
Security Now 1018 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show


0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. He'll talk about a bug Microsoft has known about for years, refuses to correct, and is now being used by 11, count them, 11 hacker organizations. A very disturbing remote takeover of Apache Tomcat servers, something you're going to want to patch right away. He's going to talk about the Signal breach, the Department of Defense use of Signal and why that's an unsafe thing to do. And then, finally, if you weren't worried about the future already, stay tuned, because Steve's going to be talking about the threat that post-quantum cryptography poses to everything. You know, it's all coming up next, a big one, on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1018, recorded Tuesday, March 25th, 2025: The Quantum Threat. It's time for Security Now, the show where we cover the latest security news, privacy information, with a little dollop of sci-fi and stuff like that thrown in, with this guy right here, Mr. Steve Gibson, the man of the hour. Hi, Steve, and hopefully some fun.

0:01:26 - Steve Gibson
One of the things that I often hear from our listeners in feedback is that they find this entertaining. It is entertaining, it's a strange crowd we have.

0:01:36 - Leo Laporte
If you're a nerd, if you're into this stuff, it's the best thing ever, right? It's better than sliced bread. I mean, this is, you know, this is the good stuff. I know many people consider this the best show on the network and wait all week long for Steve to show up on Tuesday.

0:01:55 - Steve Gibson
So we're glad we're back again for episode 1018, and whenever I tell my neighbors... my neighbors sort of have this vague sense that I do something with a podcast. And so when Lori and I encounter them out walking, they go, "Still doing that podcast?" I said, "Yep, I just did number 1,070." And they go, "1,017? What?"

0:02:16 - Leo Laporte
That's right.

0:02:18 - Steve Gibson
You're a madman, Steve. Congratulations. Well, we've got a neat episode this week. I titled this one The Quantum Threat. I ran across a really nice piece of, sort of a where-the-industry-is update from Hewlett Packard's security people, which just perfectly contextualizes the status now, and I found that after I had absorbed it I thought, okay, there's so much good stuff here, this needs to get shared. So that's going to be where we wrap things this week. But first we're going to talk about the dangers of doing things you don't understand. Espressif, you know, the Chinese producer of the ESP32, the most popular IoT processor, they've responded to those claims of that Bluetooth backdoor, which we decided wasn't.

We've got a widely leveraged mistake, which we talked about last summer, but Microsoft stubbornly refuses to correct, even though it's like, I can't remember now, 14 different threat groups are all using it now. It's like, come on, Microsoft. A disturbingly simple remote takeover of Apache Tomcat servers, like all Apache Tomcat servers. There's also a 10 out of 10 vulnerability affecting some ASUS, ASRock and HPE motherboards. Google has snapped up...

0:04:05 - Leo Laporte
Do they call that, by the way, "ass rock"? No, well, "as rock" or "ASRock". You're right, there are...

0:04:11 - Steve Gibson
There are not two S's, so I guess it is. It's not a great name, if that's what they... although I did rename those other routers, the MikroTik routers. Oh, the MikroTiks. Yes, the MikroTik router.

0:04:25 - Leo Laporte
Yeah, that sounds really bad.

0:04:26 - Steve Gibson
It's like, oh, I think that's "microtic", you better have that removed. So we also... oh, I was saying that Google snapped up another cloud security firm, but they did pay a price for doing so. We have RCS messaging soon to be getting full end-to-end encryption, and it was done right. We're going to talk about that.

Also, how did an AI crypto chatbot lose $105,000? And what is an AI crypto chatbot? Yeah, it's like, what? We're going to note that it looks like Oracle may be taking over stewardship of TikTok in order to keep it in country. And whoops, 23andMe is sinking. You may not want to let them take your genetic data with them on their way out. And because the news broke after I put all of this together, which was actually early yesterday afternoon, we need to talk about the only cyber thing that anybody is talking about at the moment, which is this mistake that the White House, I guess the cabinet members, made of using Signal to discuss very privacy-sensitive, national-security-sensitive war plans. So that's not in the show notes, but we should open with that after we look at our Picture of the Week.

0:06:25 - Leo Laporte
Yep, I have the picture here. I am ready to scroll up at your command. We'll do that and get into the meat of the matter in just a bit, but first a word from our sponsor. Happy to say they have just re-signed for 2025, the great folks at Zscaler. They are the leader in cloud security because they do something that really works for your security. Over the past few years, enterprises have spent billions of dollars on perimeter defenses, on firewalls and, of course, VPNs, so people can get through the firewall and get to work. Has that solved the security issues? No, obviously. If you listen to the show, you know breaches are going up: an 18% year-over-year increase in ransomware attacks last year alone. I think it's going to be even more this year. A $75 million record payout in 2024. And that's just the tip of the iceberg.

The problem is that traditional security tools, perimeter defenses and VPNs, expand your attack surface. They give you public-facing IPs that are easily exploited by bad actors, especially now that they're using AI tools to hammer away. Also, the real problem is, once somebody penetrates the perimeter defenses, the firewalls, it's presumed, oh, they're an employee, they're in, that's okay, let them do whatever they want. Which means you've enabled lateral movement. Users are connected to the entire network. If that user is not a good guy but a bad guy, they can find embarrassing material, customer information, emails, and then exfiltrate it using encrypted traffic, which the VPNs and the firewalls struggle to see. So you've got a porous situation. It's just not good. I mean, the bottom line is hackers are exploiting traditional security infrastructure. They're doing it with AI. They're outpacing your defenses. We got to rethink security. Can't let these people win. They're innovating faster than we are. They're exploiting our defenses.

That's why you should turn to Zscaler Zero Trust plus AI. How does it work? Well, first of all, Zscaler hides your attack surface, making your apps and IPs invisible. Bad guys can't attack what they can't see, right? Also, it doesn't make any assumptions about anybody on the inside. It eliminates lateral movement because users can only connect to the specific apps they're authorized to use, not the entire network, and it continuously verifies every request based on identity and context. It simplifies your job with AI-powered automation and it uses AI to detect threats. You know, right now Zscaler is handling over half a trillion, with a T, daily transactions. Now, of course, the vast majority of them are legit, but there are threats, little needles in that giant haystack. They're using AI to scan it and find it so they can stop those threats before they happen. Bottom line: hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust plus AI. You can learn more at zscaler.com/security. Please use that address, that way they'll know you saw it here. zscaler.com/security.

0:09:48 - Steve Gibson
We thank them so much for supporting the very important work Mr. Gibson does here on Security Now. Well, I will say that a lot of our listeners have said that the podcast has made a huge difference to their lives and their careers.

0:10:02 - Leo Laporte
And nice, and so I would agree with that. It's made a big difference to my life and career, actually, to be frank. I appreciate the feedback.

0:10:12 - Steve Gibson
Okay, so I gave this one the caption "Once seen, never forgotten", because this is just... I

I love human cleverness. Wow, that's clever. I don't know who could look at 3.14... This was, of course, on the radar because we just had March 14th a couple weeks ago, and who could look at 3.14 and realize that if it were in the mirror and you tweaked the shape of the numerals a little bit, the mirror image is P-I-E. That's just brilliant. That's cute. That's very cute. Again, once seen, never forgotten. I actually had a really, really good Picture of the Week, and I thought, oh, I just... okay, this one's timely.

0:11:05 - Leo Laporte
You have to do this. Yes, exactly, because we're...

0:11:08 - Steve Gibson
It's gonna be April Fools' Day next time we're doing a podcast, and you never know what can happen there. That'll be fun. Okay.

So, and I've said many times that when someone screws up, an employee makes a mistake, I know that some people's reaction is to say, "You're out of here, you're fired," to coin a phrase. I guess I've taken a more tempered approach and thought, okay, well, if a lesson has been learned, if the employee who made a mistake, an honest mistake, who didn't intend to do what they did, learned from it, then you've got a better employee after that than you had before. So are you going to, you know, can a better employee? You know, some other employer is going to get him, and he will have learned the lesson at your expense, and the other employer gets the benefit. So for that reason, I'm glad that what happened yesterday, I guess it was, happened. And I'm not glad because it's egg on the Trump administration and cabinet's face; that doesn't do anybody any good. So it's an important lesson for this new group of cabinet officials and people who are in charge of the nation's security to learn.

We on this podcast, more than anywhere else, know that our phones are not secure. It doesn't matter that Signal is secure; we know it is. In fact, I'll be talking about it a little bit later, and the ratchet protocol, which we talked about a long time ago when it was called TextSecure. We know Signal is state-of-the-art security. We also know that Pegasus and many other types of malware are arranged to get themselves installed in people's smartphones specifically so that if they do something like this, foreign intelligence agencies will obtain that information. A mistake was found because a journalist was inadvertently included in a multi-way Signal conversation where the details of war planning by the US were being shared using Signal and people's smartphones. And that's just not secure. And I'm watching the press coverage and people are saying, well, Signal is secure. It's like, yes, but we know that you get the data after it's decrypted and displayed on the screen, and while it's being typed in before it is encrypted, it's unencrypted on your device.

Yes, and that's the key. And these smartphones, we absolutely know, cannot be trusted, and there's been lots of dialogue. That's why there are SCIFs, that's why people have to leave their smartphones at the door and come in without them, and so on and so on. So anyway, my take is that this mistake will not get made again, and that there was, without question, a cavalier, too casual, but probably due to just a lack of understanding, lack of appreciation... You know, these are people who are not in the administration, haven't been historically. In fact, that's why they're here, right? Because the US voted for the return of Donald Trump and he was going to bring his own people that he felt comfortable with, who were not part of the so-called deep state. So this is what you get, is you need to learn some lessons. This was an important lesson, and I'm sure everybody involved has learned it. I'm sure we're not going to have more, you know, national security conferences being held on random smartphones any longer. So, and better that happened now, like soon, and now for the rest of this administration, I'm sure this won't happen again. So, you know, again, I don't tend to fire employees when they make mistakes if they've learned a lesson and it was an honest mistake and it wasn't malicious. It certainly wasn't; it was just casual, and that can't happen. So I'm sure that message has been received across the administration. So, lesson learned. That's the way these things happen.

Okay, our first piece of news that I had, I said, "Don't try this at home, or anywhere else for that matter." I've touched on this before, but it's worth repeating. Auto dealerships were being abused in a supply chain attack from a compromised shared video service, which was, well, it was unique to dealerships. It's something that dealerships were using as, you know, an outsourced managed service provider that was providing these video services to them, who knows what for. But when active, the attack would present visitors to this dealership-hosted website with a webpage containing infected JavaScript. So when they visited this at any of over 100 dealerships, there was a chance that this specific malware JavaScript would load, containing malicious code. If it did, it would redirect the user to a page on a compromised host that prompted the user with something everybody is now seeing, right? It would show a dialog box with the big headline "Robot or human", and then it would say, "Check the box to confirm that you're human, thank you." And then the thing we've all seen, just a checkbox that alleges "I'm not a robot", and the little reCAPTCHA logo. And, you know, who would not click it? We're having to do that now increasingly. In this case, however, of course, this is malicious. So this is not actually the reCAPTCHA single-click dialog. This is malicious JavaScript running.

So the next thing that would happen is unusual. That little "I'm not a robot" dialog would drop down, expanding with three additional verification steps. And here's where I said we've encountered this before, because we've talked about this before. The first verification step: press the Windows button, Windows plus R. Second step: press Control V. Third step: press Enter. Well, okay, listeners of this podcast understand that, you know, Windows plus R opens the Run dialog down at the lower left of your screen and gives it focus. Pressing Control V will then paste whatever the malicious script had placed onto the Windows clipboard, and it was able to do so when you clicked the "I'm not a robot" button. That wasn't actually "I'm not a robot". That was, yes, here's permission to paste onto my Windows clipboard. So now the string has been pasted into the Run field of the Run dialog, which will be executed when you follow step three and press Enter. So if the user performed these steps, a PowerShell script was executed on the user's machine that would download further payloads and ultimately install the remote access Trojan SectopRAT, a remote access Trojan, R-A-T.

And again, I've mentioned this before. I'm deliberately revisiting this because it's so diabolically clever, and I mean diabolical, and I believe that it perfectly captures a significant and fundamental problem that doesn't have any simple solution, and that's the human factor. I know that listeners of this podcast would not blindly follow these instructions, but we would all pause to consider what's going on here, which suggests we're like, wait, what? And then we're looking at it and go, oh, I'm not doing that. But the important point here is that tech-savvy PC users are in the clear minority. We, as the techies in our social groups, our families, the people that others come to, we hear their questions. We understand that many people, when presented with this, would go, oh, okay, I got you, you know, and like, one, two, three, followed the instructions. The vast majority of PC users have no idea what's going on at all and, as a consequence, instruction following has always been their way of life within the PC world. Leo, you had a radio show for decades and you were Mr. Instruction Giver, because people needed to follow instructions in order to solve their problems. The person could be a brain surgeon by training and education and experience, but that would still not prepare them for all of the many clever ways a PC user can be tricked into doing something self-destructive.

