Security Now 1001 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
 

0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. He says there's not a lot of news, so we're going to do a lot of questions from the audience, feedback and so forth, and then Steve will explain in his understanding of what is going on with AI, the search for artificial general intelligence, and how close we're coming. I think you're going to like this episode. Security Now is next Podcasts you love.

0:00:30 - Steve Gibson
From people you trust.

0:00:32 - Leo Laporte
This is Twit. This is Security Now with Steve Gibson, episode 1001. Recorded Tuesday, november 19th 2024. Artificial General Intelligence it's time for Security Now, the show where we cover your security, privacy, safety, how computers work. What's so intelligent about artificial intelligence? All that jazz with the most intelligent guy I know, this cat right here, mr Steve Gibson.

0:01:06 - Steve Gibson
I am not that Leo. You are not that. No, I'm a what do we call it? A domain expert. I have some expertise in a couple places.

0:01:16 - Leo Laporte
When it comes to Sudoku, you're just like the rest of us.

0:01:19 - Steve Gibson
And when it comes to artificial intelligence, I'm claiming no expertise. I want to talk about, as I said last week, artificial general intelligence, agi, because everyone's throwing the term around. We're hearing people talking about it. Infamous and famous. Uh, ceo of open ai. He claimed oh yeah, we'll have that next week, next year, any day. He said 2025, yeah, and it's like what?

but he's kind of a salesman oh well, yeah, so maybe this was just a nice little stock price boosting ploy, um, but I wanted to take some time. I found a couple interesting articles with a lot of other people in the industry interviewed and some academics interviewed and I thought you know. So today is like no one's going to find out some great revelation about AGI, because I don't have it. But you know, it's clearly a thing and I just thought we should kind of put a marker down and say, okay, here's where it is.

0:02:36 - Leo Laporte
You've done it before. You did it with blockchain. It's very frequent that you're able to, because that's how you work digest all this stuff. You're kind of our retrieval augmented generation. You digest all this stuff and give it back to us so we can understand it. So I'm very much looking forward to this episode.

0:02:55 - Steve Gibson
Well and in the fullness of time. If I spend some time digging in, then that would be interesting, but we got a bunch of stuff to talk about. We're going to look at oh, this is a great story how Microsoft lured the US government into a far deeper and expensive dependency upon its own proprietary cybersecurity solutions than the Biden administration expected the Biden administration expected. Also, gmail will be offering native throwaway email aliases, much like Apple and Mozilla. We'll touch on that, oh my God. And Russia? Well, they're banning additional hosting companies. They're going to give their big internet cutoff switch another trial next month and some other things that'll talk about.

They, oh, and they used a diabolical windows flaw to attack ukrainians. It was found by a, by a security group, and, boy, when our old timers find out what that something we assumed was safe might not be safe to do, that's going to raise some hair. Also, we're going to look at oh, I have a note from our listener about the value of old Security Now episodes. We're going to touch on TrueCrypt's successor, also using CloudFlare's tunnel service for remote network access. Another of our listeners said hey, this is what I'm doing, so we're going to share that. Also, answer the question about how to make a local server appear to be on a remote public IP, which in this case is coming in handy for pretending to be a remote command and control server when testing malware. Also, how to share an impossible-to-type password with someone else. Oh, and another listener asked and I answered and then he confirmed, about finding obscure previous references in the Security Now podcast. So that, and then we're going to dig into this whole question of what is artificial general intelligence and how is what we have today failing that, what are the recognized and widely agreed upon characteristics that AGI has to have, and when might we get some?

So I think a great podcast. There was not, as you could tell. There was not a huge amount of news. I looked everywhere for good stuff but boy, I added it up. I think I have 4,300, plus some inbound pieces of email from our listeners. Holy cow, so like since this began. So I'm not starving at all for listener feedback and I think it's fun. Actually, changing this from Twitter to email completely changed the feel of the feedback since it no longer needs to fit into 280 characters.

Uh, you know, and so it's a you know a lot more interesting so excellent, a great podcast. Oh and Leo, yeah, we're starting in on our second thousand. This is podcast number 1001.

0:06:22 - Leo Laporte
I hadn't really thought of it quite that way the second thousand that's right, you put that into perspective.

0:06:28 - Steve Gibson
That's what everybody wants. They want another thousand. It's like, okay, oh.

0:06:31 - Leo Laporte
God, there we go, okay. Well, you and I are going to work on it. We're going to do our best. That's all we can promise.

0:06:39 - Steve Gibson
I look different than I did 20 years ago, but you look about the same. I don't. You're being very kind You've got your hair still, it's nice silver. I haven't lost the badger.

0:06:48 - Leo Laporte
I still have the badger on top Our show today, brought to you by, I'm very happy to say, big ID. This is a really, really interesting company. They're the leading data security posture management solution, sometimes they call it DSPM. Bigid is the first and only DSPM solution to uncover dark data, to identify and manage risk, to remediate the way you want, scale your data security strategy through unmatched data source coverage. Bigid seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can take action on data risks, annotate, delete, quarantine and more based on the data, all while maintaining an audit trail, very important for compliance. Right Partners include ServiceNow, palo Alto Networks, microsoft, of course, google, aws, and more and more and more Microsoft, of course, google AWS, and more and more and more. And with BigID's advanced AI models, you can reduce risk, accelerate. Time to insight this is a new metric for me. I love it Time to insight, tti and gain visibility and control over all your data.

Now let me give you an idea of the kinds of people who use BigID. Who do you think would have an awful lot of data in an awful lot of places in a variety of formats, some legacy formats who would need to know where all their data is in such a situation. How about oh, I don't know the US Army? Right, they use BigID to illuminate all that dark data, to accelerate cloud migration, minimize redundancy and to automate data retention. I have this quote is from the US Training and Doctrine Command. It's mind-boggling. This is the quote Quote. The first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data, across emails, zip files, sharepoint databases and more. I mean parenthetically. I'm just going to say you can imagine the different kinds of formats the army has collected over the last couple of decades. He goes on to to say to see that mass and be able to correlate across those, it's completely novel. I've never seen a capability that brings this together like big id does. That's. That's a pretty good endorsement.

Cnbc recognized big id is one of the top 25 startups for the enterprise named the inc 5000, the deloitte 500 two years in a row. They're the leading modern data security vendor in the market today. You need to know this name. Big ID Publisher of Cyber Defense Magazine said. Quote Big ID embodies the three major features we judges look for to become winners understanding tomorrow's threats today, providing a cost-effective solution, of course, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.

It all starts with knowing where your data is. By the way, also really important if you're looking at AI because, if you think about it, you want to train, but you want to train on the stuff you know. The Army probably has a lot of stuff they you want to train, but you want to train on the stuff you know the Army probably has a lot of stuff they don't want to train AI on because it's sensitive or secret. So it's really important to understand what your data is, where it is, in all sorts of places. That's what BigID can do. Start protecting your sensitive data wherever your data lives.

At bigidcom slash security now, get a free demo. See how BigID can help your organization reduce data risk. Accelerate the adoption of generative AI. We're going to be talking about that later today. Bigid B-I-G. Bigid B-I-G-I-D. Don't ask me to spell ID BigIDcom slash security now. They do have. We're talking about AI. They have so many great reports on their website bigidcom slash security now but they do have a free report that's brand new. That gives you some really useful insights on key trends on AI adoption challenges, including those challenges of what to train on and what not to train on and the overall impact of generative AI across organizations. They know and they have a great paper on this, so read it at bigidcom slash security now.

You need Big I-D. Thank you so much for supporting the work Steve does here, and you support us, of course, when you go to that address, then they know that we saw it on security now, bigidcom slash Security. Now, steve, I'm ready with the picture of the week. It's a good one this week.

0:11:31 - Steve Gibson
It is a good one. And I've had some feedback from our listeners already who really liked it. I was again on the ball and just a reminder to our listeners that we're just shy of. 13,000 people are now subscribed to the Security Now mailing list 12,979.

0:11:51 - Leo Laporte
It's almost exactly the same number of Club Twit members we have, so I think there may be a correlation there.

0:11:56 - Steve Gibson
I think there may be, and that was the count when the mailing went out around 3 pm yesterday. So just saying that 24 hours ahead of time, uh, anybody who was subscribed to the list got this stuff. Um, so, uh, okay, anyway, so the point was that many people wrote back and said wow, that's terrific. So what we have is, um, a residential, uh, staircase going up, you know, as they do, along one wall with a handrail and then a banister on the outside to, you know, so that the stairs are not open. Now this family has a couple of toddlers and looks like maybe sister's a little older than brother. Um, she was first up. Uh, he, he's in diapers still and looks like maybe he's two. Uh, she might be maybe two and a half or three, I don't know. But that across the bottom of the stairs is a screen that mom and dad have said kids are not going upstairs, they stay downstairs, it's a child gate and I think it's a brand new one.

0:13:11 - Leo Laporte
It looks like it because it's still got the sales tag on it.

0:13:13 - Steve Gibson
You're right and, and I noticed also that behind it are a couple of stacks of stuff yeah, that you don't want the kids to get into. They don't want the kids to get into exactly well now, I gave this picture the caption.

the bottom of the staircase may have been blocked, but these future hackers are not deterred because the, the, the stairs protrude out from the, the uh banister supports and the and both of the kids have walked up the outside of the stairs like seeing whether there's a way they can get in there, because they're going to find a way and it looks like maybe that, if I'm right, the oldest sibling looks like she's sort of trying to squeeze herself in because she sort of ran out of runway there.

0:14:07 - Leo Laporte
Now she's got a risk. Now how do we get in?

0:14:10 - Steve Gibson
so, yeah, so there, so there are. We hope the analogy is not that they're behind bars, because you know the, the, the banister does look a little bit like that too. But uh, you know these guys, they're determined to find a way past mom and dad's blockade of the stairs. Oh boy.

0:14:28 - Leo Laporte
Future hackers. That's pretty accurate, yeah, future hackers.

0:14:32 - Steve Gibson
Okay, so some recent reporting by ProPublica raised some interesting questions and I got a kick out of this. I'm sure that our listeners will too. So ProPublica and I'll be interrupting a few times here with some of my own comments. They said in the summer of 2021 and we covered this at the time President Joe Biden summoned the CEOs of the nation's biggest tech companies to the White House. A series of cyber attacks linked to Russia, china and Iran had left the government reeling, and, of course, some of that was Microsoft's fault. Right, and the administration had asked the heads of Microsoft, amazon, apple, google and others to offer concrete commitments to help the US bolster its defenses. Biden told the executives gathered in the East Room quote you have the power, the capacity and the responsibility, I believe he said, to raise the bar on cybersecurity. Unquote Now, they said. Now Microsoft had more to prove than most. Its own security lapses had contributed to some of the incursions that had prompted the summit in the first place, such as the SolarWinds attack, in which Russian state-sponsored hackers stole sensitive data from federal agencies, including the National Nuclear Security Administration.

Following the discovery of that breach, some members of Congress said the company should provide better cybersecurity for its customers. Others went even further. Senator Ron Wyden, who chairs the Senate's Finance Committee, called on the government to quote re-evaluate its dependence on Microsoft before awarding it any more contracts. Now, as we're going to see shortly, what happened is not exactly what Ron was looking for. This was not the kind of re-evaluation that Ron had in mind, republicans said.

