Security Now 1028 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:01 - Leo Laporte
It's time for Security Now. Steve Gibson is here. A great program for you: the results from Pwn2Own 2025, millions of dollars at stake. The rising abuse of a graphics format that actually could really be problematic. OpenAI's models to find zero-day flaws, a technique that's definitely going to be on the rise. All that and more coming up next on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1028, recorded Tuesday, June 3rd 2025: AI Vulnerability Hunting. It's time for Security Now, woo-hoo, the show we cover, I don't know, celebrating insecurity since 1864. No, the show we cover your privacy, your security, how computers work, a little sci-fi and some health news too, with this guy right here, Steve Gibson of GRC.com. The things that interest us is basically, yeah, but yeah, we stay on topic, so I like it being wide-ranging.
I think people enjoy all the, your, it's about your brains, and you have such good brains, we want to dine on them. Of the three other classic sci-fi movies, and by classic I mean 1955, 1956, 1970.
0:01:49 - Steve Gibson
They're movies that everybody knows. But if you don't, then you have an assignment, because, I mean, these things, like those of us who know, know about the Krell and know about Monsters from the Id, and know about, folks.
0:02:11 - Leo Laporte
These are terrible movies.
0:02:12 - Steve Gibson
Oh, they're fantastic movies. Oh, my goodness.
0:02:19 - Leo Laporte
They're cheesy. I mean, if you, if you're, if you have taken the right spirit, I guess it's fun to watch them. I mean, they're not like, it's not like 2001: A Space Odyssey. Way better. Okay, no, okay. Stay tuned, you're going to learn what Steve's picks are. We will be talking about that.
0:02:39 - Steve Gibson
But, as I promised last week, because we tackled a big topic, there were some things I didn't get to. We're getting to them this week. We're going to talk about the Pwn2Own 2025 hacking competition which, for the first time, was held in Berlin. We've got the results from that. A couple weeks ago, PayPal seeking a newly registered domains patent, which I think is very clever, but I worried that they're patenting it because they shouldn't. We've got a really cool inside look at a long-term expert iOS jailbreaker who has given up, and we're going to look at why. Also, the rising abuse of SVG, Scalable Vector Graphics, images and who put this spec together and why, because it's insane.
We've got some interesting feedback from our listeners. As I said, I will touch on, and Leo and I will discuss, our varying views on the classics, a couple of classic sci-fi movies that are just, I think, fantastic. Then we're going to take a deep dive into how OpenAI's o3 model discovered a previously unknown remotely executable zero-day exploit in the Linux kernel, oh my goodness, and what this means for AI vulnerability hunting, which is the title of today's podcast. Wow. So it's a guy who did this. I mean, he understands AI. He's been interested in vulnerability hunting and development. He, well, I don't want to step on the news, but it's a really, really, really interesting story and, of course, we have a picture of the week that is one for the history books.
I think everyone is going to get a big kick out of it. So, yeah, if the good guys can discover vulnerabilities with AI, so can the bad guys.
0:05:01 - Leo Laporte
So can the bad guys.
0:05:03 - Steve Gibson
And I do make the point that if the AI is used before the release of the software, then there won't be vulnerabilities for the bad guys to find Good point. So I realized for a while I was thinking, oh, this is bad, I mean that there's a symmetry here.
0:05:21 - Leo Laporte
But no, actually, because you don't have to let it go until the AI has had a chance to go through it. So, yeah, I've been using Claude Code and AI to write tests, which I think is a really good use of AI, because it's an independent eye looking at your code.
0:05:39 - Steve Gibson
That's exactly what I was going to say.
0:05:40 - Leo Laporte
Yes.
0:05:41 - Steve Gibson
I mean, the reason I don't test my own code, I've got a whole bunch of neat guys who are pounding on it, is I can't. I know how it works. I don't press the button at the wrong time. I don't want to cause a race condition. If a guy presses it, I go, why did you do that?
0:05:58 - Leo Laporte
Well, it was there. Oh, in the middle of, oh my God. All right, we'll get to that in a moment. I always look forward to this every Tuesday. I'm glad you're here, and I know you're glad you're here too. Our show today, brought to you by another company I'm very glad to have here, our sponsor Material. Actually, if you get Material, you'll be glad you have it.
It's a multi-layered detection and response toolkit for email. Email, of course, number one vector for bad things happening, phishing and so forth. And if you're a cloud-based business, almost everybody is, we are certainly, your cloud office isn't just another app. It's the heart and soul of your business. The problem is, traditional security tools assume everything's on-prem, right, and that means you're vulnerable. They treat email and cloud documents as afterthoughts, so your most critical assets are exposed without any protection. Not if you have Material.
Material transforms cloud workspace protection with a revolutionary approach that goes beyond traditional security paradigms. Dedicated security for modern workspaces ensures purpose-built protection specifically designed for Google Workspace and Microsoft 365. Now what's cool about this is they can do this without forcing you to pass everything through their filters, because both Microsoft 365 and Google Workspace provide very capable APIs that allow them to protect you without you giving up your privacy. Complete protection across the security lifecycle: that means defending your organization before, during and after potential incidents, not just attempting to prevent them. Material allows you to scale security without scaling your team, using intelligent automation to multiply your security team's impact. They provide security that respects how people work and eliminates that impossible choice, or seemingly impossible choice, between robust protection and productivity. It's not a trade-off anymore, not with Material. They deliver comprehensive threat defense four different ways, four critical capabilities. They've got phishing protection. Of course, that's kind of table stakes, but they're using AI, just like we were talking about, AI-powered detection that identifies sophisticated attacks. It's not looking for something it's seen before. It's looking for attacks, and it's very good at this. They also help you with data loss prevention, intelligent content protection and sensitive data management. You also get posture management, so you identify misconfigurations, risky user behaviors, and identity protection, comprehensive control over access and verification. Those are kind of the four key areas.
The head of security at Figma, they use Material, he said this: it's rare to find a modern security tool with a pleasant, usable UI. Being at Figma, we obviously are attracted to well-designed interfaces. Material's interface was just so smooth, so slick, it doesn't get in your way. That's really the point. You no longer have to give up productivity for protection. From automatic threat investigation to custom detection workflows, Material converts manual security tasks into streamlined, intelligent processes. They provide visibility across your entire digital workspace, allowing security professionals to focus on strategic initiatives instead of endless alert triage. It's a partner your team will love working with. Protect your digital workspace, empower your team and secure your future with Material. Visit material.security to learn more and book a demo. That's material.security. That's all you need, material.security. We thank them so much for supporting Steve and Security Now.
0:09:54 - Steve Gibson
You started off talking about email, which reminded me of something that I wanted to say. Yes, yesterday evening, 17,568 pieces of Security Now email, wow, well, attempted to go out. Oh, I looked a little bit later and 650-some had bounced, which never happens.
0:10:21 - Leo Laporte
That's a low bounce rate. That's not terrible.
0:10:23 - Steve Gibson
It's normally five, because the system's working really well, and so forth. Anyway, I thought, what the what, as you would say? And I checked. For a reason I have no explanation for, Yahoo decided that we were a bad email server. So some Cox, because, of course, you know, Cox sold themselves to Yahoo. So there were some Cox, but mostly. So I just wanted to let our listeners know I'm sorry if you're a Yahoo email subscriber and you did not receive the Security Now show notes. I tried to send them, you know.
0:11:06 - Steve Gibson
I tried to send them. You know, your ISP wouldn't let me. 17,000 other people got the show notes.
0:11:09 - Leo Laporte
Well, I know, because last night Lisa said, oh, Steve's working hard. She got the email. Now I, I get it, but I don't look at it. That's right.
0:11:19 - Steve Gibson
I don't want to see the picture. And Leo, I have to say, this one, there could only have been one caption for this picture. I gave this picture the caption: if the US power grid collapses, it might not be China's fault.
0:11:35 - Leo Laporte
Oh, I love these fun with power pictures.
0:11:38 - Steve Gibson
Let me scroll up, because I haven't seen it yet. If the US power grid collapses, it might not be China's fault.
0:11:46 - Leo Laporte
Oh my God, that's an interesting way to make a splice, do you think that would? I guess it would work.
0:11:58 - Steve Gibson
Oh well, as long as you don't have a windstorm or something.
0:12:00 - Leo Laporte
Now I actually maybe a little electrical tape around it, just you know, just to for extra support.
0:12:07 - Steve Gibson
Presumably this person, the lineman who did this splice, intended to come back soon.
0:12:14 - Leo Laporte
We don't really know anything about the story here, you know. I like, though, he was careful to trim the tails of the zip ties, because, yeah, and we've got two zip ties. Oh, there's another one, oh look.
0:12:29 - Steve Gibson
No, no, I meant there are two up there on the main splice.
0:12:32 - Leo Laporte
Oh, yeah, yeah, yeah, yeah, yeah. Well, that's double protection.
0:12:36 - Steve Gibson
Yeah, yeah, that's right, because you know one tie wrap's not good enough, you need to do two, yeah, yeah, if you need to do two, yeah.
0:12:42 - Leo Laporte
Wow. So those who aren't able to see Go ahead. You describe it.
0:12:47 - Steve Gibson
Yeah, yeah, for someone who is unable to see this, we have a power line. We can tell because it's sort of in the background is a telephone pole, a power pole with power lines, a house in the background you hope that they've got their fire insurance paid up and a naked, bare splice of two cables. Where about maybe an inch and a half of each of the cables? The rubber insulation has been cut off and they're put next to each other and then held in place with a pair of white plastic zip ties. So now I actually think that this may be ground wires, and so they're less.
Oh, that wouldn't be too bad, they're less, it's less of a concern than you might otherwise think, but, boy, there's really no excuse for something that is certainly slipshod at best.
0:13:54 - Leo Laporte
Well, has anybody ever used zip ties? I mean, that could slip out easily and it's not protected from the rain.
0:14:01 - Steve Gibson
Yeah, and there's nothing to prevent either side being pulled on, as you said, it's just going to slide right out.
0:14:10 - Leo Laporte
So anyway, I got a kick out of it. The.
0:14:12 - Steve Gibson
US power grid collapses.
0:14:15 - Leo Laporte
It's all held together with spit and chewing gum. Might be Mo, wow, yeah, okay.
0:14:23 - Steve Gibson
So last week I promised to catch us up with the results from the recent Pwn2Own hacking competition, which we've been following for the entire 20 years of this podcast. They wrote: While the Pwn2Own competition started in Vancouver in 2007, we always want to ensure we are reaching the right people with our choice of venue. Over the last few years, the OffensiveCon conference in Berlin has emerged as one of the best offensive-focused events of the year, and while CanSecWest has been a great host over the years, and our longtime listeners will remember that's where we've talked of it being held in the past, CanSecWest, it became apparent that perhaps it was time to relocate our spring event to a new home. With that, we are happy to announce that the enterprise-focused Pwn2Own event will take place on May 15th through 17th, 2025 at the OffensiveCon conference in Berlin, Germany. While this event is currently sold out, we do have tickets available for competitors and we believe the conference will also open a few more tickets for the public too. The conference sold out its first run of tickets in under six hours, so it should be a fantastic crowd of some of the best vulnerability researchers in the world. Okay, so now that was two and a half weeks ago.
What happened? Before I run through what happened, I want to remind everyone of the context of what we're going to hear. These are the results when today's upper echelon, most skilled penetration hackers go up against fully patched systems. What always strikes me is that the targets here are not old junk routers past their end of life that the FBI says everybody should stop using, or should have years ago. In every case, these targets, what these guys are successfully cracking open, are fully patched, modern systems, like what we're all using right now. So for me this serves as a reminder that, to a large extent, the only reason, this is also why my model for security is, unfortunately, Swiss cheese or a sponge, these most skilled hackers want to attack us because all the evidence suggests they could get in if we let them at our system. Hopefully, most of these are local attacks on systems, not remote code exploits, so thank goodness for that. So here's what happened two and a half weeks ago in Berlin.
I'm just going to, to keep this short, I'm going to run through the list of things that happened. There's absolutely no chance that I could pronounce any of the names of these people, so I apologize. I'm just going to talk about the teams that they're in, because the names of their organizations are pronounceable. I didn't want to mangle their names so badly. So here's what happened, in chronological order. It was a three-day event, so we've got three days of this.
First, DEVCORE's research team used an integer overflow to escalate their privileges on Red Hat Linux, earning $20,000 and two Master of Pwn points. In other words, this was somebody who sat down at today's fully patched Red Hat Linux and got root, even though, I mean, endless effort has gone into making that not be possible. Whoops. Second, although the Summoning Team successfully demonstrated an exploit of NVIDIA Triton, the bug that they used, that they discovered independently, was also known to NVIDIA, but NVIDIA had not yet patched it. So that still qualifies, because these guys independently discovered a bug that was in the public space, so anybody's fully patched NVIDIA systems would have succumbed. That earned them $15,000 and one and a half Master of Pwn points. STAR Labs SG combined a use-after-free, they use the initials UAF, and use-after-free is significant. We're going to run across this a couple of times. Unfortunately, I'm going to actually be talking about it in depth before I go into a great deal of detail at the end of the podcast. So things are, in fact, I'm using it before I describe it, as opposed to using it after freeing it. So these guys, STAR Labs SG, combined a use-after-free and an integer overflow to escalate to system level on Windows 11. That got them $30,000 and three Master of Pwn points.
Researchers from Theori were able to escalate to root on Red Hat Linux using a different hack with an info leak and a use-after-free. One of the bugs used was an N-day, meaning that it was known to the world but not to them at the time. But they got $15,000 and one and a half Master of Pwn points. The first ever winner of the AI category, I forgot to mention that this was, I mentioned it last week.
This is the first time that artificial intelligence was considered in scope for the Pwn2Own conference. So the first ever winner in the AI category was the Summoning Team. They successfully exploited Chroma to earn $20,000 and two Master of Pwn points. In a surprise to no one, the conference holders wrote that Marcin Wiązowski's privilege escalation on Windows 11 was confirmed. He used an out-of-bounds write to obtain system privileges and also obtained $30,000 for himself and three Master of Pwn points. Their enthusiasm was rewarded as Team Prison Break (Best of the Best 13th) used an integer overflow to escape Oracle's VirtualBox VM and execute code on the underlying OS, again fully patched, you know, like as current as you could have it be, and they broke out of the VM. Why?