The great annoyance for me is that I cannot see a future where this is resolved. I don't know how we get out of this mess. The only thing I can see that might resolve this, and I'm actually not kidding, would be an entirely different user interface experience with our PCs. Meaning there isn't a Run dialog, there isn't a copying from the clipboard and pasting into it and pressing Enter. Those things go away. Imagine an entirely different user experience for our personal computing environment where active AI agents interface the user to their personal computation and communications devices. You know, it might sound far-fetched, but I was watching Leo before MacBreak Weekly talking to an AI, having a conversation with it back and forth.

0:23:17 - Leo Laporte
Yeah it was great yeah.

0:23:19 - Steve Gibson
I mean, it was like you could... and here was Alex talking about how he's using, was it, Vibe in order to...

0:23:27 - Leo Laporte
They call it Vibe coding, but it's I don't know what he was using. There's a variety of tools.

0:23:32 - Steve Gibson
Oh, so Vibe is a generic term for, like, it's sort of the way you read books, Leo, without actually doing any reading.

0:23:42 - Leo Laporte
I get it. Audio counts. Yeah, you're not typing code because you don't know how to code. You're telling the chatbot to code.

0:23:52 - Steve Gibson
You're giving it the vibe of the app, not the actual... I see. Yeah, we want something sort of like this. Yeah, yeah, on the corners. Yeah, yeah. So, as we know, the reason I think I'm kind of serious is, once upon a time, let's go back in time, all interaction with computers was via, I mean all, a teletype, which had a clunky, clankety keyboard and it typed text onto a wide roll, a continuous roll of paper.

A big jump was to the textual video display screen, which was faster and quieter, and then, for a long time, that's all we had, that's all there was. And then the next big change was to a graphical display which we interface to not only with that same keyboard, which was now quieter... In the way humans interact with computers, I think we're on the cusp of another one, and so I could see where one way of taking the human out of the execution loop, which hurts them as much as it helps them, is for there to be an AI agent, a Dave saying, "I'm afraid I can't do that."

0:25:32 - Leo Laporte
I guess that was HAL. HAL saying to Dave. This attack would not have worked on an iPad or a Chromebook. It works on Windows and it could probably work on Macintosh. I think we need both, Steve. I don't want to give up my capability to run arbitrary code on my computer. It's my computer, but there are a lot of people who shouldn't have that capability. They should probably be using a Chromebook or an iPad, and I think, yes, that's the theory.

0:26:01 - Steve Gibson
I completely agree, and again, I'm, you know, Windows 10, which is where I do anything.

0:26:07 - Leo Laporte
I'm... this whole notion of agency coming.

0:26:08 - Steve Gibson
That's overall a good thing. We got a lot of sharp edges and corners and things to polish off.

0:26:35 - Leo Laporte
I think it's just going to introduce more exploits. It's not going to get rid of them, is my personal feeling.

0:26:41 - Steve Gibson
Change them yes.

0:26:42 - Leo Laporte
Yeah, it's just going to be different. Then they'll take advantage of Dave.

0:26:47 - Steve Gibson
I would have a hard time arguing that, Leo. I think you're probably right.

Yeah, I think that is the case. Okay, Shanghai, China. Recently, Espressif just responded to the Spanish researchers' backdoor discovery. They wrote, quote: "Recently, some media have reported on a press release initially calling out ESP32 chips for having a 'backdoor'." They used air quotes. "Espressif would like to take this opportunity to clarify this matter for our users and partners. Of note is that the original press release by the Tarlogic research team was factually corrected to remove the backdoor designation. However, not all media coverage has been amended to reflect this change."

So they said what was found, the functionality found, are debug commands included for testing purposes. And that's entirely feasible. By the way, I didn't suggest that when we talked about this, but yes, that makes absolute sense that you would want to verify that the host controller interface, for example, is able to read and write to main memory, as it must for DMA, direct memory access, to function. So the way to do that: have some undocumented commands that cause it to do so and then check to see whether main memory has been altered as those commands requested, in order to verify. So it fits perfectly. They said these debug commands are part of Espressif's implementation of the HCI, host controller interface, protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers. Please read our technical blog to learn more.

But they said they had five key clarification points. First, internal debug commands. These commands are meant for use by developers and are not accessible remotely, which is the main point we made when we talked about this. They said having such private commands is not an uncommon practice. Two, no remote access. They cannot be triggered by Bluetooth radio signals or over the internet, meaning they do not pose a risk of remote compromise of ESP32 devices. Third, security impact. While these debug commands exist, they cannot by themselves pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands, which, that's news, okay.

Fourth, scope. If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE, you know, Bluetooth Low Energy, host, the aforementioned HCI commands are not exposed and there is no security threat. And finally, number five, affected chipsets. These commands are present in the ESP32 chips only and are not present in any of the ESP32-C, -S and -H series of chips. So they finished with their commitment, stating, just like to put everyone's mind at rest, like saying, we want to know if we make any mistakes. We don't know the backstory there. So, okay, Espressif said,

"Espressif also extends its gratitude to the security research community for promptly clarifying that the disclosure does not constitute a backdoor. Their responsible disclosures and continued support have been invaluable in helping users accurately assess the security implications and maintain the integrity of their connected devices." And understand, this was initially, right, like a big black mark. And oh, China, you know. So it's good that a lot of the community said, oh, wait a minute. At the same time, they finish: "We recommend that users rely on official firmware and regularly update it to ensure their products receive the latest security patches. Should you have any questions, please do feel free to contact Espressif's official support channels."

So, you know, as we know, this is exactly what we concluded from an examination of the location and nature of these so-called backdoor commands. The key is that they were never externally accessible. They were simply commands for the internal native Bluetooth HCI controller. And boy, the idea that they would be for debugging the hardware when, like, during initial QA, you want to make sure that the controller is working, that it's able to do these things, so totally makes sense. And also for doing things like setting the MAC address. Could you use it for spoofing? Ooh, yes, but you can always change the MAC address of this stuff. So fine, not a big problem. And besides, you can't do it remotely, you have to deliberately do it on the chip using those commands. So that wasn't a problem. Here's something that is. Eleven advanced persistent threat groups are known to be abusing a Windows zero-day.

0:33:48 - Leo Laporte
Oh man.

0:33:48 - Steve Gibson
Eleven, eleven. We know them by name. But because what they're doing is not technically leveraging a flaw in Windows, so far, although this was reported to Microsoft by Trend Micro's ZDI, their Zero Day Initiative, six months ago, last September, Microsoft has declined to address the issue. It's like, it's what it's supposed to do. It's like, but Microsoft, it's bad. We talked about this at the time because it was, you know, it was just a head shaker that in 2024, let alone still today in 2025, Leo, Windows LNK link files are still being exploited. And, what's more, despite the fact that the exploitation of this single zero-day vulnerability goes back eight years, Microsoft says no fixie.

The 11 APT groups operate out of North Korea, Iran, Russia and China. So, you know, the good guys. None who have recently been behaving as friends of the West. They've all used this zero-day to hide their malicious instructions in LNK files sent to targets, and Trend Micro has discovered nearly 1,000 malicious LNK files which are abusing the technique. Microsoft's response is that it's all working just the way they want it to. As I said, we covered this before. Recall that there was, and unfortunately still is, a way to format the fields of the link file to essentially whitespace-pad the actual content of the link field, the target field, so far off to the right that none of it shows up where the user goes to examine the link file's properties. So if you right-click and do Properties to look at the link file, you don't see anything in the target field. The user won't see that they're going to run evil-malware-downloader.exe when they click the link. I have a link to Trend Micro's fully detailed report in the show notes for anyone who's interested.

The high-priority takeaway for our listeners is to never click any link that has an apparently empty target field, because the target field cannot be empty. That field must be non-empty for the link to have any effect. That's the field that tells it what to do. So it makes no sense for the target to ever be blank. You know, never make the mistake of assuming that a blank field means the entire link is benign just because there's nothing obviously nefarious about it. You know, it's just heavily space-padded in order to move the bad news out where you can't see it. And in fact, I think I recall that there was also an exploit where what you would see looked deliberately benign, because that was just the left-hand portion of a much longer thing which had a bazillion spaces in it, and then the actual bad news. So it's even possible to spoof what is in that.

I mean, Microsoft, as we've seen from time to time, there are some design corners that you can get yourself painted into which just don't have good solutions. And so here's Microsoft, basically committed to supporting, you know, link files. They can't take them out now. It would break all kinds of stuff in Windows, so they're stuck with it. But it was a bad idea back when it was added to Windows 1.0, and it's not gotten any better since. But, Leo, half an hour in, I think we should talk about what has gotten better since. Oh, okay, I think we could do that.

And then we can look at the trouble that Apache Tomcat servers are in. Oh, please.

0:38:43 - Leo Laporte
Oh, that's bad news. There's got to be some reason for LNK files, right?

0:38:48 - Steve Gibson
I mean, people share LNKs, or something. Oh, they're handy. My desktop is covered with them.

0:38:52 - Leo Laporte
Well, there you go. Yeah, you can't get rid of them. No, Steve's desktop is covered with them. Can't.

0:38:58 - Steve Gibson
Actually, I haven't clicked on any of them in about 12 years, so I'm not really sure what they do.

0:39:03 - Leo Laporte
I'm thinking at this point you might not want to. That's hysterical. Yeah, yeah, those are the aliases, right? Yep, yep. I use them too. Maybe they should change how they work. That might be a better solution to that.

0:39:18 - Steve Gibson
Well, one wonders why Microsoft is just saying, no, we're not, we don't care. You've got literally... I saw some examples in this Trend Micro link. There are some that are 32K of spaces. How do you defend...

0:39:37 - Leo Laporte
that, Microsoft?

0:39:40 - Steve Gibson
How do you, yes, how do you defend having something that is obviously...

0:39:43 - Leo Laporte
makes no sense. Yeah, which is also being abused. Yes. Here's something that makes a little bit of sense, actually. People are doing something that does make no sense in the world of security. Our sponsor for this portion of Security Now is Legato Security. Would it make sense for you to put in a burglar alarm that didn't have any monitoring? So if you're gone for the weekend and somebody breaks into your house, no one knows. The alarm knows, but nobody's paying attention. Well, what doesn't make sense to me is there are a lot of security folks who have all of the defenses and all the alarms, but then they go home for the weekend and nobody's keeping an eye on things. I understand why, it's expensive, but no business should be their own burglar alarm, and that applies to cybersecurity too. Legato Security is great for the smaller, mid-sized business that doesn't want to have a security operations center monitoring everything. They'll do it for you. Legato Security provides the same standard of security controls the big guys use, that large enterprises use, without the cost of building your own internal security operations center. It's a recognized leader by CRN, by MSSP Alert in 2024.

Legato Security transforms how businesses approach cybersecurity. Now, first of all, you're going to say, well, I don't want to put in all new stuff. No, it's a technology-agnostic MSSP platform, managed security service provider platform. It provides your business with a custom suite of security solutions tailored to your needs. You can continue to use exactly what you like. It integrates seamlessly with your existing tools, so you don't have to do a big infrastructure overhaul. What you're adding is a security operations platform on top of it. They call it Ensemble, and it delivers consolidated, prioritized and actionable alerts in real time via a comprehensive single pane. That's nice too, because if you have it in multiple pages, multiple locations, it's hard to know what's really going on. This is a single pane of security.

You know hackers don't take holidays. Remember that story we had where the malicious Chrome extensions were pushed on Christmas Eve because they knew nobody would be around for a few days and they could run untrammeled, unhampered. Hackers don't take holidays. In fact, they actually actively attack you when they know you're off the clock. You need Legato Security's 100% US-based team, all in the US. They provide proactive threat detection. They also do triage and remediation, so if something happens, they can help you fix it, 24/7, 365 days a year. You should go look at the website, because they have this beautiful, purpose-built SOC, Security Operations Center.

Your team can focus elsewhere. You know what? Wouldn't you like to be able to clock out, go home for the weekend and not have to worry? From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses, so leaders can focus on growth and you can focus on having a beer out by the swimming pool.

A recent customer says, quote, "Legato Security is the only supplier that has delivered everything they said they would, and we didn't have to drive them. They just get it done." In fact, what I love about Legato Security is they won't call you and say you've got a problem. They'll call you and say you had a problem, we fixed it. Wouldn't you like that? IT and security professionals, just remember this.

Legato Security's MSSP team is here to augment your team, not replace them. They're the professionals you want on your team to back up your cybersecurity forces and fortify your proactive defenses every hour of every day in the year, 24/7, 365. It's not enough just to have security tools. You know this. You've got to have the expertise to back it up. See if your defenses are as strong as you think.

Legato's got a great free risk assessment at their website, legatosecurity.com. You can just go through this checklist and see where you might have a problem. Visit legatosecurity.com. That's free, just to give you a sense of where Legato can really help out. Find out what they can do to help you regain control and enjoy your weekends like you used to. Legatosecurity.com. The bad guys aren't taking time off, but you get to. LegatoSecurity.com. I talked to these guys, had a great conversation with them a couple of months, maybe the last month, I guess, not so long ago, and I was so impressed with what they're doing. LegatoSecurity.com. Thank you, Legato, for supporting the important work Steve's doing here. On we go with the show, Steve.

