Security Now 1033 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for security now. Steve Gibson is here. We'll talk about zero days and what we're doing is the United States to stockpile them, and what Israeli companies are doing, using their zero days to attack journalists in Italy. Also, now that the Supreme Court has decided it's okay to have age verification, how will that impact the internet? That and a lot more coming up next on Security Now Podcasts you love From people you trust. This is Twitter. This is Security Now with Steve Gibson, episode 1033, recorded Tuesday, july 8th 2025. Going on the offensive. It's time for security now. The show where we cover the latest in security privacy, how computers work, the greatest science fiction in the world and whatever else Steve Gibson is into. He is a polymath and we all give you the salute.
0:01:03 - Steve Gibson
Live long and prosper One never knows, we're all counting on it I'm gonna have to bring you up to speed uh soon about what's that?
0:01:12 - Leo Laporte
oh, what's that that's is that a little buzzer? That's the evolution of the device that you and lisa experimented we were putting electrolyte gel on our, uh, our temples, foreheads and on our forehead no, I didn't ever do the tongue with you, I do that with the other thing, and then and then and oh cool, I know laurie uses this right in her practice uh, she does.
0:01:39 - Steve Gibson
I couldn't sleep if I didn't. It's. It's just completely resolved. My iomnia.
0:01:44 - Leo Laporte
Well, I need something to help me sleep. I've done everything under the sun.
0:01:47 - Steve Gibson
And I meant to ask you how's the GLP-1?.
0:01:51 - Leo Laporte
It's going well. We've upped the dose now to 0.5 milligrams. Is that double what you were at? Yeah they start you on a basically inconsequential dose, and then they slowly double it up to a point Until things start to fall off, and so you start you get the shakes and you can't go on I think what they're really looking at is what my numbers look like, uh, and then they want to give you the least amount that's effective.
So in fact, uh, I'm on 0.5 and they said, before we we go up, I want to see your numbers.
0:02:24 - Steve Gibson
So I have to say it's helped the blood glucose a lot it's really and you wait 90 days between changes in order to get an A1C.
0:02:31 - Leo Laporte
Yeah, four weeks.
0:02:33 - Steve Gibson
Cool.
0:02:34 - Leo Laporte
Oh, for the A1C? No, yeah, 90 days, so I don't know when. My A1C? Yeah, it wouldn't make sense to do it more than every 90 days, so I don't know when my next day, when c, is. It's been a couple months, I think, but uh, well, I see I have. I'm wearing one of those continuous glucose monitors so I know exactly how I'm doing.
0:02:51 - Steve Gibson
That's very cool yeah, and I heard someone say that it mod. Oh, it was uh uh, calicanus, I think, who was also experimenting with one, saying that it modified his eating. Oh, it definitely does like you when you see the consequence of what you eat in near real time.
0:03:08 - Leo Laporte
Well, it's almost like you can't eat what you used to eat.
0:03:11 - Steve Gibson
Your stomach hurts One of the negative side effects of it is no, no, I meant having a real-time blood glucose feedback.
0:03:19 - Leo Laporte
Oh, that, absolutely. That was Alex Lindsay talking about that.
0:03:22 - Steve Gibson
Oh, okay, right.
0:03:23 - Leo Laporte
Absolutely, that's right, absolutely. But I've worn real-time, continuous glucose monitors in the past. It's only a suggestion. You sort of get used to it after a while. Yeah, it's a suggestion, it's like ah, that thing. You know this. For me, the real problem I'm on Ozempic for folks who don't know, my doctor prescribed it. I'm not doing it on my own, uh, but for me the thing that really helps is I, you know, and I think people like you and normally thin people don't understand this but those of us who have weight problems often have this constant hunger and, uh, sometimes people on ozymic call hunger noise or you know it's, it's shouting at you, uh, pretty frequently oh, I'm hungry, I'm hungry, that's gone. You don't hear the background noise anymore. So that's a huge more than anything else. That's a huge help.
0:04:16 - Steve Gibson
You would be surprised how much I understand that. Oh good, because I had it and it's and I How'd you get rid of it? It was my first. I didn't know whether it was crashing into ketosis or my first experimentations with the zapper, because I was. I did both around the same time keto helps and it changed my life?
yeah, well then, and that's why I was so reluctant. I was scared to leave keto, worried that that would. I would resume, like you know, a constant battle, and it never came back. If you could get rid of that hunger noise without being on a, I would resume like a constant battle, and it never came back.
0:04:46 - Leo Laporte
If you could get rid of that hunger noise without being on a medication. Obviously that would be far preferable, but I also am a type two diabetic, and so my blood sugar was going up into the danger zone.
I just saw a study you'd probably be interested in this that showed that all this excess glucose we talked about how it's damaging it's also damaging to the brain and it can actually be involved in Alzheimer's. And it's one of the reasons now they're starting to think, because they do notice that semi-glutide and related drugs are effective in lowering Alzheimer's. Yeah, so I'm happy about that, because both my parents in their 90s uh are physically fine but they're mentally not so good, I know I mean yeah, she's, she's, she's in a happy place.
She doesn't remember what happened yesterday, but she remembers everything that happened in the past and we have perfectly normal conversations. Yeah, but she's definitely diagnosed with Alzheimer's, so I would like to keep all my faculties as long as I possibly can.
0:05:52 - Steve Gibson
Sometimes, oh my God, my screen blanker just.
0:05:54 - Leo Laporte
Uh-oh, that's just light, by the way, folks.
0:05:57 - Steve Gibson
I thought I had set it up. Sometimes, google 40 Hertz Alzheimer's. Google, uh, 40 hertz, you know, 40 hertz alzheimer's.
0:06:06 - Leo Laporte
You will be astonished by what comes up well, let me know when you, when you're ready to distribute the box research out of mit is astonishing, does it? Break up the, the plaques or something like that. It reverses nice. Oh well, I'll bring it over to her. And she went hey mom, just strap this to your head and see what happens here okay, let's talk about what's going to be on actually here, believe it or not, folks.
0:06:34 - Steve Gibson
Yes to to do a podcast about nominally about technology. Yes, not body technology, but internet technology. I ran across an amazing I guess you'd call it a policy paper out of a Washington DC think tank, which, by an ex Google what's the google security group? I, I'm blank. Oh, the project zero. Uh, it's there, it's the, it's the related. It's not project zero, it's they. They have an acronym for it. Okay, I will end up encountering it anyway.
Uh, this gal winona really knows her stuff and I mean she organizes DEF CON conference content and so forth. Anyway, she's with the Atlantic Council and addressed the question of what it will take for the US to be effective in offensive cyber war, that is. And she's got fantastic quotes from people on the inside who say things like you know, we could be effective if we were only not afraid to pull the trigger and things like that. Anyway, the context is us versus China, of course, like the big two tech superpowers, and we know how much trouble we're getting from China and I've often opined on the podcast gee, I wish you know, I hope we're given as good as we get. Anyway, we've got some great actual factual content here to share, so I titled today's podcast number 1033. When I came home yesterday to Lori I said, well, number 1033, the mailing is on its way out, and she just kind of shook her head. She said 1033. I said, yeah, I know. Anyway, amazing, and I think we're approaching our 20th birthday here Next month, right.
0:08:49 - Leo Laporte
Yeah, anyway.
0:08:52 - Steve Gibson
We have to do something.
0:08:52 - Leo Laporte
We got to get you a cake or something.
0:08:54 - Steve Gibson
You'll just get me a little pointy hat, so I titled this one going on the offensive, because that's what we're going to look at for the first time ever on this. You know, 20 years into this podcast, august 18th is the 20th Nice.
We have another Israeli spyware vendor surfacing. We've got the news of Windows 11 choosing to delete its restore points more quickly. Just a heads up in case anybody is worried about that or is depending upon them sticking around. Heads up in case anybody is worried about that or is depending upon them sticking around. The EU accelerating its plans to abandon Microsoft Azure. We briefly touched on that previously. Also, the EU has set a timeline for its post-quantum crypto adoption, so they're on that road now.
Russia creating a massive IMEI database what could possibly go? I'm glad I'm not living there. Canada and the UK creating a common good cyber fund. The US cracking down on Bitcoin ATMs amid growing scams. We'll talk about congressional staffers no longer being allowed to use WhatsApp on government devices.
Livexml2 is an open source software. The sole maintainer very lonely I don't think he's in Nebraska, but he's actually I think he's in Germany talks about the problems with and we will commercial use of open source software, why that doesn't really work out well and seem fair. We've got another remote code execution vulnerability in WinRAR. Have I Been Pwned? Has just got a very cool data visualization site. We look at Sophos' analysis of how ransomware is getting into organizations. Windows offering hopefully safe, non-kernel penetrating endpoint security. And it looks like proactive age verification will be coming to porn and other sites.
Uh, near you, maybe far from you, if you use a vpn, uh, we'll look at. You know what? What that means. Also, canada saying bye-bye to hick vision. Germany, uh, will be banishing, uh, deep seek. Uh, the whole au may be following, and also has Russia throttled cloud flare. Anyway, lots of stuff to talk about before we get to. What must the US do to compete in global exploit, acquisition, which is what this all boils down to. And, leo, I know I've got a picture of the week that's going to. You know, if you were still on your ball, it would knock you off the ball.
0:11:49 - Leo Laporte
Well, you'll see my reaction soon, steve, after a word from our sponsor. It's going to be another great Security Now episode, starting with a picture of the week in moments. But first a word from ExpressVPN. We talk about VPNs all the time on this show and I know you know a vpn is a very vital tool in your toolbox. I have to say it's the one I use, it's the only one I use.
Going online without expressvpn, how can I what? What's an analogy? It's like leaving your laptop, uh, unattended at the coffee shop while you run to the bathroom. You ever do that Most of the time. You're probably fine, but what if one day you come out of the bathroom and your laptop is gone? Right, everyone needs ExpressVPN because every time you connect to an unencrypted network whether it's in that coffee shop, a hotel, for me, airports I'm always nervous. When I see free SFO Wi-Fi, I go geez, is that safe? Well, it isn't.
Your online data is not secure on those open Wi-Fi access points. Any hacker on the same network and that could be anybody in the terminal or the hotel or the cafe can gain access to and steal your personal data. In fact, it's easy. It doesn't take much technical knowledge to hack someone, just some cheap hardware widely available. Fact it's easy. It doesn't take much technical knowledge to hack someone, just some cheap hardware widely available. And it's worth it too. Your data is valuable. Hackers can make up to $1,000 per person selling personal info on the dark web. Expressvpn stops hackers from stealing your data by creating a secure, encrypted tunnel between your device and the internet.
Expressvpn is the one I use and it's the best VPN out there. In fact, it's the only one I recommend because they're committed to keeping your privacy private. I use it when I travel, to keep up my shows, to watch football games, f1. Expressvpn is the best VPN because it's super secure. It would take a hacker with a supercomputer over a billion years to get past ExpressVPN's encryption. It's easy to use you fire up the app, you click one button, you get protected. It works on all devices phones, laptops, tablets and more so you can stay secure on the go. Optional dedicated IP service engineered with innovative zero-knowledge design. Not even ExpressVPN can trace an IP address back to the user. It's rated number one by top tech reviewers like CNET and the Verge, and it's the only one I use. Secure your online data today by visiting expressvpncom slash security now. That's E-X-P-R-E-S-S vpncom slash security now. Oh, and you can get an extra four months free when you buy a two-year package. Expressvpncom slash security now. All right, steve, I am ready to scroll up, as they say.
0:14:35 - Steve Gibson
I gave this picture the caption ad hoc signage is typically added after a need for it has occurred. Ad okay, ad hoc signage, all right, all right, I'm gonna scroll up, all right after a need for it has occurred god?
