gotten way out of hand, apparently due to a complete lack of adult supervision. Something really bizarre is going on at Microsoft's LinkedIn property. So regardless of the motivations of these begrudging, you know, developers, I'm very glad that that the world has just received an absurdly clear example of the need to Perhaps give our web browsers some some form of control over, you know, like what the JavaScript that the browsers are hosting is allowed to do. It would be nice if some sort of an alert came up and said whoa, do you realize that that the website that you have just gone to has made 6,232 queries of your file system like for different files by name of your file system. And how do you feel about that anyway, you know there, you know this JavaScript is rumaging around inside users computers for a while searching for all those files. Maybe we should be asked if we consent to having it do that. That just seems like you know, crazy behavior on Microsoft's part and they are only getting away with it because it has, you know, these people use the word hidden or secret. You know, it just isn't obvious in the same way. The third party cookies have never been obvious. So you know, out of mind or out of sight out of mind. And this has been certainly, you know, something no one would be aware of otherwise. It's crazy. But Leo. Yes, I know, you know what our listeners do want to know about?

A (73:35)

They want more ads, right? Hey, I did want to mention this broke during the show Anthropic we know was working on a new model in the rumors Mythos and that the rumors were it was going to be so good that they were holding it back for fear it would be misused. Today they announced that they are going to allow a small number of people to use Mythos for security reasons. They say it is so good strikingly capable a computer security tasks. They've already set it against existing browsers and operating systems and they say found tens of thousands of vulnerabilities including in operating systems that are in every operating system and every browser that is currently in use. So of course it could also be misused. Their fear is to find vulnerabilities that can be exploited. So they have announced something today called Project Glasswing which they are going to. Here, let me go full screen on this. They're going to offer to a small number of companies. It is not going to be in wide availability but they're going to offer

B (74:57)

to, offered to the good guys the

A (74:59)

world's most critical software to find those vulnerabilities before the bad guys get access to to this model.

B (75:07)

Now Leo, we are living in a science fiction world.

A (75:10)

Well this could be just really good marketing. I, I mean understand what better way to say hey our model is good. But they, I think I, I think it's credible and they Say they've already found thousands of high severity vulnerabilities. They found Linux vulnerabilities have been around for 25 years. Free. They found a free BSD escalation exploit that was very severe. So they are giving this away to a broad number of companies who have, you know, mission critical software in the enterprise and hoping that they'll find those vulnerabilities before it becomes, they become public.

B (75:50)

So it's going to be turned over to, you know, and I think I, what I read about this, a rumor at the time because it wasn't officially disclosed, is this would be a super high end model that would cost more to use.

A (76:06)

Yeah, the rumor is it'll be very expensive. We don't know. That's not been confirmed yet. They are dedicating $100 million in token credits to these companies so they can use it, you know, kind of freely. I think this is a big security story. Again, it could be just a very good marketing ploy. But I tend to credit that this is possible. And the scores on the software benchmarks for this thing are off the charts. Much better than their current 4.6 opus.

B (76:38)

No kidding. Even more so than opus.

A (76:40)

Yeah, much more so, like 50% better than opus.

B (76:44)

Wow.

A (76:44)

So they found a 27 year old OpenBSD bug, they found a 16 year old FFmpeg bug. You know, I mean we're going to see more and more of this obviously and the fear is that people will use it for, you know, to find those flaws and exploit them. So they want to give this away to people so that they can find them and fix them before they get exploited. So that remote code execution in the FreeBSD that's 17 years old, I mean

B (77:12)

remote code execution, I thought it was a privilege.

A (77:16)

That's a different one. That's an OpenBSD. This is in FreeBSD. This allows anyone to gain root on a machine running NFS from anywhere on the Internet. So it's a pretty. And it's been around for 17 years, so they say, fully autonomously. No human was evolved even in the discovery or exploitation of this vulnerability after the initial request to find the bug. So that's the concern. A bad guy will find it and suddenly you've got all of these FreeBSD distros completely vulnerable.

B (77:49)

Yikes.

A (77:51)

4.6 was able to exploit the vulnerability but required human guidance. Mythos did not. It could be. And that's really scary the idea that they could autonomously.

B (78:02)

Well, I mean there's no question that the bad guys will pay whatever that it cost is and, and find exploits and jump on them. It is. This is, you know, we, we, you know, we talked about exactly this for a while. Remember that? I don't remember if it was open AI or Anthropic. We're saying that the good news is the AI seems better at finding problems than it is at exploiting them. That's not apparently changed.

A (78:34)

And the other thing that I thought was really telling is Mythos is able to chain exploits as many as six exploits. So that's a big deal because as we've talked about many, many times, it's not often that just a single exploit is enough. Often these exploits are chained.

B (78:53)

Right.

A (78:54)

And the fact that Mythos can do it autonomously, it's a little scary. So that's a big story. We'll hear a lot more about it. We'll talk about it tomorrow on Intelligent Machines. And I'm sure, in fact, if we can, we got a really good guest on Intelligent Machines tomorrow, Daniel Meisler, who is a security researcher, many years with security, worked at security at Apple and other companies and is an AI aficionado. So he'll have something to say about this for sure. Should be very interesting. All right, let's take that break that you promised. I just wanted to mention this.

B (79:26)

Yes, I'm glad you did.

A (79:27)

Just happened.

B (79:28)

Yeah, that's gonna be and story. There will be people who didn't check their code or that weren't. I mean, that didn't qualify for Anthropic's initial offer and bad guys. There's just no question that we're going to see a, you know, on the, on the margins there will be new exploits that are found and, And I

A (79:50)

think again, it could just be a marketing ploy, but I think. I think I want to give credit to Anthropic for doing the right thing to hold this back and release it this way so that people had a chance. As otherwise, I'm afraid we don't have much of a chance in this modern world. Our show today, brought to you by material, I mean talking about security. They are the cloud workspace security platform built for lean security teams. They're not there to replace you, they're there to support you. Managing security is hard enough, but doing it in the cloud is even harder. And phishing is not the only problem. Today's email security does the best it can, but it stops at the perimeter. And because when you're in a cloud environment, your email, your data and your identity security tools are all siloed. So it's very hard to detect these attacks. Material crosses the barrier, protects email files and accounts in both Google Workspace and Microsoft 365. And that's because effective email security today needs to do more than just block phishing and other inbound attacks. It needs to provide visibility and defense across the entire workspace threat surface. So material goes the extra mile. They ingest your settings, your contents and your logs to give you holistic visibility into threats and risk across the workspace and the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. Yes, phishing protection of course. And email security. Combining advanced AI detections with threat research so you know ahead of time what's coming and user report automation so your users could be part of this detection and protection of sensitive data across inboxes and very important shared files. That's another threat vector. You also have account threat detection and response because I don't know about you, but we're seeing this every single day. People are trying to break into our Google workspace accounts, our Microsoft 365 accounts. Material gives you comprehensive control over access and authentication of people and third party apps. You need that information too. Material empowers organizations to rapidly mature their ability to detect and stop breaches with step up authentication when you have extra sensitive content blast radius visualization for accounts so you know what the risks are and the ability to detect and respond to threats and risk across the entire cloud Workspace. Material enables organizations to scale their security without scaling their teams. Material drives operational efficiency with its simple API based implementation and flexible automated and one click remediations for email file and account issues, including an AI agent that automates user report triaging and response. So it takes some of the load off of your team too. Material protects the entire workspace for the cost of just email security alone. With a simple and transparent pricing model, this is a great solution. It secures your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See Material Security to learn more or book a demo. Again, that's Material dot Security. Thank them so much for supporting security. Now time is right. Everybody's in the cloud these days. You need material security. All right, let's get back to Steve.