0:44:51 - Steve Gibson
Okay. So the API security firm Wallarm, W-A-L-L-A-R-M, posted an announcement last week titled "One PUT Request to Own Tomcat," and they said CVE-2025-24813 RCE is in the wild. They wrote: A devastating new remote code execution vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over. Oh Leo, it's so bad.

To take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user, ic857, is already available online. Okay, so here's what we know. This newly disclosed attack leverages Tomcat's default session persistence mechanism, along with its support for partial PUT requests. Tomcat is Apache's Java web application server that provides a pure Java HTTP web server environment in which Java code can run. This new exploit works within this environment and requires just two simple steps. One of the reasons this is so bad is it is so easy to do.

First, the attacker starts by sending a PUT request to upload a... I should explain. HTTP has, in its base original definition, a number of verbs. There's GET, which is the most commonly used verb ever, which just gets content, gets HTML content from the server. So the client says GET and then provides the path to what page should be gotten, and then receives it. POST is another common one, where the client is sending some data back. That's what typical forms use. They use POSTs in order to send data back to the server. Another one is HEAD, which says just give me the headers of the page so I can see if it's changed recently, how big it's going to be. You know, I don't want the whole page, I just want the headers. And then, similarly, a final verb, although there's a bunch of others, is PUT, which says here is a file that I want you, HTTP server, to accept from me.

So the attacker starts by sending a PUT request to upload a malicious session file to the server. The payload of that PUT request is a base64-encoded ysoserial gadget chain that's designed to trigger remote code execution when it's deserialized. You know, like we've talked about serialization and deserialization, deserialization being the interpretation phase. This initial PUT request writes a file inside Tomcat's session storage directory, where it stores session state, automatically saving session data in files. The malicious payload is now stored on disk, just like any other valid session would be, waiting to be deserialized. So the first step essentially causes the Apache Tomcat server to upload and store the attacker's Java attack file in total, in whole. Then, with the session file uploaded, the attacker simply triggers deserialization. That is, the resumption of what Tomcat believes is a stored and saved session, which it has every reason to trust, because it thinks, well, I create the session files, right? I'm the one who made these. So now I'm going to reconstitute this previously stored session.

The attacker triggers the deserialization of that file by sending a simple GET request providing a JSESSIONID cookie which points to the malicious session. So literally two commands, two simple, well-documented, well-understood, out in the public domain now, with proofs of concept floating around, and it happens. Seeing that session ID, Tomcat dutifully retrieves the stored file, deserializes it and executes the embedded Java code, which typically grants full remote access to the attacker. So this is about as horrible a remote attack as you get, because it's dead simple to execute, requires no authentication and very little imagination, even no technical expertise. Lots of proofs of concept are out there. The only technical requirement is that the Tomcat server is using file-based session storage, which is common in many deployments. Also, the use of base64 encoding allows the exploit to bypass traditional security filters, making detection somewhat more challenging. And, of course, before you can detect it, you need to know to look for it in the first place.

Wallarm detected the first attack in the early afternoon of March 12th, Central Standard Time, originating from Poland, a few days before the first public exploit was released on GitHub. For anyone who's curious and interested, I've got the GitHub posting from this person who tweeted it, iC857, with the proof of concept, ready to run. The Wallarm folks caution about the future, writing: While this exploit abuses session storage, the bigger issue is uploading malicious JSP files, modifying configurations and planting backdoors outside of session storage. They said this is just the first wave.

The reality is that reactive security, waiting for CVEs, adding web application firewall rules and hoping logs will catch threats, will always be a losing game. CVE-2025-24813 went from disclosure to public exploit in just 30 hours. So a day plus six hours and, whang, now it's happening. It's not the first time that this has happened, and I'll just note that 30 hours is not time enough for Apache's Tomcat team to get up to speed and patch, let alone test and deploy what is a critical update, to say nothing of having those updates deployed and actually getting servers patched. I mean, this is just too quick to turn around and, of course, that's what we're seeing now. Right, we've talked about this before. There's a race for exploitation to occur before patches can be deployed.

0:53:24 - Leo Laporte
It feels like maybe the disclosure was either too complete, like it gave people too much information, or maybe they should have done it in private first. Well, it wasn't.

0:53:35 - Steve Gibson
It was certainly not a responsible disclosure. This just was posted on a Chinese forum. Yeah, that's right. Okay, and so this, yeah, this wasn't a security...

0:53:43 - Leo Laporte
No way was this responsible.

0:53:45 - Steve Gibson
Yeah, and we can't always count on that, right? It'd be nice if we could.

But not everybody says, hey, I need brownie points here, please. You know, this was some Chinese person, or at least a person posting over on a Chinese forum, saying look what I found. Everybody, give this a shot, see if it works. And lo and behold, they did. Ouch. Wow. Yeah, NIST's National Vulnerability Database concurs about the severity of this CVE, assigning it the maximum CVSS severity rating of 9.8 and formally labeling it critical.

Now there's a little bit of good news here. The global inventory of these Apache Tomcat servers appears to be somewhere just short of about 19,000 installations, so it's not 19 million. That's good, you know. It's not a huge amount of global exposure, but on the other hand, they're likely to be running within enterprises that would qualify as prime targets. For an enterprise to be running, you know, a Java application server, it's probably a more substantial organization. So our takeaway here is, you know, the refrain that, yes, security is difficult and features will almost always come back to bite you in the butt, no matter how you pronounce the ASRock server.

0:55:21 - Leo Laporte
I think we've decided it's ASRock now. ASRock, yes. Good. Not ASRock, okay.

0:55:29 - Steve Gibson
Not.

0:55:29 - Leo Laporte
ASRock.

0:55:30 - Steve Gibson
Let's be clear. Before we leave the topic of really bad remotely exploitable vulnerabilities, I should mention that the firmware security company Eclypsium discovered a remotely exploitable vulnerability in AMI MegaRAC Baseboard Management Controllers. You know, BMCs. Those are the sort of pre-boot firmware which allows remote management of servers over the Internet. Typically, you have a reserved NIC, a network interface, you know, and an Ethernet connection to allow you to manage that server remotely. Well, they found a problem. The vulnerability, which is being tracked as CVE-2024-54085, received a 10 out of 10 severity score. The reason for the maximum score is that the vulnerability allows attackers to bypass authentication and access the baseboard management controller's remote management capabilities. In other words, you're certainly going to protect this. You sure don't want this thing exposed to the Internet. But over 1,000 devices with these MegaRAC interfaces are currently exposed on the Internet, with ASUS, ASRock. Say, hey, let's have some fun and bypass authentication, and then you're in. I mean, you can upload firmware, you can change the passwords, you can reboot the systems, you can get up to all kinds of mischief using the BMC port, and it's not something you ever want to have publicly exposed.

Google purchased Wiz. We've recently covered some news involving the good work of the cloud security startup Wiz and, due to the sound of its name, I felt the need to spell it: it's W-I-Z, as in wizard.

In case we talk about them in the future, and I imagine that we will be, I wanted to note for the record that they were just acquired by Google in what must have made their venture capital investors very happy, since, as I said, this was a startup and the acquisition was the largest cybersecurity-related acquisition ever. So, uh, you know, the size of Google doesn't appear to be shrinking. Google first attempted to purchase Wiz last year for the measly sum of $23 billion, but that deal fell through, and I imagine there was plenty of disappointment to go around. But Google came back again, this time closing the deal for $32 billion in cash. The deal will need to pass regulatory review, and that might be such smooth sailing at this point, but I have no real idea. Since I expect we'll be encountering them in the future, just as we do Mandiant, another one of Google's security acquisitions recently, I wanted to mention that. So they are now part of the Google juggernaut.

0:59:39 - Leo Laporte
Are they like Mandiant? Are they a security research firm? What is it that...

0:59:42 - Steve Gibson
They're a cloud security group. You know, they find things and report things and offer security services. Yeah, yeah. GSMA is the GSM Association, where GSM stands for Global System for Mobile, as in communications. Right? They made some news Friday. Actually it was the Friday before last, with their announcements.

Headline: "RCS Encryption: A Leap Towards Secure and Interoperable Messaging." So here's what Tom Van Pelt, the technical director of GSMA, posted. He said: In my last post, which was "RCS Now in iOS: A New Chapter for Mobile Messaging," I celebrated the integration of Rich Communication Services, RCS, with Apple's iOS 18, the culmination of years of collaboration across mobile operators, device manufacturers and technology providers, he wrote.

Today I am pleased to announce the next milestone: the availability of new GSMA specifications for RCS that include end-to-end encryption. Hallelujah, yes. Based on the Messaging Layer Security, MLS, protocol, he said. Most notably, the new specifications define how to apply MLS within the context of RCS. These procedures ensure that messages and other content, such as files, remain confidential and secure as they travel between clients. That means that RCS will be the first large-scale messaging service to support interoperable end-to-end encryption between client implementations from different providers. Together with other unique security features, such as SIM-based authentication, end-to-end encryption will provide RCS users with the highest level of privacy and security for stronger protection from scams, fraud and other security and privacy threats. These enhancements to support end-to-end encryption are the cornerstone of the new RCS Universal Profile release. In addition to end-to-end encryption, RCS Universal Profile 3 makes it easier for users to engage with businesses over RCS messaging through a richer deep link format, and includes additional, smaller enhancements such as improved codecs for audio messaging and easier management of subscriptions with business messaging senders. In addition, RCS continues to support a range of interoperable messaging functions between iOS and Android users, such as group messaging, the ability to share high-resolution media, and see read receipts and typing indicators.

He finishes: I would like to thank all of the contributors for their support in developing and finalizing these new specifications. They represent significant progress in enabling even more of a thriving RCS ecosystem built on the foundation of secure and private messaging for the benefit of end users worldwide. Okay, now I took a brief look at the 90-page specification and it looks like the right people have been involved. Among other things, I noted that the word "ratchet" appears 20 times in the document. We've discussed the use of ratchets for group messaging key distribution in the past, having first encountered the term when we discussed Moxie Marlinspike's Axolotl ratchet. Actually, it was a double ratchet, which he developed along with Trevor Perrin as part of the TextSecure project, which was later rebranded and expanded into what we now know today as the Signal protocol. I guess I would take issue with Tom's characterization of RCS's MLS as more secure and better and blah blah. It's not. It's at parity, but that means it's really, really, really secure.

Yeah, you know, it's all you need. You know, it's as good as it gets. It's state of the art.

1:04:41 - Leo Laporte
Good enough for the Department of Defense. It's good enough for me.

1:04:44 - Steve Gibson
That's right. It's good enough to discuss war planning. So the bottom line is that it appears that the cross-platform RCS multimedia secure messaging protocol that even Apple now supports as of iOS 18 will be obtaining strong, state-of-the-art end-to-end double-ratcheting, you know, Signal-style encryption, and it will be done correctly. So one has to wonder what the UK and the EU will have to say about that.

1:05:27 - Leo Laporte
A little bit of history. When RCS, the RCS spec, came out from the GSM Association, it had no encryption. Google decided encryption had to happen. So their implementation had Google encryption. But because that came from Google, Apple did not implement it. Apple said until there is a standard, we're not going to implement encryption. You know, Apple Messages has encryption but not RCS. So that was a problem, because Apple users using RCS might have thought, oh, it's encrypted, because it is if it's Google to Google, but not if it's Apple to Android. So this is a big, a very important improvement, and I do hope Apple moves quickly to implement it. Because then, I mean, that's the problem right now with SMS: it's not secure. Then we will have, on both Android and iOS, encrypted, secure messaging technologies, and that's a big, big improvement.

You're right, it's going to... the EU and the UK are going to hate it.

1:06:26 - Steve Gibson
Yes, they are. I mean they're going to have a fit, yeah.

1:06:30 - Leo Laporte
Because all your text messages will be suddenly encrypted.

1:06:33 - Steve Gibson
Yeah, I mean like well encrypted, where it's encryption done right a la Signal and Messenger and everything.

1:06:44 - Leo Laporte
Although again, and this is an important lesson that I do hope Pete Hegseth has learned, the fact that it's encrypted in flight does not mean that it's encrypted on your phone.

And, of course, I don't know what it'll be like with RCS, but when you use iCloud to back up your Signal messages, they're backed up in the clear. So you know, that's something you might want to consider as well. I don't know what they're going to do. I will read up on this. I'd be very curious what happens to it.

1:07:15 - Steve Gibson
Well, and I know, I have not ever really paid attention to what equipment our presidents receive, but I think they have special phones, don't they?

1:07:24 - Leo Laporte
I remember...

1:07:24 - Steve Gibson
Obama was bitching and moaning about...

1:07:27 - Leo Laporte
He had a BlackBerry and he really loved his BlackBerry, but he got elected president, and the first thing the Secret Service did is hand him a greatly modified Windows CE phone that Obama hated. He hated it, and he came on the Tonight Show bitching about it. But that was a long time ago. In 2016, when Trump was elected, when he took office in 2017, he very famously refused to hand over his iPhone. So it's my guess that they don't give him a Windows CE phone anymore, but that really does raise issues, because if you're using it to communicate super secret stuff, it's not super secret, especially with Pegasus out there and all these other ways, the Chinese hackers who are sitting in our phone system specifically listening to governmental interactions. This is...

1:08:22 - Steve Gibson
You should be in a SCIF. Well, and again, Leo, there's no way this lesson has not been learned. Well, I mean it. They only got caught.