0:14:56 - Leo Laporte
I hope not. I don't know what stimulated this one holy moly. All right, let me see if I can switch over the camera so everybody else can see it too.
0:15:05 - Steve Gibson
So for those who do not have video. What we have is somebody having very deliberately printed on an 8.5 by 11 sheet of paper and stuck it on the wall over the elevator call buttons. A sign, a very important sign. Yeah, it can be. Attention, please make sure elevator is there before stepping in that's got to be a joke.
Uh, it looks like it's there. It is on on a marble wall and you, you and you can see the little. In case of fire, elevators are out of service. Warning below 36 point font type and put a sign on the wall that warned people. Make sure it's actually there when the doors open. Wow, One has to imagine that they opened at one point and there was no elevator present. So you know yikes there Yikes.
I don't know how else to explain this sign, but wow, yeah, okay. So I have no idea why all of the major commercial spyware publishers seem to be Israeli, but that's what case, and it's really not a good look for Israel. I mean, I've often felt sort of self-conscious on their behalf, because why? You know, israel is the home of Celebrite which is that famous iPhone unlocker, been for years and still is, a group called Quadream, which has been formed, apparently from former ex-NSO group members. They offer a spyware called Rain. We have Kandaroo, also known as Sato Tech Limited. But what brought this to the fore today was news of yet another Israeli commercial spyware vendor known as Paragon, which sells a smartphone penetration solution which they call graphite. I guess kind of, I don't know. It's like let's slicks the way in, it lets people into your phone. So this brings a total to five such companies, all Israeli, that we currently know about. Well, of course, we don't know what we don't know, but there's five we do know. In mid-June, the Citizen Lab groups they're the University of Toronto, I believe, is where they're located, of Toronto, I believe, is where they're located. They posted under the headline Graphite caught first.
Forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted was what they said, and they wrote. On April 29th 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices their physical phone devices are first, our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist who requested anonymity, and an Italian journalist, ciro Pellegrino, were targeted with Paragon's graphite mercenary spyware, they said. Second, we identify an indicator linking both cases to the same Paragon operator. Actually, it's an IP address, as we'll see. And then, third, apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43-200. They said our analysis is ongoing. So some of the interesting revelations from their posting include they wrote we analyzed Apple devices belonging to a prominent European journalist who is requested to remain anonymous. On April 29th 2025, this journalist received an Apple notification and sought technical assistance.
Our forensic analysis concluded that one of the journalist's devices was compromised with Paragon's graphite spyware in January and early February 2025 while running iOS 18.2.1. We attribute the compromise to graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same period, matched our published fingerprint P1. We linked this fingerprint to Paragon's Graphite spyware with high confidence. Graphite spyware server contacted by the journalist's device was at https, colon slash slash, 43.183.184.91. The server appears to have been rented from VPS provider EDIS Global. The server remained online and continued to match fingerprint P1 until at least April 12th, up to 1.25.
We identified an iMessage account present in the device logs around the same time as the phone was communicating with the Paragon server at 46.183.184.91. We redact the account and refer to it as attacker, one. Based on our forensic analysis, we conclude that this account was used to deploy Paragon's graphite spyware using a sophisticated iMessage zero-click attack. We believe that this infection would not have been visible to the target. Apple confirms to us that the zero-click attack deployed here was mitigated as of iOS 18.3.1 and has assigned CVE-2025-43200 to this zero-day vulnerability. Now I want everybody to keep in mind we're talking about a zero-day vulnerability that Apple did not know about, that this group, this Paragon group, used, because at the end of this podcast we're going to be talking all about zero-day vulnerabilities, which is what it turns out everything today comes down to in the field of offensive cyber war, it's it's zero days period.
Cyril Pellegrino is a journalist this is another guy and head of the Naples Newsroom at fanpageit, where he has reported on numerous high-profile cases. On April 29, 2025, mr Pellegrino received an Apple notification and sought our technical assistance. We analyzed artifacts from Mr Pellegrino's iPhone and determined with high confidence that it was targeted with Paragon's graphite spyware. Our analysis of the device's logs revealed the presence of the same attacker one iMessage account used to target the journalist from the first case, which we associate with a graphite zero-click infection. It is standard for each customer of a mercenary spyware company and it's interesting that they're using these terms, we'll see in a second where they got that term to have its own dedicated infrastructure. Again, it's standard for each customer of a mercenary spyware company, right? So we're talking about that. Somebody used Paragon's spyware, purchased it from Paragon, set up an infrastructure which they then used with the spyware in order to do the spyware's business.
0:24:05 - Leo Laporte
I think it's often the case that the company you buy it from does the infrastructure. I know that's the case with Pegasus. Okay, they would, because they want to control the zero.
0:24:15 - Steve Gibson
That is true and we've talked about that in the past. They don't want just anybody letting this thing loose, because this zero day is so vulnerable to them that they want to keep it under control. So in this case they're writing and maybe they know more than we do. But they said it is standard for each customer of a mercenary spyware company to have its own dedicated infrastructure. They said thus, we believe that the attacker, one account, would be used exclusively by a single graphite customer or operator. Now that could again be a division of Paragon, as you say, leo. They said, and we conclude that this customer targeted both individuals, so a single person targeting both.
0:24:59 - Leo Laporte
That would make sense, because you don't want your customers to interact with each other either, right they? Should all be on a separate channel now.
0:25:07 - Steve Gibson
Could you explain to me why some journalist is worth this? I mean?
0:25:13 - Leo Laporte
well, I mean, it depends what he's uh, exposing high profile cases. He's in naples could be, uh, maybe he was writing about the mafia. I, I don't know. There's a lot of organized crime in Naples, okay, who knows it?
0:25:27 - Steve Gibson
was obviously. To me, it seems like.
0:25:32 - Leo Laporte
Usually these are nation states right Using these tools.
0:25:34 - Steve Gibson
Yeah, but we do often hear that activists and journalists and do-gooders of various ilk are the targets of these.
0:25:45 - Leo Laporte
It's not just spy versus spy.
0:25:48 - Steve Gibson
Yeah, okay. So their use of the term I thought mercenary was interesting Turns out it's the official Apple term which Apple uses in their formal threat notifications when they are informing targeted individuals. I have a screenshot of their redacted Apple notification which these journalists received and it says you know, it's got the little Wi-Fi antenna at the top and it's very clear. Threat notification, you know, is make sure the elevator is there. But when, before you know, uh threat notification, and it's dated 29 04 25 at 1403 and it says alert in all caps apple detected a targeted mercenary spyware attack against your iPhone, apple sent the following threat notification via email, to which they have redacted, and via iMessage, to which they redacted we also sent a short notification to the recovery addresses associated with your account. So these guys identified a total of seven Italians who've received and, to your point, leo, apparently they're frisky Italians who've received notifications either from Apple or WhatsApp. So this Paragon group is definitely now on the map and active as another source of is, you know, israeli spyware.
0:27:26 - Leo Laporte
Well, now you may. Now I may be thinking it's the italian government, right? Ah, okay, yeah, they might have been writing exposes on the corrupt italian wow, uh, okay.
0:27:40 - Steve Gibson
Then a few weeks later, the publication publication Security Week wrote Meta-owned WhatsApp told Security Week that a recent free-type vulnerability, flagged as potentially exploited at the time of disclosure, has been linked to an exploit of Israeli surveillance solutions provider paragon. So now they're calling paragon an israeli surveillance solution in mid-march because that's what they are.
0:28:13 - Leo Laporte
Yeah, that's calling, that's naming it as it is yeah, that's right.
0:28:16 - Steve Gibson
If you could pay the price you get to surveil pretty much anybody you want to. They wrote in mid-march. Meta publish an advisory on the Facebook security advisories page to inform users about this. Is a CVE 2025, different one 27363, an out-of-bounds vulnerability in the free type open source library that could lead to arbitrary code execution. The advisory said the vulnerability may have been exploited in the wild. Meta knew this because the University of Toronto that's what I was remembering Citizens Lab Research Group reported that a WhatsApp zero-day vulnerability had indeed been exploited in Paragon spyware attacks.
Whatsapp representatives at the time told Security Week that the zero-day attacks involved the use of groups and sending PDF files and that the weakness had been patched on the server side without the need for a client-side fix. And that's kind of cool to be able to fix. Fix it so that you're not so. Whatsapp is no longer going to send a will no longer send a pdf that exploits a vulnerability in the client's use of of free type fonts when it renders that page. So security week explainsType is a development library designed for rendering text onto bitmaps and provides support for other font-related operations. 2.13.0 and earlier. Meta said the issue is triggered when attempting to parse font sub-glyph structures related to true type GX and variable font files.
0:30:15 - Leo Laporte
It's those damn interpreters again Every time. Right, that's right, baby.
0:30:20 - Steve Gibson
It's so hard to get those right. You're right, right, every time. Meta's advisory explains uh, the vulnerability code assigns I'm sorry, the vulnerable code get this assigns a signed short value to an unsigned long and then adds a static value, causing it to wrap around and allocate an undersized heap buffer. The code then writes up to six signed long integers out of bounds relative to this buffer, which can permit the execution of arbitrary code. It's a buffer overflow.
0:31:05 - Leo Laporte
Baby, a buffer overflow.
0:31:06 - Steve Gibson
The way it happens yep citizen lab wrote that paragon is known for developing sophisticated exploits that do not require any interaction from the targeted user. Right? So they just they send your phone an I message, or or they they send you a whatsapp, whatsapp PDF, and you don't have to do anything. Zero click, yeah, zero click, and your phone is compromised Unbelievable. They found indications that the company was, until recently, able to hack up-to-date iPhones, and that their spyware has been used in countries including Australia, canada, denmark, italy, cyprus, singapore and Israel.
0:31:49 - Leo Laporte
So Pellegrino, the journalist who was attacked. His editor-in-chief was also attacked with the same spyware. The newspaper they work for is known for its investigative journalism critical of the italian government, including exposing connections between the youth ring of prime minister georgia maloney's party and neo-nazi activities. The italian government denied ordering the surveillance of the journalists, although the head of italian intelligence said yeah, well, we use paragon spyware, but merely to monitor migrant rights activists. So, uh, I think it's pretty safe to say you know, this is why they were targeted. They were investigating the government. And, by the way, these companies like paragon and pegasus, uh, only they say well, we only sell to responsible governments not known for their human rights violations, like italy.
0:32:49 - Steve Gibson
Maybe unbelievable well and and again. Like are they? Are they? Did they want to get dirt on these guys so they blackmail them into silence? I mean, I just don't. I'd like I guess I don't understand what, having your phone hacked by the government because you're like, are they going to delete your article before you publish it?
0:33:12 - Leo Laporte
I just Pellegrino says his phone contains sensitive personal data, medical records and confidential journalistic sources.
0:33:19 - Steve Gibson
That's what they're going after. Okay, that's that's yes, because protecting your sources is your lifeblood for a journalist. Okay, that's that's yes, because protecting your sources is your lifeblood for a journalist. Right, and so if you can't do that, no one's going to talk to you.
0:33:31 - Leo Laporte
And every government feels justified in saying, well, we're just trying to track down these leaks, we don't, we don't want any leaks.
0:33:38 - Steve Gibson
So, and the journalist is never going to say, well, we saw our own government go ape shit a few few months ago when someone questioned whether the bombing of the Iranian nuclear facilities was as devastating as it was initially claimed. Somehow someone said it wasn't. It was like, oh, we got to find that guy.
0:34:08 - Leo Laporte
I would be shocked. Shocked if the US intelligence agencies don't also use Paragon spyware.
0:34:15 - Steve Gibson
Well, we're, I'm sure, a customer. Yeah, I think probably all five of the.
0:34:20 - Leo Laporte
We're probably buying it from all the companies and so you know, god bless Apple for patching these every time they find them and for setting those alerts out. That's huge right?
