Security Now 1007 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here this week. A revelation: there is an incredible number of yet unencrypted email servers out there. You don't want it to be your provider. Steve will talk about that and why it's still happening. Also, a CAPTCHA that you can solve by playing Doom. And then Steve gives us the results of three weeks of hardcore research on how AI works. A really good, I think, insight into artificial intelligence. That and more coming up next on Security Now. Podcasts you love.
0:00:39 - Steve Gibson
From people you trust.
0:00:42 - Leo Laporte
This is TWiT. Trust, this is TWiT. This is Security Now with Steve Gibson, episode 1007, recorded Tuesday, January 7th, 2025: AI Training and Inference. It's time for Security Now, the first show of a brand new year, with this guy right here, Mr. Steve Gibson, who did not miss his Tuesday broadcast one bit, right?
0:01:14 - Steve Gibson
You're right. As it turns out, working almost 24/7 around the clock on code can actually burn one out. You burned out coding. I got to a point where, especially when I was, okay, so I'm working on the DNS Benchmark. IPv6 has been fully supported now for a while. Nice. I'm now working on bringing up the TLS, the secure encrypted protocols, and the problem was these are all new features, right? This is, yeah, this is all new. So you've had a...
0:01:50 - Leo Laporte
DNS Benchmark for a long time, but you're going to do a pro... I should fill people in who didn't hear this: a pro version that will have additional features.
0:01:57 - Steve Gibson
Yeah, so here was the problem. The problem was that I wrote it 15 years ago originally, and an IPv4 address is 32 bits, right. Well, that's the size of the registers in the x86. Convenient. Yes, yes. Throughout the entire code I'm assuming that a DNS server's IP fits in a register. Yeah. And so you can do so many clever things that way. Of course, you can index into a list using the IP address.
You can sort the IPs by sorting 32-bit words that are the native size of the processor, so fast, I mean. Well, and so the first thing that happened was IPv6 won't fit in a register because that's 128 bits. So fast DNS, you know, DoH and DoT and DoQ, which is the QUIC protocol, all of which this next generation of the benchmark will support. So the first thing I had to do, which is where, I don't know, the first month went, and, oh Leo, I had to be like checkpointing my code. I would go, try to make some changes and go down a blind alley and go, okay, well, that didn't work. So I'd restore the original source code, learning what I had learned from what didn't work, and try again. I mean, I have had to rewrite a huge portion of the original benchmark because it was so locked into 32 bits for an IPv4 address, and that had to be completely scrapped in order to allow both IPv6 and, basically, URLs.
0:04:00 - Leo Laporte
The way you address DoT, you know, DNS over TLS, DoH, DNS over HTTPS, and DoQ, you address them as URLs, not as IP addresses. So anyway, now you have an appreciation for what the Unix graybeards are going to have to go through between now and 2038, having represented time as a 32-bit number, which fits very conveniently into a register. They're going to have to add a few bits.
0:04:32 - Steve Gibson
Yeah. Anyway. So about a month ago, I guess, IPv6, I got that all running. The fact that it ran at all meant that I had now abstracted myself out of the IPv4 32-bit problem. That was all working. But I've never had the occasion to create a naked TLS connection, because normally you just use HTTPS, and I've done that a lot on my various apps, but I've never needed to create, like, to do a certificate exchange and negotiate a TLS protocol.
0:05:10 - Leo Laporte
All that's handled by the browser, right? Exactly. Now you've got to do it yourself.
0:05:14 - Steve Gibson
Or a Windows API that just does it all for you. So, in order to get a non-HTTP raw TLS connection, that was all new code. So that's all now in there, and I do have DoT working.
0:05:30 - Leo Laporte
Anyway, we got into all this because, actually, what you got done in a few weeks, that's very impressive. Well, it's, it's... It almost killed you, didn't it?
0:05:40 - Steve Gibson
What happened would be, after working for five days morning, afternoon and evening, and Lori's saying, honey, really, you work too much, I got to a point where, if I was facing some next challenge that I had to deal with, I was like, okay, I can't do this now. In the morning I'll be fresh. Anyway, what I realized was not having the weekly break, like the enforced break to switch to Security Now, bring myself up to speed about what's been going on, read all of our listener feedback in order to, like, you know, get the hints from our listeners. It actually is a good thing, so I'm glad we're back.
0:06:29 - Leo Laporte
Think of it as your weekend the day and a half to two days you have to prepare for Spirion.
0:06:34 - Steve Gibson
Actually, that's really what it is. It's a time-shifted weekend because I work on code all through the weekend.
0:06:41 - Leo Laporte
Of course, there's no Saturday and Sunday for this man. There is Monday and Tuesday, though. That's the weekend. Anyway, that's the thing.
0:06:47 - Steve Gibson
Today's podcast, the first podcast of 2025. Wow. Is titled AI Training and Inference.
0:06:56 - Leo Laporte
Oh, I know what else you did over the break. You learned a little bit about AI, didn't you?
0:07:01 - Steve Gibson
Yes, as I told our listeners, because I said, okay, it was going to be three weeks, right, because we had the Best Of, and then we were dark on New Year's Eve.
0:07:15 - Leo Laporte
So for me it's been three weeks since I was last focusing on the podcast, and I told everybody. To be clear, what Steve has done in three weeks is figure out how to use IPv6, how to do TLS naked, and how AI works. Not much. It was a good holiday. Holy moly.
0:07:40 - Steve Gibson
So before we launch into the podcast, I want to take a moment to assure everyone who's like, oh God, not more AI, that this podcast, which we call Security Now, is not morphing into AI Now. And, yes, here today, you know, we have and will spend time looking at what's been, you know, quietly simmering in the back rooms of university and commercial labs for years and has just suddenly, you know, burst. From time to time we've veered rather far afield, touching on topics of health, science fiction, the Voyager spacecraft and even homemade portable sound guns. What underpins all these diversions is the underlying science and technology that makes them go and, in this most recent case, my focus and fascination with AI. All of the feedback that I've received from our listeners has suggested that this is a topic of interest that is deeply shared, and in fact we've got a bunch of listeners who are in AI. We've got Google AI listeners among those here.
So over the holidays, during the three weeks we've been apart, as we said, I focused upon bringing myself up to speed, really, about what's been going on and I've come away with an understanding, I think, of the big picture and I have a number of observations that I'm excited to share.
Fallout from AI research will bear directly upon the security of our software. I don't know how. You know, Microsoft must have a team because, you know, they're sharing, already thinking, how can we leverage this to have fewer patches on every second Tuesday of the month. So, anyway, I wanted to assure everyone, yes, we're going to talk about it again at the end of today's podcast, but not forever. I really think this gets it out of my system, and I will be now content to wait for things to mature. But we're going to talk about more than that, of course. We're going to talk about the consequences of Internet content restriction, the measured risks of third-party browser extensions (there have been some more troubles there), the consequences of SonicWall's unpatched 9.8 seriousness, you know, CVSS score, firewall severity, the incredible number of still unencrypted email servers, Leo, meaning not individual email encryption but the interchange of email among servers, still not encrypted today.
0:11:20 - Leo Laporte
That's a shock. People are sending their passwords in clear text. Just wait.
0:11:23 - Steve Gibson
Yes, yes, exactly. And the content of their email. I mean, everything is in the clear. That's shocking. Also, and I heard you mention this, I think it was on Sunday, we have the declaration, we hope it's true, that Salt Typhoon was finally evicted from three telecom carriers. They've all said, oh, you know, Verizon...
0:11:44 - Leo Laporte
They're all gone now.
0:11:46 - Steve Gibson
So they say. Also, HIPAA is getting a long-needed cybersecurity upgrade. The EU, oddly, has decided to standardize on USB-C for its power charging. What? And then, believe it or not, we have a CAPTCHA which you solve by playing Doom. So, once we've caught up with all that, I'm going to share what I've learned from three weeks of studying AI technology and, of course, we also have, as our Picture of the Week, Security Now's first ever caption contest.
Well, this will be fun. And those of you watching live...
0:12:34 - Leo Laporte
Don't look, hold your powder. We'll give you a chance to caption the upcoming Picture of the Week in just a moment. It's going to be a good show. Today, our show is brought to you by, very happy to say, Bitwarden, back for 2025, and goodness knows, you probably need it. Certainly, anybody who these days is using a browser, or has anything they want to keep private, is using passwords and, as you well know, the human brain was never designed to remember hundreds of passwords. You need help. You need Bitwarden, the trusted leader, not just in passwords, but in keeping secrets and in passkeys, which, you know, we're in this transition period. You probably can replace some of your passwords with passkeys, but you still need a password manager. And what better place to store your passkeys than not in your phone or your computer, but in the one thing that's with you all the time, your password manager? Bitwarden's open source. It's a great solution, and it's a really good solution, not just for individuals, but for businesses.
In today's digital landscape, it's more important than ever to protect your organization. Bitwarden has stepped up to the challenge with powerful new features designed to simplify and fortify your password management. Recently, Bitwarden expanded its Teams plan, so they have an Enterprise plan and a Teams plan, with robust SCIM, that's System for Cross-Domain Identity Management, SCIM provisioning for users. This is a big deal. This allows MSPs and organizations to really streamline the access control, easily integrating seamlessly with leading IdPs like Azure Active Directory and Okta and OneLogin and JumpCloud. Bitwarden delivers enterprise-level security capabilities that work for businesses of all sizes. That's just one of many, many features in Bitwarden.
Bitwarden has also redesigned, I don't know if you saw this, this was kind of a little New Year's gift for everybody who uses Bitwarden, they've completely redesigned the extension. They've created an intuitive and more efficient password management experience. I think it looks really nice. It's got a modern interface, but there are also benefits under the hood: faster navigation, the organization is clearer, workflows are smoother. It makes it easier for individuals and businesses to do what Bitwarden does best: manage their passwords across platforms.
And, by the way, it's not just about security. One of the things that sets Bitwarden apart is its simplicity. Setup is easy. It only takes a few minutes. They automatically will import from most password management solutions. And I said it's open source, and it really is. It's GPL licensed. It's posted on GitHub. You can look at the code, you can inspect it, anybody can. But Bitwarden also pays for regular audits by third-party experts and, unlike some other companies, publishes the full results of those audits. So you can use Bitwarden with confidence. Look, your business deserves a cost-effective solution for enhanced online security. You deserve Bitwarden.
Get started today with Bitwarden's free trial of a Teams or Enterprise plan and, as always, because it's open source, it's free forever across all devices, as many passwords as you want, including passkeys and hardware keys, as an individual user. Free forever at bitwarden.com/twit. I know you use a password manager, and your business probably uses one, but are they using the best one? Help them get to the best password manager: bitwarden.com/twit. And if you've got family members or friends who say, I don't need a password manager, they really need Bitwarden. Tell them it's free forever for individuals. bitwarden.com/twit. Okay. Caption contest time. Steve, do you want to prepare us in any way for this?
0:16:41 - Steve Gibson
Well, so, you could just look at the picture. Okay. And it raises more questions than it answers. What's it protecting would be question number one.
Yeah. And what I love is that you can sort of see a bit of a path out from the vantage point of the photographer of this to the gate. So for those who can't see, it's just this bizarre... Normally you can sort of figure out, okay, with one of these strange pictures, how it came to pass. We have a metal security gate with bars and a locking plate that's protected, so you can't slip a credit card in, and a locking handle, out in the middle of a field.
0:17:40 - Leo Laporte
This is the field that Steve says you have to go to to have completely private conversations. Maybe that's what it's protecting, I don't know.
0:17:49 - Steve Gibson
It hasn't been mowed for a decade. We've got, you know, bushy trees in the background. Someone said it looks like one of the plants behind it looks like a cauliflower or something. I don't know, but it's like, what? I mean, how do you explain this? It's crazy. So as I was looking at this, thinking this is a crazy photo that would be great for the podcast, and coming up short for a caption that I loved, I thought, okay, let's leave this to our listeners. Let's turn this over to everyone who sees these every week and gets a kick out of them. So, anyway, this is Security Now's first caption contest. Here's the picture. It's in the show notes. Take a look at it. You know, you can write to securitynow@grc.com.
I sent the email, the show notes and so forth, out to all of the subscribers to that list last night, and I forgot about the caption contest as being a thing, and I thought, why is all this email coming in, like, immediately? And that's why, before the podcast, I asked you, Leo, I think you're going to have to explain to me what's going on with Narnia, because if there's one term I've heard more than any others... I mean, we've had, I should say, already a bunch of great submissions. Don't let that forestall anybody from sending theirs in. Next week we will have the, what, the top 100 captions that have been suggested out of the thousand that I imagine I'm going to be receiving.
0:19:37 - Leo Laporte
And now you know what Narnia is. Of course, it's from... It's a magical kingdom from the book The Lion, the Witch and the Wardrobe, and you get to it by going through the back of a giant wardrobe closet, and this does look like maybe... you can't tell from looking at this.