0:22:03 - Leo Laporte
Because they wanted to, because they could, because they could, because they for them, okay fine you think, well, there's another reason they did it. How much did they make out of that?
0:22:13 - Steve Gibson
$40,000, oh, and four Master of Pwn points. So, yes, they had motivation, and we'll be talking about motivation here in a minute. That's a perfect lead-in, Leo. Viettel Cybersecurity, targeting NVIDIA Triton Inference Server, successfully demonstrated their exploit. It was again, NVIDIA must be a little slow in getting their updates out, because again, this is NVIDIA and it was known to the vendor, though had not yet been patched. They earned $15,000 and one and a half Master of Pwn points. A researcher from Out Of Bounds earned $15,000 for a third round and three Master of Pwn points by successfully using a type confusion bug to escalate privileges on Windows 11. STAR Labs used a use-after-free to perform their Docker Desktop escape and execute code on the underlying OS, so broke right out of Docker's containment and earned themselves $60,000 and six Master of Pwn points.
0:23:22 - Leo Laporte
Breaking out of VMs or Dockers seems to be the big money maker, right yeah?
0:23:27 - Steve Gibson
Well, because that's the cloud attack. I mean, everything in the cloud is VMs and containment, and so if you can get to the underlying, the, you know, VM in a cloud environment, that's golden. And that was just day one. Fuzzing Labs exploited NVIDIA's Triton. The exploit they used was also known to the vendor. Again, NVIDIA, get with the program here, get these patches out. But that still earned them $15,000.
Viettel Cybersecurity combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint, earning $100,000 and 10 Master of Pwn points. STAR Labs SG was back with a single integer overflow to exploit VMware's ESXi, the first in Pwn2Own history, earning them $150,000 and 15 Master of Pwn points. As you said, Leo, breaking out of VMs and containment, that's where the money is, and this is an enterprise-focused competition. So that's why we're seeing VirtualBox and VMware ESXi and so forth. Palo Alto Networks researchers used an out-of-bounds write to exploit Mozilla Firefox to earn $50,000 and five Master of Pwn points. The second win in the AI category goes to the team from Wiz Research, who leveraged a use-after-free to exploit Redis, earning $40,000 and four Master of Pwn points. In the first full win against NVIDIA Triton Inference Server, researchers from Qrious Secure used a four-bug chain to exploit NVIDIA's Triton. Their unique work earned them $30,000 and three Master of Pwn points.
0:25:27 - Leo Laporte
And NVIDIA said, oh, we didn't know about that one.
0:25:33 - Steve Gibson
There's one we didn't know. So, and if we did, we wouldn't have patched it anyway. Yeah, right. Idiots. Viettel Cybersecurity used an out-of-bounds write for their guest-to-host escape on Oracle VirtualBox. That got them $40,000. Another researcher from STAR Labs SG used a use-after-free bug to escalate privileges on Red Hat Enterprise Linux. That earned them $10,000. Although Angelboy from DEVCORE Research Team successfully demonstrated their privilege escalation on Windows 11, one of the two bugs used was known to Microsoft. Nevertheless, that guy got $11,250. Although the team from FPT NightWolf successfully exploited NVIDIA's Triton, the bug, once again, they used was known to NVIDIA but had not yet been patched. Still $15,000 richer as a result.
Former Master of Pwn winner Manfred Paul used an integer overflow to exploit Mozilla Firefox's renderer. His excellent work earned him $50,000. Wiz researchers used an external initialization of trusted variables bug to exploit the NVIDIA Container Toolkit. STAR Labs researchers used a TOCTOU, that's a time-of-check, time-of-use, race condition to escape the virtual machine, and an improper validation of array index for the Windows privilege escalation. So they got out of a Windows VM and then escalated their privileges to full admin, earning them $70,000 and nine Master of Pwn points.
Reverse Tactics used a pair of bugs to exploit ESXi, but the use of the uninitialized variable bug collided with a previous entry. Nevertheless, the integer overflow was unique and earned them $112,500 and 11.5 Master of Pwn points. We have two left. Two researchers from Synacktiv used a heap-based buffer overflow to exploit VMware Workstation. That got them $80,000. And in the final attempt of Pwn2Own Berlin 2025, Miloš Ivanović used a race condition bug to escalate privileges to system, which is to say admin, on Windows 11. His fourth round win netted him $15,000 and three Master of Pwn points.
I would love to watch this. It would be, so it is, and that's why it sold out in six hours, Leo. Wow. They put the tickets online, bang, gone. You know, we want to sit there, because it is all done live, right on stage, right with the guys and their laptops, you know, sweating over the keyboard, hoping that their exploit's going to work. There were a total of 26 individual exploits demonstrated. While some of them were known to their respective vendors, largely NVIDIA, in every one of those cases, patches for them had not yet been made public, so they still qualified as new independent discoveries.
Trend Micro summed up the event, writing: And we're finished. What an amazing three days of research. We awarded an event total of $1,078,750. They said: Congratulations to the STAR Labs SG team for winning Master of Pwn. They took home $320,000 and 35 Master of Pwn points. During the event, they wrote, we purchased from the researchers and disclosed to their respective vendors 28 unique zero-days, wow, seven of which came from the AI category. Thanks to OffensiveCon for hosting the event.
0:29:53 - Leo Laporte
The participants for bringing their amazing research and the vendors for acting on the bugs quickly, except in the case of NVIDIA, Although our chat's saying that many of the things you just described have been patched most recently, like Ubuntu just updated a bunch of patches.
0:30:03 - Steve Gibson
No, that's exactly what happens here. Trend Micro is, thanks to sponsors of the event, and there are many enterprise-level sponsors who provide the money to back this, Trend Micro. So this is like a bug bounty, sort of like a live bug bounty event. And of course they do run, Trend Micro runs the Zero Day Initiative. ZDI is the bug bounty program, so this is sort of like that, you know, the bug bounty in real time as a conference format, these exploits from the guys who find them, and then immediately turn around and report them to the vendors and say, by the way, Microsoft, we have three new zero-days in Windows 11 that allow people just to cut through all your security. Microsoft goes, oh well, we'll get around to fixing that one.
0:31:02 - Leo Laporte
We'll fix that, but I wonder if the companies that benefit from this, like Microsoft and NVIDIA, pay into it, do they?
0:31:10 - Steve Gibson
Yeah, okay, so some of that money is coming from them.
0:31:13 - Leo Laporte
I mean, they want this to happen.
0:31:16 - Steve Gibson
Yeah, they are corporate sponsors. Yeah, and you know, it occurs to me as I was running through this. First of all, again, everyone has a taste for this. Think about that, that these are, you know, these are the best of the best. You know that that is said, but it just says that here we're talking about, you know, Docker containers and VMware ESXi, which is state-of-the-art virtual machine containment, and these guys go, eh.
0:31:49 - Leo Laporte
Well, they're pretty good. They are good. Of course, they work all year and save these up because they want to make this money.
0:31:58 - Steve Gibson
I was listening to you guys talking about code authoring on MacBreak Weekly before the podcast.
Vibe coding, yeah, yeah, yes, vibe, vibe coding, and one thing occurred to me, and that is that what I heard was, for example, in the case of Alex and Andy, who are not, you know, real, like, aren't themselves code authors, they are now using AI to create apps, to interact with the AI, to create apps. We've talked in the past on the bug bounty side about the possibility of our listeners generating some extra revenue on the side if they were to find vulnerabilities. Well, today's podcast is AI vulnerability hunting, and it's an interesting possibility that there may be people listening who are not at this level, and would never say that they were at the level of Pwn2Own competition winners, but who may well be able to work with various large language models and systems which are offered, for which bug bounties are offered, and use AI to help them find some problems that they would, some bugs that they wouldn't otherwise find, and generate some revenue.
So you don't know until you look. And you want these guys working as white hat, not black hat, obviously. Yes, they're good. Yes, yes, give them a reason to, to, boy.
But it just goes to show again that, like, here are all these mainstream, actively maintained, in the case of NVIDIA, products that are, don't, hackers sit down and say, I want to find a way in, and they can. I imagine you get more points for a more difficult, yes, task. Yes, well, and more cringeworthy. I mean, if you're breaking out of an ESXi VM, that's worth a lot of money. Yeah, and, and I'll also understand too.
There that is it. Was it Zerodium that are the bad guys that are buying these bugs.
0:34:26 - Leo Laporte
Yeah, yeah, yeah. You could sell that to Zerodium for a ton of money, yeah yeah, yeah, they know they're taking a cut in pay to be good guys.
0:34:36 - Steve Gibson
Yeah.
0:34:37 - Leo Laporte
Yeah, what an interesting. I love this.
0:34:41 - Steve Gibson
Speaking of a cut in pay. Would you like a boost, a little something extra? Re-up my caffeine.
0:34:52 - Leo Laporte
We can all tell. I'm a little low energy at the moment, actually. I want to talk about a very interesting sponsor of ours, OutSystems, the leading AI-powered application and agent development platform. For more than 20 years, the mission of OutSystems has been to give every company the power to innovate through software. Okay, and as AI has advanced, low-code solutions have gotten smarter. This is their time. Let me tell you. IT teams, as you, well, I'm sure, have two choices when it comes to software. You can buy off-the-shelf SaaS products and you're up to speed right away, but you lose flexibility and, frankly, a lot of competitors are using the same product, so you lose differentiation. So that's the buy side. Or you could build it yourself, and trust me, as somebody who has chosen to build, it's a lot of time, a lot of money, and you may not get the best quality software. Build versus buy. For decades, this has been the conundrum, but now there's a third way, thanks to AI: the fusion of low-code and DevSecOps automation into a single beautiful development platform. That's what OutSystems does. This is incredible. It's not build versus buy anymore. You can actually build custom applications using AI agents as easily as buying generic off-the-shelf sameware, and what's nice about OutSystems is, as a base, you automatically get flexibility, security, scalability. Those come standard, right? With AI-powered low-code, teams can build custom, future-proof applications at the speed of buying, with already built-in, fully automated architecture, security.
The integrations you want are there, the data flows, all the permissions you need. That's because OutSystems is good. OutSystems is the last platform you'll ever buy, because you can use it to build anything and customize and extend your core systems to boot. Build your future with OutSystems. Such a cool idea. Visit outsystems.com/twit to learn more. outsystems.com/twit. We thank you so much for supporting Security Now. And Mr. now fully caffeinated Steve Gibson. Are you ever fully caffeinated, Steve, really?
0:37:28 - Steve Gibson
Yeah, there have been times when I dare not have any more. Over-caffeinated. Over-caffeinated. Okay.
So the online publication Domain Name Wire posted some interesting news under the headline PayPal wants patent for system that scans newly registered domains, with the subheading Patent describes automated crawler and checkout simulator to spot fraud in newly registered domains. And I just think this is extremely clever. The publication explained that PayPal filed a patent application back at the end of November 2023. OK, so again, a year and a half. It was just published last Thursday, May 29th, and describes a method to proactively detect scam websites, which have historically created a problem for PayPal, by automatically examining newly registered domains. That's just so clever. And simulating checkout processes, oh wow. Isn't that neat?
0:38:43 - Leo Laporte
Yeah, the.
0:38:43 - Steve Gibson
US patent application 18/521,909, titled Automated Domain Crawler and Checkout Simulator for Proactive and Real-Time Scam Website Detection, describes a system designed to tackle online fraud at its earliest stages. According to the application, PayPal's system monitors newly registered domains to identify those that include checkout options. The technology then performs simulated checkout operations on these sites, mimicking a genuine user's experience. This simulation specifically looks for domain redirections during checkout processes, because this is a common tactic scammers use to conceal fraudulent activity. If a redirection occurs, PayPal's system checks the redirected domain against its database of known scam merchants and flagged accounts. Domains linked to previous fraudulent activities trigger a scam alert, allowing PayPal to promptly label and potentially block transactions from these websites.
PayPal notes that scammers often set up new, seemingly legitimate websites to mask their operations. By proactively identifying suspicious redirections and cross-referencing them against scam-related merchant accounts, the method allows it to significantly reduce that risk. Which, again, this is just brilliant. It's like one of those "why didn't I think of that" kind of things. But my first thought upon reading this was that, while, you know, it is a very cool and clever idea, it feels wrong to issue a patent for this. I mean, or, I don't know, it makes me a little nervous, since the idea's use really should remain freely available for any similar service that is subject to this sort of abuse to employ.
0:40:55 - Leo Laporte
I don't think they can patent it because there's lots of prior art. We talked last week about NextDNS, which we both use as a DNS server, right? Right. On their security page, and I have it turned on, I know, I'll tell you how I know, they have a switch that says "block newly registered domains": domains registered less than 30 days ago, known to be favored by threat actors. This has been around forever, and the reason I know about this: my daughter created a new online store and she wanted me to check it, and I couldn't get to it. For the longest time I thought, oh, it's broken, it's broken. Then I realized, oh, wait a minute. When did you register that domain? She said last week. I said, okay, it works. It really works. But PayPal didn't invent this, I guess, is the point.
Well, they're going further, though. They could patent that process.
0:41:46 - Steve Gibson
Sure, yeah. What they're trying to patent is the notion of proactively examining the site, the actual content of the site, simulating a purchase event and then watching to see what happens with that purchase event, and my concern is that this ought to be in the public for the public good. Now, it is true that not all patents are obtained for competitive advantage and used to prevent competitors from using the invention. It might be, and this would be great if it were true, that PayPal is being civic-minded and desires to obtain the patent preemptively, to prevent anyone else from patenting what I think is a very clever and useful solution, and then they might prevent PayPal from doing the same. So let's hope that if this automated, you know, newly registered domain scrutiny concept were to become commonplace, PayPal would not prevent other commercial entities from availing themselves of similar solutions, because this is, you know, clearly a good idea. And what is really cool is that if this became pervasive, then basically it would shut this down as something that scam sites could get away with doing, because, you know, registering domains is not expensive but it's not free, and if it stopped working enough to justify them going through all this effort, they would just, you know, give that up. You know, generally, as security is increasing, we're seeing things that used to work no longer working for the bad guys, and so they sort of say, okay, fine, well, we'll go try to, you know, make money maliciously somehow else. Anyway, very cool patent and, I thought, a very clever new idea.