0:34:31 - Steve Gibson
Well, and this is that lockdown mode which is not fun to use because suddenly it's. You know you don't get balloons exploding on your birthday and all this random knobs, but is lockdown mode sufficient to stop these zero click attacks? I don't know, don't it does what it can? Wow, yeah, unbelievable the world we live in today. Leo, let's take a break and then we're going to talk about.
0:34:59 - Leo Laporte
I have got a bunch of little quickie bits of news that I think everyone's going to find interesting I'm always up for a quickie let's uh quickie bits of news that I think everyone's going to find interesting.
0:35:11 - Steve Gibson
I'm always up for a quickie. Let's talk about news News, I meant that I did say little bits too.
0:35:14 - Leo Laporte
Our show today, brought to you by Melissa, the trusted data quality expert Since 1985, we love Melissa, melissa's address validation app oh, this is cool. So if you use Shopify, their address validation app is available for merchants. It's in the Shopify app store, all right, which means you can enhance your business's fulfillment and, of course, keep customers happy using Melissa. Why? Well, melissa offers enhanced address correction so you can cleanse data, you can fix data, you can even fix data as your customer is entering it to make sure those bad addresses don't get in your database in the first place. And Melissa standardizes addresses in more than 240, 240 countries and territories. Melissa will add missing components postal codes, for instance and ensure compliance with local formatting rules. They know them all in every country. Melissa's address engine is certified by leading postal authorities worldwide. Oh, and I love this, the smart alerts will warn in real time if there's a potential issue with a shipping address. So the customer sees that it pops up saying you know, did you get that right? And the customer can then, before the order is even processed, update the information so that that is going to be deliverable. So you don't send stuff into, you know, thin air Now. A business of any size will benefit, of course, from Melissa, and they offer price points for every size business.
But their data quality expertise goes a lot farther than just data validation. There's data cleansing and validation and fields like healthcare, for instance, your physicians, your hospitals 2% to 4% of the contact data they have becomes outdated. Every month. Millions of patient records in motion demand precision, which only Melissa can deliver. Slight variations in addresses or misspelled names can cause duplication and fragmentation errors as well. As in the healthcare industry, you don't want misidentification or lost records. Data inconsistencies can delay treatments, introduce errors in care delivery, complicate the billing process. You know this is a pretty important area. Melissa's data enrichment services remove that gap. By using Melissa's enrichment as part of their data management strategy, healthcare organizations build a more comprehensive view of each patient, which supports continuity of care, timely follow-up, make sure the right medications go in the right bottle to the right person, and all of that. This approach also aids in predictive analytics, allowing providers to identify patterns this is really cool Inpatient behavior or medical needs that can inform preventative care.
Now, of course, with HIPAA, it's very important, but in many businesses, in almost every business, data privacy and security is paramount. Don't worry, data is safe compliant completely secure with Melissa. Melissa's solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and, yes, hipaa high trust standards for information security management. Get started today with 1,000 records cleaned for free. Melissacom slash twit for more information. That's melissacom slash twit. Thank you, melissa, for support and security now and steve's important work here. All right, ste. Now let's get some quickies.
0:38:47 - Steve Gibson
So just in case anyone listening might have some reason to depend upon of Windows 11 has deliberately reduced restore point life to 60 days. I doubt anyone will care, but I thought it was just worth noting. I saw that pass by. You know it cuts it off by 50% or by a third.
0:39:23 - Leo Laporte
That's significant.
0:39:24 - Steve Gibson
Yeah, I don't know, yeah, it is, and so if you were like, depending upon a 90-day lifetime before, you were like, okay, then we're going to restore this, and then you look and it's gone. Now you'll know why, or maybe get to it before it disappears. I don't know if they're wishing to save space, uh, on users machines or tightening security, because they figure, well, we don't. You know, no one really uses them after 60 days, and so it's just a more of a security problem. You know, or what you know, but there it is. So if you're up with the latest Windows 11 and you routinely use restore points now, you'll need to do so within 60 days, otherwise Windows is going to clean them off for you.
I noted last week when talking about the French city of Lyon, which a listener corrected me it's not Lyon, lyon, lyon, lyon, which is working to move away from Microsoft solutions to Linux and other open source alternatives, that also the entire European Union is also working to eliminate their dependency upon Microsoft Azure for cloud services. Since then, it's come to light that they've almost closed the deal with the French company OVH Cloud. They're now in what's considered advanced talks to dot the I's. The reporting about this indicated that a little more urgency had been put on the EU's need for increased sovereignty and its distance and dependence upon US solutions, after the US administration imposed sanctions on four judges of the International Criminal Court in early June, so early a month ago. One result of those sanctions was that those judges had their Microsoft accounts closed. Just bang, sorry, goodbye. So the EU will be working to provide alternative services that are no longer subject to the prevailing policies and politics of the US, and so you know that's probably for the better for the EU. They want to be more independent, and so they're going to work out how to do that.
Also on the EU, they've published their post-quantum cryptography roadmap. This instructs EU member states that they need to begin transitioning all of their systems everywhere to post-quantum crypto by the end of 2027. For all high-risk systems, such as critical infrastructure, this transition should be finished by the end of 2030. So essentially, four and a half years from now. Anything considered high-risk critical infrastructure can no longer be solely dependent upon pre-quantum crypto. You could do things like Signal did, where you use a hybrid which is belt and suspenders. Why not have both a pre and a post crypto and require that both be useful so that if either are broken, you're still able to rely on the other. Anyway, for the less mission-critical systems, another five years are available. States should have finished the migration of as many systems as feasible is the way it was put by the end of 2035.
So nine and a half years from now here we are mid 2025 for non mission critical you know, non critical infrastructure and four and a half years before in with move, in my opinion, has been handled with remarkable planning and grace tested and stress tested and now they're being rolled out.
We've already found some problems early on with a couple and they've been strengthened or, in some cases, abandoned. Academia has had plenty of time to pound on them and vet them and we're all seeing our own protocols are beginning to adopt them. We've updated the underlying protocols, like TLS for example, to be able to smoothly accommodate the evolution, the retirement and the introduction of anything new that may be required today and going forward. You know, all indications are that just as we uh, uh, uh, I'm sorry just as we're present during the original design and birth of the internet, it feels like a bunch of very smart people got together to carefully define and establish these next steps in the evolution of the world's networking and security, and I mean it's just gone beautifully. Now, of course, this all gets spoiled if someone has some massive quantum computing breakthrough immediately. But I think what we're up to factoring, was it seven?
bit numbers, bit numbers, yeah, so we're safe because we got to get to four four thousand ninety six before we start having well, I don't know.
0:45:11 - Leo Laporte
Uh, ibm and microsoft both think they're getting close, so although, yes, and these things can tend to go exponential.
0:45:18 - Steve Gibson
So, but anyway, I, just I, I'm just as you stand back and you look at this. This has just been like somewhere, amid all the chaos that we typically see in our industry, where we're talking about, you know, cisco having monthly 9.8 and 10.0,. You know, remote execution vulnerabilities and just this catastrophe of being unable to get salt typhoon out of our systems. All the while, there are good people just calmly saying, okay, here are lattice-based crypto that won't rely on the factoring problem, so that's probably not going to be, you know, collapsing in the face of quantum computing. And so here's how we do that and here's the timeline. And we need to update our underlying protocols in order to be able to smoothly, you know, begin using these without having any, you know, any interruption at any point. All of this is happening and it's just like, you know, somewhere there are adults who are somewhere. Yeah, yeah, I don't know where, but they're doing a good job. Yeah, it's great, nothing to hide.
It's receiving a stress test in Russia with the government's recent announcement of their plan to create a single national database of IMEI numbers. Oh, wow, talk about big brother. The Russian Ministry of Digital Affairs says the database will be used. Ministry of Digital Affairs says the database will be used. This is, of course, the way it starts right to combat financial fraud. Banning IMEI codes will allow authorities to block individual devices from mobile networks, even after fraudsters change phone numbers. Of course, that's the story, just as you were saying, leo. Governments talk about their use of of surveillance only for you know legitimate instances.
Yeah, yeah, and then journalists are. You know who you would think have rights to privacy. Have this crap on their phones. As we know, the imei numbers indelibly identify physical mobile phone handsets. You know they are the approximate equivalent of the globally unique Mac addresses that are assigned to every Ethernet NIC to identify and differentiate it from any other. But IMEI numbers must be known to the user's service-providing carrier, since they're what identifies the mobile device handset. To the user's service-providing carrier, since they're what identifies the mobile device handset to the cellular network. This means that they're never really secret or private. But needing to subpoena individual carriers on a per-subscriber basis would be far less convenient than simply requiring every carrier to provide an exhaustive dump of their entire current subscriber IMEI database and then require them to notify the Russian Ministry of Digital Affairs of any changes to that data over time. And, as I said, I'm happy to be in the US, I think you know. Wow, talk about overreach.
On June 23rd the UK and Canada announced their establishment and initial funding under the heading New Common Good Cyber Fund Launches to Strengthen Internet Security Globally. And we need more of this. Their announcement said the Internet Society, isoc and Global Cyber Alliance, the GCA, on behalf of the Common Good Cyber Secretariat today announced the launch of the Common Good Cyber Fund, an initiative to strengthen global cybersecurity by supporting nonprofits that deliver core cybersecurity services, that protect civil society, actors at high risk and the internet as a whole. This first-of-its-kind effort to fund cybersecurity for the common good, for everyone, including those at the greatest risk of intimidation, harassment, harm and coercion, has the potential to fundamentally improve cybersecurity for billions of people around the world.
The Common Goods Cyber Secretariat members working to address this challenge are the Global Cyber Alliance, the Cyber Threat Alliance, the Cyber Peace Institute, the Forum of Incident Response and Security Teams, global Forum on Cyber Expertise Institute for Security and Technology and the Shadow Server Foundation. In other words, a whole bunch of nonprofit organizations that are the good guys sort of the same people who brought you post-quantum crypto in the right way, who are just quietly doing the right thing for everyone. In the background, in a joint statement between the Prime Minister of the United Kingdom and the Prime Minister of Canada on the 15th of June, the prime ministers announced that they would both invest in the joint Canada-UK common good cyber fund, and I think it's the tune of 5.7 million dollars. They're initially funding A million, Just a million.
0:51:01 - Leo Laporte
What are they?
0:51:01 - Steve Gibson
cheapskates? Well, it's just the beginning. Okay, a million. What are they cheapskates? Well, it's just the beginning. On June 17th, and these are lean organizations.
0:51:11 - Leo Laporte
They're not big money. I'm so used to billions now, everything's billions. The million sounds like chicken feed.
0:51:17 - Steve Gibson
Yeah, I agree, I was surprised. On June 17th, during the G7 Leaders Summit in Alberta, canada, all the G7 leaders announced they would support initiatives like the Canada-UK Common Goods Cyber Fund to aid members of civil society who are actively working to counter the threat of transnational repression. Despite serving as a critical frontline defense for the security of the internet, nonprofits working in cybersecurity remain severely underfunded, exposing millions of users, including journalists, human rights defenders and other civil society groups, to heightened risks of digital transnational repression involving the misuse of cyber capabilities to conduct surveillance, track individuals and facilitate physical targeting. This underfunding also leaves the wider public exposed to increasingly frequent and sophisticated cyber threats. Philip Retner, the president and CEO of the Global Cyber Alliance, said. Quote common good cyber represents a pivotal step toward a stronger, more inclusive cybersecurity ecosystem by increasing the resilience and long-term sustainability of nonprofits working in cybersecurity, improving access to trusted services for civil society organizations and human rights defenders, and encouraging greater adoption of best practices and security. Oh my god, security by design principles. Please maybe talk to cisco. Give cisco a call, my god.