0:19:53 - Steve Gibson
This is actually a portal to somewhere else, and because it looks like you're actually seeing this... that makes sense, actually, this shrubbery behind the gate. But no, if you... and clearly some people have walked down that path from here to the gate, probably just to check, you know, jiggle the handle and see if the gate's locked or not.
0:20:16 - Leo Laporte
It's an attractive nuisance. For sure, we're getting some suggestions from the chat room.
0:20:21 - Steve Gibson
Like, oh, I forgot...
0:20:21 - Leo Laporte
my key, would be one, and The Long Forgotten Protocol is another. But I bet you the best way to do it would be to email Steve. Is there a prize for the best caption?
0:20:36 - Steve Gibson
Hearing yours read out loud, yes, on the podcast. You'll be... they'll be like, that was mine. That's your prize. I said, that's your prize. Awesome. That's not what I said.
0:20:44 - Leo Laporte
That's your prize. Awesome. All right. Well, let's get going. We've got a show to do here. We do, indeed. Lots of stuff probably happened in the last three weeks.
0:20:54 - Steve Gibson
Okay. So I know you touched on this a little bit on Sunday, sort of tangentially, but questions surrounding restrictions on access to Internet content are both controversial and nuanced. You know, they factor in the individual's age and their location, the nature of the content and the prevailing government, and, you know, if 10 different people are asked about restrictions on access to Internet content, you're going to get 10 different answers back. So not a lot of consensus there. And where questions of access to Internet content by children arise, even parents and guardians will disagree. But I do know from conversations with many parents of young children, many of whom take time from their lives every week for this podcast, that managing what their kids are exposed to on the Internet is a source of significant concern. The first thing many of our listeners do when setting up a new network at home is to choose a DNS filtering provider that offers what's known as a family-oriented plan, which filters out and removes access to the Internet's, you know, more unseemly websites. Now, one place where everyone, I would say nearly everyone, agrees is that age appropriateness is a thing. You know, there's content on the Internet that requires some maturity and perspective to understand correctly. Back in the days before the Internet, you know, which is a world that many of us remember well, our rough age could be determined just by a glance at us, right? So if, at the tender age of 10 or 11, we were to try to get into a bar or a strip club, you know, those who stood to lose their license to operate such a facility would go to great lengths to prevent our entrance. And, you know, everyone's familiar with the concept of a fake ID. You know, the only reason for needing to fake an identity is to enable its holder to do something that the law forbids them to do at their true age. But what's different today is that we have the Internet, and no one knows how old anyone is in cyberspace.
Although there can be some benefits to this, it's also subject to abuse, and this represents a profound change from the physical world that many of us grew up in.
Having been born in '55, I was 34 years old by the time that, in 1989, Tim Berners-Lee came up with the idea for the World Wide Web. That means that there was never a time for me when a website might ask me to verify that I was at least 18 years old, and that wasn't true. I was nearly twice that age by the time that websites started thinking that would be a good thing. But there's no doubt that, with gossip and curiosity and peer pressure being what it is, plenty of today's children, who are probably far short of their 18th birthday, might well be clicking those "you betcha, I'm 18" buttons. You know, it's not my intention to moralize, and I'm not doing that here. If today's Internet existed when I was 14, I have no doubt that I would have been, you know, curious to see what was hidden behind those buttons, and that I might've been pressing them after first bouncing my connection through a handful of Tor nodes. Now, I suspect that few parents would disagree that, where age appropriateness is concerned, a world of difference separates access to the sort of, you know, hardcore adult content that's readily available on the Internet from, you know, viewing TikTok cat videos. And the difference is so stark that the Internet's premier adult content website already blocks its access across much of the US southern states, and it just went dark across all of Florida last Wednesday in a preemptive action as the Sunshine State's latest legislation went into effect.
A lot of this legislation happened here at the beginning of 2025. Okay, so that's on the extreme side, but what about the cat videos? I chose this as our first topic of 2025 because, as we start into this new year, as I said, more and more states are enacting, and have enacted, internet age restriction legislation aimed at the far more benign gray area of modern social media. And much of this new legislation that just went into effect at the beginning of the year is ad hoc, I think, because we've been addressing the issues for a while. It's increasingly well understood that there are pros and cons to this, but if you look across the legislation, it's just random and uncoordinated.
Here's a really brief timeline. On July 1st, so summer before last, 2023, Connecticut put legislation called SB3 into effect, which requires social media platforms to obtain parental consent before allowing minors to open accounts. Then jump forward a year to last summer. On July 1st of last year, Louisiana's Act 456 requires social media platforms to impose limitations and restrictions on certain accounts, implement age verification for account holders and obtain parental consent. A couple months later, September 1st, that's four months ago, Texas HB18 requires digital service providers, such as social media platforms, to get consent from a parent or guardian before entering into an agreement with minors younger than 18, including to create an account. On the 1st of October, Maryland Kids Code, as it's called, requires social media platforms to set default high privacy settings for users under 16, ban the collection of children's data for personalized content, ensure age-appropriate design, implement age verification and obtain parental consent for younger users. The same month, Utah HB 464 and SB 194, House and Senate in Utah respectively.
The Social Media Regulation Act requires parental consent for minors to create social media accounts and mandates age verification by social media companies. It also restricts social media use between 10:30 pm and 6:30 am for users under 18 without parental consent. 1st of January, so 2025, Tennessee HB 1891 requires social media companies to verify the age of users attempting to create and maintain accounts. It mandates that platforms obtain parental consent for minors under 18 and enforces stricter privacy and safety measures for these users. The law aims to protect minors from potential online harms by ensuring that social media companies comply with these new regulations.
There were also three others that passed and will be coming into effect: Florida, the one I mentioned before, HB3, requiring social media platforms to verify users' ages, obtain parental consent for users under 18, protect minors' personal data, and limit their exposure to harmful content. Georgia's SB 351, known as the Protecting Georgia's Children on Social Media Act of 2024, requires social media platforms to implement age verification processes for users, mandates parental consent for minors to create accounts and restricts social media use in schools. And finally, Minnesota MNHF 3488 sets rules for compensating minors who contribute to online content creation. What? You're going to compensate them? It requires content creators to keep records and set aside earnings for minors, and it allows for legal action against violators. It also mandates the removal of content featuring minors upon request. And I should mention also, I didn't put it in the show notes, but the penalty in Florida is $50,000 per infraction.
0:30:26 - Leo Laporte
Per minor yes, yeah.
0:30:29 - Steve Gibson
It's like, what? Okay, and on top of all this, our US Congress also has some legislation that's been floating around since 2023, known as the Protecting Kids on Social Media Act, and its future is unclear, and I have no idea what position the incoming administration and our next Congress will adopt on such measures. You know, on the one hand, there's the politically popular promise of protecting the children, whereas the flip side is that pesky US Constitution's First Amendment guarantee of freedom of speech, and I should mention that a bunch of this new legislation is already under injunction because the First Amendment says you can't do some of these things, legislators, no matter how much you want to. Now, a well-known website featuring adult content greets its visitors with this statement. It says, quote: "Did you know that your government wants you to give your driver's license before you can access this site?" It says: "As crazy as it sounds, it's true. You'll be required to prove you are 18 years or older, such as by uploading your government ID, for every adult content website you'd like to access. We don't want minors accessing our site and think preventing that from happening is a good thing, but putting everyone's privacy at risk won't achieve that." Now, of course, it's unclear what would prevent anyone from uploading a photo of someone else's ID, or just synthesizing one from scratch to upload. Well, you can imagine a bunch of websites will pop up. You know, the create-your-own-ID site.
But the larger point here to note is that there are consequences to this move from the real world to the cyber world, and that the unfettered anonymity and freedom we've enjoyed through the first 24 years of the 21st century Internet may soon be challenged. Now, it may be that none of this will come to pass, or that at least if it does, it won't be until its consequences have received significant legal and constitutional scrutiny. You know, in reaction to Florida's new laws, last October the Computer and Communications Industry Association and NetChoice, whose members include, you know, the likes of Google and Meta, you know, big social media platform providers, filed a federal lawsuit challenging the constitutionality of the various restrictions being imposed by this new Florida law. The lawsuit's text stated, quote: "In a nation that values the First Amendment, the preferred response is to let parents decide what speech and mediums their minor children may access, including by utilizing the many available tools to monitor their activities on the Internet." Unquote. Now, this feels as though it's headed to the Supreme Court, because US legislators are going to need to have some clarification about what they can and cannot require of social media and other companies. But what seems clear today is that these long-simmering issues are beginning to come to a boil, and that the parents and guardians of minors may soon be put in the loop, at least, and given the controls, hopefully, which they need to allow their households to abide by whatever the prevailing laws end up being for their locality.
But the question is, how can this also be done while preserving the privacy of the individual? As I started out saying, no one knows how old anyone is in cyberspace. That also applies to you and me, right? No one looking at me today in the physical world would mistake me for a minor, but when any of us connect to any website, there's no indication of any kind how long we've been breathing this planet's air. There's been a freedom that we've all enjoyed up to now, so we need to consider what it means to have that change, since that's what we're talking about here. No one would argue that our children don't need to be protected from harm, even while we're going to be needing to somehow affirmatively show that we're not minors who are in need of state-mandated protection. How do we do that without sacrificing a great deal of the privacy we currently enjoy?
0:35:44 - Leo Laporte
I don't know, Leo. Yeah. As you know, we talk about it a lot on all our shows. Australia passed a law banning all social media for kids under 16, right, like a few months ago. Right. And we did... Still, it's not in effect. It won't be in effect till the end of the year, but their attitude is, well, we don't know how to do this, but you guys are smart, you figure it out.
0:36:05 - Steve Gibson
Well, and we saw how well that worked for the encryption problem. It's like, we need to be able to see what people are doing and we don't know how. So you guys are smart, you guys, you know, you techies, you just figure out how to give us what we want and not breach anyone's privacy. No, really, the biggest point I wanted to sort of point out here is that the physical world figured out how to do this a long time ago, you know, and that's the world we grew up in. But in cyberspace, it really, I mean, it's easy to forget that anonymity is something that we sort of take for granted with our use of the Internet. But that's at odds with exactly what all this legislation which we're now seeing begin to happen wants to do. It says, you know, we need to know how old you are, and that's a huge change. And it's not just how old children are. They need to know how old we are, to know we're not children.
0:37:19 - Leo Laporte
Yeah, I got carded the other day, and I thought that's hysterical, but the guy said, well, it's policy. We know, obviously, you're not under 18 or under 21.
0:37:26 - Steve Gibson
I was too. I was trying to remember where it was. Somebody asked for my ID. I said what?
0:37:33 - Leo Laporte
This was at a Cost Plus, one of those import stores, and he just said, yeah, we just do it. I said, I'm not even buying the liquor, this old lady is, and he said, I need hers too. There is a cynical side of me that says, and this is true, I would say, in Texas, Louisiana, a few states where they don't want this to be solved, they want to ban pornography, and so they don't really care if this can't be solved. They're happy when these, and it's happened in a number of these states, including now, just now, in Florida, where these big pornography sites just abandoned the site, they say, abandon the state.
0:38:11 - Steve Gibson
so they can't afford the lawsuits.
0:38:13 - Leo Laporte
It's just not worth it, and I think, honestly, that's what the legislators want, seriously. That's what they're trying to do, is to scare the adult websites out of their state.
0:38:21 - Steve Gibson
Yeah, they don't like pornography.
0:38:22 - Leo Laporte
That's a whole different argument, and it doesn't have a security angle to it. But, you know, we live in interesting times, don't we?
0:38:35 - Steve Gibson
Well, and for me, we've talked about this a little bit yes, we do live in interesting times, which is why I'm so glad we're here now, Leo.
0:38:45 - Leo Laporte
And you and I are talking about this. Especially, by the way, for AI, because that's about to change everything in ways that may make this trivial, right?
0:38:53 - Steve Gibson
So for me, the question is the technology of this, right, because we've talked about the technology of tracking, we've talked about the technology of encryption. Well, what about the technology of age attestation? How do you do that? Because one of the things that upset us about that first Google attempt at eliminating tracking was where, when you visited a website, it would present that token that told the site about your interests. And everyone said, and I remember you saying, you know, quite rightly, wait a minute, you know, they don't have that now. So suddenly our web browser is going to be telling every site we visit what our collection of interests are.
0:39:45 - Leo Laporte
You got any pornography? Hey, yeah, it's a, it's... These are such difficult problems. I just read a statistic, and I think it's probably accurate, that said, in order to change a policy, any policy, in this country, it takes 90% of the people to believe it should be changed, not 50%, not 60%, 90%. There has to be a generally obvious consensus, an overwhelming agreement.
Overwhelming consensus that this is what we should do, and that happens so rarely on any subject that it seems nothing much happens ever. I don't know. It's quite an interesting issue, one that we are going to be facing. You know, Paris Martineau did a very interesting piece in The Information Weekend about a new kind of face recognition technology. I think it was called Yoti, Y-O-T-I, that did age verification, and so that's what I think legislators and companies are looking for, is something passive, that it just looks at you. You don't even have to pose, it just says, yeah, you know, you're probably over 16, or no, you're probably under 16. I mean, maybe that's a solution. The people at Yoti claim it works quite well.