1:08:31 - Leo Laporte
Remember, they got caught. That's the problem. They've probably been doing this all along. It is a violation of...

1:08:36 - Steve Gibson
That's why I'm glad. That's why I'm glad they got caught. But it is a violation.

1:08:41 - Leo Laporte
There are going to be hearings, because it's a violation of DoD regulations. I'd be really curious. DoD has its own secure messaging technology that they use and they, of course, have SCIFs. I'd be very curious. We probably won't be able to learn any details about it.

1:08:56 - Steve Gibson
I just think it was very convenient and they didn't understand that they have to have these kinds of communications under really controlled circumstances. Now they understand.

1:09:09 - Leo Laporte
I'm sure they were told that. Probably part of the briefing, the instruction manual that you...

1:09:18 - Steve Gibson
Maybe they slept through that part, I don't know. Let's take a break, and then we're going to answer the question: what world are we living in today?

1:09:31 - Leo Laporte
What timeline are we living in?

1:09:32 - Steve Gibson
I don't recognize some parts of this world.

1:09:34 - Leo Laporte
I know exactly what you mean. I can't wait to hear what you have to say about that. Steve and I are the old men shouting at the clouds why I oughta. Let's talk about our sponsor for this segment.

1:09:47 - Steve Gibson
Get off my Wi-Fi, my Wi-Fi, I'm using it.

1:09:53 - Leo Laporte
How dare you put a password on it? I was using your Wi-Fi. We've talked about this sponsor before, DeleteMe, and we have a very clear example of why, here at Twit, we use DeleteMe. I think every business, for at least its management, should have DeleteMe, because it protects you against the worst kind of spear phishing attacks.

Our CEO was impersonated by a bad guy who not only knew her name and her phone number, but the names of her direct reports and their phone numbers, and the problem is all of that information is easily found online. If you've ever searched for your name online, and I don't recommend this, you will not like how much of your personal information is just sitting there. And then, you know, all the sites say this: and for a buck fifty I could tell you its criminal record. They all say, give me a little more and I'll tell you more. That's why maintaining privacy has just become an urgent concern, not just for individuals, but for families, for businesses, and the good news is DeleteMe has plans for all of the above. With DeleteMe's family plans, you can ensure that everyone in your family feels safe online. Their enterprise plans help everybody in your company stay safe.

We immediately got DeleteMe for Lisa, our CEO. And the good news is, when Steve and I searched the big National Public Data breach, we found, Steve and I both found, our Social Security numbers in there. We did not find any information about Lisa, and that tells me that DeleteMe had been working. DeleteMe helps reduce risk from identity theft, from cybersecurity threats, from harassment, and it really works. DeleteMe's experts will go out, they will find and remove your information from the hundreds of data brokers, by the way, completely legally operating in the United States, these data brokers. It's not even illegal for them to sell your Social Security number to the highest bidder, whether it be China, a marketer.

With DeleteMe, you can assign a unique data sheet to each member of your family that's tailored to them, with easy-to-use controls. Account owners can manage privacy settings for the whole family. Then, and this is important, DeleteMe will continue to scan and remove your information regularly, because there are new data brokers literally every day. It's such a profitable business, more people get into the business. Plus, data brokers are not the nicest people in the world.

Even if you delete your data, chances are that dossier is going to start repopulating almost immediately, so you need to go back and check. I'm talking everything that you don't want the public to know, like your address, your photos, your emails, your relatives, your phone numbers, your social media, your property value, your Social Security number. Protect yourself, reclaim your privacy, visit joindeleteme.com/twit. When you use the offer code TWIT, you'll get 20% off. Joindeleteme.com/twit, offer code TWIT for 20% off, and I can say it really works. Joindeleteme.com/twit. Thank them for supporting Steve and the work he does, very important work here at Security Now. Okay, tell us about this brave new world we're living in.

1:13:16 - Steve Gibson
Okay, now I want everyone to just listen to and contemplate this sentence, which, for me at least, begs the question, as I said, what world are we living in today? Here's the sentence that was published as a quick one-liner news blurb in a prestigious security newsletter. It read: An attacker used malicious Twitter replies to hack an AI crypto chatbot and steal over $105,000 worth of Ether. Wow. Okay: an attacker used malicious Twitter replies to hack an AI crypto chatbot and steal over $105,000 worth of Ether.

1:14:06 - Leo Laporte
I have lots of questions. I don't even know what that means. Yeah, what does that mean?

1:14:10 - Steve Gibson
First of all, you have to have some malicious Twitter replies, whatever those are, and those malicious replies need to be able to hack an AI crypto chatbot. What? Did those replies hurt the AI crypto chatbot's feelings?

1:14:30 - Leo Laporte
Aww.

1:14:32 - Steve Gibson
Like, and what the hell is it?

1:14:35 - Leo Laporte
AI crypto chatbot, anyway? It sounds like just a mushed-together bunch of words. And who...

1:14:41 - Steve Gibson
Who in their right mind would give this thing rein over a big pile of Ethereum cryptocurrency? What is wrong with people?

1:14:51 - Leo Laporte
What? What's going on?

1:14:53 - Steve Gibson
So you know, this podcast's listeners know that historically I am more or less bullish on cryptocurrency, at least upon the fundamentals of the technology, which I've understood from the start well enough to code it up myself if I had to. But what this has all become, Leo, is utterly unrecognizable. It's just insane. Need any tulips? Anybody? An attacker used malicious Twitter replies to hack an AI crypto chatbot and steal... You know, more credit to them. If you are able to use malicious Twitter replies and hack an...

AI crypto chatbot. Okay, you earned your money. Wow, you know, maybe I could try knitting. Is that still a thing?

1:15:51 - Leo Laporte
Yes, it is. We all need socks, Steve.

1:15:55 - Steve Gibson
Oh, I forgot to mention that the Twitter account that perpetrated the heist, or the hack, or whatever the hell it was, the guy's Twitter account was Fungus Man, which is just perfect. Of course. Just perfect.

Okay. So the news on the TikTok US takeover front is that Oracle is the frontrunner at the moment. Politico's reporting about this contained enough interesting techie bits to make it worth sharing here, particularly because there are still lots of technical questions left to be resolved about how it's possible to use TikTok safely, and because it looks like it's going to happen. So here's what Politico reported. They said: The software company Oracle is accelerating talks with the White House on a deal to run TikTok, although significant concerns remain about what role the app's Chinese founders will play in its ongoing US operation. You know, like US-side operation. According to three people familiar with the discussion, so this was multiply sourced reporting, you know, done right, Vice President JD Vance and the National Security Advisor, Mike Waltz, the two officials President Donald Trump has tasked with shepherding a deal to bring TikTok under US ownership, are taking the lead in negotiations, while senators have voiced a desire to be read in on any talks, two people familiar said. A third person described the White House discussions as in advanced stages. The people, who were granted anonymity, were not authorized to discuss sensitive details of ongoing negotiations publicly.

It comes amid ongoing warnings from congressional Republicans and other China hawks that any new ownership deal, if it keeps TikTok's underlying technology in Chinese hands, could be only a surface-level fix to the security concerns that led to last year's sweeping bipartisan ban of the app. Key lawmakers, including concerned Republicans, are bringing in Oracle this week to discuss the possible deal and rising national security concerns, according to four people familiar with the meetings. One of the three people familiar with the discussions with Oracle said the deal would essentially require the US government to depend on Oracle to oversee the data of American users, you know, Oracle obviously being big database people, and ensure the Chinese government does not have a backdoor into it, a promise the person warned would be impossible to keep. The person told Politico, quote: If the Oracle deal moves forward, you still have this algorithm controlled by the Chinese. That means all you're doing is saying trust Oracle to disseminate the data and guarantee there's no backdoor to the data by its US owner. Or if TikTok's Beijing-based parent firm, ByteDance, retains a role in its operations, it could retain vulnerabilities that could be exploited by the Chinese government. In other words, you know, we need clean room. And how are we going to get to clean room status here?

The data security company HaystackID, which serves as independent security inspector for TikTok US, said in February, last month, that it has found no indications of internal or external malicious activity, nor has it identified any protected US user data that has been shared with China. Spokespeople for Oracle, TikTok, ByteDance and the White House did not respond to requests for comment. The deal is still billed as a Project Texas 2.0, in a nod to a previous agreement between TikTok and Oracle to relocate American users' data to servers based in Texas and block ByteDance employees in China from having any access to it, according to the first person. But that agreement, which also required Oracle to review TikTok's source code to determine its safety, failed to assuage congressional and Biden administration concerns that the app is being used by China as a spying and propaganda tool. The tech-focused outlet The Information reported Thursday that Oracle is a, quote, "leading contender," unquote, to run TikTok, with ByteDance preferring it for the role. The details about the White House's approach and the seriousness with which White House officials are considering the proposal have not previously been reported.

It comes as Trump stares down an April 5th deadline to secure a new owner for the Chinese video-sharing company, after he signed an executive order in January delaying enforcement of Congress's ban on the app for 75 days. The app briefly went dark for about 12 hours in January after TikTok's parent company, ByteDance, failed to meet the deadline to sell its stake and the Supreme Court upheld the congressional ban. JD Vance, during an interview with NBC News on Friday, said he was hopeful a TikTok deal would be reached by the early April deadline. Last week, Trump said his administration was in talks with four different groups about a deal. Trump told reporters in January that he was open to Oracle founder and executive chairman Larry Ellison buying TikTok. Ellison is a longtime Trump supporter and he's part of the so-called Project Stargate, a $500 billion AI infrastructure initiative that also operates OpenAI, SoftBank and MGX.

While Trump during his first administration sought to ban TikTok over national security concerns, he embraced the app last year on the campaign trail. In December, he told throngs of young conservative supporters at a Turning Point rally in Phoenix that he has "a warm spot in my heart for TikTok," he said, because of the outpouring of support he received from younger voters in the 2024 election.

It's unclear whether the deal the White House eventually reaches will satisfy China hawks on the Hill, though they may have little power to complain.

Trump's executive order extending the initial deadline, in the face of concerns from GOP lawmakers and legal experts about the order's legality, showed his willingness to defy congressional will, and the decision on whether ByteDance sells TikTok or licenses its use by a US company ultimately rests with the Chinese government.

Beijing wants to protect TikTok's monopoly access to its user data and is hostile to any suggestion that Chinese firms bend to the will of suspicious foreign governments. Over the past year, authorities in Beijing and in the Chinese embassy in Washington have mostly dodged questions about the status of possible talks for the purchase of TikTok by a non-Chinese firm. What little Beijing has said about that possibility hasn't offered much hope that it's in favor of such an agreement. The Chinese government will "firmly oppose", that's their direct quote, any forced sale of the company and require ByteDance, quote, "to seek governmental approval in accordance with Chinese regulations", unquote, for any potential foreign ownership deal, a Chinese commerce ministry spokesman told reporters in March. That same month, a Chinese foreign ministry spokesperson accused Congress of resorting to hegemonic moves to try to take control of the app. In January, the Chinese government deployed more conciliatory language about a possible TikTok sale, but offered no clues on whether it would approve such a deal. Any such transactions, quote, "should be independently decided by companies in accordance with market principles," unquote.

1:24:37 - Leo Laporte
A Chinese foreign ministry spokesperson said in January. So, Leo, I guess the question is whether China would rather lose the US market or compromise, you know, bifurcate TikTok, if that's what it seems like. To be honest, this is the least of our worries. I mean, what are we worried about TikTok for?

They have Chinese hackers in our phone system that we will never eradicate because we're unwilling to upgrade our routers, Juniper routers. We have hundreds of unregulated data brokers in this country who are selling your personal information to China completely legally, and we're not willing to do anything about it.

1:25:29 - Steve Gibson
Uh, China, there's no evidence that TikTok ever misbehaved, but even if it does, they don't need it to.

1:25:38 - Leo Laporte
They already use Twitter and Facebook and every social network for disinformation. I mean honestly at this point either way, I don't care what happens to TikTok.

1:25:51 - Steve Gibson
And it might well be that a little bit of a dance is done here, that Oracle is allowed to bless this, and we just let this all stay the way it is and not worry about it any further.

1:26:06 - Leo Laporte
This is the problem with corruption: at some point you just throw up your hands and say, I give up, it's just more corruption. Larry Ellison, you even said it, is a big donor to the president. The president saved TikTok after wanting to delete it, by the way, because Jeff Yass, who's another giant Republican donor, owns 30% of it. It's just crony capitalism of the worst kind and I no longer can be bothered. Well, they win, they win, they win.

1:26:43 - Steve Gibson
We're about technology here.

1:26:44 - Leo Laporte
We have other big problems to worry about.

1:26:46 - Steve Gibson
Yeah.

1:26:47 - Leo Laporte
Yeah, and you have a few of them coming up, and one is yes.