The common good cyber fund ultimately helps to protect and empower all internet users, so the fund will support non that, for example, maintain and secure core digital infrastructure, including DNS, routing and threat intelligence systems for the public good, like somebody is maintaining all of the root servers, right?
Not all of those are being run by big organizations, so they need money and they need, for example, help with DDoS attacks, which the bad guys are doing. Also, deliver cybersecurity assistance to high-risk actors through training, rapid incident response and free-to-use tools, and give Cisco a call incident response and free-to-use tools and give Cisco a call. The announcement indicated that the fund would initially receive $5.7 million to support these efforts, so this is great. The world has become utterly dependent upon a sophisticated system that just sort of known as the internet, that just sort of blossomed organically. It needs support, so this will be very welcome and bravo to the UK and Canada for leading this. I hope that the US is ready or planning to step in and toss in some money. We can certainly afford a few million because, as you said, leo, this is not wasting a lot of funds.
No, it's very, it's very economical, really arms yes, yeah, um, axios had some good coverage describing recent us state regulations being enacted, uh, and I thought this was really interesting in response to the rise of crypto ATMs and, not surprisingly, unfortunately, the high level of abuse thereof. So here's what we learn deposits and tighten oversight on cryptocurrency atms, seeking to cut off a favorite tool of scammers and extortionists. You can just see, like you know, some scammer or extortionist telling you know gramps to you know, go to the crypto atm and put your money in there and then put in this code and we won't out you to the world or whatever. Anyway, these crypto ATMs they write kiosks are the easiest way for ordinary people to turn cash into crypto. Crypto and their use by fraudsters has surged to no one's surprise over the last few years, especially with scams targeting older Americans. What Crypto, what's that? Where do I get crypto? Well, you just go to this ATM. These are popular tools they write of scammers because cryptocurrency provides criminals with a way to receive money that a third party cannot roll back.
These kiosks have popped up all over the country and over the last few years, scammers have increasingly utilized them in all manners of schemes. And, leo, wait till you hear why they popped up. Oh boy, they're making the poppers some money here. Oh boy. Up, oh boy, they're making the the poppers some money here. Oh boy, oh yeah. Axios wrote.
Last september, the ftc reported that fraud losses specifically involving crypto kiosks jumped nearly 10x from 2020 to 2023. The fbi reported 2477 million in losses. Okay, so a quarter billion dollars. Why can't the cyber do-gooder guys get that money? That would be some money instead of you know 5.7 million. Let's give them. The crypto kiosk lost $247 million Wow, in losses tied to the kiosks in 2024, with a 99% increase in complaints from the year before. I put my money in and nothing came out. Yeah, that's right. Schemes have particularly impacted older Americans. Both the FTC and the FBI warn people 60 and over were more than three times as likely as younger adults to report a loss using a crypto kiosk.
They states taking action include Illinois. The state legislature sent a bill to Governor JB Pritzker in early June, who had called for legislation to address the issue earlier in the year. Among other things, the law would require crypto ATM operators to include details on every receipt, such as the blockchain address where funds were sent. That would help law enforcement with any future fraud investigation. Other states have taken similar actions. Vermont passed a law in May. One thing it does is put a daily limit on usage for these machines to throttle how much criminals can gouge their victims.
Nebraska stamped a new law in March that establishes a licensing system for crypto ATM operators. Nebraska has been eager to bring crypto business to the state, but they want it to be under license, established a law in May that requires funds on fraudulently induced transactions. I'm sorry, that requires refunds on fraudulently induced transactions. A new Oklahoma law, which survived a veto by the state's government I guess he tried to say no will go into effect on November 1st, establishing similar protections, and Rhode Island's governor signed a new law last Monday.
In addition to enacting similar measures as other states, rhode Island's law requires and I love this a warning about the irreversibility of cryptocurrency transactions to be clearly posted on the kiosk, like don't go into the elevator until you check that there's a floor there, yeah, so yeah, make it put it like you know. I've always said that that, that that enterprises that have problems with employees not understanding that their use of the company computer is not private just need to post a sign across the top of the monitor. You know, this is our computer, our network, our bandwidth. What you do is ours too, and like who could complain? So yeah, signage on the kiosk. It's like when you put your money in the week it's gone. So be careful.
Axios said. Cities have also homed in on the issue. On June 16, you and they've been a topic in Minnesota cities including St Paul, stillwater and Forest Lake. So this is an issue. Much of this legislation, they wrote, has been at the urging of the AARP, of course, the well-known American Association of Retired People who've been after me for quite a while, leo. They want to get me to join.
1:00:46 - Leo Laporte
You're not retired. I hate to tell them.
1:00:48 - Steve Gibson
That's right, I'm not done yet which has been urging state legislators to pass these bills. The AARP says they've endorsed 12 bills that have passed in different states so far. Because those old people we vote. So pay attention to the double aarp. Uh, it came as a, as a. Uh, oh, uh. What came as a surprise to me, leo, was that there is a high fee for the use of these services, as I said there's a reason.
All these kiosks are popping up all over. Somebody's gonna pay for all that hardware. They're not exactly. And and I and all over Somebody's got to pay for all that hardware. They're not, yeah, exactly. And presumably that's what's going to pay the fines when complaints are filed against these things. So they're going to have to take some responsibility for who's on the other end of these transactions. One crypto ATM provider depot report.
That's right, bitcoin which is right next door to repo depot, so that's good yeah, reported an operating profit margin of 20, so they're making 20 on the on the money, generating $33 million in profits just for the first quarter. I need to get me a kiosk Of this year. Oh, wow, yeah, yeah. Just don't cash the money that you make. You may be giving it back if the state that you're in requires that you license and stand behind your transactions. So I think of all of this. Do you even?
1:02:27 - Leo Laporte
get bitcoin. What do they give you? Like a little wooden nickel or it's a good question.
1:02:32 - Steve Gibson
Um, it did say that the receipt you get must indicate the bitcoin uh address that it was put on, okay so they give you a wallet, basically yes, so I think what's happening is it's creating a wallet. You get back the bitcoin address. So so when, when some scammer says you need to pay for this in bitcoin, what's your address?
well, and and and, and you say I don't know what that is. They say, well, go to Bitcoin Depot and put your money in there. That will give you Bitcoin. And then you come back and you put that in to our webpage and then we're going to send you your auto. Warming socks are going to solve the problem that you got with no more cold feet.
1:03:29 - Leo Laporte
That's right. Yeah, yeah, yeah.
1:03:32 - Steve Gibson
So, anyway, we live in a country where, you know, individuals wish to preserve as much of their freedom and privacy as possible possible, so this seems like a tough problem. You know, I like more than anything the signage that says all transactions are final. You know, no money ever comes out of this thing, it only goes in, and so you know you're not getting your money back.
1:04:02 - Leo Laporte
I like that no money ever comes out of this thing. It's a roach motel for money. That's right, wow.
1:04:12 - Steve Gibson
Bitcoin Depot. It ought to be Bitcoin black hole, yeah, okay. So one more little bit of news and we'll take another break. It occurs to me that the way to improve an app's security is to widely and publicly ban its use due to exactly its demonstrated lack of security. So, to that end, the US House Chief Administrative officer recently informed all congressional staffers that the messaging app we all know of as WhatsApp is now banned on all their government devices. The ban centers on the vulnerability of staffers' data at rest, and it comes as Congress is also taking steps to limit the use of AI programs, which it deems similarly risky. In recent years, the chief administrative officer has set at least partial bans on. I have DeepSeek. Is that what I mean? Deepseek? Yeah, that's the Chinese.
1:05:24 - Leo Laporte
The Chinese much faster yeah.
1:05:27 - Steve Gibson
Also ByteDance's apps, of course, TikTok, famously, and Microsoft CoPilot Whoops, what, how'd that get in there? It is also heavily someone told them that it's going to store everything you ever do and very much like the Bitcoin Depot your data goes in and it never comes out. Uh, it's also heavily restricted staffers use of chat gpt, instructing offices to only use the paid version chat gpt plus, which okay anyway I don't know.
1:06:00 - Leo Laporte
That's more private. I don't know either.
1:06:02 - Steve Gibson
Now they have your name, address, credit card number these people have no clue what they're doing, but anyway. The congressional affairs office wrote in an email quote the office of cyber security has deemed whatsapp a high risk to users due to the lack of transparency in how it protects user data. I really wanted to ask you about this. Sounds like what's his face? Piss somebody off, oh Mark.
1:06:29 - Leo Laporte
Zuckerberg, Zuckerberg. I don't think WhatsApp's doing anything different than, for instance, Apple Messages. Well, WhatsApp is Signal Right. So here's the problem with WhatsApp that we know because it happened to Corey Lewandowski is that if you back up WhatsApp, it backs up the app, the data, in the clear so and so it would go up to iCloud account and then there was a subpoena and they got it from the iCloud account. But that's true of a lot of messaging apps, including the one they recommended, Apple's messages.
1:07:01 - Steve Gibson
We know it's true of iMessage, unless you turn on advanced data protection Right.
1:07:07 - Leo Laporte
So they're recommending something that does the same thing.
1:07:10 - Steve Gibson
Yes, so the issue is reportedly WhatsApp's lack of on-device encryption, which is exactly what you're saying, that the data on the device is not kept encrypted by the app. It's in the clear and then subject to backup and subpoena Data on the device is not kept encrypted by the app.
1:07:35 - Leo Laporte
It's in the clear and then subject to backup and subpoena. So is that an unusual behavior? I mean, I thought that was the problem is, if somebody has access to your phone, they have access to your messaging, no matter what you do in transit, it's true, but WhatsApp could be.
1:07:50 - Steve Gibson
Yeah, um, yeah, oh yeah, on the phone it is stored, encrypted and and so it's not in, it's not in the clear. I mean on the iphone is so locked down, you know, it's all, it's all in, you know it. It encrypts it on the fly in the pipe to the drive and then decrypts it on the fly on the way out. So Apple has to. I mean, apple does have a key that encrypts people's iCloud data, but the point is they have the key, which is the same for WhatsApp. Yeah, although maybe WhatsApp is not encrypting on the device, though the reporting said that it is. It has does not have on device encrypted, and this the cao, the congressional affairs office, said that microsoft teams, wicker signal, I message and facetime are acceptable alternatives to whatsapp but I don't know if they're doing anything differently.
Yeah, I mean I don't know you would have to take, you have to do, have to have someone take a look at it forensically and see Right because Apple's not telling. And, as I said, if, if in fact WhatsApp is not doing it, then they should you know.
1:09:02 - Leo Laporte
I can tell you for sure that Apple is is.
1:09:04 - Steve Gibson
I mean, if I can see the messages on the screen at some point, they're unencrypted on the device yes, well, but we don't know if they're unencrypted stored on the device or when displayed, but we know that we know I could scroll through old messages and they're all there.
1:09:23 - Leo Laporte
you think it's, think it's unencrypting them on the fly?
1:09:26 - Steve Gibson
Sure, absolutely could be Okay, yeah, so just to finish this, to share the other side of this, Andy Stone, a spokesperson for Meta, said in a statement to Axios, who covered this story, quote we disagree with the House Chief Administrative Officer's characterization in the strongest possible terms. We know members and their staffs regularly use WhatsApp and we look forward to ensuring members of the House can join their Senate counterparts in doing so. Officially, Messages on WhatsApp are end-to-end encrypted by default. We know that because they're using the signal protocol, meaning only the recipients and not even WhatsApp can see them, but that doesn't address the issue. He says this is a higher level of security than most of the apps on the CAO's approved list that do not offer that protection so so apple says that your messages are encrypted until you enter in your code, until the device is unlocked.