0:41:03 - Steve Gibson
So of course, it does mean that you have to have a camera aimed at you.
0:41:07 - Leo Laporte
Oh, that's a good point. Yeah, many people probably don't want that either. Yeah, it's a little spooky.
0:41:16 - Steve Gibson
What's not spooky is this next advertiser. Oh, they're fantastic.
0:41:19 - Leo Laporte
In fact, your timing couldn't be better, Steve, because you know what happened when those laws passed in those states? VPN sales went through the roof.
0:41:31 - Steve Gibson
Uh-huh, yep, because guess what, the VPN?
0:41:33 - Leo Laporte
protects your privacy. This episode of Security Now is brought to you by the VPN I recommend, the only one I use, ExpressVPN. Nice, couldn't be better timing.
A few decades ago, private citizens, you know, were, as we were talking about, private. But the internet's changed everything. Think about all the stuff you browse, you search for, you watch, you tweet. Now imagine all that data being crawled, collected and aggregated by data brokers into a permanent public record, your public record. Having your private life exposed for others to see was something only celebrities worried about, but in an era where everyone is online, in a sense everyone is a public figure. So if you want to do stuff online and you want to do so privately, you turn to ExpressVPN. That's what I do. Everybody needs a VPN and ExpressVPN is the best. It's private, absolutely. They guarantee no logging, no record. In fact, you can pay for ExpressVPN with cryptocurrency and, even more, kind of make sure that no one knows anything about you.
ExpressVPN runs their ExpressVPN TrustedServer in RAM. When you press that big button on your ExpressVPN app, and it's on your iPhone, your Android phone, your Mac, your PC, your Linux. You can even run it on a router. They even sell routers, very good routers actually, at ExpressVPN. You can put it on there and it runs on many other routers.
You're saying privacy matters to me and you press that button. You're connecting to an ExpressVPN server somewhere in the world, and they have more than a hundred countries now. So you're going to that spot, that IP address, that you then emerge into the public internet. No one is... It's not yours, it's theirs, no one knows it's you. But more than that, ExpressVPN runs, as I said, they spin up this TrustedServer. When you start that VPN, it runs in a RAM sandbox. It cannot write to the drive, so there's no record of your use, of your visit. You know, the authorities can knock on the door and grab the ExpressVPN servers. They've done that in the past in countries where they don't need a warrant even, they just barge in and take it, and there's nothing on there. Furthermore, they use a custom Debian distribution that wipes itself every morning. Every morning they reboot. No history. One of the best ways for, and the easiest ways for, data brokers to track you, really the way they track you, is through your unique IP address. Every time you emerge on the internet from your current internet service provider, that's your number. It even reveals a little bit about your location with geo-IP locating. With ExpressVPN, you're using their IP address. Much more difficult for data brokers to monitor, track and monetize your private online activity.
ExpressVPN also encrypts 100% of your network traffic, so we know that's valuable too. In fact, you're going to hear, I'm shocked, because I thought, oh, you don't need this anymore. Every email server is encrypted, right? No, we're going to hear about that in a second. If you're using one of the email companies that Steve's about to talk about, you also want to use ExpressVPN to encrypt not only your password going to the email server but the mail going back and forth. It's very important on a public Wi-Fi, I imagine, right.
ExpressVPN is easy to use. It lets you choose the country you're in, and it's so fast. They invest. This is why you don't want a free VPN. They invest. It can be less than seven bucks a month, so it's not expensive, but it's important that you want to pay for it, because they take that money and they rotate their IP addresses. They do this TrustedServer thing. They make sure, and they provide enough bandwidth, they provision their service sufficiently so that you can get HD quality video. It doesn't slow you down.
Protect your online privacy today. I hope I've convinced you. This is the one. ExpressVPN.com/securitynow. We're thrilled to have them back in 2025. E-X-P-R-E-S-S-V-P-N dot com.
ExpressVPN.com/securitynow. Right now, they've actually upped their offer for extra months free when you buy a one-year package, so the price is even better. You may not use it all the time, but when you need it you will be really glad to have it. ExpressVPN.com/securitynow. Great to have them back on the show for a whole another year. In fact, every sponsor you hear on this show and our other shows in the new year, they've re-upped and we're very grateful to them. We're also grateful to all the brand new subscribers we got. You know, I made the pitch in the last few weeks of the year that we may not make it in 2025 without your help, and a lot of people have joined Club Twit thanks to that. So welcome to our new Club Twit members and, of course, as always, an invitation to everybody to join. If you're not a member, twit.tv/clubtwit. All right, let's go on. I'm sorry to interrupt for such a long period of time. Back to Mr Gibson.
0:46:40 - Steve Gibson
So we have a bit of a cautionary tale here. I think everything on this show is a cautionary tale.
0:46:47 - Leo Laporte
To be honest, I guess that's true.
0:46:50 - Steve Gibson
Except AI. I don't think that's cautionary.
0:46:53 - Leo Laporte
At least not. I'll be interested in what you have to say. Actually, I'm very curious.
0:46:56 - Steve Gibson
Okay. So I needed to share this because it highlights a very real threat which users of increasingly popular web browser extensions face, and that's a compromise of the extension which is then downloaded or updated by the user's browser. Now, several times in the past we've talked about the threat of an extension's author abandoning an extension, like deliberately saying, okay, I just, you know, I'm done with this. I've been tending this thing for 10 years, and then selling his, you know, basically the installed base to an unscrupulous third party. So that's one problem, but there's a different one. The other clear and present danger is a deliberate attack on, and compromise of, an extension's publisher for the purpose of turning an extension malicious.
This is what recently happened to the cyber firm Cyberhaven, the security firm Cyberhaven, and at least 35 other known Chrome browser extensions that are known to have been compromised as part of a concerted effort. Okay, so what happened? Two days after this past Christmas, on December 27th, Cyberhaven posted under their headline, Cyberhaven's Chrome extension security incident and what we're doing about it. You do not want that headline. They wrote: Our team has confirmed a malicious cyber attack that occurred on Christmas Eve affecting Cyberhaven's Chrome extension. Public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies. We want to share the full details of the incident company interrupting their holiday plans to serve our customers.
0:49:11 - Leo Laporte
Oh, that's why they do it Christmas Eve, isn't it?
0:49:14 - Steve Gibson
That's exactly right.
0:49:15 - Leo Laporte
Nobody will be home.
0:49:16 - Steve Gibson
That timing was no coincidence, and acting with the transparency that is core to our company values, and I got to say, and I will say, I'm impressed by this response that the guy wrote. On December 24th, a phishing attack compromised a Cyberhaven employee's access to the Google Chrome Web Store. The attacker used this access to publish a malicious version of our Chrome extension, which was version 24.10.4. Our security team detected this compromise at 11:54 pm UTC on December 25th and removed the malicious package within 60 minutes. So they have some bullet points. First, version 24.10.4 of our Chrome extension was affected. The malicious code was active between 11:32 am UTC on December 25th and 2:50 am UTC on December 26th, so for a total of a little over 25 hours. Chrome-based browsers that auto-updated during this period were impacted. Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD process and code signing keys, were compromised. For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites. Now they know that it's Facebook.com. We'll get to that in a second. Also, while the investigation was ongoing, our initial findings show the attacker was targeting logins to specific social media, advertising and AI platforms. Then our response: We notified affected customers December 26th at 10:09 am UTC. We also notified all other customers not impacted. The compromised extension has been removed from the Chrome Web Store. A secure version, 24.10.5, has been published and automatically deployed. We've engaged an external incident response firm for third-party forensic analysis. We're actively cooperating with federal law enforcement. We've implemented additional security measures to prevent similar incidents. For customers running version 24.10.4,
that's the bad one, of our Chrome extension during the affected period, we strongly recommend: Confirm if you have any browsers running the Cyberhaven Chrome extension version 24.10.4 and force an update to version 24.10.5, they said, currently available in the Chrome Web Store, or newer. Rotate Facebook personal and business account passwords for accounts on impacted machines. Review all logs to verify no outbound connections to the attacker's domain or other malicious activity. Okay, so it's good to see that this security firm acted appropriately in every way. They responded immediately. They determined the original attack vector, how the bad guys penetrated their perimeter security, and they now know that an employee fell victim to a crafted phishing attack. They replaced their compromised extension quickly, verified that this was the extent of the penetration and notified the public without delay. They fessed up to the mistake and made no attempt to downplay it, and they did all this on Christmas Day. Wow. So, as you said, Leo, it's likely no coincidence that the phishing email attack was launched on December 24th. Wow. Malicious modification would go undetected. Now I'd have to say that this particular phishing attack might have caught any developer unaware.
The show notes here, adjacent to the text here on page six, has a snapshot of the perfectly formatted HTML notification that was received by a developer. I mean, it looks completely legitimate, you know, from the Chrome Web Store. Hi there, we wanted to let you know that your item is at risk of being removed from the Chrome Web Store. Please see the details below. And it gives the item name, Cyberhaven Security Extension V3, the item ID, which is correct, and then, under violations, it says excessive and/or irrelevant keywords in the product description, which, you know, okay, whoops, violation, sure, unnecessary details in the description. And then it says relevant section of the program policy. And then it quotes their policy that somebody at Google or Chrome Web Store management felt was wrong. And then there's a button for go to policy. So I mean, who wouldn't click that? It looks like a completely legitimate event.
Google application, which was called, and it shows it on the screen, Privacy Policy Extension, which, if you really stop to think about it, it's like, whoa, wait, I'm authorizing the addition of something called Privacy Policy Extension. Well, they named it that in order to be tricky, because that's not something you want to do. But by naming it Privacy Policy Extension, you sort of obscure that fact. So, again, on Christmas Eve, it's like, time to go home, but we don't want to have our extension yanked during the holidays, so let's take care of this now.
The authorization page was hosted on Google.com and was part of the standard authorization flow for granting access to third-party Google applications. So just one tiny little glitch in an otherwise normal authorization flow. The employee followed the standard flow and inadvertently authorized this malicious third-party app. The employee had Google's Advanced Protection enabled and had multi-factor authentication covering the account. The credentials were not compromised, yet this still happened. So it was a very carefully crafted phishing attack designed to capture even somebody who was paying attention. So what they found was that the malicious extension 24.10.4 was based on a clean previous version of the official Cyberhaven Chrome extension. So the attackers went to some effort in order to create this attack, to set this up, and not just for them, and remember, as I said, 30-some other extensions were all compromised. The attacker made a copy of the clean extension, then added their malicious code to create a new malicious version of that, that 24.10.4, then uploaded it to the Chrome Web Store.
The Cyberhaven guys reverse engineered the malicious modification to their extension in order to determine what it was doing. In a subsequent posting they wrote: In our analysis of compromised machines, the extension was targeting Facebook.com users. If the user was logged into Facebook and navigated to the Facebook website, the extension would execute the malicious code path. Here's what the malicious flow would execute: it would get the user's Facebook access token, meaning an impersonation attack immediately. Anybody who had that could just open their browser as them and be logged in just as they are. Get the Facebook user's ID. Get the user's account information via the Facebook API. Get the user's business accounts via the Facebook API. Retrieve the user's ad account information, again through the Facebook API. Package all this information along with Facebook cookies and the user's agent string and send it to their command and control server, they said. After successfully sending all the data to the command and control server, the Facebook user ID is saved to browser storage. That user ID is then used in mouse click events to help the attackers with two-factor authentication on their side if that's needed.
So, again, a high-level attack against browser extensions. So the web browser extension attackers were interested in attacking the accounts of any Facebook users whose Chrome browsers might update to the malicious extension before it was detected and removed from the Chrome Web Store. Obtaining a Facebook access token cookie, as I said, allows full impersonation of the user, and because Facebook now has a very feature-complete API, a lot of damage can be done. Another security site, Secure Annex, provided a broader perspective, because the Cyberhaven guys were just focused on theirs, but this was, as I said, a much broader attack. Secure Annex provided that perspective into the attackers behind this campaign. By pivoting from the known malicious Cyberhaven extension, indications of compromise were obtained. That's how we know now how many more Chrome Web extension developers fell victim to these phishing attacks. The earliest known instance of one of this group's many attacks was way back last May, so these guys have been active since then.
I think it's important for everyone to have some sense for the scope of this. So here's, for example, 19 of the compromised Chrome web extensions: VPNCity with 10,000 users, Parrot Talks with 40,000 users, Uvoice with 40,000 users, Internxt VPN with 10,000 users, Bookmark Favicon Changer with 40,000 users, Castorus with 50,000, Wayin AI with 40,000, Search Copilot AI Assistant for Chrome with 20,000, VidHelper Video Downloader with 20,000, AI Assistant ChatGPT and Gemini for Chrome with 4,000, Vidnoz Flex Video Recorder and Video Share with 6,000, TinaMind, the GPT-4o-powered AI Assistant, with 40,000, Bard AI Chat with 100,000 users, Reader Mode with 300,000 users, Primus, which was previously PADO, with 40,000, GPT-4 Summary with OpenAI, 10,000 users, GraphQL Network Inspector with 80,000 users, YesCaptcha Assistant with 200,000 users, and Proxy SwitchyOmega with 10,000.