B (83:27)

So while I was over at Bleeping Computer confirming that Lawrence Abrams had independently verified Microsoft's hard to believe JavaScript behavior. Wow. I encountered the news that Microsoft was also has now also begun forcing upgrades of unmanaged Windows 11 PCs from 24H2 to 25H2.

A (83:54)

Yeah, saw that yeah.

B (83:56)

Last Friday, bleeping Computer reported. Starting this week, Microsoft has begun force upgrading unmanaged devices running Windows 1124H2 Home and Pro editions to Windows 1125H2. According to the company's lifecycle policy report, Windows 1124H2 will reach end of support in roughly six months on October 13, 2026, also known as the Windows 112025 update. Windows 1125H2 began rolling out in September to eligible Windows 10 or 11 devices as a minor update installed through enablement packages less than 200k in size, Microsoft said in a Monday rollout to the Windows release Health Dashboard. Quote the machine learning the machine learning based intelligent rollout because of course Leo, everything has to be intelligent learning intelligent AI nonsense now otherwise it's no good right Humans those I don't want dumb humans what they're doing smart yeah that's right. Has expanded to all devices running Home and Pro editions of Windows 11 version 24H2 that are not managed by IT departments. Devices running these editions will no longer receive fixes for known issues, time zone updates, technical support, or monthly security and preview updates containing protections from the latest security threats. These devices will automatically receive the Update to Windows 11 version 25H2 when they're ready, no actions required, and you can choose when to restart your device or postpone the update. Yeah, right, we've been there before until they start saying do you want to do it now or later? They said. Those who don't want to wait for the automatic update can manually check whether the update is available in Settings Windows Update and click the link to download and install Windows 1125H2. If you're not ready to update you, you can also pause updates from Settings Windows Update by selecting the amount of time you'd like to pause them. However, you must install the latest updates after the time limit has passed. Microsoft also provides a support document and a step by step guide writes Bleeping Computer to help users resolve problems encountered during the Windows 1125 H2 upgrade process. Since the March 2026 Patch Tuesday updates were released last month, Microsoft has issued several emergency updates, including ones that address a known issue, breaking sign ins with Microsoft accounts across multiple Microsoft apps such AS teams and OneDrive. It also pushed out of band updates for hot patch enabled Windows 11 Enterprise devices that fixed a Bluetooth device visibility issue and and security vulnerabilities in the Routing and Remote Access Service management tool. So I wanted to mention this because GRC's in control, freeware can also be used to give users control over exactly this process. It configures Windows to appear as if it's under management. Thus it is not unmanaged and Microsoft will officially leave it alone. If you have used Incontrol to lock down your current Windows version and may wish to make the move to Windows 1125H2, control can just be as easily reversed. So I just saw that I wanted to give everybody reminder, you know, it's as we know we had fun with it at the time, Leo back in the Windows seven days where the first version of this was called Never ten.

A (87:53)

Never ten.

B (87:56)

When I, when I vowed to never be using Windows 10. So never 10. And then there was a. There was a temptation to do never 11, but because they promised us that 10 would be the last version, I thought, nope, fool me once. You know, I'm not. It's Lucy pulling the football out from under Charlie Brown. So I decided instead to create In Control, which would allow us, you know, once. Apparently there's going to be a Windows 12, right? So, okay, I'm glad I called it In Control and not never, right?

A (88:32)

Never 11. Never 12. You could do it. You know what though? If you're really thinking you could get upgrade fees every year, just, just think about it.

B (88:40)

I'm just saying, actually it's free, so.

A (88:43)

Oh shoot. No, you see, you see,

B (88:47)

did want to mention that it's freeware and it was with no bugs known at the time of its release. So it's still at release one and it works perfectly and it's free and you can use it forever. So Last week's deep dive into the Light LLM mess revealed that the proximate cause of Light LLMs troubles was actually the use of of a compromised free and open source vulnerability scanner called Trivi. It was widely expected that Light LLM would not be alone in this, and indeed we've since learned that none other than Cisco Systems became another victim. Bleeping Computer also reported on this. They explained Cisco has suffered a cyber attack after so Cisco has suffered a cyber attack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code Steal Cisco's source code belonging to the company and its customers. A source who asked to remain anonymous told Bleeping Computer that Cisco's Unified Intelligence center, the CSIRT and EOC teams contained the breach involving a malicious and Here it is. GitHub Action Plugin from the recent Trivy compromise. We'll be talking about action in a minute, they wrote. The attackers used the malicious GitHub action to steal credentials and data from the company's build and development environment, impacting dozens of devices, including some developer and lab workstations. While the initial breach has been contained, Bleeping Computer was told that the company expects continued fallout from the follow on Light, LLM and Checkmark's supply chain attacks. As part of the breach, multiple AWS keys were reportedly stolen and later used to perform unauthorized activities across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide scale credential rotation. I wanted to mention that one of the things that we're seeing now is that the bad guys know how to take advantage of the things they steal. Back in the early days, you know, we were seeing like AWS credentials were stolen, but then we didn't immediately hear that and they were used like to ill effect for those who, from whom they were stolen. Now we're always seeing that. My point is that is another thing that seems to have changed is all the bad guys know how to take advantage of what it is they steal and, and they know that they're, they're, that, that their, their window of opportunity will be very short, so they immediately jump on it and, and you know, their, their attacks, the, the attacks go broad and, and deep and wide so, so that they're getting the most bang they can for the buck to the detriment of the, you know, the victims of these. They wrote Bleeping Computer that more than 300 Cisco GitHub repositories. 300 GitHub Cisco repositories were also cloned during the incident, including source code for its AI powered products. Of course Cisco is going to have that. Why fix the old ones such as AI assistance, AI defense and unreleased products. Whoops. Yeah. A portion of the stolen repositories allegedly belong to corporate customers, including banks, BPOs and US government agencies. Multiple sources told Bleeping Computer that more than one threat actor was involved in the Cisco CICD and AWS account breaches with varying degrees of activity. Bleeping Computer contacted Cisco with questions. I bet they did. Regarding the breach, but has not received a reply to our emails. They wrote Cisco's breach was caused by this month's Trivi vulnerability scanner supply chain attack in which threat actors compromised the project's GitHub pipeline to distribute credential stealing malware through official releases and GitHub actions. That attack enabled the theft of CICD credentials from organizations using the tool, giving actors access to thousands of internal build environments. Security researchers linked these supply chain attacks to the Team PCP threat group based on the use of their self titled Team PCP Cloud Stealer infostealer. Team PCP has been conducting a series of supply chain attacks targeting developer code platforms such as GitHub, PyPi, NPM and Docker. The group also compromised the light LLM PyPi package, which impacted tens of thousands of devices and the Checkmarks KICS project to deploy the same information. Stealing malware so one One snarky but understandable comment I saw from someone commenting upon the fact that some of Cisco's source code had escaped. Somebody wrote, maybe they can fix some bugs while they're in there. Yeah, we can hope.

A (94:41)

They probably could if they wanted to.