In response to the president's call for help, microsoft's CEO Satya Nadella pledged to give the government $150 million in technical services to help upgrade its digital security. Well, isn't that nice. On the surface, they wrote, it seemed a political win for the Biden administration and an instance of routine. Subsequent investigation suggests that Microsoft's seemingly straightforward commitment to provide a bunch designed to bring in billions of dollars in ongoing revenue, lock competitors out of lucrative government contracts and even further tighten the company's grip on federal business. And as I'm reading this, I thought you know, if I didn't know better, I would think Gates was still around Since this turned out to be a recognizably classic bill move. So they wrote the White House offer. As it was known inside, microsoft would dispatch Microsoft consultants across the federal government to install Microsoft's cybersecurity products, which, as part of the offer, were provided free of charge for a limited time. That's right. What a bargain. What's wrong with this picture? Ok, so they said well, how about? Once the consultants installed the upgrades, most of whom spoke on the condition of anonymity because they feared professional repercussions At that point, the customer would have little choice but to pay for the higher subscription fees.

In fact, two former sales leaders involved in the effort likened it to a drug dealer hooking a user with free samples. Quote if we give you the crack and you take the crack, you'll enjoy the crack. One said Quote. And when it comes time for us to take the crack away, your end users will say don't take it away from me and you'll be forced to pay. Former salespeople said that Microsoft wanted more than those subscription fees. The White House offer would lead customers to buy other Microsoft products that ran on Azure the companies, of course, their cloud platform. This carried additional charges based on how much storage, space and computing power the customer used. These former salespeople said that the expectation was that the upgrades would ultimately spin the meter and quoting them, spin the meter for Azure, helping Microsoft take market share from its main cloud rival, amazon Web Services.

In the years after Nadella made his commitment to Biden, microsoft's goals became reality. The Department of Defense, which had resisted the upgrades for years due to their steep cost, due to their steep cost, began paying for them once the free trial ended, laying the groundwork for future Azure consumption. So did many other civilian agencies. Former Microsoft salesperson, karan Sandhi, who had knowledge of the deal, said that quote the White House offer got the government hooked on Azure and it was successful beyond what any of us could have imagined. Unquote.

While Microsoft's gambit paid off handsomely for the company, legal experts told ProPublica the White House offer should have never come to pass, as they sidestep or even possibly violate federal laws that regulate government procurement. Such laws generally bar gifts from contractors and require open competition for federal business. Eve Lyon, an attorney who worked for four decades as a procurement specialist in the federal government, said that accepting free product upgrades and consulting services collectively worth hundreds of millions of dollars is not like a free sample at Costco, where I can take a sample, say thanks for the snack and go on my merry way here. You have changed the IT culture, and it would cost a lot of money to switch to another system. Unquote.

Microsoft, for its part, defended, of course, its conduct. Steve Fail, that's F-A-E-H-L Good name. Yeah, yeah, I thought I should spell it F-A-E-H-L. Steve Fail, the security leader for Microsoft's federal business, said in a statement quote by the administration to enhance the security posture of federal agencies who are continuously being targeted by sophisticated nation-state threat actors. There was no guarantee that agencies would purchase these licenses and they were free to engage with other vendors to support their future security needs. Unquote. Pricing for Microsoft Security Suite was transparent, he said, and the company worked quote closely with the administration to ensure any service and support agreements were pursued ethically and in full compliance with federal laws and regulations. Unquote. Fahle said in the statement that Microsoft asked the White House to quote review the detail for antitrust concerns and ensure everything was proper, and they did so.

0:23:20 - Leo Laporte
I love the phrase hooked on Azure. I just think that on Azure that's a nice ad campaign.

0:23:28 - Steve Gibson
There's only one little problem with this, of course. As we know, it really is surprisingly difficult to switch vendors, and of course it gets worse. Pro publica found the white house summit ushered in a new form of concentrated reliance, as well as the kind of anti-competitive behavior the Biden administration has pledged to stamp out their White House offer push. They advised federal departments to save get this, leo to save money by dropping cybersecurity products they had purchased from competitors. Those products, they told them, were now redundant. Salespeople also fended off new competitors by explaining to federal customers that most of the cybersecurity tools they needed were included in the free upgrade bundle.

Today, as a result of the deals, vast swaths of the federal government, including all of the military services in the Defense Department, are more reliant than ever on a single company to meet their IT needs. Propublica's investigation, supported by interviews with eight former Microsoft employees who were involved in the White House offer, reveals for the first time how this sweeping transformation came to be A change that critics say leaves Washington vulnerable the very opposite of what Biden had set out to achieve with his summit. Because of the monoculture right, it's like oh, everybody's using Microsoft. Unfortunately, we've seen Microsoft making some significant mistakes.

0:25:27 - Leo Laporte
Well, wasn't this in kind of response to SolarWinds?

0:25:30 - Steve Gibson
Yes, yeah, yes. This was three years ago when it was like, oh my God, what are we going to do? And so Microsoft said, hey, how would you like some free stuff?

0:25:41 - Leo Laporte
We'll give you $150 million of stuff for free. It was only free for the first year, I mean, it wasn't even free-free, it was a trial offer.

0:25:49 - Steve Gibson
basically it was. I mean okay, so the ProPublica article, I've got a link in the show notes. It goes into much greater detail. That was just like the introduction quarter of it, so I have a link to it, as I said, for anyone who wants more, but I'm sure that all of our listeners get the idea. At one point Microsoft was asked to provide this enhanced security support to the federal government at no charge, indefinitely, which they flatly declined. Then, of course, it became a negotiation over. Well then, how long would the services be free, you know? And of course, what adds even more salt to this wound is that for many years these same federal and military agencies had been steadfastly refusing to go with Microsoft solutions due to their cost. But they could not say no to free. So this allowed Microsoft to get their solutions in the door, to remove any previous reasonably priced competitive solutions. And then, once the free offer expired, the choice was either pay up or go without.

You know, it's at least mildly disgusting. And what's more, you know, this didn't just fall into Microsoft's lap right. Former insiders made it clear that this was their intention all along. From the beginning, Microsoft CEO Satyain adela knew exactly what he was doing.

0:27:29 - Leo Laporte
Basically, it was a trojan horse how hard is it if you've upgraded your security to microsoft g5 level? Is it to go back like, if they go, oh we don't want to pay for it, so we're going to go backwards?

0:27:48 - Steve Gibson
um, if elon musk is going to do anything, this is something he might want to wait this is the kind of thing I mean it takes holding your breath and pinching your nose and and I mean it's an upheaval, and so anyone in IT understands that. But it's not their money they're spending, it's our money they're spending, and so it's always less expensive to pay for the incremental cost of another three months than it is to say, okay, we're on the wrong path, we're going to dead end this path, because it does then mean going out and getting competitive bids and literally having downtime, while all of this changes, because that you know, you have to remove all of this junk and and put in new stuff so if the whole motivation for doing this was oh my god, we've got a big security problem.

0:28:58 - Leo Laporte
Uh, you're not going to tear out the security fix you just installed to fix that so that you can do something else, you're, you're going to be a lot of pressure just to keep on, keeping on well, and leo, you and I and our and the old timers of the uh who are listening to the podcast, we all remember gates.

0:29:18 - Steve Gibson
I mean, oh yeah, he was bill. Bill was much. You know he's revered as some technical genius. I mean he's a genius, but he was much. He's revered as some technical genius. I mean he's a genius, but he was much more of a businessman than he was a coder. And he says that now too. I mean so we watched all of the early shenanigans that Microsoft got up to, things like oh, you can't remove our browser, we built it into Windows. No, it's part of the operating system.

0:29:47 - Leo Laporte
What?

0:29:48 - Steve Gibson
No, it's not Until the EU said, take it out. And they said, well, okay, you know, that should not give us any choice.

Same old, same old, but this just struck me as so Gatesian. It was just like oh boy, yeah, yeah, so ouch, Okay. So Apple has Hide my Email. Mozilla offers their Firefox Relay and you know these are email services that create throwaway aliases for a user's primary account. That create throwaway aliases for a user's primary account.

The recent news is that Google is reportedly working on adding something which they call shielded email to Gmail for their 2 billion Gmail users. So, as with the other services, users will be able to quickly generate random-looking usernames for use, you know, to filling out online forms and subscribing to things and so forth, which hide their real email addresses. So those are just aliases. And then you'll have some means of managing the aliases so that, for example, if you started to get spammed on one, first of all it would be interesting to know who you know which email address is spamming you, and then you're just able to delete it and you'll get rid of it. So I've noticed that a large percentage of the subscribers to GRC's mailing lists are Gmail domain users, so I imagine this will come as a welcome service.

Main users. So I imagine this will come as a welcome service. Unfortunately, I use Gmail as my trash can already, because I've got, you know, GRCcom email addresses, so it's a little late for me. I don't think it would serve much purpose using, you know, shielding what is already my throwaway account, but still, for people whose main, whose primary email is Gmail, I think this sounds like a good thing. And you know, better late than never. It certainly took them a while. On the other hand, Leo, can you imagine the infrastructure that Google must have in order to give 2 billion users like email that works as well as Gmail does?

0:32:06 - Leo Laporte
And they use their own server. They aren't're using, uh, you know, an open source server or anything like that. So if you were, you might be a simple plug-in, but yeah, that's a big deal, that's a lot to move.

0:32:17 - Steve Gibson
Yeah, plus it's old.

0:32:18 - Leo Laporte
Let's not forget. Gmail is not a brand new service, by any means correct, it's one of the very first web services correct.

0:32:25 - Steve Gibson
In fact, I remember, um, do you remember a guy named steve bass who was uh, uh he? He was the. He ran the pasadena ibm pc user. Oh, yes, okay, mug, yeah was the. Yeah, if you tried to pronounce the anyway, and I think he wrote for pc world also his byline, I do yeah, uh, neat guy uh, and he had early access to gmail and so sent me uh an invite that allowed me to get a, you know, a special uh email account at Gmail.

0:33:07 - Leo Laporte
Yeah, which you're not going to tell anybody, because otherwise it would be completely useless.

0:33:13 - Steve Gibson
Believe me, it's next to that now anyway. It's just you know.

0:33:17 - Leo Laporte
I have Laporte at Gmail because I was also early on.

0:33:21 - Steve Gibson
Very nice yep.

0:33:23 - Leo Laporte
And everybody's decided apparently the spam world's decided that I'm French and I get a lot of French spam, almost exclusively French spam, and I also because people this happens to you, I'm sure it happens to our listeners they don't really understand that you can't put a space in a gmail address. So a lot of people named francois laporte and uh and abigail laporte, they they type a space in there and it all goes to laporte at gmail, right?

so I get all sorts of stuff, like your tickets are ready. I mean just endless your reservations for tonight in paris. I mean it's, I'm tempted, but no, I'm well, and, and you're right, the, the.

0:34:07 - Steve Gibson
The problem with it being that big like all those domains are all those names in a single domain. Is that, if it is not, like you know, bzqrt79 or something, if it is leo or fred, it's the end of the world you're, it's like you know goodbye.