1:26:53 - Steve Gibson
Two days ago, the day before yesterday, on Sunday, March 23rd, the original personal genomics company 23andMe filed for protection under Chapter 11 of the Bankruptcy Act. Their press release had the headline "23andMe initiates voluntary Chapter 11 process to maximize stakeholder value through court-supervised sale process." Now I'm mentioning this here from a personal privacy standpoint, because now might be a good time for anyone worried about the future of any of their genetic data being held by 23andMe to delete it from 23andMe's databases and to close their account. As a founding member of 23andMe, I just did exactly that. I have a picture in the show notes of the little pop-up that I received saying your data is being deleted: "We've received your confirmation to delete your data and we're in the process of deleting your data. Your account will no longer be accessible and will be deleted per your request. For any further assistance, contact customer care."

Since it took me some poking around their website, I recorded the process to make it easier for anyone who might wish to do the same. You know, I spit in their test tube long ago and I'm not in a panic about it, but given that they're going under and someone, I don't know who, will be purchasing their assets for pennies on the dollar, leaving my genetic data behind in their database seems unlikely to do me any good at this point. So I logged in, selected Settings under my, look, that, you know, shadow head-and-shoulders icon in the upper right of the page, once that page came up, which I thought was interesting: it took a while. I've not used their site a lot, so I don't know if it's always been slow. Maybe there's just a lot of people doing this at the moment.

So I may not have been alone. Yeah, so then scroll to the very bottom of the page. After you click on Settings and that page finally comes up, go to the very bottom, under the 23andMe Data section, then click the View button. Now, when I did that, I noted that the view page has a clean-looking URL. There's no subscriber-specific gobbledygook in the URL, so it looks like it takes you directly to the page. It's you.23andme.com/user/edit/records. Alternatively, I wanted to make that easier for people, so after logging in, you could just use the GRC shortcut link I created to jump directly to the sayonara page. It's grc.sc slash bye-bye.

1:30:20 - Leo Laporte
B-Y-E B-Y-E. But you have to be logged in for that.

1:30:24 - Steve Gibson
You've got to, yeah, log in first, and after you're logged in at 23andMe, grc.sc slash...

1:30:30 - Leo Laporte
Bye-bye. Did you download your genome before you deleted the data, or do you...

1:30:35 - Steve Gibson
You know, I selected all those things to download everything, yeah.

1:30:40 - Leo Laporte
But what are you going to do with it?

1:30:42 - Steve Gibson
Well, exactly, because I've got plenty of saliva for the future. I'm generating it, you know, with great alacrity, so it's not a problem.

Uh, it takes time for them to get the data to you. They said, okay, we've received... I mean, I checked all those things and I queued myself up, and it said once we get your data assembled, we'll send you a link in your registered email, and then you click on that in order to get it. And I just thought, screw it, I don't care, get me out of here. So, you know, I just deleted all my data and my account before I had a chance to receive any of that. So you can, they will send you all your reports. You're able to download your raw genetic data in its entirety, your entire DNA readout. So you could wait for that and then delete your data. But I just figured, if I need to spit in a tube somewhere else, I'll do that.

1:31:43 - Leo Laporte
I actually have done it elsewhere. One of the things, one of the issues with 23andMe is it doesn't actually do a full genome. It does a weird, like, statistical analysis of a small part of your genome. I had the father of modern genomics on Triangulation a couple years ago, George Church, and he has his own company, Nebula Genomics. It's more expensive than 23andMe, but it's the full genome and you can download it, it's gigabytes of data, and then send it off to... There are many companies now springing up saying, oh, we'll analyze, if you have your genome, we can analyze it for, you know, certain diseases. Yeah, my sense is this is only going to get better with time. Exactly. And, you know, I'm carrying my genome around with me. I'm not in any danger of losing it.

I'm trying to remember if Nebula did, I think it did spit as well. Some do a cheek swab, but this did spit as well and it took a while, but it was like $1,000. It wasn't cheap. But it is the complete genome which is still not that useful. But maybe someday, I don't know, I guess I'll do my 23-hour stuff and I know there are people that are big on it.

1:33:05 - Steve Gibson
I think that it tells you something about some various propensities that you might have.

1:33:11 - Leo Laporte
But you know diet and exercise, I found a number of long-lost third cousins, things like that.

1:33:17 - Steve Gibson
Actually, I had one of my high school buddies who I mentioned I'm still in touch with. He knew that he was adopted, but it turns out that his birth parents were far more prolific than he ever knew and he's found a huge extended family. Oh, that's cool. I mean, he's reconnected with them all and he visits them, and I mean it's transformed his life that he was able to find all of these other siblings that he never knew he had.

1:33:51 - Leo Laporte
The same thing happened to Jennifer, and I think it was through 23andMe. She met a long-lost cousin, explained that they shared a grandparent, and they just had a family reunion for Thanksgiving where he and his family came out, because he was adopted, same story, and his long-lost family and they all... I think that's wonderful, right? That's an amazing thing.

1:34:13 - Steve Gibson
Yeah, Paul connected it through AncestryDNA and that allowed him to link up with other people that he never knew he had, so it does do something. Yeah. Very cool. Okay, so finally, in some good news for cybersecurity professionals, the White House administration has reportedly told federal agencies to please avoid firing any cyber guys.

1:34:42 - Leo Laporte
We can't figure out if we need them or not, and I think today they probably think they need them more than they did yesterday. So that's good.

1:34:50 - Steve Gibson
Here's part of what Reuters wrote under their headline "White House instructs agencies to avoid firing cybersecurity staff." They wrote: According to an email seen by Reuters, the White House is urging federal agencies to refrain from laying off their cybersecurity teams as they scramble to comply with a Thursday deadline to submit mass layoff plans to slash their budgets. Greg Barbaccia, the United States Federal Chief Information Officer, sent the message Wednesday in response to questions about whether cybersecurity employees' work is national security related and therefore exempt from layoffs. He wrote in the email to information technology employees across the federal government, which has not been previously reported, quote, "we believe cybersecurity is national security and we encourage department-level chief information officers to consider this when reviewing their organizations," unquote, describing, quote, "skilled cybersecurity professionals" as playing, quote, "a vital role in mission delivery and information assurance," unquote. Non-cyber mission areas, without negatively affecting their agency's cyber posture, which I guess means fire any of the non-cyber people you need to, but keep the cyber guys because we want to keep them. So, you know, as part of the downsizing that Trump and Musk have controversially been engaged in recently, CISA had more than 130 positions cut.

We've talked so much about CISA, more and more often, for the past few years, since they've objectively been doing an astonishingly good job, which is more than unusual for anything within the government bureaucracy. I certainly never expected CISA to amount to what it has, so I've been hoping that CISA would survive and remain as highly functional as they have been, and, to that end, there was some recent news that those jobs were being reinstated, so that's reassuring. We need CISA. They've really been implementing some terrific policies and creating, you know, needed requirements for the cybersecurity of federal agencies and setting policies that the CIOs are able to use when having, you know, that difficult conversation with the CFO about, you know, the money that they're going to need to keep their enterprises secure. So, yay. Oh God, I love this one.

The bit of news was that AI project failure rates are on the rise. It was an interesting piece that I saw in Cybersecurity Dive which caught my eye. It was a report that said that AI project failure rates were on the rise, which I thought was interesting. It suggests that just slapping a "now even more better with AI" label on anything and everything may not always produce a win. My guess, though, about the reason for failure rates rising is that it's mostly the explosion in all of those labels having been hastily added.

Still, it was interesting that, according to a report from S&P's Global Market Intelligence, based upon a survey of more than a thousand responding enterprises across North America and Europe, the share of businesses scrapping most of their AI initiatives increased to 42% this year, up from 17% last year. Again, I'm sure largely this is because so many more were trying. The average organization scrapped 46% of AI proof-of-concepts, just proof of concepts, before they even reached production. 46%. So, you know, nearly half were like, let's try this. It's like, okay, that didn't work, just forget about it. The surveyed enterprises cited cost, data privacy and security risks, yay, as the top obstacles. I wonder whether they heard any news about that AI crypto chatbot. Anyway, at this point, AI adoption is predominantly being found within IT operations, followed by customer experience workflows, you know, like your little AI thing that comes in the lower right corner and says, need me to help you? Need any help? Yeah, and also marketing processes. So it appears that the initial AI-everywhere euphoria is quickly coming back down to earth and closer to reality. I'm sure not letting any of it get anywhere near SpinRite, that's for sure.

Speaking of which, in a piece of listener feedback, Ken wrote saying: Hi, Steve, Ken here, 65 years old, Canadian trucker for 40 years. He said, I just wanted to say thank you for your dedication and enthusiasm in the tech world and the beautiful things you've contributed to tech. I just bought SpinRite recently and it's a total game changer. I ran it on my current machine and it tuned up my SSDs like crazy. Amazing software, thank you. I build computers and repair them, and recently a buddy of mine dropped off an old Windows 7 machine that was in a closet for seven years. He wanted the old pictures from it. Of course, I managed to get it to boot and got all his old pics and transferred them to a new rig I had ready to go. I ran SpinRite, of course, and now that old beast runs like a champ. So thank you for your report, Ken. The best thing about SpinRite for me, aside from it being the miracle that has largely provided for my life, is that I get to hear about how much its use helps people, and really nothing beats that.

Tom wrote: Hi, Steve, now that uBlock Origin is no longer supported in Chrome, I'm going to start using Firefox. I've exported my bookmarks from Chrome to Firefox, but I'll likely be using both browsers, at least for the time being. Do you know of any browser extension that mirrors favorites between Chrome and Firefox? If I make a change to any bookmarks while I'm using Chrome, I'd like for those changes to sync to my Chrome... Wait, while I'm using Chrome? So he meant from Firefox to Chrome. Make a change in either browser, like to have them sync over to the other? Thanks, Tom. So that's a terrific question, I suppose.

For my part, I've become so accustomed to only using a single browser platform at a time, and just assumed that each would have its own native and closed ecosystem, that I never considered wanting or needing cross-platform synchronization. But, spurred by Tom's question, I poked around and found a very nice-looking third-party cross-platform extension for both Chrome and Firefox, as well as for Android. It's called xBrowserSync, S-Y-N-C, and it's www.xbrowsersync.org. And boy, these guys sure are saying all the right things. Here's a little snippet from their site that says all the right things: xBrowserSync, as in cross-browser sync, is a free and open source, so there it is, open source, alternative to browser syncing tools offered by companies like Google, Firefox, Opera and others.

The project was born out of a concern for the over-reliance on services provided by big tech, who collect as much personal data as they can and have demonstrated that they do not respect their users' privacy. Now, with the proliferation of open source code and projects, it's easier than ever to create tools and services that allow users to take back control of their data. Cross-browser sync respects your privacy and gives you complete anonymity. No sign-up is required and no personal data is ever collected. To start syncing, simply download Cross Browser Sync for your desktop browser or mobile platform, enter any encryption password and click Create New Sync. You'll receive an anonymous sync ID, which identifies your data and can be used to access your data on other browsers and devices.

Cross Browser Sync does not only sync, but also enhances your productivity by enriching your data: browser bookmarks with the addition of descriptions and tags, and an intuitive search interface enables you to find, modify and share bookmarks quickly and easily. Cross-browser sync even adds descriptions and tags to new bookmarks for you automatically, and you don't ever have to worry about losing your data, thanks to the included backup and restore functionality. The Cross Browser Sync desktop browser web extension syncs your browser data between desktop browsers. It works with the browser's native bookmarking features, so you can keep using the native tools whilst always staying in sync. If you like to organize your bookmarks into folders, don't worry. Cross Browser Sync respects your bookmark hierarchy and syncs it across your browsers.

So, wow, that sure sounds like exactly what Tom is looking for, and it's from folks who clearly share the spirit and philosophy we'd like them to have. After reading Tom's note and running across that cross-browser sync extension, I sent this all back to Tom. Not long after that he replied: Thanks, Steve, I will look into this a bit more. But when I clicked to download for Chrome, I'm taken to the Chrome Web Store, which shows this extension is no longer available because it does not follow best practices for Chrome extensions. Thanks, Tom, he said. Okay.

So that sure sounds like the Chrome folks don't like the whole idea of cross-platform browser synchronization. On the other hand, I tried it and it worked for me. And, as I said, I sent these notes out in the late afternoon yesterday and I've already had feedback from a bunch of our listeners who are using it and it is working for them. So I don't know what Tom hit. Maybe it was a temporary snag, I can't explain it, but for what it's worth, I've already had feedback from our listeners who have said this thing is great and it works. So, Tom, I hope you can get it working. Maybe just try again. Maybe there was something stored in a cache or who knows what that caused trouble. And, Leo, we're at an hour and a half in. I've got a couple more bits of feedback before we get to our main topic, so let's take a break.

1:47:09 - Leo Laporte
Absolutely. It's not going to be a long break. It's just enough for me to say thank you, Steve, for doing what you do, and thank you to our Club Twit members for doing what you do, because it's your donations, contributions, subscriptions, that's probably the right word, that make all the difference in our bottom line. If you're not yet a Club Twit member, I'd like you to consider it. Seven bucks a month, it's very affordable. You get ad-free versions of all the shows. You wouldn't even be hearing this if you're a Club Twit member. No begging allowed. You also get special events. We've got Chris Marquardt's photo show coming up. We're gonna have another wonderful evening of cozy quilting, or whatever it is Micah does in his crafting corner. Stacey's book club is ahead. We even have a coffee show scheduled with Mark Prince, the coffee geek. That's all coming up in the next month, all for Club Twit members. There's also the Discord, which is a great place to hang, not just when the shows are on the air, but 24-7. That's one of the fun things about Club Twit: it's not just about Twit programming, it's about really a great community of people who share an interest in technology and have a lot of fun talking about it, answering questions as much as anything else. So if you're not yet a member of the club, can I invite you to join? Seven bucks a month, fabulous benefits. Most importantly, it helps us keep Steve and all the others on the air, keep doing what we're doing.