1:10:32 - Leo Laporte
Unlocking the device is the process of unencrypted and backing your device up to iCloud right, we know, but then they have the keys Right, yeah, right, okay. So maybe WhatsApp is less safe.
1:10:50 - Steve Gibson
You know, early in our password manager days there were issues with password managers that we were, you know like. I don't even remember them Like ones we never recommended.
1:11:00 - Leo Laporte
They're long gone now, steve, yeah.
1:11:03 - Steve Gibson
Where they. You know like somebody would discover the file, and there was all your passwords. It's like wait a minute. You're telling me you're not keeping this encrypted on. No, we decrypt it on your system when you log in, exactly, and then we re-encrypt it when it's like wait a minute, that's not safe.
1:11:21 - Leo Laporte
But nowadays machines are so fast that you can decrypt and encrypt on the fly.
1:11:26 - Steve Gibson
Or incrementally decrypt individual entries. Right, yeah, okay, great time. Then we've got an interesting story about the collision of commercial use of open source software and remembering XKCD's famous cartoon of the lonely guy in Nebraska.
1:11:46 - Leo Laporte
Right, right. Incidentally, you are not freezing. I don't know if anybody's seen a freeze but, I, haven't seen a freeze.
1:11:55 - Steve Gibson
So that's good news. Yes, that means a restart of the cable modem did the trick.
1:12:00 - Leo Laporte
Yeah that. Or maybe it just was freezing at the beginning and then once it got settled in, I don't know.
1:12:04 - Steve Gibson
We don't know.
1:12:11 - Leo Laporte
We don't know, we don't know, we don't know. Okay, happiness, knock on wood. Yay, I don't have any. I have formica, I have. All I have is from micah as well. What's wood? What's wood, daddy? Well, there used to be this thing called trees.
They had a grain they were green uh, ladies and gentlemen, our show today, brought to you by one password over. This doesn't surprise me, but it's a scary stat. Over one half of it pros say their biggest challenge, their biggest challenge is securing sas apps. With the growing problems of sas sprawl and shadow it, I mean, let's face it, people are not just using the sass apps you approve, but whatever they uh, whatever the heck they want to. It's not hard to see why this is a problem.
Thankfully, there's trellica by one password. Trellica can discover and secure access to all your apps, managed or not. Nice. Trellica by one password inventories every app in use at your company, even shadow it apps. Then pre-populated app profiles assess sas risks, letting you manage access, optimize spend and enforce security best practices across every app your employees use, which means now you can manage shadow IT. It means it's easy to securely onboard and off-board employees and meets your compliance goals. Trellica by 1Password provides a complete solution for SaaS access governance and it's just one of the ways that extended access management helps teams strengthen compliance and security.
1password's award-winning password manager is trusted by millions of users, over 150,000 businesses from IBM to Slack, and now they're securing more than just passwords with 1Password Extended Access Management. 1password is ISO 27001 certified, with regular third-party audits, and the industry's largest bug bounty. We know how important that is. We talk about that all the time. 1password exceeds the standards set by various authorities and is a leader in security. So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1passwordcom slash security. Now. That's 1passwordcom slash security now. Do it all in lowercase, okay. 1passwordcom slash security now. We thank him so much for supporting security now. And Mr Stephen Tiberius Gibson, you do you ever think about where does shadow it? Where does that name come from? I mean, I know what it is. I mean it's unmanaged apps, but I I just don't.
1:14:56 - Steve Gibson
Yeah like what is it it's? I think it's just a made-up name. Just well, obviously somebody made it up. All right, I'm just curious.
1:15:05 - Leo Laporte
Somebody will write you and explain the origin of it.
1:15:08 - Steve Gibson
Yes, yes, you're right, they will. We will have a listener who will go? Steve, I was there. What was on the mind of a German developer and the maintainer of the open source live or lib? But I like saying live.
1:15:30 - Leo Laporte
You say live, man. It's okay. Nobody's ever told us how to pronounce it, as in library not library Library Live XML 2.
1:15:39 - Steve Gibson
Okay, so live XML 2. Xml2. Uh, and I guess what put a point on it for me was learning that this library is being used by mac os, windows and linux.
Uh-oh, and of course, when we hear about a lone maintainer of a library that's being used by all top three of the industry's operating systems and thus, indirectly, by anyone using those. Features of those top operating systems were put in mind of the classic XKCD cartoon. So here's what Nick Wellenhofer recently posted under the topic triaging security issues reported by third parties. So this is the guy who's maintaining this library that Mac, windows and Linux are all using. He wrote I have to spend several hours each week dealing with security issues reported by third parties. Most of these issues are not critical, but it's still a lot of work. In the long term this is unsustainable for an unpaid volunteer like me.
I'm thinking about making some changes to allow me to continue working on LiveXML 2. The basic idea is to treat security issues like any other bug. They will be made public immediately and fixed whenever maintainers have the time, meaning whenever he has the time. There will be no deadlines. This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more. The more I think about it, the more I realize that this is the only way forward. I've been doing this long enough to know that most of the secrecy surrounding security issues is just theater. All the best practices, like OpenSSF scorecards are just an attempt by big tech companies to guilt trip OSS maintainers and make them work for free. My one-man company recently tried to become an OpenSSF member. You have to become a Linux Foundation member first, which costs at least $10,000 per year. These organizations are very exclusive clubs and anything but open. It's about time to call them and their backers out. In the long run, putting such demands on open source software maintainers without compensating them is detrimental. I just stepped down as live XSLT maintainer and it's unlikely that this project will ever be maintained again. It's even more unlikely with Google Project Zero the best white hat security researchers money can buy, breathing down the necks of volunteers.
So he posted that over and on GitHub and that was his issue opening posting which evoked a thoughtful reply from Red Hat's Michael Catanzaro, who is on the GNOME release team, the Fedora workstation working group and the desktop team at Red Hat. So somebody to listen to. Michael's reply was Problem is, many of these bugs will actually be exploited in the wild if we do this, both in targeted attacks against specific disfavored individuals and mass attacks against vulnerable populations like Uyghurs. So he had three points. He said I agree that reducing the disclosure deadline for live XML2 vulnerabilities might be strategic, at least for the time being, but there's a cost Downstream vendors might stop reporting bugs here, which is probably worse than the status quo.
If you want to do this, then I suggest applying a short disclosure deadline of 14 days rather than zero days. It might not even be necessary to make any changes to the disclosure deadlines at all. Please take a few days to think about what you prefer. Since you are the only active maintainer, I will follow whatever you decide. Second, he wrote if you're burning out, then one option worth considering is to reduce your focus. For example, you might consider focusing on triaging issue reports, reviewing merge requests and optimistically mentoring new maintainers, rather than trying to fix security issues yourself. It's unreasonable to expect you to handle every problem alone, and it's time for downstream vendors to step up if desired desired. Many extremely wealthy corporations have a stake in fixing LIBXML2 security issues and they should help out by becoming upstream maintainers. If nobody else wants to help maintain LIBXML2, then the consequence is security issues will surely reach the disclosure deadline, whatever it is set to, and become public before they are fixed. This is not your fault. And finally, he said I'm very grateful to Project Zero defending Google and other vulnerability research groups for reporting issues. Their reports are invariably excellent and we should encourage them to continue reporting vulnerabilities as quickly as they can find them. Warning us that problems exist is not a problem. That said, project Zero has notably reported zero security vulnerabilities in LIBXML2. Since the start of the year, they have reported three vulnerabilities in LIBXSLT, three vulnerabilities in LiveXSLT, and Nick, the original poster and maintainer of this, answered Michael's reply writing.
The point is that LiveXML2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made LiveXML 2 a core component of all their OSs. Then Google followed suit and now even Microsoft is using LiveXML 2 in their OS outside of Edge. This should have never happened. Originally it was kind of a growth hack. Now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own or by trying to improve LiveXML 2. The behavior of these companies is irresponsible. Xml2. The behavior of these companies is irresponsible, even if they claim otherwise. They don't care about the security and privacy of their users. They only try to fix symptoms. I'm not playing a part in this game anymore. He writes it would be better for the health of this project if these companies stopped using it.
I'm thinking about adding the following disclaimer. And he writes quote this is open source software, written by hobbyists, maintained by a single volunteer, badly tested, written in a memory, unsafe language and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won't be prioritized Unquote. That's like the sign on the Bitcoin kiosk. Like the sign on the bitcoin kiosk.
And then he finishes most core parts of live xml2, he writes, should be covered by google, should be covered by google's or other bug bounty programs already. The rest of the code isn't as security critical. I don't care if I don't receive security reports as early as possible. Most issues should be easily fixable by anyone. As soon as a patch is available, my job is done. I won't embargo security issues until a release is made. The only time you really want to embargo are on non-trivial issues that take longer to fix. I can live with that risk. Regarding Michael's bullet points, he says I'd love to mentor new maintainers, but there simply aren't any candidates, I'm not burning out. Thanks for asking so.
Earlier I was admiring with some awe the graceful way our industry has been managing the growing threat of quantum computing, which has the potential to overturn our well-established public key crypto systems. That's in the sharpest possible contrast to the sad and arguably pathetic mess the same industry has made of the open source model. Xkcd's famous teetering tower is so poignant exactly because it's so true. The idea that Apple, microsoft and Google are all using this code for free, then Google's Project Zero is finding and reporting flaws while starting a disclosure deadline countdown clock as a means of forcing the software's developers to fix the discovered mistakes is so deeply wrong on so many levels. Yes, so I can see the logic behind Nick's solution.
Yes, next follow-up posting made it clear that he's well over the glory and flattery of having all of the big OSs incorporating his code into their commercial offerings. Thanks very much. How about paying for the privilege of having me maintaining this code base for you to use year after year after year? And that's the problem, of course. Year after year. And that's the problem, of course.
The open source software concept has always been that it's there to be freely used by anyone for free, and that's what happened. When another hobbyist uses it for their own little project, that's different from when a massive multi-billion dollar corporation does so. In the latter case, the value proposition there seems unbalanced. Those multi-billion dollar corporations are paying for their own code maintainers to keep their code working, but then they also take whatever they want from the open source community, without ever returning anything other than complaints when there's a problem. Now we know that there are more socially responsible large corporations that do employ developers to work on improving open source software. Certainly, google does a great deal of that as well, but not everybody. You know. This open source movement, while it certainly has its heart in the right place, hasn't yet, I think, managed to figure out how to manage a fair exchange of value.
1:27:46 - Leo Laporte
Right on Steve, right on Yep. Great A hundred percent.
1:27:52 - Steve Gibson
Okay, I have to report the second remote code execution vulnerability that we've talked about on this podcast in a utility, an app for Windows that a great many of us use, and that's WinRAR Windows. That a great many of us use and that's WinRAR. I'm a registered and paid RAR and WinRAR user, so when I hear of an exploitable remote code execution vulnerability in WinRAR, I'm quick to download an update. Winrar just moved to version 12, point, I'm sorry, to version 7.12. And everyone using it should update. You just go to win-rar. You know win-rarcom slash downloadhtml.
Their notes, winrar's notes, said directory traversal remote code execution vulnerability. And this was. It's got a ZDI, so it came from the zero day initiative. It's their number 27198. They wrote in previous versions of WinRAR, meaning before 7.12. So in previous versions of WinRAR, meaning before 7.12,.
So in previous versions of WinRAR, as well as RAR, unrar and UnRAR DLL and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction. User interaction is required to exploit this vulnerability, that is, you have to extract things which could cause files to be written outside the intended directory. Whoops, this flaw could be exploited. They wrote to place files in sensitive locations, such as the Windows startup folder, potentially leading to unintended code execution on the next system login. This issue affects only Windows-based builds. Versions of RAR and UnRAR for Unix the portable source code on Unix and RAR for Android are not affected. We thank WHS3-Detonator, working with Trend Micro's Zero Day Initiative, who are responsibly reporting this vulnerability. So the danger would be that miscreants would would arrange to induce Windows users to download malicious files that can be overwritten, causing them to be written anywhere the miscreants choose.