So every one of those Chrome web extensions was compromised last year, and there are more. Just those exposed as many as 1,060,000 users of Chrome to malicious browser-side code. Now, the good news here, if there is any, is that the attackers appeared to be focused solely upon Facebook users and their accounts, but that was this time, and they are certainly willing, obviously, to go well out of their way to compromise those accounts. It wasn't long ago that we were talking about the move from Chrome's v2 extension manifest to the significantly more limited v3 and how, as a consequence, uBlock Origin, for example, the full uBlock Origin, won't ever be offering its full-strength v2 version under v3 once Chrome completes that switch. I'm certain that the Chromium team understands how much value the third-party browser extension ecosystem brings to their Chrome browser. But given this attack campaign as just one example, and you gotta know they know, they know way more about abuse of this than is even publicly known, it's not difficult to see why they would be anxious to curtail the damage that aberrant extensions are able to do to those extensions' users. Thus the move to the more limited scope version 3 manifest.
And note that none of this is ever about an extension's user doing anything wrong. That never happened. It was the extension developers whose account was accessed and abused. So this is another form of supply chain attack. And users of Chrome, you know, as users of Chrome, the one thing we can do is practice good, what I would call, browser extension hygiene, meaning keeping the set of extensions which we're loading and using to a minimum and removing any deadwood that might needlessly expose us through that extension's, um, you know, inadvertent compromise. Every, you know, every additional extension that is loaded has access to deep user data in the browser, so there's nothing you can do to prevent the extension from being compromised. But so just minimize the number that you're using, and when you look at that list, there's a bunch of crap there.
1:04:48 - Leo Laporte
It's all crap. A lot of the stuff was AI assistants to work with the AI that you don't need. Right. However, it's clear with this very effective phishing attack that it doesn't have to be crapware. It could be anything, right, I mean. Yes, yes. Is there something about browser extensions that are inherently insecure? I remember Google saying, oh, you shouldn't use browser extensions for your password manager because they're inherently insecure, because this was a bid to get you to use Chrome's password manager.
1:05:20 - Steve Gibson
But consider that when we enter a username and password, our password manager pops up and says, would you like me to save that for you? It has, it sees our username and password.
1:05:34 - Leo Laporte
Yeah, yeah, it has a lot of information. Oh goodness, yeah, yeah. I mean, and they're all written in JavaScript. Is that inherently problematic, or?
1:05:43 - Steve Gibson
No, it's possible to write... It's... No, in fact, here the extensions are not the problem, right?
1:05:52 - Leo Laporte
Yeah, it's that somebody crawled in. They've been socially engineered.
1:05:54 - Steve Gibson
Exactly. Well, they crawled into the developer and turned the extension malicious, added deliberate code to the extension and then rode the developer's coattails, uploaded an update to the extension, just like the developer would if they were fixing a bug in their extension. And then, of course, Chrome wants to remove any bugs that might be in extensions, so it's checking to see if there's a new version and, if so, get you the new one.
1:06:29 - Leo Laporte
So is there an argument for not using any extensions at all?
1:06:32 - Steve Gibson
There's an argument for it, but that would cripple us. I mean, you know, we want Bitwarden to be able to auto-populate our login fields.
1:06:44 - Leo Laporte
I do like what Brave has done in response to Manifest v3, because that will eventually turn off uBlock Origin. Brave just built it into the browser, so maybe that's the better way to do it. If it's a browser company you trust, let them handle a password manager and all of that. You are trusting the security provisions of every extension developer whose extension you load.
1:07:20 - Steve Gibson
You can imagine the lengths that the Chrome team go to to make sure that the base browser is secure, and even then there's the occasional error. All the time.
1:07:32 - Leo Laporte
Yeah, and really the reason is these browsers are your interface to the outside world.
1:07:36 - Steve Gibson
So they're the prime vector. It's an OS now and it's an operating system.
1:07:40 - Leo Laporte
Yeah, it's a very complex piece of software.
1:07:42 - Steve Gibson
It's become so. As I said a long time ago, it's no longer possible to create one from scratch.
1:07:48 - Leo Laporte
You can't Right.
1:07:49 - Steve Gibson
You know you don't have to now because Chromium Core is open source, so you don't have to.
1:07:55 - Leo Laporte
But yeah, yeah, I mean I use, I'm looking at my browser extensions. I use a Chrome-compatible browser called Arc. I've got Bitwarden. I've got Snowflake. I didn't put that on there, let me take that off. I've got uBlock Origin. Those are the two I have to have pretty much everywhere, yes, I would say.
1:08:15 - Steve Gibson
Your password manager and uBlock Origin, two must-have tools.
1:08:21 - Leo Laporte
Oh, I know what Snowflake is. That's the thing we recommended. That enables Tor to work.
1:08:27 - Steve Gibson
Oh right, right, right, right, I'll leave that.
1:08:31 - Leo Laporte
I forgot about that.
1:08:32 - Steve Gibson
Yep.
1:08:35 - Leo Laporte
Okay.
1:08:35 - Steve Gibson
So, Leo, we're an hour in, let's take a break, and then we're going to get to SonicWall and some more news from the last three weeks. Loving the news, loving it all.
1:08:46 - Leo Laporte
And just a reminder, Steve, we're going to have an extra break in the show. I've already... that's the pace we're keeping. Yeah, we're very happy about that actually. This, you know what, little props to Steve. This is easily the most in-demand show on the network. Companies really want to be on this show, and probably because a lot of these companies are security companies, like Veeam, our sponsor for this segment.
1:09:12 - Steve Gibson
Well and Leo, if they're re-upping, it's because this is working for them.
1:09:17 - Leo Laporte
It works. Yeah, yeah, we have some pretty happy sponsors. I must say, Veeam is back as well. Welcome back to 2025, Veeam. Without your data, your customer's trust turns to digital dust.
Veeam, this is something I really feel like everybody, every business listening to this show, ought to be using. Veeam's data protection and ransomware recovery tools, right, that's what you need. It ensures you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens. Actually, most of you do use Veeam, so I'm talking to the handful that don't. It is the number one global market leader in data resilience. And get this stat: 77%. More than three quarters of the Fortune 500 uses Veeam to keep their businesses running when digital disruptions like ransomware strike. 77%.
I always ask this when I hear that a company, oh, we got hit by ransomware. We got to pay $12 million in Bitcoin to get our data back. We have no other way. Don't you have a backup? Turns out it's a hard thing to do. That's why you need Veeam. Veeam will let you back up and recover your data instantly, and the reason it's a hard thing to do is because your data lives all over the place, including in the entire cloud ecosystem, right, but Veeam does it. They also will, in many cases, stop ransomware in the first place by proactively detecting malicious activity. They'll say, uh-uh.
You can also remove the guesswork by doing something, even if you didn't have Veeam, everybody should be doing: having a recovery plan and policy. You have a recovery plan and policy, right? Most, I think a lot of companies go, it's not going to happen to us, it's not going to happen to us. Oh, I don't want to think about it. No, remove the guesswork. Use Veeam to automate your recovery plans and policies. Plus, Veeam is the greatest. They are the experts. So you can get real-time support from ransomware recovery experts as part of your Veeam subscription. Data. It's the most important part of your business, right? So get data resilient with Veeam. Now, the only complicated thing here is it's two E's, V-E-E-A-M. Okay, make a note of that. V-E-E-A-M. Easy to remember. Veeam.com. You can learn more there. Get data resilient with Veeam. And actually, this is one of those sponsors where I feel like we should be doing the ad for free. Don't tell them that, because this is something everybody should have.
1:12:01 - Steve Gibson
I don't understand why anybody would get bit by ransomware in this day and age. Veeam.com. All right, back to Steve. Okay, so back in August, SonicWall, you know, a well-known manufacturer of popular network security appliances, and now NSA has got two meanings. It's the National Security Administration, is that?
1:12:21 - Leo Laporte
NSA. You know, it's funny. I should know that. We must be getting old, Steve. I think we are. National Security Administration, I believe that's correct.
1:12:30 - Steve Gibson
Yes, and also Network Security Appliances. NSA, Network Security Appliances. Anyway, SonicWall revealed a serious vulnerability in their SSL VPN firewall product. Now, they rated it with a severity of 9.3. However, NIST, N-I-S-T, officially gave it a 9.8, which, you know, that's not good. And shortly afterward CISA formally warned of the serious potential for its exploitation. Both CISA and SonicWall, they called it a SonicOS, which is the OS in their appliance, improper access control vulnerability, which already doesn't sound good, and noted that it was potentially, in quotes, being, well, they didn't have it in quotes, but everybody else has, being successfully attacked in the wild. Now.
Among the reporting on this, I particularly like the write-up by the security intelligence firm Field Effect. They wrote: While it's unclear what SonicWall means by potentially exploited, Field Effect can confirm that we have seen an increased targeting of SonicWall firewalls since CVE-2024-40766 was announced on August 23rd. However, further investigation is required to determine if the threat actors are specifically targeting 40766 or other older unpatched vulnerabilities. I really thought this was interesting. They said, traditionally when vendors disclose critical vulnerabilities in edge devices, it draws attention of threat actors toward the devices in general, and that could be what we've observed in relation to the SonicWall firewall. So I really appreciated their measured response. There's no breathless hyperbole here. They finished by noting SonicWall firewalls are very popular among critical infrastructure industries and corporate environments and are thus frequently targeted by threat actors looking to obtain initial access into networks of interest. According to the Shadow Server Foundation, and you're going to be hearing about Shadow Server Foundation a couple more times before we're done here today, thousand SonicWalls are deployed worldwide, representing a significant potential attack surface for threat actors who possess SonicWall exploits. Okay, so that was back in August, where and when we have an estimated 400,000 internet-facing SonicWalls with a known remote authentication vulnerability. This was three generations. Generation 5, 6, and 7 all had this vulnerability. So here we are now. Where are we?
Two days after Christmas, on December 27th, a Japanese security researcher posted his own update on the state of play with SonicWall devices today. He wrote: In August 2024, the SonicWall NSA vulnerability 40766 was disclosed, and there are indications that the ransomware groups Akira and Fog are still exploiting this vulnerability for unauthorized access. Through my ongoing investigations, I found that, as of December 23, 2024, the number of companies suspected to have been compromised by these two groups via this vulnerability had exceeded 100. Okay, so, you know, here we're on the edge of the corporate network facing the internet. Oftentimes we're just talking about, oh look, they got hit by ransomware. How'd that happen? Well, this is how that happens. Here this guy has identified these two ransomware groups, Akira and Fog, that have used this vulnerability, which was announced and for which a patch was available last August, having penetrated 100 companies that did not patch. He says,
In this article I will share the details of this investigation and highlight the current situation in which at least 48,933 devices remain vulnerable to CVE-2024-40766. In other words, that was August. The patch was made available and announced. Today, 48,933 of those devices are still vulnerable, and in this case these two groups are known to have. Of the organizations listed on various ransomware groups' leak sites as victims of Akira and Fog, I found that over 100, approximately 46%, were running SonicWall network security appliance devices. Considering that the SonicWall network security appliance ownership rate among organizations victimized by other ransomware groups, excluding Akira and Fog, remains around 5% or less, this figure of 46% for those two groups is remarkably high. In other words, me speaking, whereas the general rate of overall SonicWall presence among companies who've been breached and listed by ransomware groups other than Akira and Fog is down at 5%, still not great, but we can't blame SonicWall for being the cause, of the organizations victimized by just those two ransomware groups which are currently exposing a SonicWall device to the internet strongly suggests that those two groups have successfully designed an exploit for the vulnerability and are working their way through the inventory of still exploitable and unpatched SonicWall device owners.
This Japanese researcher wrote: I developed a proprietary method to evaluate patch status by examining the HTML structure of SonicWall devices to assess mitigation efforts for CVE-2024-40766. Now I'll just stop right there and say the fact that you're getting HTML from a device exposed to the internet, you know, that immediately makes me worry, because that means there's a web page that you visit and this thing delivers it. And we know what a problem people have securing web pages, because it just seems that programmers are so sloppy about the code that's used to put up a web page. It's incomprehensible to me that this is a problem today, but it still is. You know, all these web management interfaces are what's constantly being cut through, and here's a security vendor, like, you know, a serious security vendor, who's got the same problem.
So he says: For SonicWall NSA devices with SNMP exposed, it's possible to obtain accurate model and version information. You know, SNMP is the network management protocol, which exposes an API that allows you basically to access lots of settings in a device. In this case it's able to obtain model and version information. So he's able to create a correlation. He said, by comparing the results of my custom method, his HTML structure reverse engineering, with the SNMP data from around 5,000 devices, he says, I've confirmed the accuracy of this detection approach. So anyway, he then posted a chart showing the lackluster patch status across these devices. The United States has more than half of the globally deployed SonicWall devices. Actually, that's a different heat map. We'll get to that one in a second.