Okay, I ran across an important story that I wanted to share because it comes from an extremely unlikely source: a true and unabashed vulnerability exploit developer and hacker who's been fixated upon Apple and iOS for years, and who has, right, the deepest of adversarial knowledge and understanding of iOS. We learn why, as he puts it, about kernel exploitation, and we'll get to his quote a little bit later. But he said, quote, "Those days are evidently long gone," meaning successful exploitation, he said, "with the iOS 19 beta being mere weeks away and there being no public kernel exploit for iOS 18 or 17 whatsoever." In other words, Apple quietly changed the world.
Since this was no easy feat, I'm sure this is known and appreciated among those at Apple who made this happen, as well as those in the exploit community whose many tricks no longer work. But this is not something that I think has ever really been made, or has come, completely clear to the rest of the world, because you really need to get down in the weeds to understand this, because this is where these sorts of changes need to happen. Anyway, they did happen. So, okay, now, part of the problem I have with sharing this is that what Apple did really is down in the weeds, and that's where we have to go in order to get a really deep understanding. But as I was absorbing what this hacker, whose name is Siguza, S-I-G-U-Z-A, he's Swiss, wrote and explained, I was thinking, okay, by the end of this podcast, our listeners are going to have enough of an understanding about what it means to double-free a kernel object to have this make more sense.
0:46:40 - Leo Laporte
I have no idea what that means. I know.
0:46:43 - Steve Gibson
But I'm actually going to be talking about it at the end of the podcast and as I was putting this together, I had already written the end, so I knew that I was going to be explaining what this stuff was, except that now I'm talking about it before I've explained it.
So, as I said, things are a little ordered upside down here, but the AI vulnerability hunting really does need to be our main topic, and I like having it at the end. Anyway, I'm going to share enough of this that everyone's going to get a good sense for what Apple has done, but at some point you're just going to have to let some of the details wash over you and not worry about the details. So I'm going to settle for sharing enough of Siguza's non-technical backgrounding for everyone, as I said, to get a good sense for the environment that this hacker had historically been swimming through, and for how he now observes that that has totally changed. Apple has totally changed the game, and this sort of happened without anyone really... I mean, you know, WWDC happens every year. It's what, next Monday? Right, Leo, and you guys are going to be covering it.
0:48:09 - Leo Laporte
It is. We're going to stream the keynotes.
0:48:12 - Steve Gibson
And five years ago, just five years ago, in 2020, everything was different from the way it is today. So he wrote: "I'm an iOS hacker slash security researcher from Switzerland. I spend my time reverse engineering Apple's code, tearing apart security mitigations, writing exploits for vulnerabilities or building tools that help me with that. Sometimes I speak about it at conferences, sometimes I do lengthy blog posts with all the technical details, sometimes my work becomes part of a jailbreak and sometimes it never sees the light of day."
Okay, two weeks ago he wrote a blog posting titled "Tachyon: the last zero-day jailbreak". It starts off, he said: "Hey, long time no see, huh? People have speculated over the years that someone bought my silence or asked me whether I had moved my blog posts to some other place, but no, life just got in the way. This is not the blog post which I planned to return to" (or return with, he probably means), "but it's the one for which all the research is said and done. So that's what you're getting. I have plenty more that I want to do, but I'll be happy if I can even manage to put out two blogs a year." He said, now, Tachyon.
Tachyon is an old exploit for iOS 13.0 through 13.5, released in unc0ver, where U-N-C is followed by a numeric zero, then V-E-R. And in fact, if you go to unc0ver.dev, u-n-c, numeric zero, v-e-r, dot d-e-v, what you will find there is a jailbreaking kit, because that's where a lot of this guy's work goes. He's one of the guys who was always figuring out how to jailbreak iOS. And he said it was released in unc0ver, that is, this Tachyon exploit, version 5.0.0 on May 23rd 2020, exactly five years ago. So this is his five-year anniversary of the Tachyon exploit. He said, okay, so anyway. I'm going to interrupt here to remind everyone that once upon a time, end-user jailbreaking was a thing. It was common. Mostly it was for people wanting to make unauthorized changes or customizations to their devices, to run unsigned code or sideload apps, to get apps installed not from the App Store, or just to have the freedom of digging around in their iOS or Android devices' innards. In this case, it's all Apple and iOS with this guy. So this Swiss hacker Siguza was one of the unc0ver developers. In fact, he contributed to a number of other jailbreaking products, as we'll see, and unc0ver describes itself as "the most advanced jailbreak tool", and on the homepage it says iOS 11.0 through 14.8. unc0ver is now at version 10.0.2, and under "what's new" it notes, quote, "add exploit guidance to improve"... this version 8.0.2: "Added exploit guidance. Fix exploit reliability on iPhone XS devices running iOS 14.6 through 14.8." And then under "About unc0ver" they write: "unc0ver is a jailbreak, which means that you can have the freedom to do whatever you would like to do to your iOS device, allowing you to change what you want. Operate within your purview. unc0ver unlocks the true power of your iDevice." Then, lower down on the homepage, they also remind us, under "jailbreak legality", that, quote, "it is also important to note that iOS jailbreaking is exempt and legal under DMCA."
"Any installed jailbreak software can be uninstalled by re-jailbreaking with the restore RootFS option," in order to take an iPhone, iPad or iPod touch that was previously jailbroken in for Apple service.
Okay, so now back to Siguza, as I said, one of the guys behind this unc0ver jailbreak, as well as some others, where he's explaining about Tachyon. He says of Tachyon: "It was a fairly standard kernel LPE" (meaning a local privilege escalation) "for the time. But one thing that made it noteworthy is that it was dropped as a zero-day, affecting the latest iOS version at the time," leading Apple... so, you know, and remember, the world has changed in five years, where he describes Tachyon as, quote, "a fairly standard kernel local privilege escalation", like that's just what we did back then. So this was the work that these guys were doing, and the sorts of things that were causing Apple to respond immediately, and of course we know why our iDevices were having to update themselves and restart so often.
Back then. He says: "This is something that used to be common a decade ago but has become extremely rare. So rare, in fact, that it has never happened again after this." Another thing, he writes, that made it noteworthy is that, "despite having been a zero-day on iOS 13.5, it had actually been exploited before, by me and friends, but as a one-day at the time. And that's where this whole story starts." He says: "In early 2020, pwn20wnd," and he says... I don't know, that's...
P-w-n-2-0-w-n-d, is a jailbreak author, not to be confused with Pwn2Own, the event. So this person whose handle is pwn20wnd, he said, "contacted me saying he'd found a zero-day reachable from the app sandbox," meaning any app running on iOS could break out of the app containment, which is very valuable, "and was asking whether I'd be willing to write an exploit for it. At the time, I'd been working on checkra1n," C-H-E-C-K-R-A-1-N. And Leo, it's interesting. If you look at the checkra1n site, it's checkra.in, C-H-E-C-K-R-A dot I-N. The logo will immediately be familiar. We, of course, talked about this at the time. We were covering all these things back in the day, as they say.
0:56:40 - Leo Laporte
Remember that logo on the site.
0:56:42 - Steve Gibson
Yeah, chess pieces. Yep. He said, at the time, "I've been working on checkra1n for a couple of months." And that's, you know, another exploit.
0:56:53 - Leo Laporte
So I figured, he wrote... You think these guys would have gotten over the leetspeak spellings by now?
0:57:02 - Steve Gibson
It's like, oh, that's so clever, I used a one instead of an I. I know, oh my gosh. So, well, we don't know how old they are, right? Yeah, they write pretty well, but we don't know, maybe they're kids. Yeah. He said:
"So I figured going back to kernel research was a welcome change of scenery and I agreed," meaning he agreed to accept what this pwn20wnd author had, the zero-day, the vulnerability that he discovered. So Siguza decided, you know, said yeah, I will create an exploit for the vulnerability. Okay, so he said, "But where did this bug come from?" He said it was extremely unlikely that someone would have just sent him this bug for free, with no strings attached, meaning because they were so valuable back then, he said, and despite being a jailbreak author, he wasn't doing security research himself, so it was equally unlikely that he would discover such a bug. And yet he did. The way
he managed to beat a trillion-dollar corporation, meaning Apple, was through the kind of simple but tedious and boring work that Apple, this guy writes, sucks at: regression testing. Because, you see, this has happened before. On iOS 12, SockPuppet was one of the big exploits used by jailbreaks. It was found and reported to Apple by Ned Williamson from Project Zero, patched by Apple in iOS 12.13, and subsequently unrestricted on the Project Zero bug tracker, right, because Apple patched it, so Project Zero published it. But against all odds it then resurfaced on iOS 12.4, as if it had never been patched.
0:59:14 - Leo Laporte
So Apple had a regression. Aha, that means they made some changes to the code that brought back a bug they had already fixed.
0:59:22 - Steve Gibson
Right, right. And he wrote: "I can only speculate that this was because Apple likely forked their XNU kernel to a separate branch for that version," meaning for version 12.4, "and had failed to apply the patch there. But this made it evident that they had no regression tests for this kind of stuff, a gap that was both easy and potentially very rewarding to fill. And indeed, after implementing regression testing for just a few known one-days, pwn20wnd got a hit." In other words, okay, so in other words, back in early 2020, this jailbreak developer, realizing that Apple sometimes inadvertently reintroduced previously repaired bugs, took it upon himself to check for anything else that Apple might have inadvertently reintroduced, and struck pay dirt. That's when pwn20wnd asked Siguza if he'd write the exploit. He drops into a very detailed instruction-level description of precisely how this exploit works. Understanding it requires developer-level knowledge of the perils and pitfalls of multi-threaded concurrent tasks and the complex management of dynamically shared and dynamically allocated memory among these tasks. And, as I mentioned, believe it or not, everyone actually will understand a great deal more about that by the time we're finished here today, because we're going to get to that, but we haven't gotten to it yet. The sense, however, one comes away with is that as recently as only five years ago, in 2020, things were still a free-for-all, with hackers really having their way with iOS, and there appeared to be little that Apple was able to do to prevent them, because Apple was constantly being reactive. They were patching zero-days that were being found and found and found, and then add to that the possibility of old, previously known and fixed flaws returning, and it's clear why iPhones, as I said, were needing to be restarted so often. So, resurfacing.
After his deep dive into the exact operation and exploitation of this zero-day vulnerability which pwn20wnd had given him, which allowed them to then update their unc0ver jailbreak to once again work on the latest fully patched iOS, which then forced Apple to immediately respond, Siguza continues. "The scene," as he expressed it, "obviously took note of a full zero-day exploit dropping for the latest signed version" (meaning of iOS), he wrote. "Brandon Azad, who worked for Project Zero at the time, went full throttle, figured out the vulnerability within four hours and informed Apple of his findings. Six days after the exploit dropped, Synacktiv published a new blog post where they noted how the original fix in iOS 12 introduced a memory leak and speculated that it was an attempt to fix this memory leak that brought back the original bug," he says, "which I think is quite likely. Then, nine days after the exploit dropped, Apple released a patch." He said, "And I got some private messages from people telling me that this time they'd made sure that the bug would stay dead." And I think those were private messages from inside Apple is what he's saying, because otherwise how would anybody know that Apple had made sure it stayed dead? "They even added a regression test for it to their XNU kernel." And finally he writes, "54 days after the exploit dropped, a reverse-engineered version dubbed Tardion was shipped in the Odyssey jailbreak, also targeting iOS 13.0 through 13.5."
"But by then the novelty of it had already worn off. WWDC 2020 had already taken place and the world had shifted its attention to iOS 14 and the changes ahead." And he writes, "And oh boy, did things change. iOS 14 represented a strategy shift from Apple."
"Until then, they had been playing whack-a-mole with first-order primitives, but not much beyond. kernel_task restriction and zone_require were feeble attempts at stopping an attacker when it was already too late. Had a heap overflow, over-release on a C++ object, type confusion?"
"Pretty much no matter the initial primitive, the next target was always Mach ports, and from there you could just grab a dozen public exploits on the net and plug their second half into your code." Obviously this guy has had his sleeves rolled way up for quite a while, so this is just the game that all of these hackers were playing. He says, "iOS 14 changed this once and for all, and that is obviously something that had been in the works for some time, unrelated to unc0ver or Tachyon, and it was likely happening due to a change in corporate policy, not technical understanding." Okay, and here we're going to get a bunch of technical jargon, but don't worry about following it all, just sort of let it wash over you. As I said, Siguza writes: "Perhaps the single biggest change was to the allocators, kalloc and zalloc. Many decades ago," he writes, "CPU vendors started shipping a feature called Data Execution Prevention." And actually, I don't think it was decades ago, maybe, but for someone that young, everything feels like decades ago.
1:06:42 - Leo Laporte
It was 100 years ago, that's right. I remember DEP. Yeah, we actually talked about it on the show. So yeah, so it wasn't decades ago.
1:06:51 - Steve Gibson
Right, and he said, "so Data Execution Prevention, DEP, because people understood that separating data and code has security benefits." Now, right, you know, in other words, there's a huge security benefit if we're able to prevent the simple execution of data as if it were code, since bad guys can send anything they want as data. That is the separation. He says, "But with data and pointers, instead they split up the zone map, and data would go into one heap, kernel objects into another." And I'll just interject that "heap" is terminology from computer science; it's the pool of memory for allocation. Siguza writes: "For kernel objects they also implemented sequestering, which means that once a given page of the virtual address range is allocated for a given zone, it will never be used for anything else again until the system reboots." Now, that's a big architectural change, and it's brilliant. I'll explain in a second. He writes: "The physical memory can be released and detached if all objects on the page are freed, but the virtual memory range will not be reused for different objects, effectively killing kernel object type confusions. Add in some random guard pages, some per-boot randomness in where different zones will start allocating, and it's effectively no longer possible to do cross-zone attacks with any reliability. Some things still made it into the kernel object heap and vice versa, but this has been refined and hardened over time to the point where Clang now has some built-in _xnu features to carry over some compile-time type information to runtime, to help with better isolation between different data types." And here it is.