B (94:43)

Wow, wow wow. So I know from seeing the domains of our Security now listeners who have email subscriptions the the email domains in email subscriptions that the Proton family of products are very popular. Interesting among our listeners. Yeah, I see a lot of app proton.com email in in our our subscriber base. So I wanted to note that last Tuesday Proton announced Proton Meat, which Proton describes as a privacy first end to end encrypted audio and video conferencing solution. They up they Proton explained, writing when meeting in person isn't an option. We turn to video calls for conversations too important for email or chat. Whether you're talking to a doctor, hosting an executive meeting, or checking in with your kids, you expect these interactions to be private and safe. But mainstream video conferencing services such as Zoom, Google, and Microsoft can eavesdrop on your conversations. Proton Meat gives you back your privacy and peace of mind by protecting your calls with endtoend encryption so nobody can listen in or use your conversations to sell ads, conduct surveillance, or train AI. Okay, now I was I'll admit I was somewhat surprised by Proton's claim of eavesdropping, and it appears that they're mostly referring to the leakage of metadata. Not that that's not a problem, but that seems to be their focus. Also, their information may be a bit dated and skewed. Their claims included links to Zoom, Google and Microsoft. But for example, the Microsoft link talked about Outlook Psych. Okay, and the Zoom link was a posting written six years ago in 2020. This is not to suggest that I would not be far more inclined to trust Proton than Microsoft, Google, or Zoom. I would, without question. Anyway, I have the link to last week's Protons meet announcement in the show notes for anyone who may be interested in following up on Although I'm sure if you just go to Proton Me, which is the domain of this link that probably comes up on their announcements and I mentioned we would be talking in the future about GitHub. Well, that future is now. The recent light LLM and now Cisco and now several other attacks that have all been attributable to the Trivi malware scanner also involved GitHub's actions feature. In the wake of these various messes, GitHub has announced that it now plans to accelerate the development and rollout of some of the additional GitHub Actions security features it had originally planned to roll out later this year in otherwise, in other words, whoops, maybe sooner rather than later. So since since Actions are now seeing some serious abuse, there's no time like the present to improve their security and that is happening. Also cloudflare said that in their posting that sort of just sort of in passing that the use of the sort of checking back in 1.1.1.1 remains super private. They they and this was posted on the 8th anniversary of its launch. They said exactly 8 years ago today. They posted this I guess Sunday. We launched 1.1.1.1 public DNS resolver with the intention to build the world's fastest resolver and the most private one. We knew that trust is everything for a service that handles the phone book of the Internet. That's why at launch we made a unique commitment to publicly confirm that we are doing what we said we would do with personal data in 2020. We hired an independent firm to check our work instead of just asking you to take our word for it. We shared our intention to update such examinations in the future. We also called on other providers to do the same. But as far as we're aware, no other major public resolver has had their DNS privacy practices independently examined. So anyway, their posting continues at some length, but they were just audited by one. And this is the point. They just had an audit by one of the top four accounting firms and they again passed with flying colors. So they they do not want to know who uses their service nor what those users look up. DNS querying source IPs are anonymized on use and deleted within 25 hours. So they are really doing everything they can to honor their privacy commitments. And Leo, we're at an hour and a half in. Let's take a break and then I'm going to talk about the other very cool thing that Cloudflare has just done by basically creating a WordPress replacement.

A (100:33)

Yeah, very, very. Yeah, yeah. I think it's very interesting. Yeah, we'll talk about the EM dash in just a little bit. I think that's what Steve's aiming at. Yep. But first a word from another thing to get very excited about. Our sponsor, Bitwarden. I actually saw them at RSEC and was really great to talk to them. I love what they're up to, especially if you are an AI developer in AI, you'll love the secrets features that they're adding. Let me talk about Bitwarden, our sponsor for this segment of security. Now, if you didn't know the trusted leader in passwords, passkeys and secrets management. As I said, with over 10 million users across 180 countries and more than 50,000 businesses, Bit Warden is consistently ranked number one in user satisfaction by G2 and software reviews. Some really nice features. I talked with them at RSEC about a new thing they just announced, the Agent Secure Access, which is an SDK that they're making open so everybody can adopt it, that lets you use your password manager to store and deliver secrets, you know, API keys, things, tokens, things like that to your AI without putting them in clear text anywhere on your hard drive. All the security of the Bitwarden vault, all the convenience of having AI be able to get it but not reveal it and not whatever it does not commit to GitHub. They're always adding new features. It's so great. I've been using their SSH key generator, another great idea, because now I just keep all my SSH keys in Bitwarden. I don't have to maneuver them and move them around. I have it all there and Bitwarden's on every machine, so it makes it very simple. With Bitwarden Access Intelligence, this is for enterprise, another great feature. Organizations can use Bitwarden to identify weak, reused or exposed credentials and coach your employees to take action immediately, which is great. They become part of your security team while Vault Health alerts, which they've had for some time, and password coaching surface risk to individual users in real time and guide them to fix issues on the spot, turning one of the most common causes of breaches into something visible, prioritized and fixable. And now let me talk about this new Agent Access SDK. This is so cool. This is what we interviewed them about at rsac. It's a. I love it that they're making it open. I mean, first for me, that was the thing that blew me away instead of saying no, this is ours, it's proprietary, no one else can use it. They want everybody to use it, which makes it that much more useful. It's a powerful way for developers and teams to securely integrate controlled credential access, the kind you get from Bitward Warden into applications, automation, workflows and AI agents. It enables programmatic just in time access to vault stored credentials without exposing sensitive data, supporting their secure use within modern development environments. This release does not incorporate any AI functionality. I think they want to make this clear into the Bit Warden solution. Don't worry, they're not doing that. And maybe even as importantly, does not grant AI systems persistent or unrestricted access to vault data. That's why it's an SDK. The Agent Access SDK is a separate open source development toolkit designed to enforce secure human approved and scoped credential access for teams that leverage AI agents in their workflows. I immediately installed was exactly what I needed. It's available now in an early alpha phase for testing. The Agent Access SDK introduces a secure framework for how agents request, receive and use credentials, helping define a model for safe credential interaction in agent driven systems. Of course they've got the Bitwarden MCP as well, another way of keeping your credentials secure while making it easier to get your job done. Bit Warden now enables passkey logins everywhere. I love passkeys. You can do it now with Windows 11. Yes, securely unlocking devices at the OS level Now of course they had to do the work with Microsoft on this. They're working with Microsoft on native passkey Support in Windows 11 and this also extends SSO to automatically log users into more apps, which makes credential management across devices more seamless than ever and makes users extremely happy. Trust me, as a user I know that for people who are looking for a self hosted lightweight option, look for Bit Warden Lite. It offers a self hosted password manager designed for home labs, personal projects, just any kind of quick deployment, minimal overhead and total control. If you're a trust no one person, you're going to love bitwardenlight. You got to know that Bitwarden's open source code is regularly audited by third party experts. You can go visit it and look at it yourself. It's on GitHub, GPL licensed, it meets SoC2 type 2 GDPR, HIPAA CCPA standards, ISO 2700-12002. It's completely secure, it's implemented right and it's open. And that's so important get started today with Bitwarden's free trial of a teams or enterprise plan for your business or get started for free forever across all devices. As an individual@bitwarden.com TWIT that's bitwarden.com TWIT I know I loaded you up with a bunch of new features, but they're loading us up with a bunch of new features. They are really amazing. They are working hard and doing a great job. Bitwarden.com TWIT it's the only password manager I use and the one I recommend. Okay, Steve, on we go.