We covered a similar problem with RAR and WinRAR many years ago, and I recall that by the time we reported it, that problem was under active exploitation, so fixing it was extra imperative. This time, rar users have the opportunity to get ahead of the day. I've not heard yet of this being exploited in the wild, but it's just going to be a matter of time. My Windows 10 machine had version 5.18, and the installer simply overwrote that. With the newer version, registration remained intact and I now have a much more current release of rar and winrar on my machine, so I just wanted to make sure everybody knew about this. Um oh uh, we have a very cool new site for everyone to check out.
Have I been pwned dot watch. You're probably going to want to bring this up, leo H-A-V-I-B-E-N-P-W-N-E-D. You know, pwned P-W-N-E-D dot watch. A security engineer named George Andrei Iosif, who is with Snap, created HaveIBeenPwnedwatch. It is a portal to display the data from live data from the HaveIBeenPwnedcom website in very easy to use graphs and infographics. The headline of his page reads open source, no fluff charts showcasing have I been pwnedcom's pwned account data, and his charts support mouse hovers so you can float your mouse around to explore the charts. Anyway, just I just want to give everybody a heads up about it. It's just a very cool facility.
1:32:56 - Leo Laporte
I'm trying to pull it up, but I think I'm being. It's probably newly registered domain and I'm being blocked.
1:33:02 - Steve Gibson
It worked for me. Do you have maybe something? Oh?
1:33:04 - Leo Laporte
no, I have all that weird security.
1:33:07 - Steve Gibson
Of course you do.
1:33:08 - Leo Laporte
Stuff on there.
1:33:09 - Steve Gibson
Yeah, of course you do Stuff on there. Yeah, sometimes, when your guys are sending me a link to like a different Zoom session or something, it's like oh crap, that's on a different computer which is well firewalled, even for me. And so it's like how do I get it over to it?
1:33:25 - Leo Laporte
Let, me see, I just added it to my allow list.
1:33:29 - Steve Gibson
It takes a little while to be, but you're right, I've never seen a watch top-level domain.
1:33:35 - Leo Laporte
Yeah, I don't know, I'm unable to connect. It's blocked somehow. I'm sorry, leave this as an exercise for our listeners at home.
1:33:44 - Steve Gibson
Let me see if I can bring it up.
1:33:46 - Leo Laporte
I'm sure you can. It's NextDNS yeah.
1:33:50 - Steve Gibson
Ah, right, right, right. Actually, I think I told you that I stopped using NextDNS. Yeah, yeah, Ah, right, right, right. And actually I think I told you that I stopped using NextDNS because I'm developing the DNS benchmark, right.
1:34:01 - Leo Laporte
It gets in the way.
1:34:02 - Steve Gibson
Well, yes, and it produces a burst. Actually it no longer does. Actually it no longer does. But I was experimenting with removing the throttling so that it was just unthrottled and it looked like a DDoS attack on NextDNS.
1:34:20 - Leo Laporte
I said oops, sorry, sorry guys, I put the throttle back in.
1:34:24 - Steve Gibson
Yeah, never had a problem again. Okay, so Sophos tells us how the bad guys are getting in. No-transcript. So 2023, 2024, and so far, like the first half of 2025.
I wish they had shown this as three pie charts, one for each year. Then we could more easily see the relative percentages for the year overall among the six different ways of getting in and then, by looking across the pies, we could see how those vary from year to year. But I just didn't give it that much thought, not as much as I did putting this into the show notes, thinking well, this is not done right and I guess I could have done it myself. But no, anyway, the six categories in order of clearly increasing incidence, so from least likely to most often occurring, regardless of the year. So there's no change from year to year. The least often is just a download of a file Doesn't happen very often, like one or two percent. Brute force attacks, around three to six percent. Three to 6%. Fishing, between 11 and 18%, and that's across the three years. Malicious email, from 18 to 23%. Compromised credentials Now we're getting there. That's between 23 and 29%. And finally, the biggie is exploited vulnerabilities, and that's at 32 to 36%, regardless of the year.
One category, that biggest one, exploited vulnerabilities, was responsible for a little over one-third of all ransomware attacks and you know, can you say? Cisco, compromised credentials, as we saw, took a strong second place and, in fact, for every year, the sum of exploited vulnerabilities and compromised credential percentages accounted for over half of all across all six causes of all, across all six causes. So compromised credentials, exploiter vulnerabilities, and, not surprisingly, that's why that's what we end up talking about so much and seeing so much in the news. That's the way the guys are getting in. You know, there were slight differences in the percentages, uh, from from from year to year, but no real pattern. It's not like anything got better over time.
So we don't appear to be doing any better from 2023 than we are through the first half of 2025. And in fact, the reverse is clearly the case. Since these bars represent percentages, we don't see actual numbers, but down in the fine print of Sophos' caption, we see the statistical N values for the number of ransomware attacks tracked, from which those percentages were taken. For 2023, all of that year, that number is 1,974. For all of 2024, it was 2,974. Oh, big jump Exactly 1,000 more during 2024 than 2023. But for 2025, year to date, we're already at 3,400. Wow, wow, that's about twice that, probably, right? Yes, twice what we had last year. Wow and hello Cisco. Anyway, I don't mean that.
1:38:44 - Leo Laporte
You said that like 12 times in the show today. Are you a little salty about Cisco? I'm a little annoyed yeah. This is actually very interesting from Sophos. It's not so much downloaded or even brute force. It's vulnerabilities, it's a big problem.
1:39:00 - Steve Gibson
Yeah, and we're going to see that. Acquiring those is the way you win this game, leo.
1:39:07 - Leo Laporte
Yeah, not a surprise.
1:39:09 - Steve Gibson
By the way it was NextDNS.
1:39:10 - Leo Laporte
I have been able to go to the haveibeenpwnedwatch site. Yeah, nice site Lots of cool stats. Yeah, really cool. Very interesting. I love it that haveibeenpwned has an API.
1:39:22 - Steve Gibson
Yes, isn't that?
1:39:23 - Leo Laporte
cool.
1:39:24 - Steve Gibson
And are you able to hover your mouse and pick up stats?
1:39:28 - Leo Laporte
Yeah, oh yeah, yeah, cool breaches per year. Yeah, yeah, wow, pwned accounts per year. Why was 2019 so bad, I wonder. Maybe one or two really big ones right?
1:39:42 - Steve Gibson
you know, uh, we got hit with those credential attack surprises, yeah, and you know we were talking about that a lot, uh, back then look at this and that. Yeah, those little stacked bars are very cool because you're able to explore them.
1:39:57 - Leo Laporte
Yeah, very nice. Anyway, thank you for blocking it. Nextdns, I'm going to turn you back on now.
1:40:05 - Steve Gibson
Probably. That is probably just a block, unless we know otherwise, right? So the bad guys are not cooking up new random TLDs and using that in order to get through until NextDNS is able to add a block on it. So if we don't know, it's okay, we're just saying no, that's very cool. What is also cool, leo, we're at an hour and a half. Oh, we're going to talk about what Microsoft hopes they have done to fix the CrowdStrike flaw which brought down all those 8.5 million machines last summer.
1:40:46 - Leo Laporte
But first let's take a break.
1:40:47 - Steve Gibson
I'm going to take a sip of coffee and then we're going to look at that.
1:40:50 - Leo Laporte
I want to look one more time at this chart, snowfo's chart. See that big stack there Malicious email, the root cause of ransomware attacks. Between 18 and 23% of all these attacks are email that comes in over the transom. That's why you need our sponsor for this segment of Security Now Hawks Hunt. As a security leader, your job, your paycheck, depends on protecting your company against cyber attacks. But it's getting harder right with more cyber attacks than ever. And now, thanks to AI, these phishing emails used to be you could say, oh, obviously a phony. Look at the grammar or not. An English speaker or whatever. Right Now they're generating phishing emails with AI and perfect grammar, perfect spelling.
Unfortunately, training your staff can be a challenge. Legacy training programs, these one-size-fits-all awareness programs they're not good. They don't stand a chance. They send at most four generic trainings a year, every quarter. Most employees. You know they have a heave, a deep sigh when they get these and they just ignore them. And then, when somebody actually clicks, they're forced into embarrassing let's face it, embarrassing training programs that feel more like punishment. Nobody learns if they're embarrassed and they're feeling punished. That's why more and more organizations are trying Hawks Hunt H-O-X-H-U-N-T.
It goes beyond security awareness. It actually changes behaviors by gamifying the whole thing. Employees love it. It actually changes behaviors by gamifying the whole thing. Employees love it. It's fun. Hawks Hunt rewards good clicks, coaches away the bad clicks. Whenever an employee suspects an email might be a scam, they click a button. Hawks Hunt will tell them immediately. You know big flash. It's really cool. It's a game providing them with that gaming rush, that dopamine rush that incents your team to click, learn and protect your company. They do it because they love it, because it's fun. As an admin, hawks hunt makes it easy for you to automatically delivering phishing simulations, by the way, just not just email, in fact, if you look at this chart again, phishing is a big reason, right well, it goes through email. It works on slack, it works on teams using ai to mimic the latest real world attacks, and I love this. Simulations are personalized to each employee based on department location and more. The bad guys are doing it. The simulation's got to do it Well.
Instant micro trainings not big, long, complicated, boring punishment trainings, but instant micro trainings solidify understanding and drive lasting, safe behavior. You can trigger gamified security awareness training. This is, I think, really the secret sauce. They've made it fun. They reward employees who spot the bad guy, who spot the bad, clicks with gold stars and it works. And I'm not surprised it works. They get badges. This boosts the completion rates. This ensures compliance and you can choose from a huge library of customizable training packages. Generate your own with AI. It's fun for you, it's fun for them. Everybody learns. Your company is protected.
Hawks Hunt has everything you need to run effective security training on one platform, meaning it's easy to measurably reduce your human cyber risk at scale. You don't have to take my word for it. There are over 3,000 user reviews on G2, making Hawks Hunt the top-rated security training program. For the enterprise it won easiest to use, best results. It's also recognized as customer's choice by Gartner and thousands of companies like Qualcomm, aes and Nokia use Hawks Hunt to train millions of employees all over the globe. Visit hawkshuntcom slash security now, today, to learn why modern, secure companies are making the switch to Hoxhunt. That's hoxhuntcom slash security now. Don't add to these numbers, don't be part of these statistics. You want to use Hoxhunt and your employees will thank you. Your boss will thank you. He'll thank you because your life's easier hawks huntcom security now. We thank them so much for their support of the show back to you, steve okay.
1:45:21 - Steve Gibson
So we were recently remembering last july's windows mess, which was triggered by a flaw in crowdStrike's endpoint security system. Yes, oh, what a mess that was. It resulted in more than eight and a half million Windows systems crashing hard and staying crashed hard. Although, leo, we should be sensitive to the fact that this is no longer the official term for such events. I'm pretty sure that Microsoft would prefer that we refer to those 8.5 million systems as taking an unplanned group vacation. In any event, once those eight and a half million machines returned from vacation and went back, officials to discuss strategies for improving resiliency and protecting their mutual customers. In other words, how the F do we prevent that from ever happening again? Because boy was that a mess.