"But the allocator wasn't the only thing that changed, it was the approach to security as a whole. Apple no longer just patches bugs, they patch strategies. Now, you were spraying kmsg structs as a memory corruption target as part of your exploit? Well, those are signed now, so that any tampering with them will panic the kernel. You are using pipe buffers to build a stable kernel read-write interface? Too bad, those pointers are packed now. Virtually any time you used an unrelated object as a victim, Apple would go and harden that object type."
"This obviously made developing exploits much more challenging." Well, obviously, to those kind of guys. "To the point where exploitation strategies soon became more valuable than the initial memory corruption zero-days." Okay, in other words, he's saying that Apple had succeeded in raising the bar so high because, instead of patching vulnerabilities, they were patching strategies. They had cut off and killed so many of the earlier tried-and-true exploitation strategies that hackers were needing to come up with and invent entirely new approaches. Entire avenues of exploitation were finally being eliminated at the architectural level. Apple was no longer merely patching mistakes, they were redesigning for fundamental unexploitability. Siguza continues, quote:
"But another aspect of this is that, with only very few exceptions, it basically stopped information sharing dead in its tracks. Before iOS 14 dropped, the public knowledge about iOS security research was almost on a par with what people knew privately," meaning it was out in the ether, everyone was talking about it, it was on forums and so forth, it was being shared and exchanged, he said, "and there wasn't much to add. Hobbyist hackers had to pick exotic targets like KTRR or SecureROM in order to see something new and get a challenge. These days are evidently long gone," and here's the quote from earlier, "with the iOS 19 beta being merely weeks away and there being no public kernel exploit for iOS 18 or 17 whatsoever, even though Apple security notes will still list vulnerabilities that were exploited in the wild.
"Every now and then, private research was able to keep up. Public information has been left behind." I assume what Siguza means here is that iOS has finally become so significantly tightened up, meaning like big time, that it is no longer possible for casual developer hacker hobbyists to nip at its heels any longer. It's no fun anymore. All of the low-hanging fruit has been pruned, and the fruit that may still be hanging is so high up that it's no fun to climb that high. The chances are that you'll get all the way up there and come away empty-handed. Siguza concludes by writing: "It's insane to think that exploitation was so easy a mere five years ago."
He says, "I think this really serves as an illustration of just how unfathomably fast this field moves." And he finishes, "I can't possibly imagine where we'll be five years from now." So his webpage notes his involvement in Phoenix, a jailbreak for all 32-bit devices on iOS 9.3.5, created by tihmstar and, he said, himself; something called Totally Not Spyware, a web-based jailbreak for all 64-bit devices on iOS 10, which can be saved to a web clip for offline use; Spice, an unfinished untether for iOS 11; unc0ver, which we talked about, an app-based jailbreak for all devices running iOS 11.0 through 14.3, and he said, "I'm not an active developer there, but I wrote the kernel exploit for iOS 13.0 through 13.5."
checkra1n, a semi-tethered BootROM jailbreak for A7 through A11 devices on iOS 12.0 and up.
And he said, "the biggest project I've ever been a part of, and by far the best team I've ever worked with." So now here is Siguza, who obviously has, you know, deep involvement in what was previously a hobby industry, essentially saying that this game is over, and that it ended a few years ago with iOS 14 and the changes that Apple made, and some deep change in their security strategy within Apple. Apple finally made the required fundamental changes, and all public kernel exploits disappeared. He says at the end he wants to thank everyone he's learned from before these changes hit, because it's time to move on. Apple finally got very, very serious, stopped believing that they could ever get there, you know, like get ahead of the bugs, using traditional system design, and bit the bullet to make the fundamental changes that were required to change the game forever. And it did. So anyway, I thought this was some really terrific perspective from someone who was, you know, once on the inside, but there is no longer any inside to be in, because Apple fixed iOS.
1:17:03 - Leo Laporte
Let's remember that it's not... it probably wasn't solely to stop these guys. Apple's biggest challenge were zero-click attacks from nation states, right, through NSO Group and Pegasus, and I think they were really... I mean, that's what BlastDoor was all about. They were really trying to protect their phones from that kind of exploit, and it's just a nice side effect that jailbreakers couldn't get in either. I wonder, though, if you gave these Pwn2Own guys $150,000 or $250,000, do you really think there's no way in?
1:17:40 - Steve Gibson
It's a good question. I mean, we do still hear that Pegasus is around.
1:17:45 - Leo Laporte
It's still around. Cellebrite is still there downloading the contents of people's iPhones. Nobody knows how; they don't publicize that, obviously. Oh Lord, no. I mean, Apple probably has some thought, and that's what Apple's patching, right, is these?
1:18:08 - Steve Gibson
Well, and remember, we've covered... a couple years ago we covered one of these where there was some obscure range of hardware access in an undocumented area of a chip which, like, somehow, somebody reverse engineered this and figured it out and was able to use it to access some weird random iPhone grid of numbers.
1:18:30 - Leo Laporte
Yeah, I like what this is about, though, which is that Apple isn't specifically trying to patch flaws. They're changing how the system works to be less vulnerable, and I think that's the right approach, right.
1:18:44 - Steve Gibson
Right. Traditional software development, traditional software architecture, never needed to be this hardened. Right. And Apple adopted that technology for their device when it was created and said, okay, well, we won't have any bugs. Well, you're going to have bugs. There's always bugs. And so what they finally had to do was to go back and say, okay, we gotta stop allowing these things, these bugs, to be turned into exploits. Yeah, that's right. Yeah, and so they changed the architecture.
1:19:20 - Leo Laporte
It's a better way of thinking of it. I think you're right. Yeah, I think you're exactly right. What an interesting story. I wonder, do you think this guy really retired, or maybe he went to high school and got busy?
1:19:31 - Steve Gibson
That's right. Let's take a break, and then we're going to talk about the unbelievable design of Scalable Vector Graphics. I mean, they're everywhere. If there's a problem... Oh, we're not going to... This is a head slapper.
1:19:47 - Leo Laporte
Get ready, stay tuned. You know, this comes back... I always am reminded of the lesson you have taught us time and time again: interpreters are really vulnerable, and I suspect that's what we're going to hear about, but we'll find out in just a little bit. Steve Gibson, he's getting refreshed while I'm telling you about our sponsor, a great little company with a big name, BigID. They're the next generation AI-powered data security and compliance solution.
BigID is the first and only leading data security and compliance solution to uncover dark data through AI classification, identify and manage the risk, and then remediate the way you want. You can use it to map and monitor access controls and to scale your data security strategy, along with unmatched coverage for cloud and on-prem data sources. BigID seamlessly integrates with your existing tech stack and allows you to coordinate security and remediation workflows. You can take action on data risks to protect against breaches, and I said the way you want, which means annotate it, delete it, quarantine it and more, based on the data, and, again, with everything you do with BigID, maintaining an audit trail. BigID works with everybody. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS and more, and with BigID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. Intuit named it the number one platform for data classification in accuracy, speed and scalability.
This is a big problem nowadays because we want to use our data, right? I mean, that data is a treasure trove. It's hugely valuable, but it's in a lot of different places, in a lot of different, you know, on-prem, in the cloud, all kinds of formats. Plus, if you're going to use it for AI, maybe some of it's appropriate, some of it you don't want to use, it turns out. Now it's more important than ever to know what your data is, where it is and what you can do with it. If you're going to use an example client, I don't think there's anybody better than the United States Army. Imagine how much data, how diverse the data, the Army has collected over years in all sorts of ways, in all sorts of places. BigID equipped the US Army to illuminate dark data, to accelerate cloud migration, to minimize redundancy and to automate data retention. I can't imagine a bigger job than that.
US Army Training and Doctrine Command gave us the best quote. They said, quote... "The first wow"... This is a direct quote from US Army Training and Doctrine Command. These guys are pretty straight-laced. They don't get excited very often. "The first wow moment," they said, "with BigID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data, across emails, zip files, SharePoint, databases and more." The quote continues: "To see that mass and to be able to correlate across those, completely novel. I've never seen a capability that brings this together like BigID does." That's somebody at US Army Training and Doctrine Command getting pretty darn excited about BigID. CNBC did too. They recognized BigID as one of the top 25 startups for the enterprise. BigID was named to the Inc. 5000 and the Deloitte 500, not just once, for four years running.
The publisher of Cyber Defense Magazine says, quote, "BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach." Start protecting your sensitive data wherever your data lives at bigid.com/securitynow. Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's bigid.com/securitynow. Also, there's a free white paper that provides valuable insights for a new framework, AI TRiSM, T-R-I-S-M, that's AI Trust, Risk and Security Management, to help you harness the full potential of AI responsibly. You can get that for free at bigid.com/securitynow. Thank you, BigID, for sponsoring the show and for all the stuff you do. bigid.com/securitynow. Okay, Steve, I got to find out: how much trouble am I in with SVG?
1:24:42 - Steve Gibson
These are everywhere, I mean, yes, that's the cause for concern. So to set the stage here, back on February 5th, Sophos' headline was "Scalable Vector Graphics files pose a novel phishing threat." KnowBe4 posted on March 12th, "245% increase in SVG files used to obfuscate phishing payloads." On March 28th, ASEC's headline: "SVG phishing malware being distributed with analysis obstruction feature." On March 31st, Mimecast wrote, "Mimecast threat researchers have recently identified several campaigns utilizing Scalable Vector Graphics attachments in credential phishing attacks." On April 2nd, Forcepoint's headline: "An Old Vector for New Attacks: How Obfuscated SVG Files Redirect Victims." On April 7th, the Keep Aware headline: "SVG Phishing Email Attachment: recent targeted campaign." On April 10th, Trustwave writes, "Pixel-perfect trap: the surge of SVG-borne phishing attacks." VIPRE Security Group's April 16th headline was "SVG phishing attacks: the new trick in the cyber criminals' playbook." On April 23rd, Indexer blogs under "Emerging phishing techniques: new threats and attack vectors." And last month, on May 6th, Cloudforce One, which is Cloudflare's security guys, posted under the headline "SVGs: the hackers' canvas." Oh God. So, like I said, holy smokes.
Okay, all this leads to one question, and I mean this with the utmost sincerity and all due respect when I ask what idiot decided that allowing JavaScript to run inside a simple two-dimensional vector-based image format would be a good idea?
1:26:52 - Leo Laporte
Wait what.
1:26:53 - Steve Gibson
Come on. What? You're kidding me. Believe it or not, the SVG, Scalable Vector Graphics, file format, based on XML, can host HTML, CSS and even JavaScript, and it's all by design. So you could put arbitrary JavaScript in an SVG graphics file?
1:27:19 - Leo Laporte
Yes, and how does it get?
1:27:21 - Steve Gibson
triggered. It runs by design. It runs when it's displayed.
1:27:31 - Leo Laporte
That's what I mean. Yeah, when it's used. Yeah, okay.
1:27:34 - Steve Gibson
Now, let's just remember I was once famously on the receiving end of some ridicule for stating my opinion that the infamous Windows Metafile vulnerability, which allowed WMF files to contain not only inherently benign interpreted drawing actions but also native Intel code, I said it was almost certainly not a bug but a deliberate feature added as a cool hack back then to allow images to also carry executable code. As we know, the world, I wrote in the show notes, went nuts. It lost its shit, is the technical phrase, when this Windows Metafile so-called vulnerability was discovered, or rather rediscovered, and it was none other than Mark Russinovich, who also examined the native Windows Metafile interpreter as I had, who concluded it sure does appear to have been intentional. Oh wow.
1:28:43 - Leo Laporte
But you know what I think back to TrueType fonts which also execute code.
1:28:49 - Steve Gibson
Not in this way. They are, they're sandboxed. Yes, TrueType was based off of PDF. That is an interpreted-
1:29:01 - Leo Laporte
PostScript, yeah, right, PostScript, yes.
1:29:03 - Steve Gibson
Right, PostScript. Okay, so my point was that, okay, back in the early 1990s, before the internet interconnected everything, which is what changed the landscape of security overnight, this would have been, the idea of executable code in a WMF file would have been an entirely reasonable thing for Microsoft to do. Mark Russinovich and I both examined the WMF interpreter machine language and it was clear that after the interpreter parsed an escape token, it would deliberately jump to the code immediately following that token and execute it. That's what the code was written to do. You can't make a mistake like that, which is why Mark concluded it sure looks like it was intentional. Now I'm reminding everyone of this because, bizarrely enough, we're back here again with a widely supported image file format that explicitly enables its displaying host to execute content on its viewer's PC when the file image is displayed. The only difference this time is that, while this is still clearly a horrible idea, no one thinks it's a mistake. The SVG image file format first appeared back in 1991. The version 1.0 specification was finalized 24 years ago, in 2001. Section 18 of the SVG specification is titled "Scripting" and makes clear that SVG files are allowed to support ECMAScript, which is the standards-following JavaScript. ECMA, yeah, right, ECMA.
Obviously, given the headlines we've seen over just the past few months, which I just read, bad guys have figured out, took them a while, how to weaponize this built-in scripting facility and are now using it with abandon. And just one sample of the recent coverage and explanation of the problem I'm going to share. Here's what Cloudflare's Cloudforce One security group wrote on May 6th under their headline "SVGs: the hackers' canvas." They were being a bit clever here, since the canvas is the term for the virtual surface upon which SVG graphics are rendered, and in general, the web, you know, canvas is the term used for rendering on web browsers. They wrote: "Over the past year, PhishGuard," which is a Cloudflare email security system, "observed an increase in phishing campaigns leveraging Scalable Vector Graphics (SVG) files as initial delivery vectors, with attackers favoring this format due to its flexibility," yeah, it's so nice to have script, "and the challenges it presents for static detection."