B (106:31)

Okay, so. Oh, I guess it was on April 1st, so because I. Because I'm starting this with also on April 1st Cloudflare announced so that must have been on April 1st that they, that they were talking about their 1.1.1.1 DNS. Also on April 1st, Cloudflare announced their M-E M D A S H For those who don't know, there are, there's the regular hyphen style dash then there are dashes that are the the width of an N and the width of an M. And so M dash is what they call this. I don't really know why, but it's kind of just a cool name. Anyway, it caught my eye and I'm sure it will. Actually many of our listeners sent the announcement to me, so I knew they were aware of it because its goal M Dash the M Dash project's goal is to replace WordPress with a far more secure successor. And you know the express the expression far more secure in the case of WordPress is not a high bar since you know every security now listener knows quite well what a complete security disaster WordPress has become. And it's not WordPress's fault. The problem is it's creaky old architecture which Cloudflare has just completely replaced. The source of WordPress's trouble has been that it promises to allow anyone to author and offer an insecure WordPress plugin and that its architecture doesn't allow security containment of those. Unfortunately, many people have taken them up on this and the result is a mess. So here's what we learned from Cloudflare. They wrote the cost of building software has AI. The cost of building software has drastically decreased. We recently rebuilt the most popular REACT framework next JS in one week using AI coding agents. But for the past two months, our agents have been working on an even more ambitious project, rebuilding the WordPress open source project. From the ground up. They wrote WordPress powers over 40% of the Internet. It is a massive success that has enabled anyone to be a publisher and created a global community of WordPress developers. But the WordPress open source project will be 24 years old this year. Hosting a website has changed dramatically during that time. When WordPress was born, AWS EC2 didn't exist. In the intervening years, that task has gone from rending virtual private servers to uploading a JavaScript bundle to a globally distributed network at virtually no cost. It's time to upgrade the most popular content management system, CMS on the Internet to take advantage of this change. Our name for this new CMS is M Dash. We think of it as the spiritual successor to WordPress. It's written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate via dynamic workers solving the fundamental security problem with the WordPress plugin architecture under the hood. MDash is powered by astronauts, the fastest web framework for content driven websites. M Dash is fully open source MIT licensed and available on GitHub. While em Dash aims to be compatible with WordPress functionality, no WordPress code was used to create mdash. That allows us to license the open source project under the more permissive MIT license. We hope that as opposed to gpl, we hope that allows more developers to adapt, extend and participate in EM Dash's development. You can deploy the EM Dash version 0.1.0 preview to your own Cloudflare account or to any Node JS server today as part of our early development beta. Okay, so all of that is super interesting, but what about WordPress's security? Right, before we get to that, Cloudflare felt the need to congratulate WordPress and kind of apologize, I think a little bit for replacing it. So they wrote. The story of WordPress is a triumph of open source that enabled publishing at a scale never before seen. Few projects have had the same recognizable impact on the generation raised or on the Internet. The contributors to WordPress's core and its many thousands of plugin and theme developers have built a platform that democratized publishing for millions. Many lives and livelihoods being transformed by this ubiquitous software. There will always be a place for WordPress, but there's also a lot more space for the world of content publishing to grow. A decade ago, people picking up a keyboard universally learned from to publish their blogs with WordPress. Today it's just as likely that person picks up astro or another TypeScript framework to learn and build with. The ecosystem needs an option that empowers a wide audience in the same way it needed WordPress 23 years ago. EM Dash is committed to building upon what WordPress created an open source publishing stack that anyone can install and use at little cost, while fixing the core problems that WordPress cannot solve. And here it comes. WordPress's plugin architecture, they wrote, is fundamentally insecure. 96% of security issues for WordPress sites originate in plugins. In 2025, more high severity vulnerabilities were found in the WordPress ecosystem than in the previous two years combined. Okay, in other words, things with WordPress are getting worse, not better, they wrote. Why, after over two decades, is WordPress plugin security so problematic? A WordPress plugin is a PHP script that hooks directly into WordPress to add or modify functionality. There is no isolation. A WordPress plugin has direct access to the WordPress site's database and file system. When you install a WordPress plugin, you are trusting it with access to nearly everything, and trusting it to handle every malicious input or edge case perfectly. EM Dash solves this. In EM Dash, each plugin runs in its own isolated sandbox, a dynamic worker. Rather than giving direct access to underlying data, Emanation, provides the plugin with capabilities via bindings based on what the plugin explicitly declares it needs in its manifest. This security model has a strict guarantee an Em Dash plugin can only perform the actions explicitly declared in its manifest. You can know and trust up front before installing a plugin exactly what you are granting it permission to do, similar to going through an oauth flow and granting a third party app a specific set of scoped permissions. WordPress plugin security is such a real risk that WordPress.org manually reviews and approves each plugin in its marketplace. At the time of writing, that review Queue is over 800 plugins long and takes at least two weeks to traverse. The vulnerability surface area of WordPress plugins is so large that in practice, all parties rely on marketplace reputation ratings and reviews. And because WordPress plugins run in the same execution context as WordPress itself and are so deeply intertwined with WordPress code, some argue they must carry forward WordPress's GPL license. These realities combine to create a chilling effect on developers building plugins and on platforms hosting WordPress sites. Plugin security is the root of this problem. Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress Marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace, your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. In other words, you are locked in. So that's the gist of it. They, their posting continues at much greater length, but everyone gets the idea, right? Cloudflare has leveraged AI agency to take the conceptual promise that WordPress met and to dramatically overhaul its architecture for licensing freedom and security. Essentially it is a plugin architecture where these dynamic workers are running as their own execution spaces. They communicate to this new M Dash core via an API. And the API calls that they are allowed to execute are strictly controlled by the manifest which they explicitly define and export right up front. So it is a, it is the architecture you would design today if you wanted to do what WordPress has been doing. But to do it in a secure Fashion and on GitHub all open, all open source MIT license means you can do much more with it if you wish. So another big home run I think, for, for cloudflare.

A (118:08)

Yeah, it's very interesting. I hope they support it and I mean clearly they want to take over the 40% of the Internet that's run by WordPress and they probably have pretty credible reason to chase.

B (118:23)

I think if we see a core of add ons emerge which solve the problems that people have and you look at the, at the security model that it offers, you know, why, if you were starting from scratch, would you use a WordPress CMS as opposed to an M dash CMS?

A (118:45)

There's another reason for them doing this. They want to make something that is easily manipulated by AI, that an AI could build a website, easily build a website on. And while AI can certainly do that with WordPress, I think this is designed specifically with that.

B (119:01)

I bet you are exactly right.

A (119:02)

Yeah.

B (119:03)

Okay, we're going to talk about the FCC ban on consumer routers. Let's take our final break and then we are gonna, I'm gonna take our, our listeners through what happened, what happened so that it's. Well, everybody, as I said at the top of the show, by the time we're done here, everyone will have a very clear sense and understanding for what it means and how it may change. We'll see. Yeah, we shall see why it makes no sense. Yeah, I mean, it really, really, really doesn't.