We started Club Twit two years ago when we had a big downfall in ad revenue due to COVID and a variety of other things. That got even more scary towards the end of last year. I'm very happy to report that the advertisers have come back. I think they realize the value of advertising on our shows, but they still don't subsidize the entire effort. They get us about 90, 95% of the way there. It's the club that makes up the difference and it gives us the opportunity to do more interesting things. If you're not yet a member, please consider going to twit.tv/clubtwit. Seven bucks a month. Join the club. It's a lot of fun and we love having you. It's a vote, in effect, for us to keep doing what we're doing, what we love to do. twit.tv/clubtwit, and thanks in advance. All right, back to you, Steve.

1:49:36 - Steve Gibson
Okay. So someone whose handle is Back Ghost said: I found your comments on the state of vendor support for old and outdated hardware intriguing and wanted to add more insight into what is a very complex issue, as I work for a service provider that is also a manufacturer of networking gear and often see both sides of the issue. So this is somebody, you know, on that side, on the industry side. He wrote: Hardware manufacturers deal with the same software and hardware end-of-life, end-of-service, EOL/EOS he abbreviated, issues as customers, just at a micro level. Every ASIC, CPU, IC has a lifetime and its own software with a lifetime.

When vendors have to support more products from a software and hardware standpoint, it costs the vendor more. The vendor can and often does charge more for this support of old gear, but at some point the cost of support will outweigh the cost that could be charged to a shrinking set of customers. Vendors will often discount or offer trade-ins for old gear to encourage customers to upgrade to new gear. Luckily the vendors, well, the big iron guys, will give advance notices of EOL/EOS and have the sales team always eager to engage the customer on new sales opportunities. As service providers we struggle with the never-ending notices of end-of-life, end-of-service of gear and will often have to fight for capital to do upgrades or replacements. These efforts will be taken on based on business objectives, risk, etc., and lead to the never-ending dance between the CTO, CFO, sales and product development. He said, the service provider side: Hardware manufacturers will always EOL equipment and often give notice well in advance. Larger companies that sell big iron will give notice years out. For example, Juniper, off the top of my head, provides three years for hardware support and one to two years on software support after the hardware is no longer supported for replacement support. So there's normally plenty of time for planning for obsolescence and replacement. Of course, these replacement plans are driven by business goals, which leads to point two, the CIO-CFO battles, which of course is what he's talking about, that I talked about last week when I made up that dialogue between the CIO and the CFO, you know, and their competing priorities. The CIO-CFO battles are the norm and this battle is complex at best. Do we update now? Later? Never? Do we roll the dice? Are we doing a new build somewhere else that has our focus? These are endless. Just to say it's complex.
The other side of this equation is the hardware manufacturer side and this is what drove me to send this feedback.

On the hardware support side we've got discrete components. ICs, chips, etc. can no longer be sourced. Discrete component replacement causes board redesign and the cost of redesign is too high. Discrete component software support is end-of-life due to the manufacturer end-of-life of the IC. The IC, you know, integrated circuit, library is no longer supported due to end-of-life.

On the software support, the new replacement product is just cheaper, better, faster. Why keep the old one around, given its install base? He says this is too complex, often political. You don't want to upset a longtime big customer with a hardware upgrade, whatever. And on the software support side, for example, see the issue with hardware support, ICs, as this is part of the software chain. OS and supported software no longer supported by the vendors. New or upgraded replacement hardware uses different software for various reasons and thus is not compatible with the old hardware. This causes a complete new software support development and test chain. The cost of support is higher than the customer can sustain and can drive the customer to find other solutions. Like the hardware side, this is complex and often political. Software licensing has a lifetime, limited in volume, developer seats, et cetera, that forces an EOL action. Yeah, so obviously lots of things to consider.

I thought this person's comments were worth sharing. For one thing, I would never expect ongoing hardware support for any device beyond the manufacturer's original commitment. If it might be available, okay fine. You know, things like power supplies can often be somewhat generic and might be easily replaceable, but I get it that if a circuit board dies and the components are no longer available, then the thing died. But if, for example, a port dies on an expensive router or on a switch that is out of warranty, then the calculus from my perspective is entirely different and the conversation with the CFO is then very different. It's the mission-critical device just died. We're currently limping along and we need it replaced ASAP.

You know, that's not the conversation that I hypothesized last week. I do really understand that maintaining old software has a decidedly non-zero cost, but, you know, the point I was making last week was that it felt like revenue was being left on the table. The manufacturer hopes that, you know, the vendor of the equipment hopes that a lack of ongoing support will force their customers to move to newer equipment, because the vendor understands the security risk of not having security updates to old hardware. That's where the gap is. The customer doesn't quite understand the security implications, so their trade-off is different. The reality is most of those devices will remain out of warranty and out of support and will suffer the potential consequences from the security side. But great conversation and dialogue, and one that CIOs and CFOs should be having.

Dan Linder said: Hi, Steve, in Security Now episode 1017, you made a comment about a Juniper router being unsupported and vulnerable, and then a hypothetical conversation between a CIO and CFO about replacing that otherwise hardware just because it was out of support. With US Department of Defense rules, one thing I haven't heard you discuss on the show are the STIG documents. S-T-I-G stands for Security Technical Implementation Guide, and of course you haven't heard me talk about them because I've never been in government and hope to never be. I'm sure at this point there's no danger of that happening. He said, the STIG document is a series of checks or controls and actions to take on a specific system that can harden it to some degree to mitigate threats to its overall security. Okay, that sounds great.

Each control is given a category one, two or three rating, with Cat 1 being the most important controls to implement. Within each control, there are some check text steps and corresponding fix text steps (which is why I'm glad I'm not in the government, no) which list a simple command or action to take to validate that the control is in place and, if not, what can be done to enable it. Okay, now, in all seriousness, that sounds great because it's a checklist. It's like, these things you have to do, and this is how you do them, and this is how you check that they're done. He said:

While the STIGs give a specific fix text to implement, most security organizations that review the application of these STIG controls allow for additional external controls that will mitigate a specific problem if it can't be addressed with the fix text suggested. For instance, if an insecure system is being used but is only used in an air-gapped environment only accessible by a small number of people already vetted and trusted, they might well be willing to overlook a Cat 1 finding. In all the STIGs I have worked with, and, Dan, I'm glad you've maintained your sanity, they all have a security question which requires confirmation that the system being secured can still receive updates from the manufacturer. If the company in your example was applying and enforcing the STIGs as written, then the CIO has quite a bit of leverage to go back to the CFO to get this system replaced. Yay, and that's why I want CISA to stay whole and functioning.

He said, I hope you can find time in a future episode to give a brief talk about the STIG documentation. No, Dan, don't hold your breath. And some of the potential... Please don't make me do that... securing anyone's environment, regardless of government affiliation. Well, Dan, I'm glad you're there and I'm glad you're following the STIGs to the letter. Maybe that's why they use Signal, because they just couldn't bear to read the STIG. Wow. And get in a SCIF and then row, row, row your boat.

Whatever it is they do with a skiff.

2:00:26 - Leo Laporte
Oh my.

2:00:28 - Steve Gibson
Yeah, all right.

2:00:30 - Leo Laporte
Security Now continues on. It is time to examine the quantum threat.

2:00:37 - Steve Gibson
I think people are going to be surprised and interested by this. I really liked what HB had to share. We love showing up for this podcast every week, which, after all, Leo, we've been doing for nearly 20 years, and as much as I would dearly love to be, I doubt we'll still be here the day a quantum computer first cracks actual working-strength...

2:01:10 - Leo Laporte
public key encryption. Oh, I was hoping it would open my wallet for me. But I guess if I'm dead it doesn't really matter.

2:01:17 - Steve Gibson
Boy, I'll leave it to actually I don't know if your password is protected by public key. It's probably private key. It's probably just a password that generates a symmetric key, in which case you're still going to be locked up tight.

2:01:34 - Leo Laporte
Thanks, Dad, you left me something completely useless.

2:01:49 - Steve Gibson
Um, but you could give the wallet to, uh, Hank and, you know, in time, in his lifetime. Yeah, that's right. Um, although he's doing so well without. Salt, by the way. We, you know, we use the crap out of that stuff. Oh my God, it is our go-to present for our friends. We bought 20 bottles of the, what was it?

2:02:03 - Leo Laporte
It was the garlic, the flaky essential. Oh, you bought the garlic truffle salt.

2:02:10 - Steve Gibson
It's really good on popcorn and stuff, or a little bit on some filet. It makes a really nice. Yes, it's excellent on steak yeah, yeah, yeah, we use it on steak.

2:02:19 - Leo Laporte
You know he's opening in the next few months a sandwich store in New York City. We should make Hank, yeah, it'll be Salt Hank. It's on Bleecker Street, next to John's. Salt Hank's sandwich store, wow. Go get a delicious juicy sandwich there. Good for him. He'll probably be selling the salt, and now he does pickles too, by the way. Well, I only mentioned that because I am an investor in the pickle business.

2:02:42 - Steve Gibson
Well, this was an unsolicited commercial. It's the truth. We use the truffle garlic salt. It's like we got 20 bottles. He was sold out for a long time, yeah, yeah, and then it came back in stock.

2:02:55 - Leo Laporte
It's funny that you did that the same thing. I bought a case, yeah.

2:02:58 - Steve Gibson
Yeah.

2:03:02 - Leo Laporte
One last thing, though, to his credit, he made it on his own. He never used my last name. Nobody knew who he was. He didn't, you know, somehow ride my coattails. He did this all on his own. I'm very proud of him. I've seen his TikTok stuff.

2:03:14 - Steve Gibson
It's astonishing he's got the gift. Yeah, yeah, yeah he's got. Anyway, through the years of this podcast we've all become students of the history of computer security, and one lesson we've all learned together is just how very, very long it's going to take to wash all of the old pre-quantum crypto out of our existing systems. Everything we have now is pre-quantum crypto. We know that there are a couple of messaging systems that are mixing pre and post. That's good. That all leads to the simple and incontrovertible conclusion that there's no time like the present to begin.

Last Tuesday, Hewlett Packard's threat research group posted a terrific piece called From False Alarms to Real Threats: Protecting Cryptography Against Quantum. That's what I want to share today. In their opening they make some great points that are well worth appreciating. They wrote quantum computers could break asymmetric cryptography, which would be catastrophic for society's digital infrastructure. I mean, truer words have never been written. Quantum computers powerful enough to break cryptography do not exist today, but the threat of one being created steadily advanced in 2024. So they're talking about last year, of course.

With multiple quantum computing technologies overcoming development obstacles, the security community is now more sure than ever that sufficiently powerful quantum computers will come. Some think it could be 10 years, but with the speed of recent innovation, an unexpected breakthrough could accelerate that. This has created a significant security risk because we rely on protections for a long time and need them in place before threats arise. Since we last wrote on this topic a year ago, authorities around the world have increased efforts to urge organizations to start migrating systems to quantum resistant cryptography. Critical industries are especially advised to mitigate these quantum risks, given they are high profile targets. Particular priorities for migration include sensitive data vulnerable to capture-and-decrypt attacks, and protections rooted in hardware. That's the key: protections rooted in hardware. Without upgraded protections at the hardware and firmware foundation, quantum attackers could compromise devices, even if the software running on the hardware is quantum resistant. 2024 also saw several false alarms of quantum breaks to cryptography. We expect that to become a trend as innovation in quantum computing progresses. What we have seen is that such false alarms will elicit panic in some but only complacency from others. But they also proved useful in raising the conversation about readiness and an understanding of the consequences of a real alarm. In short, we must stay vigilant and prepare for the real threat.

Over the last year, we at HP also made progress to protect customers from the threat of cryptography being broken by quantum computers. Last year, we announced the world's first business PCs to protect firmware integrity against quantum computer attacks. Today we are announcing the world's first printers to provide firmware integrity against quantum computer attacks. These security innovations demonstrate our dedication to safeguarding our customers against future threats. They then quoted Boris Balacheff, the head of the HP Security Lab, an HP Fellow and chief technologist for security research and innovation. Boris said, quote, as innovation progresses toward more powerful quantum computers, it is urgent to prepare for the threats this represents to the asymmetric cryptography we depend on in our daily digital lives.

This starts with migrating systems that cannot be updated easily once deployed. After the introduction of quantum resistant firmware integrity protection in PCs last year, today we are announcing the launch of printers with similar capability to protect against future quantum computing threats. We continue with our commitment to lead the way with endpoint security innovation and keep our customers safe into the future. Now, this is not something we focused upon or talked about previously, and of course, they're correct. As we know, all of the secure booting technology we have today is based upon the motherboard's firmware being able to verify the digital signatures of the software that the motherboard's UEFI firmware first loads. And all of that secure boot technology is currently pre-quantum. It's embedded into the hardware with technologies such as the TPM, the Trusted Platform Module, that dates from 2003.