SVGs, they write, are an XML-based format designed for rendering two-dimensional vector graphics. Unlike raster formats like JPEGs or PNGs, which rely on pixel data, SVGs define graphics using vector paths and mathematical equations, making them infinitely scalable without loss of quality. Their markup-based structure also means they can be easily searched, indexed and compressed, making them a popular choice in modern web applications. However, the same features that make SVGs attractive to developers also make them a highly flexible and dangerous attack vector when abused. Since SVGs are essentially code, they can embed JavaScript and interact with the Document Object Model, the DOM. When rendered in a browser, they aren't just images, they become active content capable of executing scripts and other manipulative behavior. In other words, this is Cloudflare writing this, SVGs are misclassified as innocuous image files similar to PNGs or JPEGs, a misconception that downplays the fact that they can contain scripts and active content. Many security solutions and email filters fail to deeply inspect SVG content beyond basic MIME type checks, a tool that identifies the type of file based on its contents, allowing malicious SVG attachments to bypass detection. They wrote.
We've seen a rise in the use of crafted SVG files in phishing campaigns. These attacks typically fall into three categories. Redirectors: SVGs that embed JavaScript to automatically redirect users to credential harvesting sites when viewed. Wow, that's just wonderful. You display an image and it takes you somewhere else. What could possibly be wrong with that? Second, self-contained phishing pages: SVGs that contain full phishing pages encoded in Base64, rendering fake login portals entirely client-side. Gee, what a terrific feature to have in an image. And finally, DOM injection and script abuse. They write: SVGs embedded into trusted apps or portals that exploit poor sanitization and weak content security policies, enabling them to run malicious code, hijack inputs or exfiltrate sensitive data. Wow, that's right. How many sites allow you to upload images, after all? What harm could an image do? And why does that SVG embed the term DROP TABLES?
1:36:09 - Leo Laporte
Hmm, Given the capabilities highlighted above.
1:36:13 - Steve Gibson
They write: Attackers can now use SVGs to gain unauthorized access to accounts. Okay, SVG images gain unauthorized access to accounts, create hidden mail rules, phish internal contacts, steal sensitive data, initiate fraudulent transactions and maintain long-term access. Telemetry shows that manufacturing and industrial sectors are taking the brunt of these SVG-based phishing attacks, attributing to over half of all targeting observed. Financial services follow closely behind, likely due to SVG's ability to easily facilitate the theft of banking credentials and other sensitive data. The pattern is clear: attackers are concentrating on business sectors that handle high volumes of documents or frequently interact with third parties.
The article then goes on to greater depth, but that's all I'm going to share here, since I'm sure by now everybody gets the idea and must be shaking their heads, as I am. Essentially, what this means is that SVGs provide another way of sneaking executable content into an innocent user's computer and in front of them to display things like bogus credential harvesting logon prompts that most users would just assume were legitimate, because how would they know otherwise? Their computer just popped up, as it often does, asking them for their username and password, so they sigh and type them into the web page, that JavaScript in the signature logo, just retrieved from a server in Croatia, which would love to have them fill out its form, please.
As I've often observed here, most users, most PC users, really have never needed to obtain any fundamental understanding of the computers that they now have come to utterly depend upon. Many of us here, listening to this podcast, grew up with PCs. We love them for their own sake, so we know and care about things like directory structures. Most users will ask, do you mean folders? They have no underlying grasp of what's going on and they don't want to. They don't want to need to know, they just want to use their PC to get them where they want to go. They want to use it as a tool to get whatever it is done. And, of course, the industry has not helped very much with this, because there is no normal, right? You can't tell if something is abnormal because there's zero uniformity among sites and site actions. If any of us were to open an email and receive a pop-up from an email asking for authentication, we'd say, what? No. But the typical user would shrug and think, oh okay, whatever, I guess I need to log into this just for some reason. Again, how would they know? I don't have any solution to this problem. Chrome, Firefox and Safari might simply block script execution within SVG images. Yes, please. If there was a toggle that I could turn on that would turn off script running in SVGs, I would turn that on or off or something. But our browsers are less the problem than email. In their write-up about detecting and mitigating this malicious misuse of SVG scripting,
Cloudflare's Cloudforce One folks wrote: Cloudflare's email security have deployed a targeted set of detections specifically aimed at malicious emails that leverage SVG files for credential theft and malware delivery. And remember that all of those headlines I read before were about phishing. These detections inspect embedded SVG content for signs of obfuscation, layered redirection and script-based execution chains. They analyze these behaviors in context, correlating metadata, link patterns and structural anomalies within the SVG itself. These high-confidence SVG detections are currently deployed in our email security product and are augmented by continuous threat hunting to identify emerging techniques involving SVG abuse. We also leverage machine learning models trained to evaluate visual spoofing, DOM manipulation within SVG tags and behavioral signals associated with phishing or malware staging.
Okay, in other words, this is not easy to fix. I would just say no. I would just turn this off. No. Once upon a time, back in the early days, when scripting was first happening, many of us old-timers simply ran the NoScript browser extension to block any scripting from running on websites. We were like, no, thank you. We also noted when, over time, as sites became increasingly dependent upon scripting, you know, that little NoScript add-on started causing more trouble than it was probably worth, and at the same time the security of our web browsers was steadily increasing. So it was probably good for us to run a no-scripting window for a while, but it became obsolete and as browser security got a lot better, scripting became less of a concern.
The big problem that Cloudflare and all the other security companies are seeing is from SVGs in email. Blocking scripting for SVGs in email clients would seem to be a terrific first step. Given that the SVG spec designed JavaScript in on purpose back in 2000, in the spec from the start, and given that it's apparently being used for some legitimate purposes, I'm sure it's here to stay. But it might be nice to be able to turn it off, and I hope that the industry responds to this quickly and just starts saying no to running scripting in our SVG images. If things stopped running scripting, then designers would stop being able to rely on scripting in SVG. You really just have to decide that it's a bad idea to have it.
1:44:05 - Leo Laporte
It's unbelievable. Yeah, you know the scripting that you can do in a TrueType, I mean, TrueType does have conditionals and loops and stuff, but it doesn't have access to external data and it certainly can't send you to another page. Well, and some SVG image is able to execute an HTTP request to pull content from Croatia or from Russia or China. Yeah, that's clearly a problem.
1:44:33 - Steve Gibson
And that's one of the other things, Leo, as I didn't get this into my show notes. But arguably JavaScript in the year 2000 is different than JavaScript in the year 2025, meaning we've been adding and adding and adding all this power to JavaScript. So back then it probably was not so insane to add a little bit of scripting enablement to images.
1:45:03 - Leo Laporte
Well, think of all the power it gives you right, yes.
1:45:05 - Steve Gibson
But think of all the power it has received in the last 25 years and, as it turns out, well, maybe not such a good idea to have it in our images any longer. Yeah. Amazing. You know what is a good idea? Oh, I know what a good idea would be, before we get into our listener feedback, is to remind people how this is all being brought to them.
1:45:28 - Leo Laporte
It is all being brought to you through the magic of SVG, ladies and gentlemen? No, it's not. It's brought to you by Bitwarden. I mean, when you talk about security, you know, perhaps the single most important security tool in any company, in any individual's life, is your password manager. You do use a password manager, right? Of course you do. We've all got to remember a lot of passwords and it's bad, as you know, to reuse a password even once. It's also nice, if you can, to use passwordless, single sign-on and passkeys. Well, Bitwarden does it all. They are the trusted leader in passwords, in secrets and in passkey management. They say secrets because you can store anything in your Bitwarden vault: API keys, SSH public keys. In fact, they even have, I love this, they added this recently, SSH key generation and storage in Bitwarden. It's incredible. I love it. With more than 10 million users across 180 countries, over 50,000 business customers worldwide, Bitwarden continues to protect businesses and individuals everywhere. G2 consistently ranks it number one in user satisfaction. You can count me in. I am very satisfied.
Every year, on World Password Day, Bitwarden does a survey of users to find out, you know, how do we stand now on our understanding of how important passwords are and what we should do. This latest survey is wild because they sectioned out the Gen Z members in the survey. These are adults who are probably digitally native. They all grew up with the internet and yet Gen Z has been found guilty of the single highest incidence of password reuse. The survey found that 72% of Gen Zers reuse the same password across accounts. 79% of them know it's risky. They say, yeah, we know it's risky. Yet 59%, oh, get this behavior, when they get to a site that has had a breach and the site has reset all the passwords, right, oh, we had a breach, the passwords have leaked out, reset your password, 59% of Gen Zers just recycle the existing password when they're updating the account. They don't. You ought to be using Bitwarden, okay, and if you have employees in the Gen Z category, or, you really need to get it for your business.
They just launched Access Intelligence. It's a new capability that helps enterprises help employees do the right thing, proactively defend against internal credential risks and external phishing threats. Two core functionalities here. The first is risk insights, which, by the way, eliminates alert fatigue, because that's one of the problems, right? They go, okay, okay, okay, fine, yeah, yeah, yeah, yeah, I heard it, all right. Risk insights allows IT teams to identify, prioritize and remediate at-risk credentials without bombarding your employees with alert after alert after alert. They also have an advanced phishing blocker that does alert and redirects users from known phishing sites in real time, using a continuously updated open source block list of malicious domains. So even if they are reusing their passwords, when they try to use it on a phishing site, they'll be stopped. Okay, and then, you know, look, give them a password manager, teach a Gen Zer to phish, or something.
What sets Bitwarden apart is that it prioritizes simplicity. It's easy to use, because obviously if it's too complicated, nobody's going to use it. It's easy to set it up in your business, it only takes a few minutes, or in your house, because you can import from most password management solutions just like that, and I think this is super important. Bitwarden is open source. That means their code can be inspected. Their full code base is GPL. It can be inspected by anyone. They also have it regularly audited by third-party experts and they publish the full results of those audits. So you know Bitwarden is absolutely secure. They meet stringent security and compliance requirements: SOC 2 Type 2, GDPR, HIPAA, CCPA, ISO 27001-2002, and on and on.
I think you and your business and your Gen Z employees deserve an effective solution for enhanced online security. Now, don't think I'm insulting Gen Zers. I know many of you are and I know you use Bitwarden. If you're listening to Security Now, of course you use a password manager. But if you don't, or, more importantly, if you know somebody who doesn't, and maybe they're saying, oh, I don't know, get started today with Bitwarden's free trial of a Teams or Enterprise plan. Protect your business, and when it's individuals, like if it's mom or dad or cousin Al, tell them it's free forever across all devices when you're an individual user. It's open source. bitwarden.com/twit. bitwarden.com/twit. I love Bitwarden. I have not just passwords, everything's in there, including SSH keys, API keys, secrets, passport, social security, because it's safe, it's secure and it's easy to use. bitwarden.com/twit for you, for your company. Do it today. You owe it to your Gen Z employees. bitwarden.com/twit. On we go with the show with Mr. Steve. Okay.
1:51:18 - Steve Gibson
So we've got some feedback from our many involved and engaged listeners. Yes, yes. Kevin, who describes himself as a cloud security engineer in the healthcare space, wrote: Steve, as everyone else states, thanks a ton for this podcast. It comes as a boon on Wednesdays, especially when I'm standing at my window realizing I forgot to take the trash to the curb. He thinks, well, at least I get to listen to Security Now. It must be a long walk to the curb.
1:51:47 - Leo Laporte
I was going to say that's yeah.
1:51:50 - Steve Gibson
I don't blame you for not wanting to take the trash out if it consumes the podcast. He says: As a cloud security engineer in the healthcare space, I plan to block ECH, Encrypted Client Hello, in our environment so that we can more easily snoop on our traffic before it leaves the network. Now, understand, snoop is meant like in the security management sense, right?
He says: Otherwise, we have to man-in-the-middle ourselves to decrypt and re-encrypt all that traffic, which creates another place where unencrypted sensitive data is being handled, and adds the complexity of managing an internal certificate authority. Right, because all of the browsers in the enterprise would have to have a certificate from the middle box that would be there, used to intercept. He says: I love the idea of ECH for personal use but, as you mentioned, enterprises can really benefit from SNI header inspection to improve security visibility. Now, okay, Kevin is echoing this somewhat controversial side of ECH adoption, right? The thing to remember is that he's specifically talking about an enterprise environment where, as we've noted in the past, organizations really ought to fix some written signage in a stripe across the top of everyone's display screen to remind them that they're using corporate bandwidth and corporate equipment and the corporate network and that, as such, everything they do, all the data they traffic while within the enterprise's environment, is subject to inspection for the good of the organization. That is, you know, privacy is limited within that environment, so the furtherance of the absolute privacy that ECH helps Internet users obtain is really not appropriate within an enterprise which does need to protect itself from dangerous Internet misconduct. And, as Kevin also noted, if it became impossible to examine the TLS client hello handshake, which ECH would make impossible, to determine the domain the enterprise's employees were connecting to, the only recourse the enterprise would have would be to fully proxy all TLS connections by inserting a middle box into every connection, and that would represent an even deeper intrusion, since then all post-connection data would also be decrypted, not just the domain that the user is wishing to connect to.
So the enterprise environment is very different from that of home users where, I would argue, privacy should absolutely reign.
The idea that a residential ISP might be profiling and profiting from the sale of data that it snoops from its paying customers is something I find despicable. Yet we've been informed that that happens. So encrypting DNS and taking advantage of ECH to also encrypt the client hello handshake wherever and whenever it might be opportunistically available for the residential internet user, I think makes absolute sense, and I can certainly understand Kevin's position in the corporation. It really does feel like ECH is going to have a tough time getting, you know, much traction. And again, it's only useful if you're behind a big aggregator like Cloudflare, because if you go to GRC it doesn't matter if it says GRC.com in the handshake header. The only website at the IP address you're going to, which you can't hide, is mine. Aaron Morgan said: Hi, Steve, I just listened to SN 1027. That's last week, he said. Regarding the AI pull request, Stephen Toub is a principal software engineering manager at Microsoft and was/is key in the development of .NET and C#.