A (119:45)

Good. Well, I'm really, really interested in your take. But that's coming up after this word from our sponsor, Hawks Hunt. And you're going to want to know about this one. We just actually set it up for ourselves. Because what is my greatest fear at this point? That an employee is going to fall for one of the dozens of very well done phishing emails we get every single day, all the time. As a security leader, you've been there. You have a team that you know needs to learn how not to click on those links, how not to respond to those phishing attempts. But you try to train them and then what do you get? You get the eye rolls right during the training and you can't really blame them. The one size fits all, you know, phishing simulations. Your employees spot them from a mile away. The report button that gets ignored. More often than not. Your programs are running, but it's not changing employee behavior. Meanwhile, AI is making real attacks more convincing by the day, and leadership is starting to ask the question you don't have a clear answer to. Is this actually working? Well, hoxhunt was built to answer that question. Hox Hunt was built to work. Hox Hunt empowers your employees to spot and stop advanced phishing attacks. It drives measurable behavior change and it does it in just like social media does it through personalized gamified micro training powered by AI and behavioral science training. Your employees will enjoy, will love. And when people like what they're learning as opposed to fighting it, they learn. And you'll love it as an admin because Hoxhunt does all the heavy lifting. In fact, I was just talking to her. Russell has been setting this up for us. Simulations run automatically across email, but not just email slack teams because you know, bad guys get in any way they can. The emails are personalized to each employee based on role, location and behavior. Just like the phishing, every simulation uses AI to mirror real world attacks, meaning employees are being tested on what's actually getting through, not some outdated template. They go, please give me a break. They recognize it immediately. And because it's gamified, it keeps engagement high without feeling punitive. And because every interaction generates a coaching moment, you're not just tracking completion. You're actively building behavioral indicators that tell a real story. Reporting rates, repeat clicker reduction, and time to report. The kind of metrics that hold up when leadership asks those hard questions. But you don't have to take our word for it. With over 3,500 verified reviews on G2, Hoxhunt is the top rated security training platform, recognized for best results and easiest to use. Is also recognized as customers choice by Gartner and used by thousands of companies. Qualcomm, DocuSign, Nokia, they all trust it. To train millions of employees worldwide, visit hoxhunt.com securitynow today to learn why modern secure companies are making the switch to Hoxhunt. That's Hoxhunt.com SecurityNow H-O-X H-U-N-T.com SecurityNow I can't wait. I know. We're going to get some of these simulations soon. I don't want to be the one guy who falls for him. I really don't. But you know what? That's nice. One of the nice things is they give you gold stars. They don't punish you. They don't make you look dumb. They reward you for the right behavior. And that's the way to do it. All right? Speaking of behavior, this isn't exactly the right behavior. The FCC has banned all routers made outside the us, which is to say, all routers.

B (123:51)

So yes, anyone encountering the News which landed two weeks ago on March 23 would be correct in thinking that someone must have made a mistake somewhere. First of all, the reality of today's global electronics manufacturing sector is that U.S. domestically manufactured consumer grade routers do not exist. All routers purchased by and available to US consumers are manufactured elsewhere, typically in China, Taiwan or Vietnam. So the FCC's surprise edition of every consumer router to the so called covered list means that the likes of Asus, Linksys, Netgear, eero, TP Link, D Link and Nest have all suddenly joined the likes of previously banned non consumer devices made by Huawei, zte, Highra and Hickvision. The headline that appeared in the afternoon 15 days ago read FCC Updates Covered List to Inc. This is the FCC's own press release. They they so they. Their headline is FCC Updates Covered List to Include Foreign Made Consumer Routers. The press release explained that the full title was FCC Updates Covered List to Include Foreign Made Consumer Routers prohibiting approval of new models. So all of the existing apparently attack prone and buggy routers can still be sold, but anything that's new and hopefully improved is banned. Yay for the US's national security. The official fact sheet that accompanied the press release included the helpful subhead Update follow up. You know, this update follows determination by executive branch agencies that consumer grade routers produced in foreign countries threaten national security. Okay, so I need, I need to share some more of what the FCC wrote because it's not even internally consistent. The press releases fact sheet says Washington, March 23, 2026. Today the federal Communications Commission updated Its covered list to include all consumer grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones and smart devices to the Internet. This followed a determination by a White House convened executive branch interagency body with appropriate national security expertise that such routers pose unacceptable risks to the national security of the United States or the safety and security of United States persons. Unquote. It continues, the Executive branch determination noted that foreign produced routers 1 introduce a supply chain vulnerability that could disrupt the US economy, critical infrastructure and national defense and 2 pose a severe cybersecurity risk that could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons. Unquote. President Trump's 2025 National Security Strategy stated, quote, the United States must never be dependent on any outside power for core components from raw materials to parts to finished products necessary to the nation's defense or economy. We must re secure our own independent and reliable access to the goods we need to defend ourselves and preserve our way of life. Unquote. Malicious actors, they wrote, have exploited security gaps in foreign made routers which again routers to attack American households, disrupt networks, enable espionage and facilitate intellectual property theft. Foreign made routers, again, all routers were also involved in the Volt, Flax and Salt Typhoon cyber attacks targeting vital U.S. infrastructure.

A (128:49)

Well, it wasn't my linksys. Okay, sorry.

B (128:54)