0:34:28 - Leo Laporte
There's a story about jim at aolcom. Poor jim never really did get to use that email address. Do you want me to take a break or do you want to continue on?

0:34:41 - Steve Gibson
I think now is a good time. We're half an hour in and then we're going to talk about uh, it's definitely not love coming from russia, so from russia and we do get to talk about russ.

0:34:58 - Leo Laporte
Thank you, steve. Our show today, uh, brought to you by those great folks at Delete Me. I have some direct experience with Delete Me because we have been using it for our CEO for some time now. If you've ever searched for your name online, I don't actually recommend that you do this, but if you've done it, you know how much of your personal information is right there in public. It's all data brokers. They've been collecting this stuff for years. Every app you use it's not just TikTok, it's Facebook, it's Instagram, every site you visit and they take all that information, they collate it and they make basically a dossier about you and your family, about everybody. You know Maintaining privacy is more than a personal concern. It's a family affair. That's why Delete Me has introduced family plans, so you can have Delete Me for everyone in the family, and I think they do have this corporate plans as well. I think that's what we use, because you really should have Delete Me for every manager in your company.

I've told this story before. Forgive me if you've heard it before, but we ran to delete me because Lisa, somehow bad guys figured out what her phone number was, what company she worked for and who her direct reports were and what their phone numbers were. I wonder where they got that information right. And, as a result, they were able to do a spear phishing campaign, purporting to be texts from Lisa's phone, the CEO's phone saying quick, I need some Amazon gift cards, I'm in a meeting, get them and send them to this address. Fortunately, our employees are smarter than that but immediately told me you know, we got to do something to reduce the amount of information about our management online, and that's when we went to Deleteme.

Deleteme helps reduce risk from identity theft, from cybersecurity threats like that, from harassment, you know, from all of the things privacy violations can do. It is not a nice thing. Deleteme's experts know where the data is. They will find and remove your information from hundreds of data brokers. And, by the way, if you get the family or the corporate plan, you can assign a data sheet for each member that's tailored to them so that you could say, well, don't delete the Instagram information, but do delete the Facebook. That kind of thing. Easy to use controls. So, as an account manager, you can manage privacy settings. That kind of thing. Easy to use controls. So, as an account manager, you can manage privacy settings for the whole family.

But this is important Once they've removed that data, you don't just then walk away because you could do that yourself. First of all, you need to know the hundreds of data brokers out there, but then you need to know, as new ones come online and they do every single day. It's a very profitable business. You need to know to go back, and that's what Deleteme does. They continue to scan and remove your information regularly, not only from the existing data brokers, from all the new ones that pop up all the time, and I'm talking addresses, photos, emails, relatives, phone numbers, social media, property, value, everything. It's's all. Online data brokers have it all. Until we get a comprehensive privacy law in this country protecting you, you got to protect yourself and your family and your business.

Reclaim your privacy by going to join delete mecom slash twit. The offer code twit gets you 20 off, which is a great deal. Joindeleteemecom slash twit and use the offer code twit for 20% off. And once you go to joindeleteemecom slash twit, look at all the offerings. They have a very granular set of offerings that can really do the things you need to do to protect yourself online. So I would very much recommend. Looking at all that. It's really an amazing company. Joindeleteemecom slash twit. Thank you, delete Me, by the way. After the national public data broker breach, steve, we searched for my name. It was right there my social security and everything.

0:39:02 - Steve Gibson
Mine too Not.

0:39:03 - Leo Laporte
Lisa's, not Lisa's, and I thought that that's a pretty telling thing. That delete me really worked. Join delete me dot com. Slash twit.

0:39:13 - Steve Gibson
Thank you delete me, steve. So Russian officials have recently Roskomnadzor.

0:39:20 - Leo Laporte
I'm sorry, I jumped the gun.

0:39:23 - Steve Gibson
We're going to get there in a second have recently announced via Telegram that they which I thought was interesting, oh yeah.

Let's use Telegram, isn't that interesting, punishing them Wow, that they plan to expand Russia's ban on foreign web hosting providers who are hosting content that discredits the glorious Russian army their words. So Akamai and CDN77 may soon find themselves added to the banned list for being naughty. Overall, russia appears to feel that the Internet is, at best, a mixed blessing. It's unclear to me how it's possible to even function within today's globalized economy without it. I think they're nuts.

0:40:11 - Leo Laporte
But Russia seems poised. I'm sorry, I'm getting ready. I'm getting ready for the go ahead.

0:40:15 - Steve Gibson
That's right. Russia seems poised to at least explore getting along without the Internet, to which end Russia's illustrious Internet watchdog, none other than Ross Komnonzor has announced its plan to conduct another test next month of Russia's big Internet disconnect switch.

When pulled, does what it says it severs all ties between Russia and the rest of the global Internet. And they did it once before, didn't they? They tried it and they've been working on it for years. They have to do things like figure out what to do with DNS queries that resolve to IP addresses that are no longer available, I mean. But they just don't want everything to hang and crash and like sitting in, like you know, with the hourglass spinning. So you know, it turns out that disconnecting from the Internet is not an easy thing to do. And, of course, as I was thinking about this, I thought what about Starlink? Because it's no longer the case that useful Internet connectivity requires landlines and fiber optic trunks and all of that.

0:41:45 - Leo Laporte
Starlink is banned in Russia that would be my guess or it doesn't offer it. Let me see it's available in Ukraine, of course.

0:41:56 - Steve Gibson
And you're right, russia is sanctioned right now.

0:41:58 - Leo Laporte
Yeah, that's what I thought. Yeah, so that just works in their favor, doesn't it?

0:42:04 - Steve Gibson
That's right. Easier to disconnect Eas easier to pull the switch.

So anyway, so they're they're going to do another test in December. And again, you know it's like, is there some big long term plan here? Is it? Is it just so that they, like are worried they're going to get attacked? I don't know. You know we would know if our country was doing the same thing, because it would have an effect. I mean, pulling the switch on global connectivity will have an effect, so really interesting. You know we'll have to see what they've got planned. But while we're on the topic of Russian antics, get a load of this.

One of the zero days it was CVE-2024-4351 that Microsoft patched this past week was, you know, in patch Tuesday last week was used in a Russian hack of Ukrainian organizations earlier this year.

According to the security firm Clear Sky, the Zero Day was part of an exploit chain that exposed NT Landman you know, nt Land Manager credential hashes, also known as NTLM credential hashes also known as NTLM credential hashes when victims interacted with URL files that were received in phishing emails.

But here's the part that really caught my attention that right-clicking, deleting or moving the file established a connection with the attacker's server, exposing authentication data. The report suggests that the campaign also used social engineering to convince victims to run executables? Okay, but hold on Right-clicking on a file to display its context menu and examine its properties, deleting it or dragging it to another directory was all that's needed to cause the victim's machine to establish a remote connection to a malicious server. Victim's machine to establish a remote connection to a malicious server. What so? I went over to clear sky to see what was up and I've got a link in the show notes for anyone who wants to see too. The clear sky research team posted their write-up last wednesday writing a new zero day vulnerability cve. Oh, by the way, it was posted wednesday because the patches were pushed on Tuesday, the day before closing this down. They said a new zero-day vulnerability 43451.

0:44:56 - Leo Laporte
Ironically, clear Sky Security sent an invalid response. I don't know if it's blocked or it can't provide a secure connection, so it might be my browser. Sometimes this happens.

0:45:09 - Steve Gibson
Uh, interesting, uh yeah I think maybe, uh, maybe, maybe do it.

0:45:15 - Leo Laporte
Excuse me, do an explicit https yeah, no, because I think the ubiquity blocks certain things ah, okay yeah, so I was just clicking the link you provided.

0:45:26 - Steve Gibson
Yeah.

0:45:27 - Leo Laporte
Let me try clicking it here. Yeah, I'm sure it's fine, it's just me. Yeah, I also have that from Safari. It just came right up for me. Yeah, so it's Ubiquiti. I've noticed this. There's certain places I can't go and I think it's the security. I do use security in the Ubiquiti. Oh, and I think it's the security I do use security in the ubiquity.

0:45:46 - Steve Gibson
Okay. So they wrote a new zero-day vulnerability 43451, was discovered by Clear Sky Cybersecurity in June of this year, 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities. The vulnerability activates URL files containing malicious code through seemingly innocuous actions. Then they have three bullet points First, a single right click on the file in all Windows systems will do this. Windows systems will do this. Deleting the file in Windows 10 or 11 will do this. Dragging the file to another folder in Windows 10 or 11 and some Windows 7, 8, and 8.1. They wrote the malicious URL files were, and I should note that a URLl file is just text, so it's kind of pushing it to call it malicious but okay it's just a link, it's just, yeah, it's got.

It looks like an any file. So they wrote the malicious url files were disguised as academic certificates and were initially observed being distributed from a compromised official Ukrainian government website. What actually happened was that the Russians compromised an email server in Ukraine and then used the email server's credentials to send you know DKIM, spf, you know DMARC approved email to others in Ukraine. So the email that was coming in looked like it was verifiably authentic from the compromised server, but in fact, unfortunately, it was phishing email. So they said the attack begins with a phishing email sent from a compromised Ukrainian government server. The email prompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user interacts with the URL file by right-clicking, deleting or moving it, the vulnerability is triggered. So I'll just say this is like. This is the first time I've seen that. Like you know, dragging a file and dropping it in the trash, or right-clicking to learn more about it, that's all it takes under Windows 10 and 11 in order to well, and right-clicking in all versions of Windows in order for this thing to happen. Anyway, I've got more details. So they said, when the user interacts with a URL file by right-clicking, deleting or moving it, the vulnerability is triggered. Connection establishes a connection with the attacker's server and downloads further malicious files, including SparkRat malware. Sparkrat is an open source remote access Trojan that allows the attacker to gain control of the victim's system. The attackers also employed techniques to maintain persistence on the infected system, ensuring their access even after a reboot.

Ok, so the culprit here is a dot URL file, which is a Windows Internet URL shortcut text file, and anyone who's ever looked at like the original dot I-N-I you know config files back in the early days of Windows will recognize the format here. It's got sections that are surrounded by square brackets and then just simple name equals value pairs, all in text. Simple name equals value pairs, all in text. The key is that the file contains a URL equals line where the scheme of the URL is file colon, forward slash, forward slash, followed by the IP of the malicious remote server malicious remote server. In Windows, the file colon slash, slash scheme is handled by SMB, which is, of course, server message blocks, which underlies Windows' original file and printer sharing, which, as we know, was never up to snuff security-wise. So that's where NTLM credential hashes come in, because windows has always been extremely generous, handing out it's like I D I D it's users by by sending their credential hashes around, long before it was realized that that's not a good idea to be sending somebody's hashed credentials, because there's all kinds of mischief you can get up with them, including just a replay of the credential hash, in order to impersonate them, which is exactly what this thing does. So, apparently, upon even extremely innocuous contact with these files in Windows and it's worse, in more recent Windows 10 and 11, windows Explorer will, without any prompting, reach out to the file server that's indicated in the shortcut, even without its recipient executing the shortcut. The researchers wrote.