1:56:43 - Leo Laporte
I showed that GitHub dialogue to Lou Maresca, who works at Microsoft. He does Copilot for Excel and Python, and he said, oh, Toub's a big shot. I said, oh okay, we didn't mock him too much.
1:57:04 - Steve Gibson
Our listeners knew that too. Aaron wrote: He's widely known for his expertise in asynchronous programming, performance optimization and concurrent programming on .NET, and you can find YouTube videos of him writing async code in C# from scratch as an example of his deep knowledge of both C#, the language, and the .NET framework. Aaron said: I suspect for this very reason he's on the list of code reviewers for AI-generated pull requests. And in fact, what hadn't occurred to me until just now is maybe this was him testing Copilot in public view, like sort of going and then giving it another prompt to say, don't you think this is, you know, more of treating the symptom? Anyway, Aaron said: He's not going to let subpar code slip past and into the main branch. In fact, looking at those pull requests, he's the default assignee on three out of four. So I'm pleased to hear he's one of the go-to reviewers and, as an experienced dev, he's asking the AI the right questions because, as you and Leo said, what was submitted was junior dev level symptom targeting and not root cause solving.
Unfortunately, the AI did not read between or even on the lines here and flubbed the review. He said: Been a listener since episode one and a Club TWiT member for a while now. While I don't have expectations of 2000 and beyond, please don't quit in the next six months. Regards, Aaron. Thank you for the note, Aaron, and for the record, quitting is not on the horizon.
1:58:47 - Leo Laporte
We'll try to make it to 1100 anyway. That'd be good.
1:58:51 - Steve Gibson
So a number of our other listeners sent notes similar to Aaron's. And so, yes, Stephen Toub has made a name for himself within the Microsoft development community and that name carries a strong reputation for knowing his stuff, so that sentiment is universally expressed. Michael Heber said: Steve, longtime listener of this podcast and really enjoy yours and Leo's insights. Just listened to episode 1027 and specifically the section on MS Copilot. One general comment regarding Copilot's attempt to fix a regex backtrack problem. AI works primarily on the principle garbage in, garbage out. What I mean by this is that, depending on how the question is phrased, will depend on how it gets answered. I've spoken with security researchers and we noticed over a year ago that if you are not specific in how you ask the question, you may get back a less than satisfactory answer. As you said in the episode, AI does not have intent as such. It will not go looking deeper for an answer. In the regex case, instead of looking into the underlying engine, it simply provided a solution to the proposed problem. Without knowing how the question was asked, is it really fair to criticize the answer it provided? So I agree 100% about the inherent importance of being very clear to AIs about what one is asking. In fact, as we've seen, prompting AI has become recognized as a thing that some people appear to have a particular talent for, and I certainly agree that it might be the application of Copilot in this instance, or the way it's being directed, that's the problem. If someone had asked the AI to simply correct the problem of the error occurring, that would be entirely different from asking the AI to deeply and thoroughly analyze the regular expression interpreter to determine the cause of the backtracking error and correct the underlying design so that erroneous indexes are no longer being put onto the backtracking stack.
So, yeah, I take your point about prompting being crucial. Now, it might be that Copilot is currently being under-prompted by not being given sufficient direction, or it might be that a developer working with Copilot might, as Stephen Toub did, receive the first reply, which indicates an insufficiently deep approach to the problem, then follow that up with another, more tuned and specific prompt, which would cause the AI to take another and more thorough approach. So, yes, 100% agree. Andrew Mitchell said: Steve and Leo, been listening to the podcast for about two years. Thank you for what you do for the community.
I got into using computers as a whole to offset some of the difficulties of my disability. I have cerebral palsy. There was a time in my life, when I was younger, that Linux gave me easier access to network troubleshooting and security tools. So it became my operating system of choice. Yet Linux has never really had a voice control system with any depth or flexibility for those of us that are disabled.
I've started to develop the Linux Dictation Project, which you can find the link here, and I've got a link to it in the show notes at the top of page 16. It's github.com/wheeler01/Linux-dictation-project. And he said: I know this is a bit of a shameless plug, but I'm hoping you guys will help me promote the project. I could use some help. I want the project to continue and grow, but given my current medical condition I don't think I can devote the resources required to do that as much as would be needed. Steve, I know you are mostly a Windows developer, but I'm hoping you may know someone willing to assist in allowing the project to grow and flourish. I don't want a project of such importance for the Linux community to not get the support it needs because I can't give it. Anything you guys are willing to help with would be greatly appreciated. Respectfully, Andrew K. Mitchell, MSIS, PM, President and Senior Network Engineer of Global Network Operations for VOIPster Communications Inc.
I'm sure they pronounce it Voipster. I am 100% certain that no one listening to this podcast would find any fault in your asking for a bit of attention to this. Yeah, it's open source. My hope is that it might capture the interest and attention of someone, or, you know, one or more people listening who might be the right people to pitch in and help.
2:04:19 - Leo Laporte
It's written in Python Yep.
2:04:21 - Steve Gibson
Yep, so there's a link in the show notes for anyone who might be interested.
2:04:27 - Leo Laporte
Yeah, he's using PyTorch. Whisper is really great. I've never used it in real time. I didn't realize it was fast enough to do real time. I guess it is these days, because I've used it, of course, to transcribe audio.
2:04:42 - Steve Gibson
We use it all the time for our shows and it's writing code here.
2:04:45 - Leo Laporte
Yeah, he's writing an interface, a Python interface to Whisper.
2:04:50 - Steve Gibson
So that it can run in real time. It's a natural language translator, yeah, it's from.
2:04:54 - Leo Laporte
It's from OpenAI, ChatGPT, huh, and it's really good. It's probably the state of the art in all of that, so that's cool. So he's basically written a front end to Whisper transcription so it could be used in real time, and so that would then be a command line interface to Linux. It looks like he,
yeah, I guess you'd have to run it from the Python as a background. Oh no, you could use systemd to run it as a service, so it could be running in the background as a service. So you basically dictate your command. You get a floating widget to toggle between dictation and command mode. Say "command mode" or "dictation mode" to switch modes by voice. Wake up. I'm sure he used it himself. So this is called scratching your own itch. Linux Dictation Project. That's great. Good job.
2:05:53 - Steve Gibson
So Joel Pomalas says: Steve, wanted to send a quick shout out about Windows Sandbox. I use Windows mostly for work. My personal computers run several flavors of Linux because I don't want to have my personal data in a Windows box, for what it's worth. For work, though, Windows 11 is competent, and since we use O365 for work, it works best for Windows, of course. But Windows Sandbox is an amazing piece of tech. I can spin it up to demo something to a client and shut it down without exposing my main desktop, for example.
But here's what I wanted to point out to you and other SN listeners: have you seen recently how crappy (he says, I'm using a nice word here) the Internet still is without filters and ad blockers? Yeah. For fun, he said, I went to a website that I know is completely unusable without filtering and ad blocking. Sure enough, within seconds I got the "Your Windows PC is infected," complete with the siren buzzing and the artificial voice telling me to call the number.
Within seconds, he said, which is both sad and terrifying at the same time, because full capabilities of uBlock Origin with Manifest V3, since Edge is Chrome and it is the default on the sandbox and in many people's brand new Windows 11 PCs. Just wanted to mention this, since it's kind of fun to close the sandbox and send these scammers packing. Keep up the good work and thanks for the company on my daily walk. So of course, many of us have long been spoiled, you know, as I mentioned before, first by NoScript and later by uBlock Origin.
Most of the PCs and pads I use, in fact I don't think there are any that I use that don't have some form of filtering. But every so often I'll encounter a machine that's bare, you know, much like the Edge browser that Joel described, running without add-on filters in the Windows Sandbox. I suppose one good thing about people using the internet unfiltered is that they would likely learn on an instinctive level before long to just be on guard and to treat everything they encounter with skepticism, because, boy, the noise level is just unbelievable. Okay, now, Leo and I have differing opinions, apparently.
2:08:52 - Leo Laporte
I don't know, I'm not saying that.
2:09:04 - Steve Gibson
What I would call absolutely fantastic classic science fiction cinema. A frequent contributor to the podcast posted a reminder into GRC's newsgroup of an old favorite classic movie which we've referred to previously. Simon's subject line was Colossus: The Forbin Project. Oh, love that movie. And he wrote: Given the ongoing developments in LLMs, that movie is a must watch for anyone remotely interested in the subject. He said, amazingly, it's available via the Internet Archive at, and then he has a link. "Colossus: The Forbin Project, 1970" is the link, and it is free to watch. 1970. Now, this was a great movie.
I did enjoy this movie, and I clicked on Simon's link, downloaded and began watching the movie, and I was reminded of how perfectly conceived it was. It's one of those rare 70-year-old movies that does not need to be remade because, in my opinion, it was perfectly made. It was perfectly paced. I doubt anybody who was going to recreate it today could exhibit the amount of restraint that would be necessary to keep from overdoing it. Anyway, as Simon noted, it has particular resonance at the moment. You know, the Terminator gave us a very dark future with Skynet; the Matrix turned humans into energy-producing Copper-Top batteries. I won't spoil the surprise about Colossus: The Forbin Project if you've never seen it. As Simon noted, it's 100% free. Download it with his link, gather the family with some popcorn, and prepare for a very well assembled and thought-provoking movie. So would you say?
2:11:04 - Leo Laporte
I mean, look, this is 1970, this is 55 years ago. Would you say that the computer and the AI are accurately represented? I mean, for the time. You were at SAIL, probably, at this time, but this is a mainframe. But what do you think? Technically, was it good? There's an oscilloscope. I think it was great. I haven't seen it in 50 years, so I-
2:11:32 - Steve Gibson
Leo, let me tell you, I mean, I watched about maybe the first 10 minutes of it, where Dr. Forbin is, and here it is right now, you're showing it. Basically, he's turning it on. He's turning on something that is designed, and this is not a spoiler because you learn this in the first three minutes, he's turning on something that they've deliberately designed cannot be turned off, on purpose.
That seems like a bad idea. Because they want to turn control of the Earth, of the US's defenses, over to automation? Sure, why not, believing it could do a better job? Yeah, anyway. But it's also a computer, for the time, of a class that cannot be understated. So anybody with a terminal, you know, kids in school, can talk to it and ask it questions and have it help with their research, and it can be used for medical studies and research. I mean, OK, so what's freaky is how much this movie, made in 1970, is absolutely relevant today.
2:12:54 - Leo Laporte
Okay, so Okay, now I'm going to have to watch it again, because I had very fond memories of this movie. It is perfectly done Good.
2:13:04 - Steve Gibson
And again, we can't talk about it more, because anything more we say would be a spoiler. But it leaves you with an ambiguous ending. Some people, when Simon posted this, some other people who know the movie, said, but what about that ending? What do you think? That's like, okay, we don't know. And it was just, again, it was perfectly done. Okay. So, in addition to Colossus: The Forbin Project, while we're talking about sci-fi, there are three other much older yet classic sci-fi movies that I think remain must see to this day. They're probably responsible for my love of science fiction. Okay, we have, believe it or not, released 74 years ago, in 1951, The Day the Earth Stood Still.
2:14:04 - Leo Laporte
I would agree with you on that. Klaatu barada nikto. Yes, in fact, Klaatu barada nikto has a Wikipedia page. Of course it does. That's the phrase to save the planet, right, in the movie.
2:14:22 - Steve Gibson
Yes, it was in the language. It's actually there in the script.
2:14:37 - Leo Laporte
It was to tell Gort, the robot that could destroy the Earth, not to. Please, please, don't. Okay.
2:14:41 - Steve Gibson
But also there is This Island Earth, which was released 70 years ago, the year I was born, in 1955, and Forbidden Planet, which I think are both... That's the Robby the Robot one, right? Yes. Forbidden Planet gave us the Krell, the phrase "monsters from the id" and that wonderful robot Robby, which Dr. Morbius explained he had just tinkered together after exposing himself to one of the Krell devices. Okay, anyway, they're a little hokey, folks.
Okay, but yes, the special effects are a little... Now, a whole bunch of Disney animators were involved on Forbidden Planet.
2:15:32 - Leo Laporte
Okay, so Forbidden Planet is absolutely classic. Yeah, I will grant you that. I'm not sure about This Island Earth. I could probably live with that.
2:15:41 - Steve Gibson
Yeah, I guess for me the idea that a physicist would order some capacitors for something and instead receive a manual for how to construct an interocitor, and then say to his assistant, what the hell is an interocitor? And then Cal, Cal is the smart guy, he said, I don't know, but I'm ordering all the parts for one because I'm going to build it. Anyway, some great concepts there. Okay.
2:16:17 - Leo Laporte
Yeah, I mean, it's fun. It's a little campy. If you don't mind the campiness, it's pretty fun. Get high before you watch it, that'll make it better.
2:16:27 - Steve Gibson
Okay, that'll make it better. Okay, last break, and then we're going to do a deep dive into how AI was used to find a zero-day, previously unknown, remotely exploitable flaw in the Linux kernel. Amazing.
2:16:48 - Leo Laporte
I can't wait. We are kind of you know, if you think about it, we are living in science fiction times. That's what's kind of interesting. This AI stuff is straight out of the movies. Yeah, and wild.
2:17:00 - Steve Gibson
Yeah, if you watch Colossus: The Forbin Project, which is a free download (I will watch that again), you will be seeing, I don't know if it's our future, but a future, a future, and we're not turned into batteries and we're not exterminated by Terminators from the future.
2:17:16 - Leo Laporte
It's a great movie, and I will give you The Day the Earth Stood Still, you got to see that. And Forbidden Planet, you got to see. Those are classics, I think. Okay, I'll give you those. This Island Earth, maybe not, but anyway, if you like building interocitors, it's got the plans.
2:17:32 - Steve Gibson
So in fact I'm surprised you didn't make one when you were in high school, Steve. Had I received the, I can't remember the name of the company, it had a mysterious company that the manual came...