As outlined below, today's action does not impact a consumer's. Guys, here it is a consumer's continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell import or market router models approved previously through the FCC's equipment authorization process. By operation of the FCC's covered list rules, the restrictions imposed today apply to new device models. Okay, wait. It just said today's action does not impact a consumer's continued use of routers they previously acquired, nor does it prevent retailers from continuing to sell import or market router models approved previously through the FCC's equipment authorization process. So in other words, every single one of the existing apparently suddenly untrustworthy routers that everyone in the world already has are going to be left alone where they are. After all, what else can be done? Consumers already own those. This means that foreign manufacturers, which again is to say all router manufacturers because they're all foreign, are prevented from introducing any new router models into the U.S. they're free to keep making the existing routers and they're also presumably free to keep updating those routers firmware which might be used to add new features or eliminate bugs, we would hope, but that would mean that as WI FI technologies continue advancing and requiring support from new chipsets and new radio hardware, newer routers cannot be obtained from traditional foreign suppliers. Okay, that happened Monday afternoon. Fifteen days ago. By the end of that week, the Technology Policy Institute, a Washington based non profit think tank, published an analysis of this action which I think is extremely useful and worth understanding because it compares what just happened to the previously enacted and outwardly similar ban on Huawei and ZTE equipment. For the policy that for the Technology Policy Institute, Scott Walston titled his piece the FCC Got the Router Ban Wrong. It Knew Better. Here's what he explained and reminds us he wrote on March 23, the FCC effectively banned all new foreign made routers from the US Commercial market by adding them to its so called covered list. The action followed a White House convened interagency national Security Determination issued just three days earlier. The Commission took this action with no notice and comment proceeding, no published cost benefit analysis, and without providing a broad transition process for the affected industry. The only path forward for manufacturers is to apply for conditional approval from the Department of Defense or the Department of Homeland Security. I'll note that the the actual documentation about this which I read which requires this con this conditional approval to be obtained is from the US Department of War or the dhs. Scott appears to be choosing to use the Department's earlier name, so he continues. The security concerns, he writes, are real. Chinese state sponsored hacking groups including Volt Typhoon, Salt Typhoon and Flax Typhoon have exploited vulnerabilities in consumer routers to penetrate American networks, conduct surveillance and build botnets for attacks on critical infrastructure. Okay, now I'm I'm not taking issue with what Scott wrote here, but I do want to take the time to note that to the best of my knowledge, none of our current consumer grade routers ship in an inherently vulnerable state. It's true that in years past, meaning more than a decade ago, more than 10 years ago, we were encountering instances and we discussed them on the podcast where, for example, Intel's demonstration only source code for their UPNP implementation was unfortunately dropped directly into routers. This resulted in UPNP being bound to consumer routers wan facing network interfaces essentially by mistake. After delivering a podcast about that the next week, I announced that I had enhanced Shields UPS services to explicitly allow visitors to check for public UPNP exposure. But all of that was fixed back in 2013 and 2014. 12 years ago. the time, many people were exposed that we fixed that we as an industry fixed it Also, back then, as in more than 10 years ago, we encountered instances where ISP provided routers had open ISP admin ports. They were either using weak authentication credentials or known authentication credentials or contained remotely exploitable weaknesses. But for quite some time now, it has only been when a router's user deliberately configures their router to allow external connections and thus to implicitly solicit external attacks, that any of the various Chinese typhoons, Volt, Salt or Flax might have been able to get into users networks through those routers. My point is, for quite some time now, like for the past 10 years, it's been users who have been unwittingly causing these external open port exposure problems. And none of what, none of that, none of those problems would be lessened by routers having domestic points of origin. Thus, nothing the FCC is attempting to do will fix anything that is now broken. Scott continues writing Router security deserves serious attention, but in the past the FCC addressed threats like these in a way that was more targeted, more precisely designed, and better built to survive a legal challenge comparing the FCC's handling of the Huawei and ZTE threat in the 2019 through 2022 to the new router ban reveals what happens when an agency abandons the deliberative process that makes its expertise useful to respond to the national security risks posed by Huawei and zte. The FCC followed a deliberative process and produced a carefully constructed regulatory framework. Congress identified the specific companies as threats in section 889 of the Fiscal Year 2019 National Defense Authorization Act. The FCC designated Huawei and ZTE as national security threats in June of 2020, published its initial covered list in March of 2021, and adopted a Notice of Proposed Rulemaking and Notice of inquiry on June 17, 2021, initiating two separate dockets and inviting public comment. The Commission then adopted a Report and order in November of 2022 with a unanimous 40 vote, and simultaneously issued a further notice of proposed rulemaking, seeking additional comment on issues it hadn't yet resolved. That process took time, but it also produced outcomes that it could never have achieved in a weekend. Now, we could argue that's bureaucracy, and bureaucracy has overhead and it takes time, but what it does is it tends to keep it from making mistakes. And as he said, just deciding to do it over the weekend and then doing it well, you get the kind of things that we've been seeing from this administration for the last, what, year and three months. The comment process, he writes, produced differentiated treatment based on actual risk The FCC did not treat all five Chinese companies identically. It fully banned new Huawei and ZTE equipment, but took a more nuanced approach with Hick Vision, Dawa and Haitara. The FCC agreed with commenters who argued that these companies pose different levels and kinds of risks. The FCC required those three companies to document the safeguards they would put in place and froze their applications pending that review. The router band, by contrast, that is, this one treats a Netgear router assembled in Vietnam identically to a TP link router designed in China. The comment process identified a clear scope. The FCC had to define what counted as covered equipment. For example, it established that handset equipment designed for broadband operation with connection speeds of at least 200kbps fell within the scope of telecommunications equipment, while equipment below that threshold did not. That line was not in the original proposal. It emerged from the comment process as affected companies argued that basic radio equipment should not be treated the same as broadband capable devices. The FCC drew a principled boundary. The router band that we have now draws no such lines. Its definition of produced in a foreign country encompasses any major stage in the process through which the device is made, including manufacturing, assembly, design and development, potentially sweeping in routers designed by American companies and assembled overseas as they all are. The Huawei ZTE response included transition assistance. The FCC's decision imposed real costs on carriers. Rural carriers told the FCC they couldn't afford to remove Huawei and ZTE equipment without financial help. Congress responded by creating the Secure and Trusted Communications Networks reimbursement program, initially funded at a 1.9 billion dollar level, which removed which funded the removal and replacement of insecure equipment from carrier networks. The program has problems such as a lack of evaluation and careful tracking of funds. Okay, maybe some waste, fraud and abuse. But if the cost imposed on a company is due to a government mandate, the government should at least consider how to pay for it. Fortunately, that doesn't apply here. Nothing really changes for consumers, he wrote. The comment process produced legal durability. During the rulemaking, commenters raised constitutional challenges, including arguments that the rules were an unconstitutional bill of attainder, violated the Equal Protection Clause, and amounted to an unconstitutional taking of property. The FCC addressed each of these arguments in its order. Building a Legal Record. When Huawei challenged the related NDAA restrictions in court, a federal district court found the restrictions lawful because the government had demonstrated they reasonably furthered non punitive national security goals. The router ban, meaning what's happened now has no comparable record and former FCC officials have already predicted it will face legal challenge. Also, he writes, the process was iterative. The FCC recognized that its initial rules were a first step and continued refining them. A second report and order clarified that covered equipment includes modular transmitters, proposed a definition of critical infrastructure, and sought further comment on the scope of marketing prohibitions. The agency learned from industry input how supply chains actually work, and adjusted its rules accordingly. None of this happened with the router ban. The White House convened a panel. The panel issued a determination routers bad. Three days later, the FCC implemented it. Although the Secure Networks act leaves the FCC little discretion over whether to add items to the covered list once the White House makes a qualifying determination, the FCC still retains substantial leeway over how to implement the resulting equipment authorization restrictions, including its scope, transition periods, and what guidance it issues for affected parties, meaning it still could have done more, he writes in the Huawei ZTE proceeding. The covered list edition itself was relatively quick, but the FCC spent more than a year designing the designing the implementing rules through a public process. Nothing in the Secure Networks act prevented the FCC from doing the same here. It chose not to. The router ban bears all the hallmarks of a policy that never faced serious analytical scrutiny. And to those who've been watching Washington recently, what a shock. The stated the stated jurisdiction is cybersecurity risk from foreign manufacturing. But the evidence the FCC itself cited undercuts the case for a foreign country of manufacturer approach. According to the Department of Justice, Volt Typhoon primarily targeted Cisco and Netgear routers devices designed by American companies. The routers were vulnerable not because of where they were manufactured, but because those companies had stopped providing security updates for the discontinued models. And I'll just note that's true in the case of Netgear. Volt Typhoon leveraged routers whose firmware had never been updated and was thus very old and also exposed management interfaces which with weak credentials. So again, it's nothing about country of origin, Scott continues. The FBI's own guidance urged router owners to replace end of Life devices, and CISA's mitigation advice to manufacturers focused on secure design and automated updates, not supply chain origin. Salt Typhoon compromised major US Telecommunications carriers through network equipment made by Cisco, though Cisco's own security researchers reported that most intrusions it reviewed involved stolen credentials rather than software vulnerabilities. The National Security Determination includes supporting evidence from nist, CISA and and the FBI and other agencies on router vulnerabilities generally, but none of it perv persuasively establishes that country of Production standing alone is a useful proxy for cyber security risk and agents. Basically the White House just, you know, waved the wand, you know, waved a hand and said, let's outlaw foreign made routers, period. All those bad consumer routers were, you know, we're outlawing them. An agency, he writes, exercising careful judgment, would have noticed this disconnect. If the problem is that manufacturers abandon security updates for older devices, the solution might be to mandate some kind of software maintenance or to require vulnerability disclosures, not a blanket import ban. Organized around the country of manufacture, the FCC has an interdisciplinary expert staff who could have evaluated whether country of origin is actually a useful proxy for cybersecurity risk. Given the speedy timeline, it seems unlikely that meaning three days, it seems unlikely that that they were consulted in any meaningful way. In principle, country of manufacturer could matter in hardware supply chains if a state actor could theoretically compromise hardware during production. This concern is real and deserves a serious policy response. But a blanket ban covering routers from every country on earth is not that response. And a targeted action against manufacturers with documented ties to adversarial intelligence services, combined with supply chain integrity requirements for all manufacturers seeking FCC authorization would address the hardware concern far more precisely. That's roughly what the FCC did with Huawei and zte. But the current ban treats a router from Finland the same as one from China. Making the matter worse is that virtually no consumer grade routers are manufactured in the United States. That only widely cited. The only widely cited exception is some Starlink WI fi routers that SpaceX says are made in Texas. Even major American brands including Netgear, Eero and Google, manufacture their products overseas. The conditional approval process, which is the supposed escape valve, requires companies to disclose their management structure, detail their supply chain and present a plan for onshoring manufacturing to the United States.