When examining the URL file, clearsky's team exposed a new vulnerability Right-clicking the file establishes a connection to an external server. In addition, execution in a sandbox raised an alert about an attempt to pass the NTLM hash through the SMB protocol. After receiving the NTLM hash, an attacker can carry out a pass the hash attack to identify as the user associated with the captured hash without needing the corresponding password. In other words, the credential hash that NTLM's SMB protocol sends out to identify its Windows user can simply be captured and subsequently used to impersonate the user as if they were logged in the researchers wrote. Further investigation yielded that in Windows 10 and 11 operating systems, the action of dragging the file from one folder to another or deleting the file caused the file to communicate with a target server and only then be deleted or moved. Under Windows 7.8 and 8.1, the file did not initiate communication when dragged or deleted, unless the target folder was open at the time of dragging. They said this did not happen on the first attempt, but was observed only after two to three attempts. That is, they concluded. The newly detected vulnerability is somewhat more exploitable on Windows 10 and 11 operating systems.

Our listeners here to learn that the actions that any of us might take to dispose of something we may have inadvertently received could themselves lead directly to a compromise of our machine. That's new. So Microsoft reportedly patched and closed this flaw in last Tuesday's patch updates. So that's good. Patched and closed this flaw in last Tuesday's patch updates. So that's good. But it should serve to remind us that those of us using Windows are using an extremely complex operating system that is still dragging a ton of legacy code forward. That code was written, that NTLM SMB file and printer sharing code was written, and its protocols were designed long before the world had an appreciation for just how secure our future systems would need to be.

What came to mind as I was thinking about this? The classic example of this, was the original design of the Windows metafile format. Windows draws on the screen through a series of drawing primitives, you know, invoking a circle or a rectangle or a line function with parameters and so forth. A Windows metafile, you know WMF, is just the capture of those drawing primitives. It's essentially a script. Then later, when that metafile is opened, those primitives are replayed onto a new blank canvas to recreate the original drawing. So the metafile contents are interpreted.

But the designers of the original metafile format thought what if we want to do something more, you know, something more than just replaying something that was previously recorded? Why can't the file contain some code that's executed? And remember this was Windows 3.0. So among all of the interpreted tokens, they specified a meta escape code, which is what it was called, that would cause the system to execute what it was called. That would cause the system to execute, to essentially escape from interpreting GDI graphics device interface tokens, and execute the code contained within the Windows Metafile, starting at the bytes immediately following the special escape code. And so it sat there in the Metafile specification for years, until much later.

Oh, and it was copied as like from 95 to 98. To what was that? The last 16-bit version? It was me Windows ME, and then it made the jump to Windows NT and so on. So later years later, in the era of NT and network and Internet connectivity, it was suddenly rediscovered and labeled as a horrible exploitable flaw. At the time when I calmly stated that it was obviously there all along by design, many people misunderstood me. They thought I was saying that Microsoft had deliberately planted a back door in Windows Metafiles. It was, you know, it was originally deliberate, but it was never malicious, it was convenience. It was convenience, yes, it was a reasonable thing to do back when we could trust every image our machines might try to render. But let's just say it didn't age well.

And neither was Microsoft's original NT LAN manager and their SMB protocol. You know they have not aged well either, and you know they were also designed back before we really understood security. So this, you know this wasn't deliberate on Microsoft's part, and what was really interesting was that a week or two ago, we were just talking about how Microsoft has decided not to keep patching NTLM problems, yet the zero patch guys are. So there's another reason why zero patch is worth looking at. Oh, and I should mention I got a bunch of feedback from our listeners who said you know, steve, you should mention that there's a free tier also, so it's not necessary to subscribe to Zero Patch in order to get some of the benefits of it. So I just wanted to mention that, along with all the others, and thank you everybody who wrote to say you know, there's a freebie available, so there is a free tier for Zero Patch. Okay, so not a lot happened this week and we've just covered it all, so I'm going to spend some time with some feedback from our amazing listeners. Good, I believe he would pronounce his name Aiko A-Y-I-K-O. I'm sorry if that's wrong, but I'll say Aiko. Fred is in Uganda. And he said hey, steve and Leo. This is Aiko Fred from Uganda.

I've been listening to security now since 2021, starting around the 800s as in you know episode number. He said I occasionally miss a few episodes when things get busy, sometimes up to a month, but I'm thoroughly enjoying the show. He said I don't have I do not have a formal background in computer science, but I developed an interest in programming in 2020 and learned some Erlang and Elixir, he said, my first and only languages which I'm now using at work. He said it made me realize I had only a blurry understanding of many key concepts. I'd never thought to go back to the earlier episodes from 2005, but a few episodes ago a listener recommended going back to the earlier episodes, so I decided to give it a try and wow, he said the way you explain topics like how the Internet works, cryptography and VPNs really clicked for me. He said I was blown away by how much easier it was to understand these concepts through your explanations. Now I feel like I've been programming by superstition all along.

He said each he said each episode has left me wanting more, and I've even re-listened to some episodes three to four times, especially those on cryptography and internet fundamentals. I'm now on episode 58, and I'd encourage anyone with a shaky grasp on these topics to check out the earlier episodes. They won't regret it, isn't that? So I wanted to share that just to remind our listeners about that. But he finishes saying one episode made me think this is exactly what I need. He said that was episode 41, true Crypt. He said unfortunately, I learned that TrueCrypt's development was discontinued in 2014. Do you have any recommendations for alternative tools with similar features to TrueCrypt that are compatible with Linux?

I love something with the same level of privacy and security. Thank you again for all your work. I really appreciate it, looking forward to episode 1000. Best regards.

So I mentioned this bit of feedback last week that I wanted to share it this week because I know that this podcast has been discovered by many people years after we recorded those early fundamental technology podcasts. We've heard from others who, after discovering this podcast, had the idea of going back to start from scratch and catch up, and those people have invariably found that it was worth their time. So, frankly, part of me is tempted to just stop and recreate some of that work from the early days so that they're put back into everyone's feeds. But that doesn't make any sense because they're already there. Every podcast we've ever recorded remains available to everyone, and reproducing content we've already created would displace our new content, for which we often barely have enough time as it is. So from time to time I'll take a moment, as I have here, to remind our listeners that back in the early days we laid down many of the fundamentals of the way everything we're talking about today works, and it was done in a way that many people have found to be extremely accessible.

Also, another thing we often hear is that, while our listeners enjoy the content today, they feel that there's much they don't understand. You know they say like well, I get it. I understand maybe 20% of what you're talking about. We just mentioned that a week or two ago. You know, it is true that I consciously build upon the foundation that we have laid down before using what's come before. That's the only way it's possible for us to move forward, to move forward. So to those who feel that they've been tossed into the deep end of the pool by showing up here late, let me note that all of that knowledge that's missing and assumed was once covered in detail back in the earlier days of this podcast. Really, I mean all of the stuff we talk about and sort of zip over when we're talking about something new. That's all been discussed in detail in the past and it's all there waiting and free for the asking for anyone who wants it.

1:04:12 - Leo Laporte
At some point I'd love to make a playlist of foundational episodes that people should listen to. Yeah, but just for Aikouko, fred. Uh, there is a replacement for true crypt. Steve talks about it in episode 582. You'll get there. It's a vera crypt and he talks about it in this episode and many other episodes.

1:04:31 - Steve Gibson
Yep it is it's so, it's it is. And I have a link to vera crypt in the show notes uh, v-e-r-a-c-r-y-p-t dot f-r. Veracryptfr. I went over and took a look and, yep, I mean it was updated a month or two ago, so it is being kept current. Uh, and it is platform agnostic. It'll work beautifully for linux and encrypt your drive just like true crypt once would have. Very nice. Yes, see, we cover. See, we've covered it all.

1:05:00 - Leo Laporte
We've covered it all over the years.

1:05:02 - Steve Gibson
We really have. Well, Leo, how many thousands of hours.

1:05:06 - Leo Laporte
That's right.

1:05:07 - Steve Gibson
Wow, several at least. Okay, scott Gottfried wrote to share his powerful solution for accessing his network from home. But, leo, let's take a break, and then we're going to find out what Scott is using in order to get roaming access, and it's not something we've ever talked about. Oh, how fun.

1:05:29 - Leo Laporte
Something new? Yeah, like Hamachi or we've talked about a lot of different ways of doing stuff like that, yeah.

1:05:36 - Steve Gibson
And you know, Hamachi still exists.

1:05:38 - Leo Laporte
Really, but it was log me in log me in.

1:05:40 - Steve Gibson
Bought them, yeah, and so it's a commercial service, but it's still there and it was a great idea using what five dot right, yeah?

1:05:49 - Leo Laporte
uh, well I can't wait to hear what, what else there is out, uh, out there. But first a word from our fine sponsor, a name you know. I know you know one password. You may be thinking oh yeah, I know they do a really good password manager. Well, this is a new product from 1Password, kind of takes a password manager. The next step, it's called Extended Access Management.

Now let me ask you a question. If you're in IT or run a business, do your employees, do your end users always work on company-owned devices using IT-approved apps? Of course they're the best right. No, they don't. They bring their phone in their laptop, they're watching their Plex server from home. So how do you keep your company's data safe when it's sitting on all those unmanaged apps, on all those unmanaged devices? One password's answer to that question extended access management. One password. Extended access management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM, password management and MDM cannot touch.

Imagine your company's security like the quad of a college campus. You know the nice brick paths leading through the green sward between the ivy-covered buildings. Those are the company-owned apps. It-approved apps, company-owned devices, the managed employee identities. It's all nice, it's all peaceful. But then, as on any college campus, there are the paths people actually use, the shortcuts worn through that beautiful green grass that is actually the straightest line from building A to building B. You don't want to go roundabout to get to physics 101. You know about straight lines, right? Those are the unmanaged devices, the shadow IT apps, the non-employee identities like contractors. If you've got employees, it's inevitable they're going to do their own thing.

Problem is most security tools only work on those happy little brick paths. A lot of the security problems take place on the shortcuts. That's why you need 1Password Extended access management. It's the first security solution that brings all these unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, every app is visible. It's security for the way we really work today and it's now generally available to companies that use Okta or Microsoft Entra. It's also in beta for Google Workspace customers, so good news. You can check it out right now at 1passwordcom slash security now. This is really an exciting new offering from 1password 1-P-A-S-S-W-O-R-D right 1passwordcom slash security now. We thank them so much for supporting Steve's important work here at Security Now. We thank you so much for supporting Steve's important work here at Security Now. We thank you for supporting it by going to that site. So they know you saw it here. 1passwordcom slash security now.

1:08:48 - Steve Gibson
Okay, on we go. More Q&A. Scott leaves to the end that everything he describes is all a free service provided by Cloudflare, which is really interesting.

1:09:01 - Leo Laporte
I've used their pages. They have a lot of free services actually.

1:09:04 - Steve Gibson
Yeah, so I wanted to mention that up front. That is the freeness, so that, while I'm sharing what Scott wrote, everyone who might have a similar need will be taking it seriously and thinking oh, this is interesting.