1:22:18 - Leo Laporte
Oh sorry, I'm on the wrong heat map.
1:22:20 - Steve Gibson
Well, apologies, yes, but Shadow Server... one heat map looks much like the other. Actually, that's a very good point, it is the case.
So SonicWall, of course, is a US organization, so it's no surprise that the US has more than half of the globally deployed SonicWall devices. There are 390,474 worldwide SonicWall devices, 238,678 of them in the US. So, sadly, of the 48,933 identified globally that are currently known to be still vulnerable since last August, 29,107 SonicWall devices are detected as still being vulnerable in the US, four months after their publisher's and CISA's warning of a 9.8 CVSS vulnerability which is exploitable. So I say it again: something needs to change.
And is it, you know, any surprise that ransomware continues to be a scourge across the internet? On the one hand, any company being victimized with their proprietary data exfiltrated and then held for ransom, you know, that's a crime. Doing that to them, that's hacking. But we all know that Internet security can never be a one-and-done, install-and-forget. The connection of an internal corporate network to the global public network is incredibly empowering, but with it comes the responsibility of managing the security of that interconnection. Because that's what you're talking about doing. You're talking about taking your internal proprietary corporate network, where all kinds of private stuff exists, and connecting it to the public internet, and to neglect the security of that interconnection is to risk everything that the organization holds dear.
A SonicWall device like this, for which a problem is found in August, and in the US more than 29,000 of them are sitting there. Just, you know, these two groups, the ransomware groups, are just working their way through them. The fact that the number is only 100, to me that feels like, even though the severity is high, it must be that the exploitability index is low. That is, you know, it takes some work, like, you know, pounding at these things in some way in order to get in, but eventually you do. So, boy, again to our listeners: just be sure that some sort of email account exists that is being monitored and that is receiving the notifications, that you're on all the equipment vendor notification lists for the equipment that you're using, and that somebody is like, okay, I'll get around to that. No, it's get that done as a top priority. As I said, something needs to change. I ask why SonicWall isn't just able to go fix this themselves.
1:26:36 - Leo Laporte
They should be able to push it, shouldn't they? Yes?
1:26:38 - Steve Gibson
Yes, we have to get there. We're doing it now with consumer routers.
1:26:44 - Leo Laporte
It's time to move up to the big iron. Is SonicWall's hardware... yes, okay, yeah, they should be able to push updates.
1:26:51 - Steve Gibson
It's a top tier firewall vendor, absolutely, yeah, yeah, okay. So Shadow Server Foundation and email encryption, or lack thereof.
1:27:04 - Leo Laporte
This blows me away.
1:27:06 - Steve Gibson
Yeah, speaking of the Shadow Server Foundation, on New Year's Eve morning they posted to their Bluesky social account: We've started notifying owners of hosts running POP3/IMAP services without TLS enabled, meaning usernames and passwords are not encrypted when transmitted. We see around 3.3 million such cases with POP3 and a similar amount with IMAP, because most overlap. They said it's time to retire those services.
1:27:52 - Leo Laporte
You got to wonder some of them are just being run by individuals, right? No email company would not use TLS.
1:28:09 - Steve Gibson
Individuals can't, and I'll get to that in a second, because all ISPs block port 25, which is the unencrypted SMTP port. So it can't happen. Right, so it can't happen. So this is something, you know, we don't talk about often, but it bears reminding everyone. Like the rest of the entire original Internet, meaning the Web and IMAP protocols, email was not originally encrypted. It was all sent over simple unencrypted TCP connections in ASCII plaintext, thus making it all completely readable by anyone tapping into any location, whether near to any sender or receiver, such as by an ISP or wireless hotspot operator, or over the public internet wherever traffic is moving past. Now, with inertia being the prevailing force that it obviously is on the internet, we just talked about it. Look at the SonicWall sitting there for four months, patches available, nothing's happening.
The Shadow Server Foundation reminds us that a sizable portion of email servers have never bothered to move to encryption. You know, no one has ever made them encrypt. Unlike the web with HTTPS, where encryption became mandatory, email security has largely fallen through the cracks. It has arguably become more important than ever, as we depend upon it as our identity authentication of last resort. That means that all of the email these 3.3 million servers send and receive has remained the same unencrypted plain text that it was 35 years ago. Right now, today, those emailed "Oops, I forgot my password" recovery links, the "We just sent you a super secret six-digit one-time code to authenticate yourself, because it's so important" emails, those are all out there for anyone to see. And lest we imagine that these 3.3 million email servers must be scattered among backwater countries no one has ever heard of and can't spell, the Shadow Server Foundation thoughtfully provided a heat map. Now you want the heat map.
Now we need the heat map, Leo, showing just where these utterly security-negligent machines are located. Guess which country leads the pack? Wow. Yep, none other than the good old US of A.
1:31:09 - Leo Laporte
Isn't it possible that these are misidentified or they're honeypots or something like that?
1:31:14 - Steve Gibson
No, no. Within our proud borders lie some 898,700 completely unencrypted email servers. Those nearly 899,000 email servers are right now, today, this very moment, exchanging email for people who probably have no idea that everything they're sending and receiving is in the clear and readable by anyone who might even be the least bit curious, because it takes very little effort. And we know that none of these people are at home.
To your point, Leo, we know that they're not at home, because long ago ISPs blocked SMTP's port 25 due to rampant spam abuses. So these must be organizations of some size who probably think it's, you know, super spiffy to save some money by running their own email, while apparently never stopping to think about it. That's super spiffy. We got our own email. You know, we're saving money.
1:32:32 - Leo Laporte
That's right, super spiffy, super spiffy.
1:32:37 - Steve Gibson
Unfortunately, all the email that they're transacting is readable by anyone. Now, I said there were a total of 3.3 million, and we've accounted for the US taking the top slot at nearly 899,000 instances. Well, there are others. Germany takes the second spot at 560,900 unencrypted email servers, Poland is in third place at 388,000, followed by Japan at 294,000, and then the Netherlands down to 137,300. Then France, Spain, and you've got to get down to... let's see, France is still over 100,000, Spain at 88,200 and the UK at 84,700. So, you know, this is a thing.
Now, having seen these numbers, it would be very interesting to know what is going on. Do these organizations run encrypted web servers with up-to-date TLS certificates? Because the world insists upon it? Yes, but they never bothered to think about their email. Email servers, just like web servers, connect to each other using the TCP protocol. So, just like web servers, it is very possible for email servers to add a layer of authentication and encryption by negotiating TLS certificates with each other. This allows them to each verify the other's identity and to agree upon a shared secret key to use for encrypting and decrypting each other's traffic. The $64,000 question is, how is this ever going to be made to change? Because we know that the phrase "being made to change" is the only way it will ever happen.
Web browsers forced the move to encrypted connections by rightfully scaring anyone using a browser that was unable to establish an encrypted connection to a remote web server. At first, it was a frightening experience. Today, one really needs to work at establishing an unencrypted connection to a web server. You know, I've got to click all sorts of "yes, I'm sure" and "I know what I'm doing" and, you know, "my will is updated," so, you know, yes, please let me have an unencrypted connection. It's crazy. So, as a consequence, because of web browsers, you know, nobody wanted to run a server that users would say "I don't think I'm going to go here" and they'd just go somewhere else. Consequently, it didn't take long for all web servers to obtain TLS certificates.
As we know, this transition to HTTPS everywhere was tremendously aided by the creation of Let's Encrypt and the ACME protocol, which automated the issuance and installation of free web server domain validation TLS certificates. Unfortunately, nothing like Let's Encrypt exists for email servers. The ACME protocol is able to verify a server's control over a domain through the presence of a transient signature file located in the .well-known directory of a web server, or by querying for a TXT record within that domain's DNS, but there is no similar direct support for email servers, despite there being clear demand for it, evidenced within Let's Encrypt's feedback forums. People are wanting to encrypt their email. Let's Encrypt says, yeah, we don't do that. Sorry about that. You know, all of GRC's email transactions are, of course, encrypted.
At the moment, once every year, after I've updated all of GRC's servers with a new certificate from DigiCert, I need to manually reformulate the certificate from binary to ASCII base64 encoding and install it into GRC's beloved hMailServer. That's a manual process which I don't mind performing once a year, but as and if certificates continue their apparently inexorable reduction in lifetime, any sort of manual process will obviously become increasingly problematic. Since I have multiple Windows and Unix servers that need to be kept synchronized with wildcard domains, this entirely pointless reduction in certificate lifetime will eventually force me to roll my own solution to keep everything running without my intervention. I've received a great deal of feedback from our listeners, who've chimed in with their own issues surrounding shortening certificate lifetimes and the headaches this is creating for them and for their non-web services, because there are many non-web services, and ACME is only useful for web services and DNS. Certificates are not used only for the web, and we wish they were being used more for email, but they're used for many other purposes which are being ignored.
It appears that the CA/Browser Forum is being, I think, somewhat myopic in their apparent belief that the entire world is the web, and thus forcing these short lifetime certificates on everyone. It would be possible to delineate the use of short-life certificates only for web services, where automation is convenient and supported, while allowing non-web server TLS certificates to remain reasonably multi-year, given that web browsers are able to, and have said they would be, eventually independently rejecting any certificate having an out-of-spec total lifetime, meaning the span between the not-valid-before and not-valid-after dates, both of which are available.
Browsers have said, if that's more than whatever it's supposed to be, like now it's a year, we're just, you know... it doesn't matter if it's still valid, if you got it too long ago, we're going to say no. That means that everything could be left as it is, with web browsers being the sole enforcers for short-life web certificates, which would allow everybody else to use longer-life certificates. Anyway, I've wandered well off course here, but my point is, without some means of enforcing the use of TLS certificates for email, history shows us that nothing will ever move these recalcitrant email servers to encryption. If they don't see any problem today, why would they ever make the effort, especially when it's not particularly easy? And boy, if we ever get six-day certs, forget about it. The only obvious mechanism for forcing this change would be for those web servers that do support encryption to refuse to accept any insecure email connections, and Gmail could do this with a stroke of a pen, because they're so big.
Yes, a stroke of a pen, because they're so big. Yes. The problem is, for example, out of fear of missing anyone's important email, I historically configured GRC's email server to accept unencrypted email over port 25, while offering to dynamically upgrade the connection to full security using STARTTLS, which is an SMTP command that allows cooperating email servers to add encryption over a traditionally unencrypted port. But I have to say, now I'm beginning to think that perhaps it's time to end that practice, for GRC to refuse unencrypted email, because another interesting tidbit here is that port 25 has largely become the domain of spammers.
Spammers use port 25 because they don't have to have any certs. They can pretend to be anybody they want to be, and there's no verification of their identity, which certificates do enforce. But for those 3.3 million unencrypted email servers in the world, nearly 899,000 of which are in the US, you know, before they're going to be able to move to encryption, they're going to need some means of obtaining reasonably priced and reasonably maintained TLS certificates, and that doesn't exist today for small, independent servers. You know, it's easy to run an email server unless you have to constantly be updating its certificates, so nobody bothers. It's a mess.
1:42:59 - Leo Laporte
I'm shocked, because I really thought that every email server now used encryption. I mean, I just... I'm stunned. Do you think these are commercial providers, or who are these?
1:43:06 - Steve Gibson
I really do wonder, yeah, who they are, and it may well be companies with their own, you know, email. It's those super spiffy...
1:43:18 - Leo Laporte
Anybody who could have the smarts to configure an email server, one would think, would be able to get a certificate for it. Uh, boy, that's... I mean, it...
1:43:28 - Steve Gibson
It is free. If you bring up an email server and you've got a connection to the Internet, it's free.
1:43:35 - Leo Laporte
Yeah.
1:43:35 - Steve Gibson
And I'll bet you that that's how this happened, and because it was working 20 years ago, nobody's revisited it. It's like, well... and they're just not thinking about it. Wow. They had to have a certificate for their web server, because they probably have a little corporate website, but it isn't easy to do, and we know that if it isn't easy and if no one makes them do it, they're just not doing it. Yet the employees in that company are receiving password recovery links and six-digit one-time passcodes, everything, and it's completely in the clear.
1:44:15 - Leo Laporte
I would love to see yet another heat map on which servers are being used. Are these primarily Exchange servers? Are they traditional IMAP servers? What are they? SMTP mail, what are people using?
1:44:34 - Steve Gibson
What are people using?
1:44:35 - Leo Laporte
Very wild. Okay, a break, and more of Steve-arino coming up in just a bit, including, I think, the best part of this show, which I'm waiting for. Save it for last: his AI analysis.
1:44:50 - Steve Gibson
I think I have some good things to say.
1:44:52 - Leo Laporte
Ready to hear this. He's read all the stuff. Now, our show today, brought to you by a really good company we like quite a bit, ThreatLocker, and you've maybe heard of ThreatLocker. I hope you have. It's the best way to secure your endpoint, and it's, by the way, extremely affordable and easy to set up. It's never been easier to harden your security with ThreatLocker, and never again worry about zero-day exploits or those nasty supply chain attacks. Big companies use it. I mean, JetBlue uses ThreatLocker to secure their data and keep their business operations flying high. Notice they were not brought down by the CrowdStrike hack, because they didn't use it. They used ThreatLocker.