A (149:40)

That's what this really is. This is about manufacture, not security, right?

B (149:45)

What a shock.

A (149:46)

Yes.

B (149:47)

And he writes, that is not a security audit. It is industrial policy.

A (149:54)

Yes.

B (149:55)

Masquerading as a national security framework. No comment period. Helped shape it. And while there are extensive submission requirements to, there appears to be no public review timeline or clear decision standard. Meanwhile, the ban creates the very vulnerability it claims to address. Firmware and software updates for existing covered devices are permitted through at least March of 27, thanks to a blanket waiver from the FCC's Office of Engineering and Technology. But that waiver expires. A router that cannot receive security updates becomes exactly the kind of unpatched vulnerable device that Volt Typhoon and Salt Typhoon exploited. Some may argue that the post salt typhoon threat environment necessitates faster action than the multi year Huawei process allowed. But if that is true, it becomes hard to justify an action that does nothing about the millions of foreign made routers already deployed in American homes and businesses, which are the actual devices that Volt Typhoon and Salt Typhoon exploited. If the threat were urgent enough to justify bypassing all deliberation, one would expect the FCC to be making I'm sorry to be taking emergency action on the installed base. It is not. The ban addresses only future models making this a forward looking regulatory action for which a deliberative process was both feasible and appropriate. A serious response would combine targeted restrictions on specific manufacturers with supply chain integrity and software maintenance requirements for all manufacturers seeking FCC authorization. The FCC has the expertise to design such a framework and it did exactly that with Huawei and zte. In December testimony before the Senate Commerce Committee Chairman Carr, FCC Chairman Carr told lawmakers that the FCC quote, is not an independent agency, formally speaking, unquote. The router ban is a case study in what happens when that posture translates into skipping the processes that make regulation work. The comparison between the Huawei ZTE process and the router ban is not just a story of about two different policy decisions. It is a controlled experiment in what deliberative process is worth Same agency, same statutory framework, same category of threat. But the 2019 through 2022 process in which the FCC used its full deliberative toolkit, produced targeted bans, differentiated treatment based on risk, precise scoping informed by industry expertise, billions in transition funding and a legal record durable enough to survive court challenge. The 2026 process in which the Commission used none of those tools, produced a blanket ban on an entire product category without differentiation. No scoping analysis, no transition assistance, and a legal record so thin that that former FCC's officials are already predicting litigation. The Secure Networks act is the mechanism that enables this arrangement. Under the statute, the FCC says it cannot update the covered list on its own, but rather must implement determinations made by national security agencies when those determinations were narrow and entity specific. This was a manageable arrangement and the FCC still exercised its own judgment in designing the implementation rules. Now that the determinations have expanded to cover entire product categories and the FCC has chosen not to exercise its implementation authority, the agency is implementing sweeping trade and technology policy without the deliberation such decisions require. The same rapid implementation pattern produced the December 2025 ban on foreign made drones, which is already being challenged in court. In that case, Section 1709 of the Fiscal Year 2025 National Defense Authorization act gave national security agencies one year to complete an evidence based review of DJI drones with an automatic covered list addition. As a fallback, instead of a targeted review of dji, the Executive Branch again issued a broad national security determination covering all foreign made drones, which the FCC implemented immediately. DJI has since sued to challenge the action and he finishes Process is not bureaucratic waste of time. It is the mechanism through which an agency's expertise improves the quality of its decisions. The FCC demonstrated this in 2022 when it banned Huawei and ZTE equipment through a deliberative process that produced a more targeted, more durable and more precisely designed result. Whatever the reasons, the Commission did not follow the same approach here, meaning the fcc the outcome speaks for itself. Congress should pay attention. The Secure Networks act created a mechanism that when combined with sweeping executive branch determinations and an FCC or willing to implement them without deliberation, allows the President to ban entire categories of consumer technology without notice, without comment, without cost benefit analysis, and without any of the procedural safeguards that normally govern consequential regulatory action. If Congress intended the covered list to be used this way, it should say so. If it didn't, it should act before the next product category lands on the list. Okay, so where does this leave us? This apparently arbitrary and short sighted ban will do exactly nothing to actually improve the security of any existing routers whose current models may continue to be sold. Since new routers cannot be sold, one effect may be to freeze current model numbers where they are. Unfortunately, major generational router improvements have multi year design, development and manufacturing pipelines. This means that all of the router manufacturers will currently have their future planned models in the process of becoming ready for market next year later this year. Next year. Except that now that market has just been killed for them. That suggests that Scott is probably correct about future lawsuits. Under the terms of this ban, even domestic manufacturers incur incorporated in the United States whose equipment is made offshore. Which is to say all routers will need to appeal to the conditional approval process, which as Scott noted, requires companies to disclose their management structure, detail their supply chain and present a plan for onshoring manufacturing to the United States. What a mess. With any luck, saner heads will prevail or competent management of the FCC will will be installed. It doesn't appear that we currently have that. I'll finish off today's look at actual consumer consumer security with a little fan, a little sanity check. Reminder. Nearly everyone now has IoT network technology running inside their network. Security perimeter that's establishing that establishes and maintains through their NAT router persistent connections. And many if not most of these phone home and maintain persistent connections are to servers located outside the US As I've been noting for many years now, these devices which we blithely invite into our homes to set up their own shops could do far more damage to, you know, actual damage to consumer security than any routers designed within the last decade. We have invited them inside our network. They can see our network's management interface at, at 192168 0.1 or dot 1.1 or wherever it is and no one's monitoring them. For all we know they are busy right now trying to brute force that management interface. But you know, don't tell anyone in Washington or they might become the FCC's next misguided target. Wow.

A (160:11)

It's just, I mean it's so frustrating.

B (160:13)

I wanted to share this because it, it, it really puts in context how arbitrary this was. How it doesn't achieve anything. Whereas the, the previous ban on Huawei and ZTE actually did. It identified a problem, substantiated the problem and surgically excised what needed to be removed and then helped to pay for the removal and replacement of this Chinese gear that with good reason we decided we could not trust having inside the US infrastructure any longer. Instead this just says we're banning any new foreign made routers. Crazy. I mean it's absolutely does nothing.

A (161:01)

Yeah.

B (161:02)

And, and one hopes that it is so errant that it'll somehow get fixed. It's just hard to, it's hard to believe it will continue.

A (161:14)

Meanwhile, I don't know what we're going to do. I guess built, you know, you, you got instructions, don't you on your website to build like a pfsense router, right?

B (161:26)

Yes, it is just not a problem any longer to get a little, a little fanless PC and use actually OpenSense Opn Sense is now the one, is now the one to switch to pfsense is, you know OpenSense grew out of it and is I think probably the better choice.

A (161:48)

And you put it on. What is that little box that you put it on? I can't remember the name of that.

B (161:54)

It's, it's. A cute little thing.

A (162:01)

Yeah, it's a cute little thing. Somebody in the chat room will. Yeah, because I know they, yeah, there

B (162:06)

is a little, it's called the SG 1100 although it has nothing to do with Steve Gibson but.

A (162:12)

Well, that's it, that's all you need is the SG 1100. And you run Open Sense, I'm sure you can run up. It's from netgate.

B (162:18)

Yes, netgate.

A (162:19)

Netgate.

B (162:19)

Right.

A (162:20)

Yeah, yeah.

B (162:21)

And that's a cute little guy.

A (162:23)

Now they say PF Sense, but I, I suppose you.