So Scott said hi, steve, congrats on 1,000. I've listened for all 20 it seriously and thinking oh, this is interesting. So Scott said hi, steve, congrats on 1000. I've listened for all 20 years, every episode, thank you. And Leo, he said I've heard several questions from your listeners about how to access their home network while traveling VPN, overlay network. I had the same question. My primary requirement for accessing my home network was that I did not want to open any ports on my router. Amen to that, he said.

I researched solutions for several months until I happened upon a blog post at Cloudflare. The solution for me is the Cloudflare Tunnel and that's at wwwcloudflarecom. Slash products, slash tunnel, t-u-n-n-e-l. And he said I run an old Intel NUC from inside my network that creates an outgoing tunnel to Cloudflare, lets me add my own domains, has a firewall, provides authentication and allows me to configure routing for my four internal home subnets. He said it's awesome.

I run two separate photo sharing apps for the family. The apps run in Docker containers on the NUC, which has Linux and Kasa OS, but the tunnel could run on a NAS or Xima board. When traveling, I use the CloudFlare Warp app on my laptop and connect to my home network. I can then RDP to my Windows NUC, I can access my Ubiquiti cams and I can access my TrueNAS. Nothing on the home network is exposed to the internet. It all happens through the tunnel. The family accesses my shared photo apps, jellyfin and Pywego, using a web browser pointed to my custom domain. I add authorized family member email addresses to the CloudFlare dashboard. When a family member tries to log on to one of the apps, they just enter their email address. They are sent a PIN for access. All of that is handled by CloudFlare.

It's a little bit of a propeller beanie kind of stuff. It's a little bit of a propeller beanie kind of stuff, but one could just start with a tunnel to access the home network without sharing apps and dealing with authentication. Oh, he says I forgot to mention all of the stuff I use at. Cloudflare is free, all caps. Exclamation point is that I hope this might help anyone searching for this type of solution. Best Scott. So thank you, scott, for this type of solution. Best Scott. So thank you, scott, for sharing that. It was news to me, so I went over to take a look.

Cloudflare's tunnel page says protect your web servers from direct attack From the moment an application is deployed, developers and IT spend time locking it down, configuring ACLs you know access control lists, rotating IP addresses and using clunky solutions like GRE tunnels. There's a simpler and more secure way to protect your applications and web servers from direct attacks Cloudflare Tunnel. Web servers from direct attacks. Cloud flare tunnel. Ensure your server is safe, no matter where it's running public cloud, private, cat cloud, kubernetes cluster or even a Mac mini under your TV. So from Scott's description, it sounds like an extremely powerful and capable solution for simple, safe, remote connections to an internal network. It may be more than many of our listeners need, but I wanted to put it on everyone's radar, you know, because it really does up authentication. Have registered email addresses where someone is able to receive a PIN, provide that back and then automatically get access through the tunnel back to the network. You know there's a lot there. It does a lot, but anyway it looks like a potentially very interesting solution.

At the same time I got a note from Jeff Price, who also happened to write thanks for the emails. They're very helpful. He said I have meaning the weekly security. Now you know preview of the podcast. He said I have a medium-sized network at home with Synology, nas, dozens of IoT devices etc. I've been using Tailscale for all remote connections. This means no open ports or port forwarding. I also set up a system inside my home as an exit node, which means even when I am traveling I can encrypt all of my traffic back to my home and then exit from there. In other words, anything he's doing while he's traveling believes he's still at home, which can be useful for access to streaming services and so forth that have specific geographic boundaries. He said Tailscale has worked great and it is much faster than OpenVPN. So just another reminder that the overlay network solution is almost drop-in, easy to use, and there are Tailscale and ZeroTier and there's also Nebula and Netmaker. There are clients for all of the various OSs that we're using and even for the various NASs. So you know there's a, probably a. Well, it is far less flexible and capable. It's also sort of more of a homegrown solution than Cloudflare's tunnel. So you know your mileage may vary. Pick the solution that seems best for you.

Adam B has an intriguing problem. He said Hi, steve, I'm a longtime listener to the show. I'm not sure how long, but I definitely remember when you used to alternate episodes between topics and news and he means news and feedback. He says I'm a proud Spinrite owner and feedback. He says I'm a proud Spinrite owner and, thanks to you and Leo getting me interested in HackerOne, a few hundred dollars better off, having found a couple of local privilege escalation vulnerabilities during some poking around on my weekends. That's very cool. So he's a little bit of a white hat hacker helping people. He says I have a question that I have not been able to find an answer to online and I thought might interest you and my fellow listeners. I'm a hobbyist malware that's isolated from the Internet just to see what happens.

Sometimes the samples will try to communicate with a command and control server. Often the hard-coded C2 server is a fully qualified domain name, but sometimes it's a public IP address. Domain name, but sometimes it's a public IP address. He says it can often be useful to pretend to be the command and control server just to see what the sample sends. When the C2 server is a fully qualified domain name, it's easy enough to use my own DNS server in the isolated network to answer the DNS request with an A record IP address of my choosing, meaning that right. So the malware says I need the IP address of badguysru and because he's created an isolated network, he's got his own DNS server. So the machine running the malware generates a DNS query to badguysru and the DNS responds with 192.168.0.20 or something which is a machine on that network. So that's where the malware attempts to connect to, which is his own server, so he can see what's going on, he said. However, when the C2 server is a public IP address, this becomes more troublesome. I think I have two choices, he wrote. He said one, patch the sample to change the IP address to one on the LAN. Or two, somehow get my LAN to answer the ARP request with a MAC address of my choosing. He said the problem with choice number one is that this isn't practical at scale, meaning you know, patching the malware in order to point it to something local. And I agree. And he said, as in you know, sometimes I like to run 10, 20, or 50 versions of the same malware family. He said I don't want to have to manually patch 50 different samples. It also seems like the less satisfactory choice. The problem with choice two is that I simply can't figure out how to do it. How can I configure my network so that if a sample makes a request for a public IP address, in other words one that isn't in the slash 24 of my LAN, the request is handled by my C2 server? The best answer I could find online was concerned with ARP poisoning, but this seemed very unreliable and likely to cause an unstable network. It feels like the answer will be something to do with the default gateway, but I can't figure it out. I hope that makes sense. I would really appreciate your thoughts on the subject. A big thank you to you, leo, and the whole team. Kind regards, adam.

Okay, what Adam wants to do can definitely be done in a highly robust fashion to do can definitely be done in a highly robust fashion. It would be possible to manually add static routes to the routing table of the machine that's hosting the malware. This would cause the traffic bound for that target IP to override the normal non-local default route, which would send the traffic out to the network's gateway interface and instead to another local network interface. But doing that is tricky and messy. The more straightforward solution and it's really slick would be to obtain a router that has some extra hardware interfaces. That little NetGate SG1100, which I'm using here has an AUX network connection. You know it's got WAN and LAN and AUX as in auxiliary and it's not a simple switch using the same network as the LAN. It's a separate network interface and that can be given its own LAN or, for example, one of those Protectly P-R-O-T-E-C-T-L-I Protectly Vault devices. I'm using one of those at my other location. Those are nice also and Amazon has those for sale sale or you can get them directly from Protectly.

The idea is to have an extra physical network interface. You would use the router software such as PFSense or OPNsense to define another small LAN network for that extra interface and instead of using one of the normal private networks like 192.168.somethingsomething or 10.somethingsomething, you would create a network that includes the target IP of the command and control server. You then attach a machine, this C2, your command and control spoof server. You attach a machine to that interface and manually assign it the IP of the command and control server that the malware is looking for. That the malware is looking for Now. Whenever the malware in the host machine addresses Internet traffic to that remote public IP, your local router's routing table will see that the IP matches within that extra network and will send the traffic to it rather than out onto the public Internet the traffic to it rather than out onto the public internet. So you wind up with a very straightforward, robust and easily adjusted and maintained solution. And yes, dale Myers has a problem. I've forgotten how many breaks we've taken.

1:22:40 - Leo Laporte
I thought there was something going on. We have one more, so you could put that anywhere you want. Okay, only one left.

1:22:47 - Steve Gibson
Only one more and then we'll finish our feedback and before we get into what is AGI, thank you, dale Myers has a problem no one should ever face. He said hi, steve, I never thought when I started listening at 0001 that there would ever be a thousand and still counting Security Now podcast. He said I started at the beginning right after Fred Lange suggested that your podcast might be worthwhile. He was right. At the time I was a volunteer in the IT department of a parochial school. The things I learned from SecurityNow led to important improvements in our system over the years. In those days there were not so many listeners and you took time to answer two of my questions submitted in the feedback dialogue box at the bottom of the security now page.

Now I have a new question that raises that relates to using a password manager. He said I've been doing a bit of traveling by air lately and the last time I was in my travel agent's office I decided to use some of the accumulated points. She said she could not access my account without my password. There was a place for it on her screen, but I could not figure out how to get the password from there or to there from my password manager. Any thoughts? Signed Dale Myers.

Okay, so my first thought was huh, that's a really good question. How would you do that securely? And then I thought I wonder why this isn't a problem we've heard about before. And then the question answered itself, since no one should ever have this problem. No one should ever be asked to give their password to someone else, like a travel agent, so that she could access their account. So you know it's not a bigger problem because it should never be required of anyone ever, should never be required of anyone ever. The whole thing, you know, seems like a fundamentally bad idea. But that doesn't help Dale, who apparently does have this problem, even if everyone agrees he should never have had this problem in the first place. Given that Dale has been listening since episode one, we know that his travel account is currently protected by a ridiculously gnarly long, random and impossible to manually enter or even communicate password. So my advice would be not to even try. Briefly change your password to something ridiculously simple to type which meets the travel system's password policies but otherwise minimal in every way. You know it's only going to be that way for a few minutes, so its security doesn't really matter Once the travel points have been transferred, the account's password can either be restored to what it was before or set to something new. Now a workable alternative would be to just send the account's initial gnarly password via email or a text to the travel agent. Let her log in, do whatever she needs, then change the account's password to something new and super secure once the points have been moved.

Now, having said that, I did get a piece of feedback from a listener about an incredibly cool looking device. I've got it on the way to me because I want to understand it and be able to talk about it. It is a little dongle which has a USB port and it is a Bluetooth keyboard dongle, meaning that what Dale could do if he had this, or if any of our listeners had this problem, dale could have this with him, give it to the travel agent and have her plug it into her computer. You know, just any USB port. Now, very much like the original YubaKey, this thing looks like a USB keyboard. So then there are Android and iOS and other apps for this thing. So Dale would be able to send his password through this app and it would type into the password field on the travel agent's computer, which is kind of a cool hack.

Anyway, I'll know more about it. I'll have all the details in next week's podcast for anybody who wants to jump ahead. It was not cheap. It was $37, and it's being shipped from Poland, as I recall, but still.

1:27:53 - Leo Laporte
I thought it was kind of a cool thing?

1:27:56 - Steve Gibson
Kind of a cool thing. Chris C asked a while back. You said something about a large company that was fined for not keeping Teams or Slack chats as required by federal law. Do you remember who this was and what the law was? So I replied to Chris I vaguely recall that in passing, but I have no specific recollection and I said GRC's on-site search in the upper right of every page can be used to search only the podcast transcripts which are fully indexeded, so you might be able to track down the reference that way. So that was my reply to chris.