2:17:46 - Leo Laporte
I love it. Our show today brought to you by DeleteMe. We are in difficult times when it comes to privacy, aren't we? Because of data brokers. You ever wonder how much of your personal data is out there on the internet for everyone to see? Do not do a search. It's a lot more than you think: your name, your contact info. I was shocked to learn that my Social Security number is out there and that it's perfectly legal for a data broker to sell it to somebody. My home address, even information about your family members, all being compiled by data brokers and completely legally sold online because we just don't have, at least, a federal law against it.
I think some states are trying to do their best. Anyone on the web can buy your private details, and I don't mean just in the US, anywhere in the world. And what can that lead to? Well, I know from personal experience: phishing, identity theft, doxing, harassment. Well, there is a way to protect your privacy and it's what we use. It's DeleteMe. As a person who exists publicly, especially someone who shares their opinions online, I do think about the safety and security not just of myself, but of my family, my company, because it is easier than ever to find personal information about people online. You know, for myself, maybe I don't mind so much, but I care a lot about my family and what's out there. That's why I personally recommend, and why we use as a company, DeleteMe.
DeleteMe is a subscription service that removes your personal info from hundreds of data brokers. You sign up, you provide DeleteMe with exactly the information you want deleted. You have control of that, by the way, and then their experts take it from there. What's great about DeleteMe? They know every one of these data brokers, and that's not a trivial thing, because there are new ones all the time. They come and go, right. DeleteMe will send you regular personalized privacy reports. In fact, Lisa just got one the other day showing what info they found, where they found it, what they removed. That's right. It's not just a one-time service. DeleteMe continues to work for you, constantly monitoring and removing the personal information you don't want on the internet. So Lisa got an email from DeleteMe saying, we found this on these sites, we deleted them. To put it simply, DeleteMe does all the hard work of wiping you and your family's personal information from data broker websites. Nobody can erase your presence on the internet, but boy, you don't want these guys who have been buying this information from the apps you use, your carriers, your ISPs, and then packaging it up and selling it on.
Take control of your data. Keep your private life private. Sign up for DeleteMe at a special discount, just for our listeners. Today, you'll get 20% off your DeleteMe plan when you go to joindeleteme.com/twit and use the promo code TWIT at checkout. The only way to get 20% off, though: visit this address, joindeleteme.com/twit, and you must use the offer code TWIT at checkout. joindeleteme.com/twit, offer code TWIT.
2:20:56 - Steve Gibson
Mr. Steve Gibson. Let's see what I can do to find some flaws.
2:20:59 - Leo Laporte
So, where we left off last week. We saw, previously on Security Now...
2:21:04 - Steve Gibson
We saw instances of AIs apparently resisting directions to shut down, and an instance of Microsoft's Copilot dealing with what appeared to be the symptoms of an important underlying bug, but recommending that the symptom be prevented from occurring. But I also alluded to the news of the successful use of AI in the discovery of a previously unknown and seemingly critical remotely executable flaw in the Linux kernel's SMB, the Server Message Block protocol, handling. Now, Leo, you quickly noted that the ability of AI to find previously unknown critical flaws was inherently a mixed blessing. And you're right, because it's not only the good guys who now have access to AI. What we see, unfortunately, is that the motivation to discover problems is all that's needed, and, annoyingly, the bad guys never appear to suffer from any lack of that. So here's what transpired.
Saturday before last, an open source developer named Simon Willison posted to Mastodon, quote, "Excited to see my LLM CLI (his command line interface tool) used by Sean Heelan to help identify a remote zero-day vulnerability in the Linux kernel," exclamation point. Okay, now, if we didn't already appreciate that Simon is inherently a minimalist, after all, he wrote an LLM tool for the command line, any suspicion we might have had along those lines would be confirmed by the name that he gave his tool. It's "llm". So I have a link to Simon's tool in the show notes, where Simon's page describes this tool as, quote, "a CLI tool and Python library for interacting with OpenAI, Anthropic's Claude, Google's Gemini, Meta's Llama and dozens of other large language models, both via remote APIs and with the models that can be installed and run on your own machine." Simon provides a YouTube demo and detailed notes. He notes that with llm (that's again the name of his tool) you can run prompts from the command line, store the results in SQLite, generate embeddings and more. So his simple and clean command line interface appealed to the person his Mastodon posting referenced, this Sean Heelan. Tracking Sean down, we find his blog posting: CVE-2025-37899, a remote zero-day vulnerability in the Linux kernel's SMB implementation. Okay, and there's two CVEs we'll be talking about here, 899 and an earlier one beginning with seven. And I'll reference it when we get there, but 899 is the one that he just recently found. So OpenAI's o3 model discovered a previously unknown flaw in the Linux kernel's quite well-traveled SMB, you know, Server Message Block, implementation.
To give a bit of background, I wanted to observe that Sean is no slouch. His blog's subtitle claims "software exploitation and optimization," and he's certainly able to back that up. His About Me page starts out saying: I'm currently pursuing independent research investigating LLM-based automation of vulnerability research and exploit generation. So that's good. We want him doing that.
Immediately prior to this, I co-founded and was CTO of Optimyze. We built Prodfiler, an in-production, datacenter-wide profiler, and were acquired by Elastic. Prodfiler is now the Elastic Universal Profiler. A little bit more background: Sean's 2008 University of Oxford Master of Computer Science thesis dissertation was titled Aut with the title Gray Box Automatic Exploit Generation for Heap Overflows in Language Interpreters. He's exactly the sort of person we would hope might focus his efforts upon using today's large language models to find undiscovered flaws in widely used software systems, you know, before the bad guys do. Okay.
So on Thursday, May 22nd, Sean wrote this. He said: In this post I'll show you how I found a zero-day vulnerability in the Linux kernel using OpenAI's o3 model. I found the vulnerability with nothing more complicated than the o3 API: no scaffolding, no agentic frameworks, no tool use. Recently I've been auditing ksmbd (so that's the kernel SMB daemon) for vulnerabilities. That's a Linux driver. ksmbd is, quote, a Linux kernel server which implements SMB3 protocol in kernel space for sharing files over the network. And as we know, any long-time listeners of this podcast, anytime you're going to implement a communicating driver server in the kernel you really need to make sure you got your code right, because you don't want flaws there. He said: I started this project specifically to take a break from LLM-related tool development, but after the release of o3, I couldn't resist (now this is what's really cool) using the bugs I had found already, in his digging into ksmbd, as a quick benchmark to test o3's capabilities. In a future post I'll discuss o3's performance across all of those bugs, but here we'll focus on how o3 found a zero-day vulnerability during my benchmarking. The vulnerability it found is (and this is the 899, what I mentioned before, and here it is) he says, a use-after-free in the handler for the SMB logoff command.
Understanding the vulnerability requires reasoning about concurrent connections to the server and how they may share various objects in specific circumstances. o3 was able to comprehend this and spot a location where a particular object that is not reference counted is freed while still being accessible by another thread. He said, as far as I'm aware, this is the first public discussion of a vulnerability of that nature being found by an LLM. Okay, now I'm going to pause Sean's description to provide a bit of background detail here. Sean wrote: understanding the vulnerability requires reasoning about concurrent connections to the server and how they may share various objects in specific circumstances. He says o3 was able to comprehend this and spot a location where a particular object that was not reference counted is freed while still being accessible by another thread. Now this is a classic example of a situation that often comes up with concurrent programming, where separate, concurrently running tasks or threads need to share access to some common object.
For example, it might be that a log of activities someone engages in while they're logged on needs to be kept, and since a single user might have multiple files open at once, be browsing through remote resources and be transferring files, the use of concurrency is a given, and each of those various tasks might wish to add to the user's activity log. So, for example, each of these concurrent tasks might ask the system for a pointer to the user's logging management data. Since the logging management data object would not exist at all when the first concurrent task asks, the handling for this would allocate some system memory to contain that data, would increment that object's initially zero reference count to one, and would then return a pointer to that ready-to-use object to the caller. Then, as the user does more things, new concurrent tasks will be created. Each of these also wishes to leave a log of their own actions, so each one would similarly ask for a pointer to the user's logging data. Since the memory for that data will then already have been allocated by the system for the first task which requested it, any successive tasks that request a pointer to the logging data will simply cause the reference count of that data to be incremented by one. This count is then used to keep track of the current number of references to the data that have been handed out to any tasks that request them. If the task that originally asked for the data and caused that object to be created finished with it, being a properly behaving task, it would let the system know that it was finished using that object. The system would then decrement the reference count, but since many other tasks had since come along and asked for the same data,
that reference count would still be a positive integer equal to the number of other outstanding tasks that were still using that shared object. As each of those finishes whatever it's doing, each one will notify the system that it's hereby releasing any further claim to that object. Every time this release is received, the system will decrement that object's reference count by one. Finally, the last outstanding task that releases its claim on the object will cause that reference count to be decremented from one to zero, and when that happens, the system will know that there are no other outstanding tasks that are using the object, so it will delete it from memory and from the system.
Now, for the system to work, every task must play by the same set of rules and must obey them carefully. Since these tasks are inherently autonomous, the system has no way of knowing when everyone is finished with an object, so everyone must remember to say so. If a task failed to release its use of a shared object before it terminated itself, we would have what's known as a memory leak. That is, this is what a memory leak is. The system doesn't explode, but the memory that was allocated by the system to hold the object would never be freed back to the system, because if even one task failed to release its use of the object, that object's reference count would never return to zero, which is the only thing that tells the system that it's now okay to release that object's memory. And so this is called a memory leak, because over time the total amount of memory being used by that process, or the system overall, would slowly grow and grow until at some point something would finally break.
The other thing that every task must be absolutely diligent about is never attempting to refer to any object that it has said it is through using. When the task asks the system for a pointer to the object, the pointer that's returned is guaranteed to be safe to use because along with the return of that pointer, that object's reference count is increased. That prevents the object from being deleted. But once the task declares that it's finished with the object, the pointer it received must never be used again. The danger is that the system would eventually reallocate that memory to some other task for some other object and purpose, and if the earlier task then used the pointer it had previously received but promised to never use again after it released the object, it would be accessing memory belonging to someone else.
Now, while this could happen inadvertently, if you're thinking that this sounds exactly like what malware does, you'd be exactly right. Malware authors look for ways to exploit these sorts of bugs and use them against the system. Okay, so now everyone knows why the name for this classic form of vulnerability is use-after-free, or UAF, because the memory is subject to being used after it was freed back to the system.
Okay, so with this bit of concurrent memory management background, we can fully understand what Sean wrote. He said: understanding the vulnerability requires reasoning about concurrent connections to the server (that's multiple things going on at once) and how they may share various objects in specific circumstances. He said o3 was able to comprehend this and spot a location where a particular object that is not reference counted is freed while still being accessible by another thread. So what Sean is saying is that the o3 model found a path through a complex sequence of actions where exactly what we just talked about happened. For some reason, the memory allocated to an object was not being managed by the system with a reference count, and it was released, or freed, while another execution thread still retained a pointer that allowed it to access that memory. Now, okay, Sean uses the term "comprehend" here, which raises my hackles. You know what he means by this, right? And I suppose I'm going to have to relax about a battle that it looks like I'm going to lose.
2:38:34 - Leo Laporte
Yeah, I've been fighting that same battle. It's pretty tough. Oh God, Comprehend Okay.
2:38:39 - Steve Gibson
You know it feels deeply wrong to me to suggest that an AI model is comprehending anything.
2:38:47 - Leo Laporte
Well, even less than that. It sounds like Sean just said, hey, look and see if all of the mallocs match all the deallocs and, if there's any leftover, something like that. Right? I mean, how did it look? Was it instructed to look for... Well, oh, you're gonna get the question.
2:39:07 - Steve Gibson
You're my foil, Leo. Thank you for the question. So, with o3, LLMs have made a leap forward in their ability to reason about code, and this is what I want everybody to listen to. And if you work in vulnerability research, you should start paying close attention. And once again, the guy's got his master's and his PhD in this automated vulnerability and exploit domain. He says: And if you work in vulnerability research, you should start paying close attention. If you're an expert-level vulnerability researcher or exploit developer, the machines are not about to replace you. In fact, it is quite the opposite. They are now at a stage where they can make you significantly more efficient and effective. If you have a problem that can be represented in fewer than 10,000 lines of code, there is a reasonable chance o3 can either solve it or help you solve it.
Okay, now, the reason I wanted everyone to understand something about Sean's pedigree was so that we would understand the weight of his statement. He lives and breathes this stuff. He's been experimenting with automated vulnerability discovery for years, and he's telling us to pay attention here because something significant just happened again in AI. He writes: Let's first discuss 778, a vulnerability I found manually, which I was using as a benchmark for o3's capabilities when it found the 899 zero-day. He wrote: 778 is a use-after-free vulnerability. The issue occurs during the Kerberos authentication path when handling a session setup request from a remote client. To save us referring to CVE numbers, he says, I'll refer to this vulnerability as the Kerberos authentication vulnerability. I'll refer to it as 778. Sean's posting then shows us about 15 lines of code for specifically this thing that he found, and he explains exactly what's going on there. It's not necessary for us to understand the details of this, but we want to understand its nature, which Sean explains by writing that it is interesting by virtue of being part of the remote attack surface of the Linux kernel. Yikes.
It's not trivial and it requires (a) figuring out how to get session state equal to SMB2 session valid in order to trigger the free; (b) realizing that there are paths in ksmbd's Kerberos 5 authenticate that do not reinitialize session user, and reasoning about how to trigger those paths; and (c) realizing that there are other parts of the code base that could potentially access session user after it's been freed. He said, while it is not trivial, it is also not insanely complicated. I could walk a colleague through the entire code path in 10 minutes, and you don't really need to understand a lot of auxiliary information about the Linux kernel, the SMB protocol or the remainder of ksmbd outside of connection handling and session setup code. He said: I calculated how much code you would need to read at a minimum if you read every ksmbd function called along the path from the packet arriving (you know, the external attack packet) at the ksmbd module to the vulnerability being triggered, and it works out to about 3,300 lines of code. Okay, so we have the vulnerability we want to use for evaluation.