B (162:26)

Yes. And they are, they, they, they are still on with PF Sense and there's nothing wrong with PF Sense, but if I were the other. There's another little platform. I bought one on Amazon. It's the one I'm using over in my, at my place with Lori. It's got four network interfaces. I can't, I can't remember the name of it now, but I, oh, oh, and on it, I'm also using pfsense just because I know pfsense. Right. But if somebody were just starting out start with. And, and, and this little guy is. Now this is not a radio router. There is no antenna there. So, so you need, you need to solve the, the radio connection problem separately. But.

A (163:06)

Right.

B (163:07)

It is a, it. You know, PF Sense is a very powerful little routing software.

A (163:11)

Oh yeah. It has all the security features you could want. Really.

B (163:16)

So you know, we're up to Wi Fi 7 now. I don't. And so what this is saying is we cannot ever get a Wi Fi 8 router because that would require a next.

A (163:28)

Unless Elon decides to make it.

B (163:31)

Yeah.

A (163:32)

Jeez.

B (163:33)

I, I, I, you know, it's just nuts.

A (163:43)

40% of all the routers in the United States are made by TP Link, a Chinese company. That's the one they were going to ban initially. Then they thought I said, well, what, you know, if we're going to ban them, let's just ban them all. Even if they're made in Sweden, it doesn't matter. I was at RSAC and I went over to the Ubiquity because I use ubiquity gear. I went over the Ubiquity booth, I said, hey, I'd just like you to comment on this FCC decision. It happened that morning and they would, they did not want to talk about it. There's no, it was a. And I understand why it's no win. What are they going to say? We don't like the idea? No, we like the idea. No, no comment, no comments. The only thing you can say. Say the only safe thing to say. Unless they had plans to build a factory in Piscataway, I don't know what else they're going to do. I think that's the plan. Right. Well, everybody just has to build a factory in the US And God knows there are lots of people out there who just dying to build routers in a router factory. They are just lining up and all

B (164:47)

the consumers will be happy to pay an extra hundred bucks for.

A (164:51)

Yeah. Oh that too.

B (164:52)

Domestic manufacturing.

A (164:53)

Yeah.

B (164:55)

To get nothing in return. I mean it's like.

A (164:57)

Well, the statistical routers are no more secure. Just because they're made in the US doesn't mean anything. In fact they're less frankly. Yeah. And I'm sure this Netgate is not made in the U.S. no, nothing is

B (165:14)

made in the U.S. nothing. Nothing. We don't make things here.

A (165:18)

Oh well, that's the mistake. I mean admittedly it probably should.

B (165:22)

Well the, the mistake is being, is like rattling sabers between us and China. We ought to recognize that it is a good relationship, it's mutually beneficial and, and we ought to just have a detente here and say, look, you know, you want us to buy your stuff, we want you to make the stuff that, that, that we're going to buy.

A (165:42)

So come on, let's wrap this up because in about half an hour we're about to bomb Iran into the stone age.

B (165:49)

So I got pushed back by two weeks. Oh, what a shock. I know.

A (165:54)

A taco.

B (165:55)

That's right. We got it. We got a two week.

A (165:57)

What a shocker.

B (165:59)

That happened during the podcast during one of. I, I got a little notification.

A (166:04)

Stunning, stunning development. Who would have thought? Okay, well I'm actually, I'm relieved to be honest as I'm sure 90 million Iranians are as well dodged that bullet or cruise missile as the case may be. Well, thank you sir. You are a gentleman and a scholar and I appreciate everything you do. Mr. Steve Gibson. You'll find him@grc.com that is the place to go to get of course the things he makes for a living which include spinrite, the world's best mass storage maintenance, recovery and performance enhancing utility. Current version 6.1. Awesome, awesome tool. Everybody who has mass storage needs it. Let's just say that Also the DNS benchmark Pro which just came out, that's available at the same place 999 save a penny 999. Although there are no pennies anymore either. So they've gone the way of the American of the foreign made router. What else? While you're there you might want to check out. You can send Steve email if you want, but you got to get your email address whitelisted because he doesn't want spam by going to grc.comemail and when you give him your email, you'll notice there's two boxes below it that you can check. They're unchecked by default, but you can say, hey, I would like to get your weekly mailing of the show notes for this show. Or hey, I would like to know when you've got a new product. You might get something in the next hundred years, you might not. It's not exactly an active mailing list, but it is, it is a mailing list and you can get on it grc.com email there's lots of other great stuff. It's well worth browsing around a great site. Meanwhile, we have of course copies of the show at our website, Twit TV SN. There's a YouTube channel you can go to with all the shows video of them. Great way to share a clip. And of course you can subscribe in your favorite podcast client and get it automatically the minute we're done fixing it up. If you want it faster than that, you can watch live. We do the show every Tuesday right after Mac break weekly. That would be 1:30 Pacific, 4:30 Eastern, 20:30 UTC. We stream it live on YouTube, Twitch, X.com, facebook, LinkedIn and Kik. Also club members get access to it behind the velvet rope. If it as it were in the club Twit Discord. So you know, sign up for the club. That's a great way to get ad free versions of the show. Special access our AI user group. It's coming up this Friday. Micah's Crafting Corner. Lots of special programming and you support this very important show and all the other ones? We do. So if you're not a member. Twit TV Club Twit. Steve, thank you so much. Great to see you. We'll see you again next week.

B (169:06)

Yes, sir. For the. But will that be the 14th? We'll be back.

A (169:10)

Taco Tuesday. Thank you, Steve. Take care.

B (169:14)

Bye.

A (169:16)

Hi, I'm Leo laporte, host of this Week in Tech and many other shows on the Twit podcast network. Can you believe it? 2026 is around the corner. So this, my friends, is the best time to grow your brand. With Twit. Nobody understands the tech audience better than we do. We love our audience and we know how to effectively message to them. We develop genuine, genuine relationships with brands, creating authentic promotions that resonate with our highly engaged community of tech enthusiasts. You know, over 90% of Twitch audience is involved in their company's tech and IT decision making. Can you believe that? 90%, 88% have actually made a purchase Based on a Twit post read ad no one comes close. We're the best at this. As one Twit fan said, I've bought from Twitt TV sponsors because I trust Leo and his team's knowledge of the latest in tech. If Twitch supports it, I know I can trust it. You cannot buy trust like that. Well, actually you can. You can buy an ad on Twitter. All our ads are unique. They're read live by our expert host, Micah Sargent me. We simulcast all during the shows on our social platforms so everybody can be watching live. You know one of our customers, Harun Meir, the founder of ThinksCanary, he's been with us since 2016. Since 2016, he said we expected Twit to work well for us because we were longtime listeners who over the years bought many of the products and services we learned about on various Twitch shows. And we were not disappointed. The combination of the very personal ad reads and the careful selection of of products that Twit largely believes in gives the ads an authentic trusted voice that works really well for our products. 10 out of 10 will use again. Thank you Harun. We love you. And it's been nine years. That's kind of. That's the proof, right? Partnerships with Twit offer valuable benefits including over delivery of impressions. You get presents on show, episode pages. So there's a link right there that our audience can click on. We're in the RSS feed descriptions a link there too. And social media promotion. Our full service team will craft compelling creative to elevate your brand and support you throughout your entire campaign. I work on the copy myself to make it authentic, to make it real. If you want to reach a passionate tech audience through a network that consistently over delivers, Please contact us us directly. PartnerWIT TV that's the email address. PartnerWIT TV let's talk about how we can help grow your brand. Or just go to Twit TV advertise for more information. I look forward to working with you. Thanks for listening. Security Now.