I wanted to share this because I use grc search from time to time myself in the same way when I'm looking for something from our own past. You heard me casually mentioned that we talked about something you know it was back during podcast number whatever. So I just don't want anyone to imagine for a second that I recalled that podcast. Like Chris here, I did recall that it was something that was mentioned, but not what or when. Since I get these sorts of questions often like that Chris asked, I just want to pass on to everyone that both the show notes and Elaine's precise transcripts are fully indexed and that index can be easily searched using GRC search box and I checked a little bit later Chris had replied. He's responded. Thank you, exlamation point I didn't know that was there.

He said I found it in SN number 959. He said Google did not help me, but the search engine on your site, powered by the same company, did so. Again, we do have, you know, essentially podcast specific search, which will allow anyone to find something that they think they recall that we talked about before, but can't remember exactly where or when. You're free to keep asking me, but you know I'll do the same thing you could do, which is to use the little search box in the upper right of every page at GRC. And Leo, we are ready to talk about artificial general intelligence, whatever that is. We'll at least maybe know what it is, even if we don't know when, about half an hour from now. But let's take our last break and then we'll plow into that.

1:30:35 - Leo Laporte
I'm excited, I'm really excited. I'm ready to take notes Our show today, brought to you by those great folks at Delete Me. I have some direct experience with Delete Me because we have been using it for our CEO for some time now. If you've ever searched for your name online, I don't actually recommend that you do this, but if you've done it, you know how much of your personal information is right there in public. It's all data brokers. They've been collecting this stuff for years. Every app you use it's not just TikTok, it's Facebook, it's Instagram, every site you visit and they take all that information, they collate it and they make basically a dossier about you and you and your family, about everybody. You know, maintaining privacy is more than a personal concern. It's a family affair. That's why delete me has introduced family plans so you can have delete me for everyone in the family. I think and I I think they do have this corporate plans as well. I think that's what we use, because you really should have delete me for every manager in your company.

We ran I've told this story before, forgive me if it's you know you've heard it before but we ran to delete me because Lisa somehow bad guys figured out what her phone number was, what company she worked for and who her direct reports were, and what their phone numbers were. I wonder where they got that information right. And, as a result, they were able to do a spear phishing campaign, purporting to be texts from Lisa's phone, the CEO's phone, saying quick, I need some Amazon gift cards, I'm in a meeting, get them and send them to this address. Fortunately, our employees are smarter than that. But immediately told, immediately told me, you know, we got to do something to reduce the amount of information about our management online, and that's when we went to delete me. Delete me helps reduce risk from identity theft, from cyber security threats like that, from harassment. You know, from all of the things privacy violations can do. It is not a nice thing. Deleteme's experts know where the data is, they will find and remove your information from hundreds of data brokers. And, by the way, if you get the family or the corporate plan, you can assign a data sheet for each member that's tailored to them so that you could say well, you know, don't delete the Instagram information, but do delete the Facebook. That kind of thing. Easy to use controls, so as an account manager, you can manage privacy settings for the whole family. But this is important Once they've removed that data, you don't just then walk away because you could do that yourself.

First of all, you need to know the hundreds of data brokers out there, but then you need to know, as new ones come online and they do every single day. It's a very profitable business. You need to know to go back, and that's what Deleteme does. They continue to scan and remove your information regularly, not only from the existing data brokers, from all the new ones that pop up all the time, and I'm talking addresses, photos, emails, relatives, phone numbers, social media, property, value, everything. It's all online Data brokers have it all. Until we get a comprehensive privacy law in this country protecting you, you've got to protect yourself and your family and your business.

Reclaim your privacy by going to joindeletemecom slash twit. The offer code twit gets you 20% off, which is a great deal. Joindeletemecom slash twit and use the offer code twit for 20% off. And once you go to joindeletemecom slash twit, look at all the offerings. They have a very granular set of offerings that can really do the things you need to do to protect yourself online. So I would very much recommend looking at all that. It's really an amazing company. Join. Delete me dot com. Slash twit. Thank you. Delete me, by the way. After the national public data broker breach, steve, we searched for my name. It was right there my social security, everything mine not leases, not leases.

Yeah, and I thought that that's. That's a pretty telling thing, that that, believe me, really worked. Join, delete mecom, slash. Uh twit, thank you, delete me. All right, I've been dying to hear this. Steve Gibson on AGI.

1:34:58 - Steve Gibson
Well, okay, steve Gibson surveying a bunch of other people's feelings about AGI.

1:35:06 - Leo Laporte
Yeah, that's fair. I want to know what you think too, though I think you'll probably give us some ideas.

1:35:12 - Steve Gibson
Okay, I should note that I already have everything I need, with thanks to today's chat GPT 4.0. And it has changed my life for the better as a time saver in sort of, in the form of a programming language super search engine and even a syntax checker. I've used it sort of as a crutch when I need to quickly write some throwaway code in a language like PHP, where I do not have expertise, but I want to get something done quickly. I just, you know, I'd, like you know, solve a quick problem, you know, parse a text file in a certain way into a different format, that sort of thing. In the past I would take, you know, if it was a somewhat bigger project than that an hour or two putting queries into Google, following links to Programmer's Corner, stack, overflow or other similar sites, and I would piece together the language construction that I needed from other similar bits of code that I would find online. Or, if I was unable to find anything useful, like you know, solve the problem. I would then dig deeper in through the languages, actual reference texts, to find the usage in the syntax that I needed and then build up from that. You know, because you know, after you programmed a bunch of languages. They're all sort of the same largely. I mean Lisp is a different animal entirely, as is APL, but the procedural languages it's just a matter of like. Okay, what do I use for inequality? What do I use for how exactly are the looping constructs built, that kind of thing. That's no longer what I do, because I now have access to what I consider a super programming language search engine.

Now I ask the experimental coding version of ChatGPT for whatever it is I need. I don't ask it to provide the complete program, since that's really not what I want. I love coding in any language because I love puzzles, and puzzles are language agnostic. But I do not equally know the details of every other language. There's nothing ChatGPT can tell me about programming. Assembly language that I have not already known for decades, assembly language that I have not already known for decades. But if I want to write a quick, throwaway utility program, like in visualbasicnet, a language that I've spent very little time with, and because I like to write an assembly language, you know. But I need to, for example, quickly implement an associative array, as I did last week, rather than poking around the internet or scanning through the visual basic syntax to find what I'm looking for. I'll now just pose the question to chat GPT. I'll ask it very specifically and carefully for what I want and in about two seconds I'll get what I may have previously spent 30 to 60 minutes sussing out online.

It has transformed my work path for that class of problem that I've traditionally had. It's useful whenever I need some details where I do not have expertise is, I think, the way I would put it, and I've seen plenty of criticism levied by other programmers of the code produced by today's AI. To me it seems misplaced. That is, their criticism seems misplaced and maybe just a bit nervous, and maybe they're also asking the wrong question. I don't ask ChatGPT for a finished product because I know exactly what I want and I'm not even sure I could specify the finished product in words or that that's what it's really good for. So I ask it just for specific bits and pieces and I have to report that the results have been fantastic. I mean, it is literally, it's the way I will now code languages. I don't know, I think is probably the best way to put it. It is, you know, it's ingested, the internet, and you know obviously we have to use the term it knowing them very advisedly. It doesn't know them, but, whatever it is, I am able to ask it a question and I actually get really good answers. To tight problem domain questions, okay, to tight problem domain questions, okay. But what I want to explore today is what lies beyond what we have today, what the challenges are and what predictions are being made about how and when we may get more. Whatever that more is, you know, the there, where we want to get, is generically known as artificial general intelligence is a type of artificial intelligence that matches or surpasses human cognitive capabilities across a wide range of cognitive tasks. This contrasts with narrow AI, which is limited to specific tasks, which is limited to specific tasks. Artificial superintelligence ASI, on the other hand, refers to AGI that greatly exceeds human cognitive capabilities.

Agi is considered one of the definitions of strong AI. They say creating AGI is a primary goal of AI research and of companies such as OpenAI and Meta. A 2020 survey identified 72 active AGI research and development projects across 37 countries. The timeline for achieving AGI remains a subject of ongoing debate among researchers and experts as of 2023, some argue that it may be possible in years or decades. Others maintain it might take a century or longer and a minority believe it may never be achieved. Longer and a minority believe it may never be achieved. Notable AI researcher, jeffrey Hinton, has expressed concerns about the rapid progress toward AGI, suggesting it could be achieved sooner than many expect. There's debate on the exact definition of AGI and regarding whether modern large language models LLMs such as GPT-4, are early forms of AGI. Contention exists over whether AGI represents an existential risk. Many experts on AI have stated that mitigating the risk of human extinction posed by AGI should be a global priority. Others find the development of AGI to be too remote to present such a risk.

Agi is also known as strong AI, full AI, human level AI or general intelligent action. However, some academic sources reserve the term strong AI for computer programs that experience sentience or consciousness. In contrast, weak AI or narrow AI is able to solve one specific problem but lacks general cognitive abilities. Some academic sources use weak AI as the term to refer more broadly to any programs that neither experience consciousness nor have a mind in the same sense as humans. Related concepts include artificial superintelligence and transformative AI. An artificial superintelligence is a hypothetical type of AGI that is much more generally intelligent than humans, while the notion of transformative AI relates to AI having a large impact on society, thus transforming it, for example, similar to the agricultural or industrial revolutions. A framework for classifying AGI levels was competent, expert, virtuoso and superhuman. They define, for example a competent AGI is defined as an AGI that outperforms 50% of skilled adults in a wide range of non-physical tasks, and a superhuman AGI, in other words, an artificial superintelligence, is similarly defined, but with a threshold of 100%. They consider large language models like ChatGPT or LAMA2 to be instances of the first level emerging AGI.

Okay, so we're getting some usefulth episode of this podcast was posted on Perplexity AI, titled Altman Predicts AGI by 2025. The Perplexity piece turned out not to have much meat, but it did offer the kernel of some interesting thoughts and some additional terminology and talking points, so I still want to share it. Perplexity wrote. Openai CEO Sam Altman has stirred the tech community with his prediction that artificial general intelligence, agi, could be realized by 2025, a timeline that contrasts sharply with many experts who foresee AGI's arrival much later. Despite skepticism, altman asserts that OpenAI is on track to achieve this ambitious goal, emphasizing ongoing achievements and substantial funding, while also suggesting that the initial societal impact of AGI might be minimal. In a Y Combinator interview, altman expressed excitement about the potential developments in AGI for the coming year. However, he also made a surprising claim that the advent of AGI would have surprisingly little impact on society, at least initially. This statement has sparked debate among AI experts and enthusiasts, given the potentially transformative nature of AGI, and Altman's optimistic timeline stands in stark contrast to many other experts in the field, who typically project AGI development to occur much later, around 2050. Despite the skepticism, altman maintains that OpenAI is actively pursuing this ambitious goal, even suggesting that it might be possible to achieve AGI with current hardware. This confidence, coupled with OpenAI's recent $6.6 billion funding round and its market valuation exceeding $157 billion, underscores the company's commitment to pushing the boundaries of AI technology.