So that brings us to today's news. Microsoft is close to launching a new security platform Next month. They've said that they will begin privately previewing their new technology that will allow antivirus and security tools to run without kernel access and, as we know, this has been the great challenge for Windows. To provide truly strong endpoint security, third-party vendors have needed to dig deeply into the OS to get their hooks into all of the various APIs that malware might attempt to abuse Basically being able to watch what Windows is encountering and preventing malware from taking advantage of that. If there's a weakness that lies behind and this is not something that any operating system wants to permit that is allowing anything else to hook deeply into it. For precisely the reasons that befell all of Microsoft's and CrowdStrike's customers last summer. When something goes wrong, it's bad. When something goes wrong, it's bad. So Microsoft has been caught between a rock and a hard place because they've also been unwilling, apparently until now, to provide any workable alternative solution, to keep an alternative solution to the need for deep API kernel hooking. We're now being told that this will finally be changing, so I'm just reporting that It'll be interesting to see whether the vendors themselves, who have been actively participating in this process, end up being satisfied with what microsoft ends up doing.
Um, the, the, the one of the issues is performance. You know the the, you know coming in and out of the kernel is expensive. This is the reason that the graphics device interface, the gdi component of Windows, which was deliberately kept outside the kernel because can you say, interpreter, it's so much potential for problem. Unfortunately, this GDI, the graphics device interface portion, needed to be talking to the kernel all the time. So Microsoft analyzed the overhead of that dialogue and decided we can't afford not to move GDI into the kernel. What happened was Windows got faster and its security collapsed. That's worse, yes, yes, much worse. So they've been recovering from that decision for a long time. And what's really annoying is it was transient because now systems are so fast and GPUs are ubiquitous that you don't know. You no longer have this problem with having a slow graphics device interface portion of Windows. But you know, we have history.
Anyway, I think we're going to have to wait to see. It's only being released for preview on a selected basis, not even broadly, as I understand it. So they're going to, you know, creep this out and we'll see how that goes. It would be good if we could move endpoint security out of the kernel without incurring a performance problem. No one's done it yet, so let's hope. And they've been working on it for a year, basically since this disaster last July.
1:50:45 - Leo Laporte
Nothing should run in the kernel. I mean ring zero should be sacred right.
1:50:50 - Steve Gibson
And the concept is a micro kernel, right, you know, you want a little small bunch of code whose integrity you can be absolutely sure of it. It, it manages processes, it manages threads, it manages memory, uh, and that's pretty much all it does. That everything else is around it. Our clients of this micro kernel, that's the I mean everyone starts out that way and then, just like anything else it's like. It's like our U S tax code starts out looking great. It's like well, but you know those, uh, those farmers, they need some extra help. So let's, let's cut out a little current. You know a little little change in the tax code. Similarly, it's like oh, well, yeah, but then you know this networking api. It turns out that this is a little slow to do outside the kernel, so let's just put a little move, a little bit of that code into the kernel and before you know it, you end up with a big bloated operating system and you no longer have any control over it.
1:51:52 - Leo Laporte
It's even happened on the Mac. The mock kernel they use was a microkernel, but at this point you'd be hard pressed to call it that.
1:52:04 - Steve Gibson
Yeah, it's just it's. I know it's one of the unsolved problems of computer science. We have not yet figured out how to evolve software in a way that doesn't cause it to just get really ugly over time. Okay, the US Supreme Court just upheld a contentious Texas law. You know where I'm going with this I do.
1:52:24 - Leo Laporte
We talked about it extensively on Sunday, yeah.
1:52:28 - Steve Gibson
It requires proactive age verification before accessing pornographic content on the Internet and, as I've noted before, this is fundamentally different from mom and dad setting the dates of birth into Johnny's and Sally's phones so that they'll be able to use Facebook. This is mommy and daddy needing to prove their own ages to some of the websites they have every legal right to visit. This is made tricky by the fact that at the moment we have no technology for providing anonymous age verification, and the challenge of providing unspoofable, anonymous age verification remains an unsolved problem. Us Supreme Court upholds Texas porn ID law and the subhead is. In a 6-3 decision the Supreme Court held that age verification for explicit sites is constitutional In a dissent. Justice Alina Kagan warned it burdens adults and ignores first amendment precedent. The first four paragraphs of wired's extensive coverage I want to share because that you get the gist of everything they said. If you try to access porn hub, one of the world's biggest websites, from any of 17 US states, you'll be blocked. Pornhub's parent company, alo Holdings, has restricted access in response to a slew of laws. That says Pornhub itself should be responsible for checking that every visitor is over 18.
Now the United States Supreme Court has made a decision on a key age verification law which could have ramifications for the entire country and the wider internet as a whole. On Friday, in a six to three decision that could reshape the landscape of online privacy and free speech, the Supreme Court upheld in full the Texas Age Verification Law, one of the first passed in the country, requiring many websites publishing pornographic content to check that all visitors are over 18. The law Texas HB 1181, says sites that are quote more than one-third sexual material unquote can face fines of up to $10,000 per day if they don't put in place age verification systems, plus extra penalties of up to $250,000. It also states websites should display health warnings about the potential health risks of pornography. Writing. For the majority.
Justice Clarence Thomas said that because the law quote simply requires proof of age to access content that is obscene to minors, it does not directly regulate adults' protected speech unquote. Adding quote adults have no First Amendment right to avoid age verification unquote. In her dissent, justice Alina Kagan argued that the Texas law imposes a direct and unconstitutional burden on adults' access to protected speech. Writing quote. A state may not care much about safeguarding adults' access to sexually explicit speech. A state may even prefer to curtail those materials for everyone, she wrote. But the First Amendment protects those sexually explicit materials for every adult unquote.
So I had no idea that Pornhub could be described as one of the world's biggest websites. I did a little bit of checking and sure enough it is. It's unbelievable. So, from a technology standpoint, it seems clear to me that this creates a market in the short term for VPN services, which provide for virtual internet relocation. But I suppose that anyone living in any of those 17 blacked out US states who wishes to obtain access to this proscribed content will have already found a way to appear to be connecting from a non-blacked out location. But I said in the short term, because VPN services operating within the United States are also subject to the law, and the law doesn't say no one connecting from within Texas. It says no one residing within Texas. So once the use of VPNs for geo relocation becomes commonplace, we can expect our duly elected representatives to close that loophole too. So this is going to be interesting to watch, and it's another intractable mess we've gotten ourselves into, where the cyber world collides with the physical world.
1:58:08 - Leo Laporte
Yeah, I mean, no one would contest that. You know. Grocery store owners should be able to age check kids buying adult material on the newsstand. That's not a problem.
1:58:19 - Steve Gibson
This, though, has a much larger impact, because age verification is inherently a privacy violation, and, furthermore, the definition of what is adult material is very flexible, and it's not hard to imagine, at some point, texas or some other state's legislators saying LGBTQ content is adult, or content about contraception, or even content that is unfriendly to the administration, increasing the breadth of the band yeah well, and and I've made the point that in the physical world you know, a 14 year old trying to sneak into a to a strip club is going to be stopped at the door by the bouncer right because you're obviously 14, exactly right, but they don't check your id at every, at every person right, but on the internet no one knows how old you are exactly exactly.
1:59:18 - Leo Laporte
It's a very, very bad precedent.
1:59:20 - Steve Gibson
It really undermines the first amendment, I think, and well it is an intractable mess and I don't mean, you know, coming from up from a technology standpoint, I can. I can solve the problem of mom and dad wanting Johnny and Sally to have their phones identify their age. That's not a problem. But dad or mom needs to prove that they are of age if they want to access this now prescribed content. And we've also made the point too that if a 14 year old wants to get around, yeah, I mean that's just not going to block anybody who's determined. I mean, were I 14 years old, I'd be having a lot of fun selling access to my peers.
2:00:11 - Leo Laporte
I look, I think it's probably a laudable goal to try to selling access to my to my peers. I look it's a I think it's probably a laudable goal to try to restrict access to that kind of content.
2:00:16 - Steve Gibson
Yes, I mean kids, I don't think that's a bad thing, but having a yes, I'm 18 button, that does nothing right. I mean we know that does nothing. It's like you know, is look the. The handle on the door is unlocked every website that sells liquor.
2:00:31 - Leo Laporte
Every whiskey site we go to on wednesdays has that age verification thing on there. That's nonsense. But I wouldn't want to have to present id before I could go to a liquor site.
2:00:43 - Steve Gibson
That's a very different thing and that is the problem, is that you know, I'm sure, that a lot of people who do want to visit porn hub do not want to identify themselves I wonder why because of this interest that you don't want to give your government issued id to porn hub or jack daniels.
2:01:04 - Leo Laporte
Either way, it's a bad idea yeah, all right okay, a few other bits.
2:01:12 - Steve Gibson
Uh, hick vision is another controversial chinese company. We've talked about them in the past. I remember at one point, leo years ago, when they were like in the doghouse, you brought up a picture of their website that had like cameras up in the sky and it was like it was quite spooky. So they know they manufacture security cameras and the Canadian government has just ordered them to close their Canadian operations, basically kicking Hikvision out of Canada. Interesting, wow. The Canadian official said that the company's business is an active threat to Canada's national security and banned government agencies from purchasing new Hikvision products, even using stores outside of Canada. And, as we know, when we covered this previously, the US sanctioned Hikvision for aiding the Chinese government's surveillance of the Uyghur minority in western China. So you know, there again, another instance of this growing divide that, unfortunately, that we are seeing. Meanwhile, berlin, germany's data protection agency, is seeking to ban DeepSeek throughout Germany over what they're claiming is DeepSeek's illegal transfer of user data to China. Germany's data protection agency has reported both apps to the Apple and Google app stores for GDPR violations. In other words, get them out of the store. According to CNBC, this initial action in Germany may lead to a European Union wide ban on deep sea. So Germany first, maybe all of the EU, and I do regard. All this is unfortunate but, I guess, inevitable.
Early last month, russian ISPs began I love the word throttling in this reporting. Isps began throttling traffic from Cloudflare to their customers and, as we've talked about recently, what a massive percentage of the internet is now being hosted by Cloudflare. So if Russian ISPs are throttling Cloudflare's traffic, then that means that all of the customers of those ISPs are going to have a problem. Well, they're going to have a bigger problem than throttling would suggest. You would think that that meant forcing pages to load more slowly. No, russian ISPs are get this, only allowing 16K bytes of data to load from a page before completely blocking anything more. Now you could actually surf GRC with 16K pages, but probably nothing else on the internet.
2:04:17 - Leo Laporte
Yeah, that's pretty remarkable.
2:04:18 - Steve Gibson
Because I'm still hand coding all of the HTML and there's no libraries or scripts or anything.
The only rationale that I could imagine would be that it would be possible to have a Cloudflare site return an HTTP redirect in fewer than 16 Kbytes. I mean, it only takes a few hundred bytes, which would redirect to a Russian located site. So I don't know, maybe that was the idea. I mean 16K. You can't even get off the ground on a webpage with 16K these days. Any Russian sites hosted by Cloudflare could re-host themselves in Russia and redirect any previous Cloudflare visitors to their Russian-hosted site. But on the other hand, why not just repoint the domain to a Russian-hosted IP, and that would be easier.
So I don't understand it. I mean, if you want to block Cloudflare, just shut it off. I don't get what 16Kbytes does. It seems crazy to me. But okay, um, just a brief update, leo. Having caught up with rick brown's frontiers saga series over the weekend, I started into my reread of project hail mary. Oh good, I had forgotten how much I must have enjoyed it the first time. Yeah, since I am astonished by how much fun I am having with this book and you, and even though you know what's going to happen, you're still loving it oh well, that's me.
I, yes, um, we, uh. There are some things that my wife Lori will do more than once. We really like. Well, there are a number of movies that we've seen several times, but generally if she knows what's going to happen, she has no interest. Now she loved the martian and, uh, uh, I don't think she really paid attention when I was reading project hail mary the first time. Um, she may have been in the middle of another book, but when I came home last week with the news of this trailer that we talked about last week and we started watching it, she immediately stopped me before like we only got like I don't know, a third of the way in, because she didn't want any spoilers. She wanted to read the book because she liked the martians so much. She finished that book. She finished project hell mary this weekend and really enjoyed it, although she thought the ending was sappy. I thought it was wonderful and it was sappy but okay, yeah, well, we're old softies, I guess.