Imagine taking a proactive... It wasn't a hack, was it? It was a bug. Imagine taking a proactive deny-by-default approach to cybersecurity. This is what I love about it.
It blocks every action, every process, every user. Just everything's blocked by default, unless explicitly authorized by your team. ThreatLocker helps you do this so easily and, and this is important, provides a full audit of every single action, all those authorizations, all those blocks, and that's so useful for risk management, but also for compliance. And ThreatLocker is a great company with a 24-7 US-based support team. They are there to help you get on board. They are there for anything that comes up. This is a way to stop the exploitation of trusted applications within your organization. You can keep your business secure, protect you from ransomware. It doesn't matter what your industry is. It doesn't matter what your business is and really, in many ways, it doesn't matter what your budget is. ThreatLocker can solve your problem. ThreatLocker's ring fencing, so cool, isolates critical and trusted applications from unintended uses or weaponizations. It limits attackers' lateral movement within the network and, oh, by the way, it works on Macs too. So your whole network can be protected and you get unprecedented visibility and control of your cybersecurity quickly, easily and cost-effectively with ThreatLocker's Zero Trust Endpoint Protection Platform.
We've talked about Zero Trust on the show before. It's a really great way to protect yourself. Get a free 30-day trial. You can see for yourself how easy it is to set up and configure. I think one of the reasons people didn't do zero trust in the beginning was, oh, it's going to slow everything down. This makes it so easy, and the compliance piece is huge. Learn more about how ThreatLocker can help you mitigate unknown threats and ensure compliance. Just go to ThreatLocker.com. That's threatlocker.com.
We're thrilled to have him back in the year 2025. And we're very excited. I think Jonathan Bennett's going out to this. I would be. I can't, but for a limited time.
You can go visit zerotrustworld.threatlocker.com. That's their big event, Zero Trust World. Use their special code. Okay, now get ready for this. It's a lot of letters: ZTWTWIT25. Okay, it's easy to figure out. ZTW, Zero Trust World, TWIT25. 200 bucks off registration for Zero Trust World 2025. It's coming up next month. ZTWTWIT25. You'll get access to all the sessions. You'll get hands-on hacking labs. You even get meals and an after party. This is the event of the year. It's in Orlando this year. This is the most interactive hands-on cybersecurity learning event of the year, February 19th through the 21st, three days. It's at Caribe Royale in Orlando. Man, I wish I could go to this. Oh well, you can. And don't forget, save $200 with the code ZTWTWIT25. ThreatLocker.com. We love these guys. Welcome back to Security Now for 2025. ThreatLocker.com, and don't forget the code ZTWTWIT25. Okay, Steve, on we go with Salt Typhoon.
1:49:05 - Steve Gibson
So, following up on the news we talked about, uh, last year, which wasn't that long ago, not so long ago.
Um, this Chinese-backed advanced persistent threat group known as Salt Typhoon had infiltrated all telecom providers. Now three US providers, AT&T, Verizon and Lumen, all say that they've now evicted Salt Typhoon from their networks. Okay, after this widespread and frighteningly successful hacking campaign came to light, CISA suggested that we should not be relying upon the security of telecom carriers and should instead add our own strong encryption provided by third-party apps such as Signal. Imagine that. In the aftermath of these attacks, remaining with CISA's recommendation would seem prudent, because, you know, who knows whether they actually did evict these guys, and if your traffic happens to cross over some of the telecom carriers that have not yet succeeded in successfully evicting Salt Typhoon, then your communication is still probably not very secure. So if you're just ordering pizza, don't bother, but if it's something super sensitive, it's probably worth bringing up something like Signal to hold your conversation. Also, on December 27th, the US Department of Health and Human Services issued a notice of proposed rulemaking. God, there's acronyms for everything. We have HHS, Health and Human Services.
We also have the Notice of Proposed Rulemaking. That's the NPRM. Oh yeah, to modify HIPAA. Oh Lord. So that's, of course, HIPAA, the aging Health Insurance Portability and Accountability Act of 1996. So it's been around for a while. Anyway, you can imagine it needs some modernizing. HIPAA regulations will be getting a bunch of new, welcome and needed cybersecurity rules, including the mandatory use of encryption, multi-factor authentication, network segmentation, that'll be nice, vulnerability scanning and more.
The show notes went out last night, and I've already seen some of our listeners who had some interesting feedback about this HIPAA change, so I may have some interesting stuff to share from them in follow-up to this next week. I also got a kick out of this wacky bit. Under the label of true miscellany, I wanted to mention in passing that the EU, apparently having nothing more pressing to legislate at the moment, which is saying something for the EU, has taken the time to establish USB-C as the official common standard for charging electronic devices throughout their union. There's actually an official document bearing the headline One Common Charging Solution for All. In part, the EU legislation reads, quote, the Commission, capital C, promotes solutions that favor technological innovation in electronic device charging, which one would, while avoiding market fragmentation.
The voluntary approach did not meet consumer, European Parliament or Commission expectations, so we put forward a legislative approach. The common charger will improve consumers' experience, reduce the environmental footprint associated with the production and disposal of unneeded chargers, while maintaining innovation. Wow. In other words, the market didn't settle into any sane and rational standard by itself, so we're going to impose some legislation where needed here. They said the common charging requirements will apply to all handheld mobile phones, tablets, digital cameras, headphones, headsets, portable speakers, handheld video game consoles, e-readers, earbuds, keyboards, mice and portable navigation systems as of the 28th of December 2024, meaning end of last year. These requirements will also apply to laptops as of the 28th of April 2026. Oh good.
1:53:56 - Leo Laporte
Yeah, so we have some time with our laptops, but I think that's huge. I mean most of my laptops.
1:53:59 - Steve Gibson
Now do use USB charging.
But those proprietary chargers just were awful. Dumb. Such transition periods will give industry sufficient time to adapt, which would be nice, before the entry into application. The main elements are as follows: A harmonized charging port for electronic devices. USB-C will be the common port. This will allow consumers to charge their devices with any USB-C charger, regardless of the device brand. Harmonized fast charging technology. Harmonization will help prevent different providers from unjustifiably limiting charging speed and will help to ensure that charging speed is the same when using any compatible charger for a device.
Unbundling the sale of a charger from the sale of the electronic device Consumers will be able to purchase a new electronic device without a new charger. This will limit the number of chargers on the market or left unused. Reducing production and disposal of new chargers is estimated to reduce the amount of electronic waste by 980 tons yearly. Wow, Wow, 980 tons worth of chargers eliminated. No more drawers full of unneeded, unwanted, unused and forgotten chargers. So before long, those in the EU will be spared the experience of opening the box and thinking oh shoot, not another damn charger.
They did note that, since the wireless magnetic induction charging market is so far behaving itself and is not showing undue fragmentation, they did not feel the need to impose any order there. But that market too might need some harmonization if things start going all wild and woolly. So they're keeping a watchful eye on it. They just wanted everyone to know. Now you guys behave yourselves over there on the magnetic induction side. And we have the Doom CAPTCHA. That's right.
Since nobody likes CAPTCHAs, an enterprising software engineer has created a Doom CAPTCHA system where you have to kill at least three bad guys in the Doom video game to proceed to a website, and it's actually a functioning CAPTCHA.
Since I thought our listeners would get a kick out of it, I gave it one of GRC's shortcuts of just "doom." So grc.sc/doom will take you to doom-captcha.vercel.app, and its author wrote: A CAPTCHA that lets you play Doom to prove you're human, and, he said, for educational and entertainment purposes. He said the project works by leveraging Emscripten to compile a minimal port of Doom to WASM and enable intercommunication between the C-based game run loop, which is g_game.c, and the JavaScript-based CAPTCHA UI. Some extensions were made to the game to introduce relevant events needed for its usage in the context of a CAPTCHA. Started out with a minimal SDL-based port of Doom that can be efficiently compiled to WASM, then tweaked the build to make it compatible with the shareware version of the WAD, that's doom1.wad, for legal use.
1:57:43 - Leo Laporte
You know, any computer can kill three monsters in Doom. That is the worst CAPTCHA ever.
1:57:50 - Steve Gibson
Actually, yes. I'm no video gamer, Leo, so I was promptly killed right off the bat while I was working out the arrow keys and the space bar, right, for movement and firing. Computers are better than a human.
It's not that difficult to kill three baddies, because I was able to pull that off on my second try. Anyway, as I said, grc.sc/doom. One of the people who received the show notes last night sent me a note and said, I thought I remembered this from the past, and I think it was maybe episode 890-something, he said, where we talked about this. I don't know whether this is exactly the same or whether this has been updated to be using WebASM, but, you know, I mean, it does run in a browser, and one of these... You know, boy, if I got into WebAssembly I would be dangerous, I think, because, you know, mix my assembly language interest... This isn't that easy, is it?
It's not that easy. Oh, now, what I did was I just stood there. So they come out, right? Yeah, you shouldn't go to them. That's right, yes, exactly. Yeah, I managed to kill the three, just like he's got me.
1:59:05 - Leo Laporte
Oh yeah. Oh, this is harder than it looks. There we go, there we go. Oh, oh, you solved it. Yep, that's what I... That is not good. Any computer will play this better than you will, I promise. Yeah, that's hysterical. I think that's true, yeah.
1:59:22 - Steve Gibson
Okay, so we're ready to go to AI training and inference. We have one last break. So let's take that and then we'll plow in.
1:59:31 - Leo Laporte
It's a quick break, merely a suggestion that you all join Club Twit. I mentioned that. We were very grateful to all the new members. Welcome, thank you. Seven bucks a month it really makes a big difference in our bottom line. With Club Twit, we were able to meet half of our payroll two weeks out of the month and, yes, advertising supports most of what we do, but not all of it. And in order to keep doing this at the level we're doing, we need you to join. And if enough people join, if we could get 5% 1 in 20 of our audience to join, the sky's the limit we could have an AI show. We could do so much more.
So what do you get? Ad-free versions of all the shows. You get the Club Twit Discord, which is really actually a wonderful hangout, a great place to play, to chat, not just during the shows but all the time. And there's events that go on in the club. We've got Chris Marquardt's photo event. Photo time is coming up Thursday. Micah's Crafting Corner is January 15th. We've got Stacy's Book Club coming up. In fact, we're voting right now on which book we should be reading for Stacy's Book Club. And you also get to hang out with some really fun people. That's not all. I mean, there's a lot more to join in the club. Seven bucks a month, less than a couple of cups of Starbucks Americano blend, and you could be a member of Club Twit. The most important thing you get out of it is the warm and fuzzy feeling knowing that you're helping us do this work, and if you find it valuable, if you listen, please consider joining. We'd love to have you. twit.tv/clubtwit. You can give more if you want. Seven is just the, you know, starting point. Um, and I think there are other things in there. I don't know, are we still doing the two-week free trial? I think we are. There's also a referral code you get when you join so you can tell people about it on your socials, and for every one of them that joins, you get a free month. We want to make it fun. Um, maybe not as fun as playing Doom in a CAPTCHA, but we want to make it fun, and we sure would love to have you. twit.tv/clubtwit. Now, whether you're a member or not.
There is another thing you can do to help us. Right now we're doing our annual survey. A couple more weeks to go to twit.tv/survey. Uh, it's just five minutes, 10 minutes. Answer some questions. It helps us know you better, understand you better, know what you want. It also helps us, I'll be honest, attract advertisers. We don't tell them anything about you individually, but in aggregate we like to be able to say, yeah, you know, 75% of our audience are decision makers in IT. That's actually true. Things like that. Advertisers love hearing that kind of stuff. So help us out, don't lie. Help us out. Answer honestly. That's all you need to do. twit.tv/survey. Take the survey. We really, really appreciate it. Thank you, Butch. Put the link up in the Discord. It doesn't have to be club members, anybody, in fact, all of you. We'd like you all to take the survey. All right, Steve, I am dying to hear what you think about all this AI stuff.
2:02:50 - Steve Gibson
So, as I said at the top of the podcast and I will reiterate, security now will not be evolving into AI today.
2:02:54 - Leo Laporte
No, we have shows for that. That's fine, yes.
2:02:57 - Steve Gibson
And that said, aside from the fact that the recent, truly astonishing advances in AI are going to directly impact everyone's lives outside of the security sphere, I'm also very certain that we're going to be seeing AI's impact upon the security of our software and operating systems, and we may not be needing to wait long. So over the course of the next few years, I'm sure that the topic of AI will be re-emerging, and I'm not saying I'm never going to talk about it again, because it'll just be fun to talk about the major advances that I expect that we're going to be seeing. One, actually, I'll be talking about in a second, only about a month away. So our listeners have been following my journey through this topic and it's not been a straight line. More than anything else, I endeavor to be an honest researcher. An honest researcher will readily revise their entire belief system as required when presented with new facts and information. You know, clutching to obsolete dogma simply because it's familiar and comfortable is not the way of science, and it was because I was puzzled and confused by what I was experiencing firsthand that I went searching for that information. I believe I found it. I believe I understand it, at least as much as is possible without actually implementing it myself, and I've got other work to do, so that's not going to happen, and I've been changed by what I learned.