Achieving artificial general intelligence faces several significant technical challenges that extend beyond current AI capabilities. So here we have four bullet points that outline what AGI needs that there's no sign of today. First common sense reasoning AGI systems must develop intuitive understanding of the world, including implicit knowledge and unspoken rules to navigate complex social situations and make everyday judgments. Number two context awareness. Agi needs to dynamically adjust behavior and interpretations based on situational factors, environment and prior experiences. Third handling uncertainty AGI must interpret incomplete or ambiguous data, draw inferences from limited information and make sound decisions in the face of the unknown. Learning. Developing AGI systems that can update their knowledge and capabilities over time without losing previously acquired skills remains a significant challenge.

So one thing that occurs to me as I read those four points reasoning, contextual awareness, uncertainty and learning is that none of the AIs I've ever interacted with has ever asked for any clarification about what I'm asking. That's not something that appears to be wired into the current generation of AI. I'm sure it could be simulated if it would further raise the stock price of the company doing it, but it wouldn't really matter, right, because it would be a f. Do you think you're feeling sort of cranky today? You know it wasn't really asking a question, it was just programmed to seem like it was. You know, understanding what we were typing in. The point I hope to make is that there's a hollowness to today's AI. You know it's truly an amazing search engine technology, but it doesn't seem to be much more than that to me. There's no presence or understanding behind its answers.

The Perplexity article continues saying Overcoming these hurdles requires advancements in areas such as neural network architectures, reinforcement learning and transfer learning. Additionally, agi development demands substantial computational resources and interdisciplinary collaboration among experts in computer science, neuroscience and cognitive psychology. While some AI leaders, like Sam Altman, predict AGI by 2025, many experts also known as Security Now episode 2860. 90% of the 352 experts surveyed expect to see AGI within 100 years. 90% expect it so not to take longer than 100 years, but the median is by 2060. So you know, not next year, as Sam suggests they wrote.

This more conservative outlet stems from several key challenges. First, the missing ingredient problem. Some researchers argue that current AI systems, while impressive, lack fundamental components necessary for general intelligence. Statistical learning alone may not be sufficient to achieve AGI. Again, the missing ingredient problem. I think that sounds exactly right. Also, training limitations. Creating virtual environments complex enough to train an AGI system to navigate the real world, including human deception, presents significant hurdles. And third, scaling challenges. Despite advancements in large language models, some reports suggest diminishing returns in improvement rates between generations, between generations. These factors contribute to a more cautious view among many AI researchers, who believe AGI development will likely take decades rather than years to achieve.

Openai has recently achieved significant milestones in both technological advancement and financial growth. The company successfully closed and here they're saying again a massive $6.6 billion funding round valuing at $157 billion. But you know who cares. That's just, you know, sam is a good salesman. They said this round attracted investments from major players like Microsoft, nvidia and SoftBank, highlighting the tech industry's confidence in OpenAI's potential. The company's flagship product, chatgpt, has seen exponential growth, now boasting over 250 million weekly active users, and you count me among them. Openai has also made substantial inroads into the corporate sector, with 92% of Fortune 500 companies reportedly using its technologies. Despite these successes, openai faces challenges, including high operational costs and the need for extensive computing power. The company is projected to incur losses of about $5 billion this year.

So when I was thinking about this idea of you know, we're just going to throw all this money at it and it's going to solve the problem, and oh look, you know, the solution is going to be next year, the analogy that hit me was curing cancer, because there sort of is an example of you know, oh look, we just we had a breakthrough and this is going to, you know, cure cancer. It's like no, we don't really understand enough yet about human biology to say that we're going to do that. And you know, I know that the current administration has been, you know, these cancer moonshots and it's like, okay, have you actually talked to any biologists about this? Or do you just think that you can pour money on it and it's going to do the job? So that's not always the case. So to me, this notion of the missing ingredient is the most salient of all of this. It's like what we may have today has become very good at doing what it does, but it may not be extendable. It may never be what we need for AGI, but I think that that what I've shared so far gives a bit of color, of calibration, about where we are and what the goals of AGR, of AGI, are.

Um, I found a piece also in Information Week where the author did a bunch of interviewing and quoting of people that I just want to share just to finish this topic off. It was titled Artificial General Intelligence in 2025. Good luck with that and it had the teaser. Ai experts have said it would likely be 2050 before AGI hits the market. Openai CEO Sam Altman says 2025, but it's a very difficult problem to solve. So they wrote a few years ago, ai experts were predicting that artificial general intelligence would become a reality by 2050. General intelligence would become a reality by 2050. Openai has been pushing the art of the possible along with big tech, but despite Sam Altman's estimate of 2025, realizing AGI is unlikely soon.

Hp Newquist, author of the Brain Makers and executive director of the Relayer Group, a consulting firm that tracks the development of practical AI Makers. An executive director of the Relayer Group, a consulting firm that tracks the development of practical AI, said we can't presume that we're close to AGI because we really don't understand current AI, which is a far cry from the dreamed-of AGI the dreamed-of AGI. We don't know how current AIs arrive at their conclusions, nor can current AIs even explain to us the processes by which that happens. That's a huge gap that needs to be closed before we can start creating an AI that can do what every human can do, and a hallmark of human thinking, which AGI will attempt to replicate, is being able to explain the rationale for coming up with a solution to a problem or an answer to a question. We're still trying to keep existing large language models from hallucinating unquote, and I'll just interrupt to say that I think this is the crucial point.

Either or rather, earlier I described ChatGPT as being a really amazingly powerful internet search engine. Partly that's because that's what I've been using it to replicate powerful internet search engine. Partly that's because that's what I've been using it to replicate For my own needs. As I said, it's been a miraculous replacement for a bunch of searching I would otherwise need to do myself. My point is this entire current large language model approach may never be more than that. This could be a dead end. If so, it's a super useful dead end, but it might not be the road to AGI at all. It might never amount to being more than a super spiffy search engine.

The InfoWeek article continues OpenAI is currently alpha testing advanced voice mode which is designed to sound human, such as pausing occasionally when one speaks to draw a breath. It can also detect emotion and nonverbal clues. This advancement will help AI seem more human-like, which is important, but there's more work to do and, frankly, that's where we begin to get into the category of parlor tricks, in my opinion, like you know, making it seem like more than it is, but it still isn't. Edward Tehan, ceo of ZeroGPT, which detects generative AI's use in text, also believes the realization of AGI will take time. In an email interview with the article's author, edward said quote the idea behind artificial general intelligence is creating the most human-like AI possible, a type of AI that can teach itself and essentially operate in an autonomous manner.

So one of the most obvious challenges is creating AI in a way that allows the developers to be able to take their hands off eventually, as the goal is for it to operate on its own. Technology, no matter how advanced, cannot be human, so the challenge is trying to develop it to be as human as possible. That also leads to ethical dilemmas regarding oversight. There are certainly a lot of people out there who are concerned about AI having too much autonomy and control, and those concerns are valid. Make AGI while also being able to limit its abilities when necessary. Because of all these questions that are, limited capabilities and regulations at the present, I do not believe that 2025 is realistic.

Current AI, which is Artificial Narrow Intelligence, ani performs a specific task well, but it cannot generalize that knowledge to suit a different use case. Max Lee, the CEO of the decentralized AI data provider, urt and an adjunct associate professor in the Department of Electrical Engineering at Columbia University, said quote at Columbia University said quote given how long it took to build current AI models, which suffer from incessant I'm sorry, from inconsistent outputs, flawed data sources and unexplainable biases. It would likely make sense to perfect what already exists rather than start working on even more complex models In academia. For many components of AGI, we do not even know why it works, nor why it does not work. To achieve AGI, a system needs to do more than just produce outputs and encourage I'm sorry and engage in conversation which judgments that consider others, including the environment in which the judgments are made, and a lot more. From that perspective, we're still very far. It's hard to imagine AGI that doesn't include social intelligence, and current AI systems don't have any social capabilities, such as understanding how their behavior impacts others, cultural and social norms, etc. Unquote. Company SoftSwiss said quote to get to AGI, we need advanced learning algorithms that can generalize and learn autonomously, integrated systems that combine various AI disciplines, massive computational power, diverse data and a lot of interdisciplinary collaboration. For example, current AI models like those using autonomous vehicles require enormous data sets and computational power just to handle driving in specific conditions, let alone achieve general intelligence. Unquote.

Llms are based on complex transformer models. While they are incredibly powerful and even have some emergent intelligence, the transformer is pre -trained and does not learn in real time. For AGI, there will need to be some breakthroughs with AI models. They will need to be able to generalize about situations without having to be trained on a particular scenario. A system will also need to do this in real time, just like a human can when they intuitively understand something. In addition, agi capabilities may need a new hardware architecture, such as quantum computing, since GPUs will probably not be sufficient. Note that Sam Altman has specifically disputed this and said that current hardware will be sufficient. In addition, the hardware architecture will need to be much more energy efficient and not require massive data centers. Llms are beginning to do causal inference and will eventually be able to reason. They'll also have better problem solving and cognitive capabilities based on the ability to ingest data from multiple sources.

So, okay, what's interesting is the degree of agreement that we see among separate experts. You know they're probably all reading the same material, so there's some degree of convergence in their thinking. But you know, altman is an outlier and it seems to me as though these people know what they're talking about from the things they've said. It seems to me as though these people know what they're talking about from the things they've said. Perhaps you know, maybe Sam has already seen things in the lab at OpenAI that no one else in the outside world has seen, because that's what it would take for Sam to not be guilty of overhyping and overpromoting his company's near-term future. Now I put a picture in the show notes. You had it on the screen there a second ago, leo, that is not a mock-up, that is not a simulation. This is an actual image of a tiny piece of cerebral tissue. Those are neurons and axons and dendrites. The coloration was added, but that is actual human brain tissue in that photo in the show notes, in that photo in the show notes.

I'm especially intrigued by the comments from the top academic AI researchers in the world who admit that to this day, no one actually understands how large language models produce what they do. Given that, I'm skeptical that just more of the same will result in the sort of qualitative advancement that AGI would require, which is certainly not just more of the same. When I said in the past that I see no reason why a true artificial intellect could not eventually be created, I certainly did not mean next year, I meant someday. I meant that I believe that a biological brain may only be one way to create intelligence, to create intelligence One thing I've acquired during my research into the biology of the human brain is a deep appreciation for the astonishing complexity I mean astonishing of the biological computing engine that is us. That is us.

The number of individual computing neurons in the human brain is 10 to the 11. Okay, so that's 100 billion. 100 billion individual neurons. A billion neurons 100 times over. So you know, consider that, a billion neurons 100 times. And not only are these individual neurons very richly interconnected, typically having connections to 20,000 others, each individual neuron is, all by itself, individually, astonishingly complex in its behavior and operation. They are far from being simple integrative binary triggers, like you know, we learned in elementary school and we have 100 billion of these little buggers in our heads. So perhaps Sam is going to surprise the rest of the world next year. We'll see Color me skeptical but not disappointed. As I said, I'm quite happy to have discovered the wonderful language accessible internet digest that chat GPT is. You know, that's more than a simple parlor trick. It's a big deal and it's, I think, kind of magic. But I suspect that all it is is what it is and for me that's enough for now. I'd wager that we have a long ways to wait before we get more.