Listening to what HP has to say here really serves, I think, to put a much finer point on this looming issue. I've edited the piece which follows to remove HP's non-technical self-promotion. There was a lot of it in here and for its length, because it went on longer than it needed to, but there's a great deal of information here. Still. I want to share it. They wrote in the past 12 months, the cryptography and security community has experienced heightening concern over the progress of quantum computing.

The last year has been marked by key developments in quantum computing technology, as well as multiple instances of false alarms over potential quantum breakthroughs that put cryptography at risk. Although these alarms were ultimately disproven, when considered alongside genuine advancements in quantum computing, they highlighted the fragility of society's digital infrastructure. A sufficiently powerful quantum computer could break much of the cryptography relied upon globally, given how fundamental cryptography is to security everywhere. A quantum computing breakthrough before the world is ready would jeopardize security. It could allow attackers to run riot across our digital infrastructure, giving them freedom to access network services, take over devices, steal blockchain assets, decrypt sensitive data and more.

In reaction to these advances, there has been an increased sense of urgency to fortify cryptography. Driven by technical authorities and experts, this urgency has led to accelerated timelines and new policies to address the looming quantum threat. Against this backdrop, the security community has intensified its preparations. Academia, standards bodies, governments and industry are collaborating and making concerted efforts to migrate technologies to being quantum resistant. In this blog post, we discuss two false alarms that percolated through the community over the last year and what we learned from them. We explore the current state of the quantum computing threat to cryptography and how the community is preparing a response.

The first alarm took place in April of 2024 during the NIST 5th PQC Post-Quantum Computing Standardization Conference, which had convened to discuss cryptography designed to withstand quantum computer attacks. The trigger for the alarm was an academic paper, newly published and not yet reviewed or corroborated, describing a new quantum computer attack that could have been effective at breaking the new post-quantum cryptography the technical community had been working on for almost a decade. This cryptography was meant to become a global standard to protect digital infrastructure should quantum computers break traditional asymmetric cryptography like RSA and most elliptic curve cryptography. A claim, so they said, a claim it was broken was shocking and would leave the quantum-resistant migration in disarray, if confirmed true. Speculation about the paper, entitled Quantum Algorithm for Solving Lattice-Based Crypto Systems, lit up our technical social media networks. One of our team was at the conference.

While the talks continued and the audience listened attentively, attendees gradually started to form small huddles trying to make sense of the publication. Remarkably, no one was sure the paper was incorrect. Most hoped it probably was incorrect, but at face value it was convincing, presenting a credible nine-step algorithm that put quantum-resistant lattice-based cryptography in a very precarious position. For eight days there was furious analysis among cryptographers and quantum computation experts, with very few people claiming to be experts in both fields. Many researchers wrestled with analysis beyond their areas of expertise. A Discord community sprang up, crowdsourcing a comprehensive analysis and triage of the paper's claims. This intense assessment phase ended when two researchers found an inconsistency in the final step of the nine-step algorithm. The paper's author engaged with this critique and confirmed the final step had an irreconcilable error, and thus the community breathed again. But for an entire week the community responsible for developing the cryptography that will protect much of our digital lives into the future had seriously considered the possibility that they had got it wrong. Because this was so technical and didn't impact the cryptography we currently use, the news didn't make the broader security community panic, and the doubt didn't last long enough within the cryptography technical community to gain momentum and spread. And of course, our podcast listeners may recall that we did touch on the fact of this having happened at the time. We will keep you in the loop. HP continues.

The second moment of 2024, when the broader security community thought that cryptography was broken, was also triggered by an academic paper. The paper, quote, Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage, unquote, was published in May of 2024 in the Chinese Journal of Computing. This false alarm caused more widespread uncertainty and panic within the technical community and beyond, with several reports stating, incorrectly, that some researchers were able to break RSA encryption using a D-Wave Advantage quantum computer. And again, that news made it into this podcast because it would be difficult to overstate just what havoc would ensue if that were to be true. HP wrote, with a general audience unable to assess the original paper (only the abstract was published in English), the reports generated real anxiety. However, there was little credibility in the claim that RSA had been broken, and expert consensus rapidly emerged. With a bit of scrutiny, it was established that the researchers had only broken a very small-scale, simplified RSA, and their solution did not scale to the kind of numbers used for security and was therefore not a credible threat. Again, after a week or so, concerns about pre-quantum cryptography having been broken were largely quelled. However, for several months afterwards, incorrect reports still appeared, sparking fresh waves of concern among those who had missed the initial reporting.

One benefit of these events is that they test the security community's preparedness for the sudden removal of some fundamental underlying cryptographic primitive. From that perspective, these alarms have been like the safety briefing before an airplane flight, forcing the community to grapple with what to do in the worst-case scenario If the event were real. Are we ready? What preparation should be in place, and are they? The fact that a broad audience was alarmed tells us that there is a growing understanding of the critical impact of the quantum threat and that action will increasingly be called for. The successful resolution of these incidents underscores the importance of a measured and collaborative approach to evaluating cryptographic research, for the community has shown it can be relied upon to robustly evaluate these complicated ideas.

Unfortunately, analyzing such academic papers is inherently complex, requiring expertise that is rarefied and spans multiple fields cryptography, mathematics, quantum algorithms, quantum computer engineering and physics.

So we should anticipate regular moments of doubt in the security of our cryptography and have the patience to wait for assessment before panic-induced reactions. One day, there could be surprise news, or even a significant rumor, of a real breakthrough. Rather than panic, we should instead ensure we're prepared and have put in place quantum-resistant protections, starting with our priorities. This said, there's also concern that too many false alarms related to quantum computing breakthroughs could eventually lead to a false complacency and inaction. This might cause people to believe the quantum threat ignored as just another false alarm when it finally does arrive. So what becomes clear is that where we need to be, and as soon as is practical, is at a point where we're no longer reliant upon classical pre-quantum crypto, so that the eventual announcement of a true breakthrough is just met with a yawn and a shrug. So where exactly are we today? What is the current true level of alarm we should be feeling? HP addresses that, and we will address it after this final break.

2:20:59 - Leo Laporte
Well, fascinating, and I take it well, I don't know cause for concern.

2:21:07 - Steve Gibson
Cause for real caution. Yeah, cause for real caution. I think when I'm done here, after this next piece, our listeners will understand that as soon as post-quantum stuff, post-quantum solutions are made available, they really should switch. For example, there will be. You know, here we were talking about obsoleted Juniper routers. Well, they're all pre-quantum. So when Juniper offers post-quantum protected router technology, you don't want to wait. You don't want to wait until you know let's hope there's enough time between the availability of post-quantum safety and that breakthrough that the natural life cycle of router death will have, you know, taken all of the pre-quantum technology out of service. But we know, leo, there's some dusty back cabinets and some back rooms that have stuff running. There's still a wind-up key on some of these things.

2:22:28 - Leo Laporte
Well, we'll talk about preparing for, I guess, the inevitable future in just a bit. You're watching Security Now. Steve Gibson, Leo Laporte. We do this show every Tuesday. We're glad you're here watching. A reminder: you can watch live if you tune in. You know it's right after MacBreak Weekly and that time varies, roughly 1:30 pm Pacific, 4:30 Eastern, 20:30 UTC. The live streams are, well, there's eight of them. Uh, Discord for the club members. There's YouTube, Twitch, TikTok, X.com, Facebook, LinkedIn and Kick. Watch wherever you like. But, of course, the best thing to do is download a copy of the show. Uh, you can get it from Steve's site, I'll tell you more about that in a bit, our site, of course, or subscribe, and that way you'll get the audio or the video the minute it's available. I'll have more information about that in a second, but now let's get back to Security Now. Steve.

2:23:22 - Steve Gibson
Okay, HP said. With so many possible quantum breakthroughs to be assessed and uncertainty about what is credible, it can be difficult to understand the landscape of quantum computing and separate fact from fiction. Let's take a closer look at the reality. To gauge the true alarm level, we should examine the process of quantum computing technology. Over the past year, there has been impressive advancement in several technologies, with multiple promising pathways emerging. Even if some fail, others may succeed. And, of course, remember, we only need one to succeed to be in trouble. They said compared to a year ago, large-scale quantum computing now seems more likely. We look to experts to qualify this likelihood. The Global Risk Institute's 2024 report highlights a quote significant chance unquote of a quantum threat emerging by 2034, posing a quote intolerable risk from a cybersecurity perspective unquote. So a significant chance of a quantum threat emerging in 10 years posing an intolerable risk from a cybersecurity perspective. Okay, so how significant? Nearly one-third of the 32 experts surveyed estimate a 50% or greater chance of quantum computers breaking cryptography by 2034. OK, one third of 32 experts. So 10 of the 32 experts estimate a 50 percent or greater chance of quantum computers breaking cryptography by 2034, with an average estimate of 27 percent. So the experts on average think there's a 27% chance of crypto being broken in 10 years. They said the highest in the six annual surveys conducted so far. So they've been polling every year. To summarize recent changes, the report states, quote, the progress in the last year has included many people both within and outside the quantum research community to realize that the quantum threat may be closer than they thought. The German Information Security Authority, BSI, recently updated their comprehensive assessment of quantum computer technologies.
The report concludes that, due to major roadblocks being resolved, quantum computers are likely to break cryptography within, at most, 16 years, but recognizes that new developments could lead to a breakthrough as soon as a decade.

Progress has been made not only in various quantum computing candidate technologies, but also in aspects like scalability, scale, interconnectivity and operating software. Stability is a major challenge for current quantum technologies, as they do not hold their state for long before deteriorating. Reducing noise and using effective error correction, where more errors are corrected than introduced, is crucial for long-term stability. Demonstrating this effectiveness is a milestone that has been achieved by four technologies: superconducting transmons, ion traps, neutral atoms and color centers. Of course, sizes of systems have increased as production processes mature, with Google announcing their 105-qubit Willow, IBM introducing the 156-qubit Heron, along with a roadmap for processor scaling, and Microsoft and Quantinuum upgrading the H2 trapped ion processor to 56 qubits. The stability and size of the relatively new neutral atom technology, whose key elements were only demonstrated as recently as 2022, has shown a massive improvement, with potential for acceleration. The QuEra startup that came out of this research has just this February been backed with a $230 million investment, providing an indication of the high interest in this research. A very recent note: a new technology with greater natural stability, the topological qubit, has been demonstrated for the first time as a proof of concept by Microsoft, who claim the technology offers a quote clear path to fit a million qubits on a single chip unquote, which would be needed for scaling quantum states between different chips are starting to show promise for enabling the distributed quantum computation needed for large-scale quantum computers. Additionally, an ecosystem of organizations are developing the necessary developer tools and software stack for operating quantum computers and creating quantum programs.
This stack, like the classical computation stack, ranges from physical machine instructions to higher-level programming languages, allowing specialists to effectively use their expertise and enhance progress.

Given all these advancements, Scott Aaronson, a quantum computing expert, recently said he believes that, quote, the race to build a scalable, fault tolerant quantum computer is actually underway, unquote. His position on the urgency of addressing the quantum threat to cryptography has shifted from maybe, to, quote, unequivocally worry about this now, have a plan, unquote. In summary, in just the past year, breakthroughs in quantum computing have strengthened the consensus that quantum computers capable of breaking today's cryptography may become feasible soon. It may only take a surprise acceleration from one of the promising technologies to break cryptography in less than a decade. Therefore, it's crucial to assess our preparedness and take action to ensure we're fully ready. And then HP notes, almost needlessly, under "Migrating quantum vulnerable cryptography is on a whole new level compared to patching a zero-day vulnerability." Although I'm sure our listeners are aware that we're talking about a sea change that requires us to scrap everything we've built, it's worth hearing HP out on this.

They write it's tempting to think the problem of fixing. Of course they're writing for a different audience than ours. It's tempting to write. The problem of fixing quantum vulnerable cryptography is like patching a zero-day vulnerability in code. However, this analogy under-represents the scope of the quantum threat. A zero-day vulnerability is an error in a specific sequence of computer instructions, in a specific program or library, which can typically be identified and then patched. Even if the error occurs in a pervasively common library, such as the log4j vulnerability, it is still fixable by developing a patch. Unlike a zero-day, the quantum threat does not apply to a specific sequence of computer instructions, but instead applies to all implementations of vulnerable asymmetric cryptography. These implementations vary widely, potentially manifesting in millions of different code sequences. When quantum computers become viable, each of these will need replacement individually by upgrading the cryptographic algorithms and keys used, requiring a global effort and collaboration by security practitioners, business leaders and cryptographic experts. And you know, the more I think about it, the more I'm glad that this podcast will probably not be around to see this disaster befall humanity.

2:32:27 - Leo Laporte
It's going to be worse than Y2K, that's for sure.

2:32:30 - Steve Gibson
Oh, Leo, oh, every light switch and router and webcam and toaster and microwave oven. I mean we're IoT-ing everything and it's all bad, because none of this stuff, this is all $5 ESP.

2:32:49 - Leo Laporte
You forget how widespread this would be. I mean, this is it's everything, yeah yeah, it's, it's everything.