Three weeks ago, as I said, I might have something to say about this before we met again today, and I said, if so, I would probably enjoy sharing that with this audience, with a special email over the holidays. Now, the possibility of that happening induced more than 1,100 of our listeners who had not already signed up to the Security Now mailing to do so. So for that reason alone, due to that declaration of interest, I felt I had to say something. Today, I have much more to say on the topic than I did nine days ago, last Monday, December 30th, when I sent that out. But let's start with what those 15,060 subscribers received from me last week. Then I'll expand a bit on what I think are the most important points and what I've continued to learn since. So what I wrote then was: when I first set about writing this email, my plan was to share what I had learned during the first half of our three-week hiatus from the podcast, but it quickly grew long, even longer than this, because I've learned quite a lot about what's going on with AI. Since I suspect no one wants to read a podcast-length piece of email, which I would largely need to repeat for the podcast anyway, which is what I'm doing now, I'm going to distill this into an historical narrative to summarize a few key points and milestones. Then I'm going to point everyone to a 22-minute YouTube video that should serve to raise everyone's eyebrows. So here it is.
First, everything that's going on is about neural networks. This has become so obvious to those in the business that they no longer talk about it. It would be like making a point of saying that today's computers run on electricity. Duh, duh. Okay, AI computation can be divided into pre-training and test time, also called inference time. Pre-training is the monumental task, and it is monumental, of putting information into a massive and initially untrained neural network. Information is put into the network by comparing the network's output against the expected or correct output, then back-propagating tweaks to the neural network's vast quantity of parameters to move the network's latest output more toward the correct output. A modern neural network like GPT-3, which is already obsolete, had 175 billion parameters interlinking its neurons, each of which requires tweaking. This is done over and over and over, many millions of times, across a massive body of "knowledge", which I have in quotes, to gradually train the network to generate the proper output for any input.
Counterintuitive though it may be, the result of this training is a neural network that actually contains the knowledge that was used to train it. It is a true knowledge representation. Now, if that's difficult to swallow, consider human DNA as an analogy. DNA contains all of the knowledge that's required to build a person. The fact that DNA is not itself intelligent or sentient doesn't mean that it's not jam-packed with knowledge. In fact, the advances that have most recently been made, which I'll get to in a bit, are dramatic improvements in the technology for extracting that stored knowledge from the network. That's why I titled today's podcast AI Training and Inference. The inference is the second half.
The implementation of neural networks is surprisingly simple, requiring only a lot of standard multiplication and addition, pipelined with massive parallelism. This is exactly what GPUs were designed to do. They were originally designed to perform the many simple 3D calculations needed for modern gaming. Then they were employed to solve hash problems, to mine cryptocurrency, but now they lie at the heart of all neural network AI. Now, even when powered by massive arrays of the fastest GPUs rented from cloud providers. This pre-training approach has become prohibitively well was becoming, and is, prohibitively expensive and time consuming.
But seven years ago, in 2017, a team of eight Google AI researchers published a truly groundbreaking paper titled "Attention Is All You Need". The title was inspired by the famous Beatles song "Love Is All You Need", and the paper introduced the technology they named Transformers. Actually, it was named that because one of the researchers liked the sound of the word. The best way to think of transformer technology is that it allows massive neural networks to be trained much more efficiently in parallel. This insightful paper also introduced the idea that not all of the training tokens that were being fed into the network, which is the long string of data being fed into a model during one training iteration, not all of those tokens needed to be considered with equal strength, because they were not all equally important. In other words, more attention could be given to some than others. So that limited the quality of the networks. What happened was, then, thanks to this breakthrough, it became practical and possible to train much larger neural networks, which is what gave birth to today's LLMs, large language models. Now, the GPT in ChatGPT stands for generative pre-trained transformer. Pre-trained is the training; transformer is this technology.
But over time, once again researchers began running into new limitations. They wanted even bigger networks, because bigger networks provided more accurate results. But the bigger the network, the slower and more time-consuming, and thus costly, was its training. It would have been theoretically possible to keep pushing that upward. But a better solution was discovered: post-training computation. Traditional training of massive LLMs was very expensive.
The breakthrough transformer tech that made LLM-scale neural networks feasible for the first time, well, now that was being taken for granted, but at least the training was a one-time investment. After that a query of the network could be made almost instantly and therefore for almost no money. But the trouble was that even with the largest practical networks, the results could be unreliable, known as hallucinations.
Aside from just being annoying, any neural network that was going to hallucinate and just make stuff up could never be relied upon to build chains of inference where its outputs could be used as new inputs to explore consequences when seeking solutions to problems.
Being able to reliably feed back a network's output into its inputs would begin to look a lot like thinking, and thus inference, for true problem solving. Then, a few years ago, researchers began to better appreciate what could be done if a neural network's answer was not needed instantly. They began exploring what could be accomplished post-training if, when making a query, some time and computation, and thus money, could be spent working with the pre-trained network. This is known as test-time computation and it's the key to the next-level breakthrough. By making a great many queries of the pre-trained network and comparing multiple results, researchers discovered that the overall reliability could be improved so much that it would become possible to create reliable inference chains for true problem solving. Using the jargon of the industry, this is often called chains of thought, although I still object to giving too much credit, to imbuing these with too much human brain technology. There's no thinking involved.
So inference chains would allow for problem-solving behavior by extracting the stored knowledge that had been trained into these networks, and the pre-trained model could also be used for the correction of its own errors. Now I should note that the reason asking the same question multiple times results in multiple different answers is that researchers also had long ago discovered with neural networks that introducing just a bit of random noise, which is called the temperature, into neural networks resulted in superior performance. And yes, if this all sounds suspiciously like voodoo, you're not wrong, but it works anyway. OpenAI's recently released o1 model, which I talked about at the very end of last year, is the first of these more expensive test-time inference chain AIs to be made widely available. It offers a truly astonishing improvement over the previous ChatGPT 4.0 models that we were using. Since o1 is expensive for OpenAI to offer on a per-query basis, subscribers are limited to seven full queries per day, but the o1-mini model, which is faster and still much better but not as good, can be used without limit. But wait, there's more. The big news is that during their celebration of the holidays, OpenAI revealed that they have an o3 model that blows away their brand new o1 model. It's not yet available, but it's coming soon.
What is available are the results of its benchmarks, and that's why I believe you need to make time to watch this YouTube video. I created a GRC shortcut with this episode number, which is 1007. So grc.sc/1007, that will bounce you to a, I think it's 22-minute, YouTube video talking about the independent benchmarks that have been run against this o3 model. Okay, so is it AGI? OpenAI is saying not quite, but there's little question that they're closing in on it. As you'll see in that video, the performance of OpenAI's latest o3 model, when pitted against independent evaluation benchmarks designed specifically to measure the general reasoning strength of AIs when confronted by problems that were absolutely never part of the AI's training set, demonstrates reasoning abilities superior to most humans. You need to watch the video, grc.sc/1007. Even if it were AGI, and we're probably not far from that, people are saying it is, I don't care, but that doesn't mean it's taking over. The AGI designation is only meant to indicate that, over a wide range of cognitive problem-solving tasks, an AI can outperform a knowledgeable person. Computers can already beat the best chess, Go and poker players.
I think it's very clear that today's AIs are not far from being superior to humans at general problem solving. That doesn't make them Frankenstein's monster to be feared. It only makes AI a new and exceedingly useful tool. Many years ago, I grabbed the domain clevermonkeys.com just because I thought it was fun. It occurs to me that it takes very clever monkeys indeed to create something even more clever than themselves. All the evidence I've seen indicates that we're on the cusp of doing just that. Okay, so, with a little bit of editing to improve it, that's what our listeners received from me over the holidays.
If you take nothing else away from this discussion of AI today, here is the one point I want to firmly plant into everyone's mind, because this is the sticking point that I see everywhere. Nothing that was true about this field of research yesterday will remain true tomorrow, nothing. This entire field of AI research is the fastest moving target I have ever experienced in my nearly 70 years of life. There are a number of consequences to this fact. For one, no book about AI that was written a year ago, or six months ago, or even last month, will be useful and up to date about what's happening today. It can definitely be useful for describing the history of AI and as a snapshot of a point in time, but even their predictions will prove to have been wildly wrong. The guys at OpenAI who are working on this, and ought to know, believed two years ago that at least another decade, another 10 years, would be needed to achieve what they announced last month and are getting ready to unveil. They thought it would take 10 years. It took two. One of the factors in facilitating this astonishing speed of development is that it turned out that much of what was needed was scale, and a weird side effect of cloud-side computing is that it's massively scalable. If you can pay to rent it, you get to use it. So investor dollars were pumped into the training of ever more complex models, and they kept seeing surprising improvements in performance.
Leo's original appraisal of large language models as fancy spelling correctors was an accurate and useful from-the-hip summary of OpenAI's ChatGPT-3 model. That's their take on it too. ChatGPT-3 produced grammatically correct language, but it only coincidentally and occasionally produced anything highly meaningful. If it was left to keep talking, it would soon get lost and wander off course to produce grammatically correct nonsense. Even so, back then highly creative people who operate on the cutting edge, like MacBreak Weekly's Alex Lindsay, were using the ChatGPT-3 model as a source of new ideas and inspiration.
As I wrote this, I was reminded of how popular formal brainstorming once was, where sometimes random ideas were just tossed out without any filtering, and that was the, you know, that was the entire point: to say something as a means of inspiring some new perspective. So even ChatGPT-3 was useful for the nonsense that it sometimes produced. But as a consequence of everything I've learned over the past three weeks and of the events which have transpired since, our previous podcast title, Podcast 1005, three weeks ago, "The Wizard of Oz", how quickly it ages, no longer seems, yes, no longer seems to fit, and I'm a bit embarrassed by what I wrote because it no longer reflects reality. As I said earlier, an honest researcher may need to discard previous belief systems when confronted with new information and facts. Never has that been more true than it is here. I'm needing to continuously update my own internal model.
There is an unfortunate downside emerging, however. Unfortunate, I suppose, but inevitable. With startling speed, AI has moved from a curio in the corner of university and corporate R&D labs into big business. That meant that the suits in their neckties, with their non-disclosure agreements, descended upon the labs of the once freely and fruitfully collaborating academia-oriented researchers and dropped the cone of silence over their ongoing work. In the distinguished lecture series at the Paul Allen School, one of OpenAI's leading researchers, Noam Brown, gave a lecture titled "Parables on the Power of Planning in AI: From Poker to Diplomacy". I have a YouTube link to Noam's excellent talk at the end of the show notes. In his lecture, you could so clearly see Noam's unbridled enthusiasm and love of his subject, and also his disappointment when he was forced to stop himself short to prevent sharing some detail of his work that was now deemed to be proprietary and no longer his to share.
We only have Google's breakthrough transformer and attention technology, which was the sole enabler of the subsequent LLM revolution, because seven years ago, back in 2017, when things were still moving somewhat slowly, Google AI researchers were freely publishing their work as the academic curiosity that it was. At the time, they were working on improving Google's interlanguage translation capabilities, and this inspiration emerged unbidden from a chance meeting of eight Googlers from various parts of the organization. Would such a breakthrough be published in today's climate? Seems unlikely. And now OpenAI is seeming less open than it once was. We know that ChatGPT-3 used a neural network containing an astonishing 175 billion neuron-interlinking parameters, but 10 digits of accuracy each. We know that because OpenAI freely told us. But we have no similar information about any of their succeeding models. The sizes of the various ChatGPT-4 models, not to mention o1 and o3, have become closely held secrets, as have details of their operation.
2:26:54 - Leo Laporte
This is something that Elon's been complaining about, right? This is why he's suing them. Yep, yeah.
2:27:00 - Steve Gibson
He said. Fortunately, a massive amount of detail, all the detail needed for recreating much of what we see today from the corporate side, had previously been shared in the public domain, and research continues with new vigor, and doubtless with new funding, within academia. And remember that it wasn't so long ago that Apple was getting patents on Andy Hertzfeld's clever stepwise circle drawing algorithms for bitmaps. Very little of anything that's really useful remains secret forever, and it seems clear that before long we're going to have AI everywhere. OK, now I would love to spend more time talking about the way neural networks function in detail, because there's some very cool aspects of that too, but that's not the purpose of this podcast, and perhaps I'll find another opportunity for that in the future. There are absolutely already tons of videos on YouTube talking about all of this for anyone who's interested, and YouTube's recommendation engine appears to be quite excellent, because as soon as I started digging around in there, I got a lot of great points, yeah.
I do need to point out a specific series of astonishingly well-conceived and produced instructional videos on this topic from a guy named Grant Sanderson. Oh, I've watched these. They are really good.