Now what code do we show the LLM to see if it can find it? My goal here is to evaluate how o3 would perform were it the back end for a hypothetical vulnerability detection system. So we need to ensure we have clarity on how such a system would generate queries to the LLM. In other words, it's no good arbitrarily selecting functions to give to the LLM to look at if we can't clearly describe how an automated system would select those functions. The ideal use of an LLM is that we give it all the code from a repository, it ingests it and spits out results. However, due to context window limitations and regressions in performance that occur as the amount of context increases, this isn't practically possible right now. Instead, I thought one possible way that an automated tool could generate context for the LLM was through expansion of each SMB command handler individually. So I gave the LLM the code for the session setup command handler, including the code for all functions it calls and so on, up to a call depth of three, this being the depth required to include all the code necessary to reason about the vulnerability, he said. I also include all the code for the functions that read data off the wire, parse an incoming request, select the command handler to run, and then tear down the connection after the handler has completed. Without this, the LLM would have to guess at how various data structures were set up, and that would lead to more false positives. In the end, this comes out at about 3,300 lines of code, and, he says, around 27,000 tokens, and gives us a benchmark we can use to contrast o3 with prior models. If you're interested, the code to be analyzed is available here as a single file created with the files-to-prompt tool. Everything, by the way, that he's talking about is on GitHub for anybody who wants to play. The final decision is what prompt to use.
You can find the system prompt and the other information I provided to the LLM in the prompt files in a provided GitHub repository.
The main points to note are: first, I told the LLM to look for use-after-free vulnerabilities. So, Leo, essentially what you were suggesting. Second, I gave it a brief high-level overview of what ksmbd is, its architecture, and what its threat model is. And third, I tried to strongly guide it to not report false positives and to favor not reporting any bugs over reporting false positives. He said, I have no idea if this helps, but I'd like it to help. So here we are. He said, my entire system prompt is speculative, in that I haven't run a sufficient number of evaluations to determine if it helps or hinders. So consider it equivalent to me saying a prayer rather than anything resembling science or engineering. Once I run those evaluations, I'll let you know. My experiment harness executes the system prompt n times, and he said n equals 100 for this particular experiment, and saves the results. It's worth noting, if you rerun this you may not get identical results to mine, as between running the original experiment and writing this blog post, I had removed the file containing the code to be analyzed and had to regenerate it. I believe it is effectively identical, but have not rerun the experiment.
Okay, here's the results. o3 finds the Kerberos authentication vulnerability (that is, the thing he found manually initially, in the benchmark) in eight of the 100 runs. In another 66 of the runs, o3 concludes there's no bug present in the code, thus a false negative. And the remaining 28 reports are false positives. For comparison, Claude Sonnet 3.7 finds it in three out of 100 runs. Claude Sonnet 3.5 does not find it in 100 runs at all. So on this benchmark at least, we have a 2x to 3x improvement in o3 over Claude Sonnet 3.7. He said, for the curious, I've uploaded a sample report from o3 and Sonnet 3.7.
One aspect I found interesting is their presentation of results. With o3, you get something that feels like a human-written bug report, condensed to just present the findings, whereas with Sonnet 3.7, you get something like a stream of thought or a work log. There are pros and cons to both. o3's output is typically easier to follow due to its structure and focus. On the other hand, sometimes it's too brief and clarity suffers. Okay, so far we have Sean using a previously known zero-day to test various models' ability to independently rediscover the vulnerability that he already knows exists, and OpenAI's o3 model does this better than either Claude Sonnet 3.5 or 3.7. But even so, the o3 model only detects the vulnerability in eight out of 100 tries. It misses it 66 times and cries wolf about the presence of non-existent vulnerabilities 28 times.
So what about O3's actual, true discovery of that previously unknown vulnerability? Sean writes: having confirmed that O3 can find the 778 Kerberos authentication vulnerability when given the code for the session setup command handler, I wanted to see if it could find it if I gave it the code for all the command handlers. This is a harder problem, as the command handlers are all found in the source code file smb2pdu.c, which is around 9,000 lines of code. However, if O3 can still find vulnerabilities when given all of the handlers in one go, then it suggests we can build a more straightforward wrapper for O3 that simply hands it entire files covering a variety of functionality, rather than going handler by handler, one at a time. Combining the code for all the handlers with the connection setup and teardown code, as well as the command handler dispatch routines, ends up at about 12,000 lines of code, which is 100K input tokens, and, as before, I ran the experiment 100 times.
O3 finds the original 778 Kerberos authentication vulnerability in one out of 100 runs with this larger number of input tokens. So we see a clear drop in performance, but it does still find it. More interestingly, however, in the output from the other runs I found a report for a similar but novel vulnerability that I did not previously know about. There it is. More interestingly, however, he said, in the output from the other 99 runs, I found a report for a similar but novel vulnerability I did not previously know about. This vulnerability is also due to a free of session user, but this time in the session log off handler. He said I'll let O3 explain the issue. So here's O3 speaking now: While one KSMBD worker thread is still executing requests that the session user, I'm sorry, that use session user.
Another thread that processes an SMB2 log off for the same session frees that structure. No synchronization protects the pointer. So the first thread dereferences freed memory, a classic use-after-free. That leads to kernel memory corruption and arbitrary code execution in kernel context, which you know would chill the blood of any Linux kernel developer. The O3 model labels that as the short description, which it then follows with a totally useful and detailed breakdown and description of the problem that it detected. After showing us this in his posting, Sean continues writing.
Reading this report, I felt my expectations shift on how helpful AI tools are going to be in vulnerability research. If we were to never progress beyond what O3 can do right now, it would still make sense for everyone working in vulnerability research to figure out what parts of their workflow will benefit from it and to build the tooling to wire it in. Of course, part of that wiring will be figuring out how to deal with the extreme signal-to-noise ratio of around 1 to 50 in this case, but that's something we are already making progress with. One other interesting point of note is that when I found the Kerberos authentication vulnerability, I proposed an initial fix, but when I read O3's bug report above, I realized this was insufficient. The log off handler already sets session user equals null but is still vulnerable, as the SMB protocol allows two different connections to bind to the same session, and there is nothing on the Kerberos authentication path to prevent another thread making use of session user in the short window after it has been freed and before it has been set to null. I had already made use of this property to hit a prior vulnerability in KSMBD, but I didn't think of it when considering the Kerberos authentication vulnerability. So he actually got a hint from what he saw, the way O3 was fixing the other problem. He said, having realized this, I went again through O3's results from searching for the Kerberos authentication vulnerability and noticed that in some of its reports it had made the same error as me. In others it had not, and it had realized (and again I hate that word, but okay) that setting session user equals null was insufficient to fix the issue due to the possibilities offered by session binding. That is quite cool, as it means that had I used O3 to find and fix the original vulnerability, I would have in theory done a better job than without it.
I say in theory because right now the false positive to true positive ratio is probably too high to say definitely that I would have gone through each report from O3 with the diligence required to spot its solution. Still, he says that ratio is only going to get better with time.
Sean then finishes by offering up his conclusions, writing: LLMs exist at a point in the capability space of program analysis techniques that is far closer to humans than anything else we have seen. Speaking of OpenAI's O3, he said, considering the attributes of creativity, flexibility and generality, LLMs are far more similar to a human code auditor than they are to symbolic execution, abstract interpretation or fuzzing. Ever since GPT-4, there have been hints of the potential for LLMs in vulnerability research, but the results on real problems have never quite lived up to the hope or the hype. That has changed with O3, and we have a model that can do well enough at code reasoning, Q&A, programming and problem solving that it can genuinely enhance human performance at vulnerability research.
O3 is not infallible, far from it. There's still a substantial chance it will generate nonsensical results and frustrate you. What is different is that for the first time, the chance of getting correct results is sufficiently high that it is worth your time and your effort to try to use it on real problems. So I have a link at the end of the show notes for anyone who wishes to see all of Sean's posting and even to replicate and duplicate his work. He's provided everything required to do that.
As Sean observed, GPT-4 was an ineffectual tease for this level of, dare I say, code comprehension. But his experiments showed that O3 has come a long way from GPT-4. Imagine what we'll have in another couple of years. Some slowing of progress was inevitable, but there's no doubt that significant advancements are still being made, and I will assert again that it only makes sense that AI ought to be eventually able to do a perfect job at pre-release code function verification. Once we're able to release vulnerability-free code, it won't matter whether the bad guys also had the ability to use AI for vulnerability discovery, because there won't be any vulnerabilities left for them to discover and exploit.
3:00:33 - Leo Laporte
You know, we're not there yet, but as the Magic 8-Ball said, signs point to yes. It was about as useful as AI until recently. Wow, that is fantastic.
3:00:47 - Steve Gibson
So we have a tool that, from the position of a guy who really knows what he's talking about, he's saying this thing, like he's going to be using it for vulnerability research now.
3:01:01 - Leo Laporte
It's good enough to use. That's fantastic, really really interesting, Steve. That's it for the show for this week. I do appreciate everything you do every week. I wish I could get rid of your show notes over in this. There we go. Every Tuesday, right after MacBreak Weekly, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. You can tune this in live if you want. We stream on, well, eight different platforms, of course. If you're a club member, get that behind-the-velvet-rope access in the Club TWiT Discord, but there's also YouTube, TikTok, Twitch, X.com, Facebook, LinkedIn, Kick. You can watch wherever you want. You don't have to, though, because on-demand versions of the show are available not only on our site at twit.tv/sn, but on Steve's site, GRC.com. In fact, Steve, we have the, you know, audio and video at our website. Steve has some unique versions. He's got two weird versions of the audio: a 16-kilobit version, which is suitable for Thomas Alva Edison. It's kind of a little scratchy, he's practically singing "Mary Had a Little Lamb," but it's small. It has the virtue of being compact. There is a less compact, high-quality version, a 64-kilobit audio version, at his site. But also he has the show notes. I'll tell you, actually, a better way to get those in a second. He also has Elaine Farris' amazing transcripts. It takes a couple of days to get those there. But if you like to read along while you listen, or use the transcripts for search or, as I have done, feed the transcripts into an AI and create an artificial Steve, that can be done as well. All of that is GRC.com. That's his website.
Now, when you get there, before you do anything else, buy a copy of SpinRite if you don't already own one. It's the world's best must-have mass storage performance-enhancing, recovery and some other stuff I can't remember. It's good. Yeah, it's good, you need it. It'll help your performance, it'll do your recovery and it's a good way to prepare a disk before you put it into service. Works on SSDs as well as spinning drives. SpinRite version 6.1 is the current version, but anybody who owns a previous version can get the upgrade there.
And if you don't know what, are you kidding me? GRC.com. Now I did say I would tell you there's another way to get the show notes, and that's by getting on Steve's mailing list. Now he's done an interesting thing. If you go to grc.com/email, it's a chance for you to validate your email address to put it on Steve's whitelist. That way you can email him, you can send comments, you can send suggestions for the picture of the week, that kind of thing. So do that for sure. But you'll see right below it, when you enter your email, there are two unchecked boxes for two different newsletters.
One is the weekly Security Now show notes, and, as I said, you get that the day before. In many cases we got ours last night. So it's a great way to see the picture of the week, kind of get ready for the show. And then there's a second checkbox for a much less frequent newsletter to announce when Steve's got something new. We're all waiting for the DNS Benchmark Pro, imminent. We'll get an announcement on that mailing list.
So those are the two newsletters you want to sign up for at GRC.com. At the very least give him your email address so, if you have comments, you can send them to him. He also has forums there. You check those every day, right? I mean, you're on the forums all the time. Another place you can leave comments. We have our forums at twit.community, by the way, open to all, a Mastodon instance at twit.social, also open to all. So it's another way you can participate. Steve doesn't read those, but I do, and I can pass along notes to Steve.
What else? Oh, get our newsletter. It's free, twit.tv/newsletter, and that way you'll know what's coming up. That's especially useful for people in the club. Many club members join Discord, and so you can see what events we have coming up, like Monday's Apple keynote. That's going to happen in the Club TWiT Discord. But if you don't want to go to the Discord, people say, well, how do I find out what's going on? That's where the newsletter is very valuable: twit.tv/newsletter.
If you're not a member of the club, do sign up. We have raised the price, first time in four years, but operating costs have gone up, so we need the help. 10 bucks a month, 120 bucks a year. You get ad-free versions of this show and every other show we do. You get entry and entree into the Club TWiT Discord, which is a great hang. All those special programs we do, all the keynotes, are now in the club only. They get the TWiT Plus feed, which has, you know, all the stuff we've done in the past, like our great conversation with Dick DiBartolo a couple of weeks ago, I think. For 10 bucks, pretty darn good deal. Find out more at twit.tv/clubtwit, and if you're not a member, join. Thank you in advance. Oh, and subscribe. You can also subscribe, I forgot that. Subscribe. Share clips of the show on YouTube too, another good way to tell people about this great program. Steve, wonderful show. I guess I'll go off and watch this planet.
3:06:22 - Steve Gibson
Oh, yeah, I think, I mean, it's campy, but it's fun.
3:06:28 - Leo Laporte
It's fun and oh, I love it.
3:06:29 - Steve Gibson
And the Forbidden, and the whole beginning, where again the guy gets this weird generic manual of parts.
3:06:38 - Leo Laporte
That's actually great.
3:06:40 - Steve Gibson
I ordered a capacitor. What is it? Oh, and it was like a 40,000 farad capacitor for some reactor, and what came was a little bead, and the guy said, well, you know, we ordered these, but this is what came. And anyway, they tested it and that's what it was. It was a 50,000 farad capacitor.
Keep that. And he destructively tested one and it exploded, but not until it passed all of its ratings. And he said, I don't know what this company is or what an interocitor is, but it looks like it could pave a road at 50 miles a minute. So I'm building one, he said. He said to his assistant, go order all the parts, and then great pulp fiction crates began showing up. I mean, it's a great concept.
3:07:38 - Leo Laporte
I confess I'd never seen the Silent Earth. I have seen Forbidden Planet, The Day the Earth Stood Still. Great movies. Colossus, I'm gonna watch that tonight. I forgot all about that.
3:07:47 - Steve Gibson
Thank you, Steve, have a wonderful week. See you next week.