2:32:57 - Steve Gibson
Yeah, given you know the reluctance to change that we've witnessed throughout the past 20 years, you know what chance is there that we're going to be the least bit prepared for this? Oh, you know, we're talking about replacing everything and doing it, even while it's not obviously necessary that it needs to be done at all. That's the problem is that you know it's working great. What's the problem here?

2:33:26 - Leo Laporte
Yeah, and unlike Y2K or 2038, we don't know when this is going to be.

2:33:32 - Steve Gibson
We don't know when this is going to be. Right, exactly. It is not an approaching deadline. We knew when the elevators were going to stop running on Y2K.

2:33:43 - Leo Laporte
Wow.

2:33:44 - Steve Gibson
Yeah, I'm glad you got it.

2:33:46 - Leo Laporte
I hadn't really thought about how widespread this issue would be. I thought, oh, it's just encryption, it's not a big deal.

2:33:57 - Steve Gibson
And remember that security is only as strong as the weakest link. Yeah, you know who's not going to have some old webcam, light switch, thermostat router lying around that continues relying on pre-quantum crypto, and that's the bad guy's way in.

2:34:11 - Leo Laporte
Go ahead, go ahead. No, you go ahead. I want to hear more.

2:34:15 - Steve Gibson
Okay, HP wrote. This process of patching has already started and is part of the migration to quantum resistant cryptography that the security community is currently undertaking. But how should organizations be responding? Across government, industry, academia and standards bodies, mechanisms to protect against quantum attacks are being put into place with some urgency. Our advice is to start by inventorying what would be vulnerable to quantum attackers and what wouldn't be. Then prioritize what needs migrating and protecting first. The most urgent priorities for most organizations include protecting data with long-term confidentiality requirements. That's right. All everything backed up and stored in the cloud is vulnerable.

Protecting long-lived systems by upgrading cryptography in hardware, because all of their hardware is vulnerable today. The cost of upgrading hardware is expected to be significant. In July of 2024, the US Office of the National Cyber Director published a report estimating the total cost of quantum resistant cryptography migration for prioritized US government systems (this is only the US government) between 2025 and 2035 at somewhere around 7.1 billion dollars. In their calculation, they specifically call out that migrating the cryptography hardwired into hardware or firmware would constitute a significant portion of that overall cost. Government authorities are uniquely positioned, with expert insights and the responsibility to protect national assets. Understanding their strategy and policies for critical systems and infrastructure should help any organization plan for migration with appropriate urgency. And let's hope that we have a vital and functioning CISA to keep this on the forefront of everyone's mind. HP continues, saying: Let's start with the US, who have a comprehensive plan and set of actions in place. In 2022, US authorities established a tempo for migration.

This has led to all federal agencies planning, taking inventories and reporting on progress annually. A timetable to migrate national security systems was also established, with all new acquisitions from 2027 needing to be quantum resistant and all non-migrated products to have been phased out by the end of 2030. So just five years hence. That's great, they said. Migration of firmware signing is prioritized as even more urgent, with migration of firmware roots of trust, the firmware integrity protections in the hardware, expected to be implemented for some long-lived signatures this year, in 2025. Since 2022, authorities have put in place guidance, including a guide published by CISA, NSA and NIST, and organized outreach to help engage and ready the industry.

Most recently, the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity of the 16th of January this year, 2025, further emphasized the urgency to migrate. It specified that when procuring products, federal agencies must require quantum-resistant cryptography when it is widely available in a product category and require quantum-resistant protection in networks as soon as practical. Now, that's cool, because that means it becomes a competitive advantage and requirement. As soon as any is available in a category, that's the one that must be purchased, which means one early mover forces the movement of all of their competitors. HP said, alongside this, NIST recently released its draft plan to deprecate classical asymmetric cryptography, RSA and relevant ECC, from the end of 2023, I'm sorry, from the end of 2030. The plan to deprecate asymmetric crypto, RSA and ECC from the end of 2030, five years, and entirely disallow it for security purposes after 2035. This will be highly influential in establishing migration urgency because it means there is an end date within the lifetime of many current systems, maybe even this podcast. Even during 2031 to 2035, data owners will only be able to use quantum vulnerable cryptography by exception, where they evaluate and accept the risk. Beyond the US, the Australian Cybersecurity Center, ACSC, is also setting up an urgent timeline for migration. The ACSC recently updated its cryptography guidelines for government and industry to disallow quantum vulnerable cryptography after 2030. Five years. Disallow its use.

Sweden, Norway and Switzerland all urge preparation and are giving increasingly comprehensive guidance on how to migrate and prioritize. In April of last year, 2024, the EU recommended establishing a strategy to migrate public services and critical infrastructures as soon as possible. Building on this, in November of last year, 2024, 18 EU member states issued a joint statement urging nations to make the transition to quantum-resistant cryptography a top priority. However, we want to be able to see your texts. And protect the most sensitive data as soon as possible, latest by the end of 2030, again five years. The last 12 months have seen an intensification of the calls to migrate by national authorities. This underlines the need to act, assess cryptography dependencies, plan and prioritize for migration, and start to migrate priority assets. The heightening of the quantum threat to cryptography and the intensification of national calls to action during the last year have fortunately been met with significant progress in the range and availability of migration solutions.

New quantum-resistant cryptographic algorithms were released as NIST standards last year, to celebration of government, academia and industry, following a collaborative selection process spanning nearly a decade. These new algorithms offer quantum resistance suitable for general use in protocols and applications. They also complement existing standardized quantum-resistant hash-based signatures suitable for special purposes, such as code signing. With this suite of standards, it has now become possible for industry to migrate in many scenarios. Standards capture community consensus and security best practice, while enabling interoperability between different elements across a system. As such, standards are a crucial part of industry migration to quantum resistance, from standards that define new cryptographic algorithms through to protocols that use these algorithms and applications that adopt them. The community is carefully and steadily integrating quantum resistance into the technology stack and making resistance available to customers in products. This is why collaborating with other vendors and participating in standardization efforts is essential. Notably, HP is engaged in NIST's National Cybersecurity Center of Excellence Migration to Post-Quantum Cryptography Project. This NCCoE project was convened to bring industry and end user organizations together to help solve the practicalities of quantum resistance adoption and transition.

To stay ahead of the quantum threat to cryptography, we cannot afford to take a wait-and-see approach. At HP, our strategy is to prioritize quantum resistance from the hardware up and securely migrate from there. When prioritizing and planning what protections to migrate, it is crucial to consider the cost, effort and difficulty of engineering the change. Migrating hardware and the solutions baked into hardware often requires changes to physically engineered parts, which can be slow and needs a lot of forward planning, and sometimes years ahead. So all that makes a lot of sense. We've seen, for example, in the case of HP's printers, how printers can become the home to advanced persistent threats. You don't want your printers to get taken over by bad guys, so having them be proof against that is super important. So, anyway, HP's excellent state-of-the-art, or state-of-the-race, overview was heavily resourced with links to back up everything they said. I've included the link to their full article in the show notes for anyone who wants to follow and get more background information.

We really are in a time of significant change. Governments are tackling the tough problem of wanting to protect their citizens' privacy, while not wishing to allow criminals to evade responsibility for their crimes by abusing absolute privacy. The move from the physical to the cyber world has parents and their guardians wishing to protect their children from online harms, which means there's no way of getting around knowing at least something about who's who on the internet. And on top of all this, the fundamental technology that underlies any of our ability to do these things is strongly expected to collapse and be rendered completely useless once quantum computers, whose arrival now appears to be inevitable, are brought to bear.

2:45:49 - Leo Laporte
So we certainly are living through interesting times. And I mean, is it so severe a problem that I should, from now on, only buy IoT devices that say "NIST approved cryptography"? Can I buy anything like that?

2:46:07 - Steve Gibson
I don't think it's percolated down there yet. Um, no, no. And it will be a selling point where, at some point, you know, there will be a consumer seal that says, you know, "PQC." We got to, yeah.

2:46:22 - Leo Laporte
Post quantum computing. We really got to get the word out. I'm really glad you brought this in and shared it with the class, because it's clearly an oncoming train.

2:46:35 - Steve Gibson
It is a looming, yes, a looming problem. It went from academia to, like, "Oh look, lattice-based crypto. We got some new algorithms to replace what we have," and it was like you and me joking about, "Okay, well, they managed to factor four bits, so I guess we're safe for now."

2:46:55 - Leo Laporte
Uh, times. That was a few years ago, and they've been working hard on this problem. There are a number of technologies looming, uh, artificial super intelligence, fusion, quantum crypto, quantum computing, all of which would change, uh, the world drastically. And it's kind of hard changing the world drastically. Yeah, right, it's hard. Well, but, but, but none of those three, I mean AI is, AI is changing, but ASI is not here yet. No, and it's.

And it's also possible to say that it seems unlikely that we'll get any of those three, ASI, quantum computing or fusion. It's speculative, and it's easy to say, well, it's not going to happen, so I'm not going to worry about it. But it's prudent to say, but what if it does happen? I, I still don't know. I mean, they gave it a 100% probability in the next 50 years or something, right, but we don't know. It could be 10 years, it could be five years, it could be 100 years.

2:48:02 - Steve Gibson
It could be a breakthrough. A breakthrough could happen. It could be tomorrow.

2:48:06 - Leo Laporte
Yes, it could be tomorrow, and I guess the thing to point out is that companies are spending lots of money to make this happen. Uh, big companies are spending lots of money to make all three happen. Right, um, we had a guy on Intelligent Machines the other day who was very concerned about ASI. He said it's the equivalent of five or six Manhattan Projects. We're spending hundreds of billions of dollars to develop this thing without any regard to the consequences. We are living in interesting times. You're right, Steve. I'm glad we won't be around to report on it. The retirement's looking better and better. No, no, we need to. We have to stay here. You all, you know, you're here so that we can cover this stuff.

2:48:51 - Steve Gibson
We appreciate it. Uh, we will be back here next week on April Fool's Day. Oh, I will not take it. I have never taken advantage of April Fool's Day. Nor have I. I don't think that's fair to our listeners.

2:49:05 - Leo Laporte
So yeah, yeah, and I strongly encourage. The problem is that I'll read stories in the next week and I will not know, are these legit? I really have to, yeah, dig deep to figure it out. I hate April Fool's Day. All right, Steve, have, have a wonderful week.

You can find this show on Steve's site. He has, actually, every version of it. He has one that is unique to Steve's site, GRC.com. He's got a 16 kilobit audio version. We don't make that. He's got a 64 kilobit audio version. We used to make that, but we don't make that anymore because we do 128 kilobit, for complicated reasons.

He also has really good human-written transcripts by Elaine Farris. Those come out a few days after the show. Of course, she has to have time to transcribe our words here. And you have the show notes, which are the next best thing to a transcript. You can read along as Steve does the show. All of that's at GRC.com. While you're there, pick up a copy of SpinRite, the world's best mass storage performance enhancer, maintenance and recovery utility. If you have mass storage, you have to have SpinRite. You heard the story from our Canadian truck driver. It is a must-have. Also lots of free stuff. That's fantastic.

If you want to email Steve, if you want to send him comments, people email me like I have a path to you. "I can't get through to Steve." If you want to get through to Steve, here's what you do: you go to GRC.com/email, and you give him your email address. Now, he's not going to do anything with that, except to whitelist it so that your email will come through to him. That's all it does. But you'll notice there are a couple of checkboxes, unchecked, but below there, for his newsletters. One, of course, the weekly show notes, the other a very infrequent update on what Steve's doing. The next one will probably be his DNS Pro Benchmark, which I'm looking forward to. So that's one letter, one email, I can't wait to get. So all that's at GRC.com. That's the place to be. Do you still post your show notes on Twitter?

2:51:13 - Steve Gibson
Right, or on X. Right, yeah, right, yeah. On X. Yeah, it's fun. I had a piece of feedback who said, to solve this X versus Twitter problem, here, here, here it is: it's spelled X and it's pronounced Twitter. Yeah, uh, we are at twit.tv.

2:51:29 - Leo Laporte
No relation to Twitter. We predated Twitter. They stole it from us. That's why I'm glad it's X. I want everybody to call it X. Forget that you ever heard the word Twitter. We're the one and only TWiT. Even now, my autocorrect will replace TWiT with Twitter every time. It drives me nuts, nuts.

That tells you. Uh, twit.tv/sn for the latest versions of the show. Actually, all the versions. All 1018 versions of the show are on that website. Most audio and video, but the early ones just audio. Uh, you will also see a link there to the YouTube channel, a great place to share little clips. If you want to scare somebody, send them this thing, this post-quantum crypto problem. Uh, that might be of interest to some people. Easy to do on YouTube. You can clip it right from the beginning or wherever you want in the show. And, of course, the best way to get it, I think, is to subscribe. You can subscribe to audio or video. Any podcast player will have it, and that way you get it automatically. And I think it's probably a good thing, something you want to hand down to your kids, a complete set of Security Now episodes so they can learn what it was like.

"Thanks, Dad," to live in the 21st century. "Oh, Dad, wow, what's a honey monkey?" See, you have a wonderful week. I will see you next time on April Fools. April Fools. Bye.