This was how I got my education in this stuff. Yes, I, Grant's website is 3blue1brown.com, numeral 3, blue, numeral 1, brown, dot com, and Grant's bio says: "These videos and the animation engine behind them began as side projects as I was wrapping up my time studying math and computer science at Stanford. After graduating, I worked for Khan Academy producing videos, articles and exercises primarily focused on multivariate calculus. Since the end of 2016, my primary focus has been on 3Blue1Brown and its associated projects. In those years, I've also had the pleasure of contributing to a number of different outlets for math exposition, including spending a semester lecturing for an MIT course on computational thinking, contributing to a Netflix documentary about infinity, writing for Quanta and collaborating with many other educational YouTube channels."
2:29:42 - Leo Laporte
I have to say, his animated visualizations are astonishing. This is the one I found the most useful. If you just want a quick introduction, he put it out in November. Uh, LLMs for beginners.
2:29:51 - Steve Gibson
Very good. Very, really well done and knowledgeable. Yes, um, I have a link in the show notes. He did a series of eight, which, it starts on neural networks and runs through all of this technology: transformers, back propagation, the whole breakthrough of attention and how that operates. Anyway, I recommend them without reservation to anyone who's interested in understanding more of the inner workings of the comparatively, and I love the word, ancient technology of neural networks, because this stuff's been around forever. Now, what's interesting about this is that this old technology of neural networks has recently been given new life, thanks solely to the scalability of cloud-based computing and the presence of GPUs, which are able to perform massive amounts of simple computation operations, so long as we have sufficient power. It appears, not processing power and, as we know, electrical power too, that the world is facing, I believe, a true breakthrough.
Thanks to the scale of compute and training, we've been able to throw at the problem. However, what we have today works and is working, but it is incredibly inefficient. It works only due to the massive scale we've managed to throw at neural network technology, which is itself an extremely flexible but inefficient technology. For example, it's possible to train a neural network that has just a handful of neurons to perform a simple binary adder function, but the same thing can be done far more efficiently with a couple of logical NAND gates. The thing that makes the handful of neurons potentially more interesting is that the same network could be trained to perform other simple functions. But the fundamental problem remains that any simple function that a neural network could be trained to do could be reduced to a far more efficient couple of NAND gates.
So here's what I think will eventually emerge someday, and I have no idea whatsoever when that might be. My hunch is that, just as with the handful of neurons that can be trained to perform simple logic functions, we're going to eventually discover that there is a far simpler way to solve the same AI implementation problems much more efficiently than we're currently solving them by throwing massive scale of inefficient neural networks at the problem. I have no idea what that solution might be, but the intriguing thing here is that cognitive science researchers now have a crude sort of brain that does manage to store a useful amount of knowledge and is able to use that knowledge to solve novel problems and, I suspect before long, to invent newly true things, I mean, you know, to truly invent new things. People are already beginning to ask, looking at these networks, exactly how it does this, because, believe it or not, that remains a mystery. What is no mystery is what transpires here every Tuesday, as it will next Tuesday and for many more Tuesdays to come.
2:34:09 - Leo Laporte
You know I like your idea that it might be not simply throwing more power at the existing structures, but finding a new structure that might be more efficient. I sent you a link. There is an article that came out five years ago by this guy who is a well-known researcher in reinforcement learning and AI, and he actually had an insight. It's kind of funny. He had an insight back in 2019. He calls it the bitter lesson.
He says the biggest lesson that can be read from 70 years of AI research is that the best way to make AI better is to just give it more power, because of Moore's law. That's what we're seeing. Yep, uh, it's, it's more power. So he says the other, the second general lesson, is the actual contents of minds, our own minds, right, are tremendously, irredeemably complex. So let's stop trying to find simple ways to think about the contents of minds. That's probably the wrong thing to try to do, to duplicate the human mind. We want AI agents that can discover like we can, can learn like we can, so that we don't have to reproduce the complexity of our own minds.
2:35:27 - Steve Gibson
We can let them learn, yeah that's really what happened is, you know, neural networks are interesting because they're self-organizing and when you train a multilevel neural network that has like three or four layers of interconnected neurons to do image recognition, it turns out you're able to do it, it's able pretty easily to recognize handwriting, and that works when you give it a whole bunch of samples. But then you look at how it's doing it, like what do the individual layers of neurons hold? We have no idea. And it looks like noise, it's just junk and it's like you know how is it doing this and we don't know. And believe me, leo, when you're talking about even ChatGPT-3, that is now a comparatively simple old technology from og 90 days ago, um and 175 billion neurons.
We have no idea. You know it comes out and we it's like whoa, look at that, it works we don't know what's going on in there.
2:36:40 - Leo Laporte
No, it's a black box. Uh, I'm very excited. I do think that I mean, you know, look, sam Altman's a great marketer and a great showman, but I do think that he has something that we're going to see in the next few months that is probably as close to AGI as we need to get.
2:37:03 - Steve Gibson
Yes, yes. I think that's absolutely right. I'm worried about what it's going to cost, because I probably want to use it and it looks like it's going to be expensive. There's like a pro version of.
2:37:15 - Leo Laporte
o1. 200 bucks. He says they're losing money on the pro version at 200 bucks a month because people are using it so much. Yeah.
Let's hope they can make it up in quantity I, yeah, I have a friend who works in the, in the business, who took me aside some months ago and said the next decade is going to look very weird, it, everything. It just is what you said it's moving, so it's faster than anything we've ever seen, yeah, and that the, the developments that are going to happen over the next few years even are mind-bending.
2:37:48 - Steve Gibson
Yes, I would advise anyone listening. When anyone asks them what they think about AI, they can say well, I'll tell you what I thought last month. Yeah, Because I'm not kidding you, it is a shockingly fast-moving target, and the reason is it turns out there was an infrastructure ready to scale.
2:38:08 - Leo Laporte
Yes, there was infrastructure waiting for AI, and then, yes, and Moore's Law has scaled it so fast. So, just so you feel reassured, you do not have to become the AI show. At this point, uh, we're, I'm probably going to rechristen This Week in Google to This Week in Intelligent Machines, because I think that's really the most interesting development for this year and the years to come. And, uh, Google has become less and less interesting as a single company, but what's happening in all of those companies is more interesting.
2:38:46 - Steve Gibson
Well, that's good, because that's also this week in IM.
2:38:52 - Leo Laporte
Yeah, I like it, right. TWiM. Intelligent Machines, I thought, was better than AI.
2:38:58 - Steve Gibson
Tell me about Elon, because I'm not up to speed on his recent.
2:39:03 - Leo Laporte
It's hard to know what his reasoning is, but he has sued OpenAI now because he says, you know, our original concept, and it's true, he was a founding member, was it to be open? Was it to be open, that he said in the beginning no company should control artificial intelligence? And so he's suing them because they want to eliminate their non-profit status and they're converting to a fully for-profit, although it might be a public benefit corporation. Um, nevertheless, Elon's right on the surface that it shouldn't be controlled by any big company. You might say, if you were cynical, that he's really just trying to slow OpenAI down so his own corporate commercial for-profit AI, Grok, can catch up. I think that might be closer to the truth. You never know with Elon, but I think on the surface he's right. No big company should be in control of this.
This needs to be something we all use, and it saddens me when I hear a scientist because of an NDA, say, say, oh, I can't tell you what I'm doing yeah, you probably heard that.
2:40:09 - Steve Gibson
Uh, there was a paper out of China also, where they've, they believe, they figured out how o3 works, even though OpenAI is not saying. Yeah, that's.
2:40:19 - Leo Laporte
The good news is that this is such a game changer that I think every country, every scientist, everybody's working on this and, uh, it's going to be a very interesting time we're in. I don't know if it's going to be a good time, but it's going to be interesting. Yeah, well, as I said, I got into this because I started using it as sort of a super internet search engine.
2:40:42 - Steve Gibson
Right and uh, it's good for that. It is very useful. You absolutely have to check its work because it does.
2:40:49 - Leo Laporte
You know, I, I, I, I, the best ones give you references that you can follow back. Yeah, that's why I use Perplexity AI for my search research and it's always very good about. First of all, it's very up to date, unlike some of the older models. Its training continues. Well, and I did ask, uh, I think it was 4-0.
2:41:10 - Steve Gibson
Uh, because I asked something that it didn't seem right and I said when? When were you? When did your training?
2:41:17 - Leo Laporte
stop.
2:41:17 - Steve Gibson
And it said, I stopped in October of 2023. Yeah, so I was like, oh, okay. Well, then you don't know what I'm asking you. Exactly, exactly, so.
2:41:26 - Leo Laporte
OpenAI does have a GPT that is connected to the internet, but Perplexity's, I think, is the best. It's not only a very good model, but it's up to date.
2:41:34 - Steve Gibson
I'm hearing that Claude is also very good for code stuff.
2:41:39 - Leo Laporte
Yeah, Claude has a search tool. I do think this is going to replace search. I have stopped using traditional search entirely.
2:41:47 - Steve Gibson
Yeah, and you have to know that's where Google is putting so much of their effort.
2:41:51 - Leo Laporte
They seem a little behind. Anyway, it's going to be a very, very interesting time, shall we say, and while I want you to continue to cover AI to whatever extent you wish, just be reassured AI is absolutely the focus of a number of our shows and especially, I think, This Week in Google is going to become more of an,
it already is a lot about it, and no one better than Jeff to, uh, to steer the ship. Well, I'll put my two cents in too, and one of the things we're going to do as we transform that show is to bring in experts, because we need expert information. Neat. Yeah, I think that's going to be very fun. Well, I appreciate, Steve. You're an expert by virtue of your deep knowledge and continuing your research, and we're so glad to have you on the network.
2:42:40 - Steve Gibson
Satisfy my curiosity. For now I have a sense for what's been going on. Yeah, and back to security. Next week we got a lot of feedback from our listeners that I'll be sharing. And onward into 2025.
2:42:53 - Leo Laporte
Yeah, and, by the way, if you want the links that Steve was talking about, his entire show notes are available on his website, GRC.com. You can also subscribe, because he has a mailing list that will send you the show notes ahead of time so you have an early look at them. But in order to do that, you need to go to GRC.com/email. It's a chance to register your email so you can give him feedback too. He won't accept email that isn't validated, uh, first, but while you're there, you'll see, and they're not checked by default.
So pay attention, there's two different newsletters. You can check those and get those at your preferred email address. You can also get copies of the show there. He has the normal 64 kilobit audio, but he also has a very abnormal 16 kilobit audio for the bandwidth impaired. He also has very useful transcriptions, written by Elaine Farris, from that 16 kilobit audio. She doesn't transcribe the hiss and the clicks, she just transcribes our words and does an excellent job. So show notes, 64 kilobit audio, 16 kilobit audio and transcripts all available at GRC.com. While you're there, pick up a copy of Steve's bread and butter. He buys lunch with SpinRite, the world's finest mass storage performance enhancer, maintenance utility and recovery utility. If you have mass storage, you really should have SpinRite 6.1, the current version. Go get it. GRC.com. Lots of other stuff, including soon, I think, the DNS Benchmark and the pro version.
2:44:26 - Steve Gibson
Working on a new toy for people.
2:44:28 - Leo Laporte
I'll subscribe the minute it's available. I'm very excited about that. Lots of free stuff too. Check it out. GRC.com.
We have a copy of the show at our website, twit.tv/sn for Security Now. Once you get there, you'll see a link to the YouTube channel that has every video of Security Now. That's useful if you want to share a clip. If you have a friend who's got an interest in AI, for instance, you could share just that portion of the show. YouTube makes that very easy, and I encourage you to do that, because not only does that help your friend, it spreads the word, and I think more people should subscribe to this show. I think this should be required listening all over the world. So use that YouTube for that. Best thing, though, if you do listen to the show on a regular basis, subscribe. You can do it in any podcast client and automatically get it as soon as we're done with it. If you want the very freshest version, you can even watch us do this live. We record Security Now right after MacBreak Weekly on Tuesdays, usually about 1:30 to 2 pm Pacific, 5 pm Eastern, 2200 UTC. The streams, there are eight of them. Our club members get the access behind the velvet rope in our Club TWiT Discord, but there's also YouTube, Twitch, TikTok, X.com, LinkedIn, Facebook and Kick, so eight different ways you can watch. If you watch live, you'll be getting the very freshest version, but you probably still want to subscribe so that you have a copy for later delectation. See, you have a wonderful week and I will see... what are you reading now? Are you... you're done with the Peter Hamilton, I know?
2:46:03 - Steve Gibson
I am and I miss it now. I was grumbling, I was complaining that it was endless and I would never get through it. I was like, oh, okay.
2:46:12 - Leo Laporte
How long am I going to have to wait? You develop an affinity for the characters and for the scene and you want to know what's going on. Yeah, yeah.
2:46:20 - Steve Gibson
It did get me, but you know, if it's a couple of years, then I'll reread it, like John did, immediately Right, and then plow into number two.
2:46:33 - Leo Laporte
Jammer B is in our Discord chat and he says "told ya." Yeah, we will see you next week, Steve, on Security Now.
2:46:39 - Steve Gibson
Thanks, buddy Till then.
2:46:45 - Leo Laporte
Bye.