2:09:52 - Leo Laporte
How would you know if something is in an AGI? That's one of the things that's bothered me.

2:09:59 - Steve Gibson
The Turing test is not real.

2:10:02 - Leo Laporte
There's a Chinese room test. That may be a little better. I think there's really no way to judge an AGI. No I mean AGI.

2:10:08 - Steve Gibson
No, I mean it would Well. Another perfect example is chess. Once upon a time you could have easily said well, humans are Humans, can play chess. No machine can play chess, right, I mean, that was something people were saying for a long time. Now we've just. You know, the computers have blown past us, and I know that you have also used constrained domain large language models, which you've trained by dumping all of a bunch of Lisp textbooks into it and then been able to ask questions. This is a fantastic.

The solution we have for cancer is by using chemotherapy to limit growth of our whole body, because cancer cells are a problem because they're able to reproduce at such a high rate. I mean, it's like we haven't even begun to start an actual cure. We just have sort of mitigation that is able to push people into remission. My feeling is that I agree with the experts who suggest that what we may see today, we should regard it as nothing more than what it is, and there's no reason to believe that we're going to get some sort of transformation just by getting more of the same.

2:12:05 - Leo Laporte
Yeah just by getting more of the same. Yeah, I also think that looking for an AGI is maybe not really the sensible end goal. That machines could be as useful as an AGI or as powerful as an AGI without actually being a general intelligence. I don't know if that's a reasonable thing to be measuring.

2:12:31 - Steve Gibson
Well it is certainly the case that if you, if we had something where people could could describe casually exactly how and how they wanted a computer program to operate and actually got a functioning error-free, bug-free thing, that would be transformative for the world of coding Right, and I would not be surprised? Yes, I would not be surprised if we don't have something like that before long.

2:13:07 - Leo Laporte
I asked one of my favorite AIs, perplexity AI, which is a search internet search engine. You should give it a try, since that's how you seem to think or seem to like using AI. So I asked is there a test for AGI? It mentions a Turing test, some other tests, but then it mentioned some casual tests, like the coffee test. An AI enters an average American home and figures out how to make coffee. You know what, if a robot could do that, it may not be AGI, but boy, that's impressive.

Or could go to college, enrolls in a university, obtains a degree passing the same classes as humans. I think we might be close to that passing the same classes as humans. I think we might be close to that. The IKEA test an AI controls a robot to assemble flat pack furniture correctly after viewing parts and instructions. Many humans can't do that, so that would be an interesting test as well. I think that those are obviously kind of silly, but that points out there is no kind of accepted definition for what AGI is and there are many different ways. Just as with humans, there are many ways to be intelligent. I think there are many ways for a machine to be usefully intelligent. If a machine could come in my house and make coffee without any you know advanced knowledge about that, except kind of maybe a basis basic idea of what coffee is and how to make it. I'd be impressed. I think that would be useful. May not be agi, but it'd be pretty cool.

2:14:41 - Steve Gibson
Anyway, yeah, there was a happen in our lifetime I love nim uh, and there was a way to to set up um, a, a computer, using match boxes and match sticks right where, where you would you?

you? Basically, this thing was like a very early combinatorial computer and by iterating on this you were training it to make the right decisions over time about how many sticks to take away when a certain number of matchsticks remained. And I mean, this is the kind of stuff that fascinated me as I was a kid. I wasn't climbing stairs on the outside of the banister, I was you know.

2:15:32 - Leo Laporte
But see, that's combinatorial math and you can easily see how it would be simple to program something. You know. I have kind of a famous book a list book, as it turns out, by Peter Norvig, called paradigms of artificial intelligence programming, and it talks about the some of the or. It is an early book. I think it's 30 or 40 years old now. It's in public domain. It's that old. But he talks about some of the early attempts to do what he called a gps, a general problem solving machine, and it's basically that. It's a combinatorial thing. We'll try this and then this and then this, and if that doesn't work, backtrack, then try this and this, and you could see how you could solve chess that way, given a fast enough machine, or even Go, which is a lot more difficult to play than chess, or protein folding, a lot of things. Those are useful tools, maybe not intelligent, but we don't even know what human intelligence is, so I don't know how we, yeah, and I think you're right when you mentioned protein folding.

2:16:35 - Steve Gibson
there are many people who are expecting that what we have now, or could have in a year or two, could make, you know, dramatically change health care by, like you know, looking at mass amounts of data and pulling associations and relationships out of that that we don't see, because it just has a scope that we don't have.

2:17:03 - Leo Laporte
And that's really more a question.

2:17:06 - Steve Gibson
Yeah.

2:17:08 - Leo Laporte
And it has something to do more with capacity the amount of data it can store, which is so much faster than a human mind, the amount of speed with which it can process it again faster than a human mind. That doesn't make it intelligent, that just makes it faster and bigger and better in some ways. I think it's a fascinating subject and you probably feel the same way as science fiction fans. I think we both would love to see AGI in our lifetime. Just be fun to talk to an alien intelligence that we created.

2:17:39 - Steve Gibson
It would certainly be the case that creating a conversation would be a next step, that creating a conversation would be a next step where, if you actually got a sense of you know they're, they're, they're being something there, I just I don't, I get no sense that that it's anything other than you know and it's clearly you know it's, you know it refers to itself in the first person. You know it's like let me know if there's anything more I can do for you. So they're like. You know they gave it a bunch of sugar coating, right. It is designed to make us think like you know, exactly like we're talking to us, to an entity.

2:18:18 - Leo Laporte
It's not an entity. Even the word hallucination really is an inappropriate anthropomorphization of what's really going on.

2:18:25 - Steve Gibson
Yeah, calling it a mistake.

2:18:27 - Leo Laporte
It's just a mistake. It's just a mistake, it's an error, steve, as always, fascinating show, great information, lots of food for thought. We just got an email from a prisoner who listens to the show, but he's allowed to listen to the podcast in the library, but he can't read the show notes because he doesn't have access to the Internet.

And he said could you print out the show notes and mail them to me? And I think we will. I think they should allow that. Talk about rehabilitation. Start listening to this show by the time you get to episode 1002, you're going to be pretty smart about this computer stuff.

2:19:06 - Steve Gibson
You'll have a career when you get out of jail.

2:19:08 - Leo Laporte
I think you might well. You might well. I'm glad you listened to the show and I hope you keep listening. A special thanks to our Club Twit members who make this possible with their $7 a month. That's all it is. That's the lowest price of any podcast network. For all the shows we do, for all the content we do, for access to the Discord ad, for all the content we do, for access to the Discord ad-free versions of the shows. Specials we put on, like our photo specials, our coffee specials, coding there's all sorts of stuff going on crafting in the club. I think that's a pretty good deal for seven bucks and it really makes a difference to our bottom line.

If you have not yet joined, please go to twittv slash club twit. Two weeks free. You can see what it's like and if you refer somebody you'll get a link when you sign up. If you use that link, put it on your socials and refer somebody, you'll get a free month for everybody who joins, which means you you could possibly, if you have enough friends, never pay for club to it at all. Twitter dot TV slash club to it. Spread the word. And for our existing members. We thank you so much.

We do this show every tuesday right after mac break. Weekly. That ends up being about 1 30 to 2 pm pacific, let's say 5 pm eastern, 2200 utc. I mentioned when we do it because we stream it again. Thanks to the club members, we're able to stream this live on eight I have to put up the fingers because I lose track eight, eight different platforms. There's the Club, twit Discord, there's TikTok, there's Xcom, twitch, youtube, linkedin, kik and I left out some Facebook. Did I get LinkedIn, one of them? Lots of places, you know what? If you go to twittv slash live, you'll see a list of all of them. Watch live if you want, but I highly encourage you to get a copy of the show Now. You can get it from Steve if you want. We certainly encourage you to do that.

Grccom he has a couple of unique versions on his website the 16-kilobit audio version, which is a little scratchy, but it's small. It's small, it's small, small but scratchy. I know people like that. He also has the 64-kilobit audio less scratchy, sounds a lot better, but it's five times bigger, four times bigger. He also has the transcripts, which are great. We mentioned those earlier. Elaine Ferris does those. She does a wonderful job. They're great for searching, or I think people like to read along. In fact, somebody had a tip I saw that listen at double speed and then read along with it. You'll understand it all completely, but you'll get it done in half the time. Isn't that a clever idea? Try it.

2:21:40 - Steve Gibson
It's like having subtitles. Yeah, exactly.

2:21:44 - Leo Laporte
It's subtitles for the show and really good ones, right? Not computer generated GRCcom. While you're there, take a look at Spinrite. 6.1 is the current version of the world's best mass storage, maintenance, performance enhancing and recovery utility. If you have mass storage, you need Spinrite. Get a copy right now. It's Steve's bread and butter. Yeah, get a copy right now. It's Steve's bread and butter, not. But soon something else is coming along. I will be paying for that pro version of the DMNS benchmark as soon as that's available.

It'll be good It'll be. I can't wait to see that. I'll keep that running all the time. Lots of other stuff there for free, including shields up grccom. And if somebody was saying, if he sent me an email, said if Steve would just publish his email I would send it to him. Do not send me email for Steve. Send it to Steve. Here's how. Go to GRCcom, slash email. Enter your email address. Excuse me, optionally sign up for the newsletters. But that's optional. You don't have to. But he will then validate your email address and you can just send him email at security, now at grccom you just send it.

It's amazing. Uh, that's new, actually, and it's a really good solution to uh, to steve's emails, uh problems. So again, grccom slash email. We have the show at our website, twittv slash sn. When you're there, you'll see a link to the YouTube channel a great way to share little clips. Please do that. People who don't listen to Secure Now send them some useful stuff. Say you're missing a great show. You should be listening. That helps us a lot. So, grc, I'm sorry. Twittv slash SN. There's a YouTube link there and there's also, of course, best way to listen Subscribe in your favorite podcast player. You'll get it automatically. There's audio and video and then you don't have to ever worry about it. You'll have a security now in your inbox suitable for listening at any time. Steve. Security now in your inbox, suitable for listening at any time. Steve, have a great week.

2:23:51 - Steve Gibson
I'm about a third of the way through peter f hamilton's exodus. Uh, I'm. It's dragging a little bit. I'm at.

2:23:57 - Leo Laporte
I'm at three quarters and it's like okay I was afraid of that. Yeah, so far.

2:24:03 - Steve Gibson
I have to say a third of the way, and it's gripping well he's so inventive it is definitely that um see what you think when you get to 75 I'm gonna talk. It's like okay, well, you know it's a lot of work you really don't want that in your science fiction no, you got to what they call the slog.

2:24:24 - Leo Laporte
Uh yeah, the slog is never fun. We got the slog with that one with Al Capone in it. Oh, there was that.

2:24:32 - Steve Gibson
And then that other last whatever that I don't even remember, dreaming Void, there were all the kids on that planet and they were running around and I don't know what happened. Okay, peter.

2:24:44 - Leo Laporte
It's hard to write a thousand-page and keep it going all the time. Yeah well, but we still love it. We do. Uh, thank you, mr gibson, have a great week. We'll see you next week on security. Now, right, oh, bye, bye.