2:07:22 - Leo Laporte
right, she's a hard woman, a hard woman Anyway.
2:07:27 - Steve Gibson
so for what it's worth, for anyone listening to as geeky a podcast as this, who obtains pleasure from reading or listening to books. You will likely love Andy Weir's writing. You know his science and his humor. He's great. You know I missed reading Andy's second book, artemis, when it was released eight years ago in 2017. I must have been deep into some other series at the time, but I'm not now. So once I finish my reread of Project Hail Mary, I plan to follow that with Artemis. It's not as good, and that's okay. I don't need it to be as good.
2:08:11 - Leo Laporte
I've interviewed him, as you know, every time. I think three times now, because I did an interview for Artemis as well. Oh, okay, and Artemis was his plan. He had some really interesting ideas. It was his plan to create a new series and it has a great protagonist. It's a moon colony. It's a moon colony. It's kind of interesting. I'd be very curious what you think of it. The problem was he started with the Martian and everybody was expecting another Martian.
2:08:40 - Steve Gibson
It's like a high bar.
2:08:42 - Leo Laporte
Yeah, and it wasn't another Martian. And Project Hail Mary is much more in the Martian vein of, you know, sciencing the crap out of it.
2:08:50 - Steve Gibson
Oh my God, and it's funny too, because I mean I'm, you know, I love physics and I love the science. And there there have been several points because because I, I, I use uh, continuous scroll on my kindle right and and so there have been points where I've like gone and laurie's, and like laur, lori's, sitting next to me, she says what, and I said, oh, I know what the next page is going to have on it, because I'm following all of the science and I'm surprised. I said to Lori, I said I'm very surprised that he is this good with the science.
2:09:28 - Leo Laporte
He really is, isn't he?
2:09:29 - Steve Gibson
Yeah, but I think he has lots of advisors.
2:09:32 - Leo Laporte
Oh, maybe.
2:09:33 - Steve Gibson
He gets it really right. I mean, it's astonishing. I like, I like. Anyway, I don't want to give any of it away, but I just wanted to say again to our listeners what's wrong with you.
2:09:45 - Leo Laporte
What's wrong with you?
2:09:49 - Steve Gibson
You know, the only thing that I could see that's wrong is that it's not free. You know, the only thing that I could see that's wrong is that it's not free.
2:09:54 - Leo Laporte
Free is a lot easier than asking anyone to pay, you know, 750 or whatever it is yeah on kindle um apparently I can't wait till the uh um, the movie, the movie, I you know, but I I wonder I'm dying to know how they're going to do this, because all of this is in his head.
2:10:12 - Steve Gibson
We're listening to his thoughts. So the only way I can think they're going to do this is that we're just going to hear his inner dialogue. You know, throughout the entire movie, because all like I'm, I'm a quarter of the way in. I think now, and it's mostly inner dialogue, it we have to be hearing his voice telling us what he's thinking here andy we're is, was on triangulation 428 talking about project hail mary.
2:10:38 - Leo Laporte
That was in 2021. Uh, we had him on uh after the martian in 2014, which is pretty wild. I didn't realize it'd been such a big spread and I feel like uh. We also interviewed him on the new screen savers and uh, there's another one. Uh, oh, for artemis. Yeah, triangulation 322, which is in 2017. Ah so, yes, I I've spent a lot of time with andy weir.
2:11:06 - Steve Gibson
Love the guy and well, and apparently there was, there were plans for an artem, this movie, which fell through, yeah, maybe because that it just didn't, you know, do as well as it was expected to. I mean, after you do the martian you, it's pretty hard. You get the rights grabbed before you even go to print on well and that's, and that's what happened.
2:11:25 - Leo Laporte
I remember him telling us, with project hail mary, he knew, uh, that lord and miller were going to direct it and that Brian Gosling was going to star in it, even before it was published, I mean, he already knew all of that. So, yeah, I don't know what happened to Artemis. I think it's actually quite a good book If it hadn't come on the heels of the Martian To be compared by, yeah, because it's such a different kind of book, but I love his protagonist. I think it's a great story. It's about the moon colony and I think you'll like the science in it. There's some good science in it.
2:12:01 - Steve Gibson
Cool. Yeah Well, I will let everybody know what I think. Let's let everybody know what we think about this final sponsor. Our last ad for the show today, and then we're going to look at going on the offensive uh, what it's going to take for the us to get nasty this episode of security now brought to you by.
2:12:23 - Leo Laporte
Well, I've got it right here, thanks canary. If you are in the business of protecting your company's security, you have probably very strong defenses right Surrounding you. Perimeter defenses, yeah, but how would you know if somebody got through them? Because you know once these wily hackers get in, they're good at covering their tracks, they delete logs, they're very careful not to set off any tripwires.
Everybody agrees that detection is as important as prevention Of course, even if somebody gets in, they can't they usually, in fact, on average companies don't know they've been breached for 91 days. Why? Because the guy guys don't set off the ransomware that day. They spend some time. They get this is the latest thing, right? They exfiltrate customer information, private emails, they blackmail you. They say, hey, we have all this stuff. Then they set off the time bomb and meanwhile they've had three months to wander around. Look for all the places you might be backing stuff up. It's really, it's a nightmare. That's why you need the Thinkst Canary. It's a honeypot that can be deployed in minutes. You know, traditional honeypots are very tricky to write and maintain, but Thinkst Canaries they've done it all.
The folks at Thinkst are experts in this. They teach penetration to governments and companies. They've been doing this for years. They took everything they've learned and they've created a honeypot that is irresistible to hackers. Let me show you the. This is the console. I have a ThinkScanary right next to me right now and I'll show you how easy it is to configure.
Right now it's posing as a Windows Server 2019 Office file share share. That's a pretty good thing to pose as a hacker sees that share and is going to go gee, that's uh, that sounds like something I should be looking at. He, of course he's going to look at the mac address, say, well, let's see if this is. Oh no, that's a microsoft mac address. He's going to look at everything he's going to and he's going to realize no poor rdp's turned on here. This is good news. It isn't, though. It's a honeypot. The minute he attacks it, I'm going to get an alert email, sms, slack, web hooks, syslog, whatever you want. Look at all the things it can be. It can be an IIS server, an XP desktop file share. That might be. That's just too obvious. That's too vulnerable, although I bet there's a few of those around. It could be a server. It could be Linux. It could be Mac OS server. It could be. Oh hey, maybe we should make it a Cisco router, steve, what do you think Bad guys love that Thing is? It's going to look in every respect. See, the mac prefix is going to be from cisco systems. If there's a login screen. It's going to look exactly like a cisco router in every respect, but when the bad guy hits it, you're gonna know. If someone's asking oh, I didn't show you the lore files, let's say I'm going to discard the changes for now, and I'll show you the lore files.
You can also create these canary tokens an infinite number of these, and they can be so many things, including a credit card. It can be an AWS credentials, it could be a MySQL dump, it could be a spreadsheet or it could be a Windows folder. The point is these you scatter around. I even put them on our cloud servers and if somebody attacks them again, you're going to get an alert that matters. If they try to brute force your fake server, you're going to get an alert, but only the alerts that matter. That's the key. The canary doesn't do false positives. The canary will never bug you. The things canary will tell you when you have a problem. Choose a profile on the console. You saw how easy it is. I could change it every day if I wanted to Register it for monitoring and notifications, and then you just sit back, you relax. Attackers who've breached your network or malicious insiders any adversary in your network will let himself known, because they cannot resist accessing your Thinks to Canary or those tripwires, those tokens you've spread around.
Visit canarytoolscom $7,500 a year for five Thinks to Canaries. You get your own hosted console, you get upgrades, you get support, you get maintenance and if you use the code TWIT in the how Did you Hear About Us? Box, you'll also get 10% off the price, and not just for that first year, but for life. You can always return your Thinks Canary with their two-month money-back guarantee for a full refund. Two months, 60 days plenty of time. However, I should point out, during the eight years that Thinks has been advertising with us, their refund guarantee has never not once been claimed, because once you have a Thinkst canary in your network, you're never going to want to give it up. Visit canarytoolstwit. Enter the code TWIT in the how did you hear about us box. Everybody always says security is about layers and you might have the outer layer, but who do you have protecting you against breaches?
You need your Thinkst Canary Canarytoolscom Offer code. Twit in the how Did you Hear About Us box for 10% off for life. Thank you, thinkst for the Thinkst Canary. All right, steve Arino on we go.
2:17:51 - Steve Gibson
So this podcast has often wondered what's going on with the United States cyber war posture. You know we're endlessly covering China's intrusions in the US networks and all the trouble that causes for us here in the States. For us here in the States, we recently looked at the concerns over the discovery of undocumented radios turning up in Chinese-made power inverters used in wind and solar energy production. Chinese-made security cameras are being increasingly banned from sensitive locations we talked about Hikvision just now and we're worried about the ubiquitous presence of DJI drones being used on military bases and other sensitive areas.
What I wonder is whether similarly cyber-aware Chinese citizens located in China, especially our counterparts, are covering the same sorts of stories about intrusions, plotting and planning being made by the US. Because we're here in the US, we don't have the same visibility into US operations in China as we do into China's operations in the US. So I've often wondered whether the US is giving as well as it's getting. Are things balanced? Is China worrying about us as much as we're worrying about them? And I just want to say, before we go any further, I always want to be very clear that this entire subject area and I've alluded to this from time to time always makes me feel a bit queasy, you know, I know we have Chinese listeners, and there are very few things in this life that feel more unjust to me than racism. So I want to be crystal clear here that in every instance we're talking about the actions of our respective governments and their militaries, not their people.
2:19:49 - Leo Laporte
No, I love the Chinese people, I love the Chinese country, but the CCP not so nice.
2:19:56 - Steve Gibson
So this has nothing to do with ethnicity. Although democracies elect their leaders, those leaders don't always do what many of those they lead wish they would. So we fill out our ballots and hope for the best. So I ran across a fascinating document which was prepared by Winona DeSambre-Burnson, a former security engineer at Google's oh, that's the name, leo TAG, the Threat Analysis Group, google's TAG group. You know, tag, you're it.
She's the founder of the Offensive Security conference district con held in Washington DC, and she has organized policy content at DEF CON and authored multiple pieces of offensive cyber capability proliferation. She's a fellow at the Atlantic council, a Washington DC based policy think tank, and in that capacity she interviewed a sobering list of people whom she lists at the end of her piece. In many cases she's only able to use their approximate titles because of the sensitive nature of their positions within the US government or military. She titled her piece crash. Well, it would be crash and burn, but she put after crash she had in parens, exploit and burn colon, securing the offensive cyber supply chain to counter China in cyberspace. So she's taking a, you know, a clearly US centric. How do we give, as well as we get, stance, and note that her use of the term offensive cyber supply chain. In other words, how can the United States reliably obtain the tools, meaning the exploits, we need to attack others?
The PDF of this report is 44 pages and I've placed a link to that PDF in the show notes for anyone who wishes to dig deeper. I'm certainly not going to go through all of that, but it's beautifully organized for the harried policy pusher. It makes all of its points quickly, then backs them up with data and specifics. So I only need to share the beginning of this well-organized, lengthy, in-depth and detailed report, since it contains a ton of very interesting insights and specifics that we've never covered on this podcast before because we didn't have the results of these interviews which she has made. So the report begins by posing a question.
As its thesis, she writes if the United States wants to increasingly use offensive cyber operations internationally, does it have the supply chain and acquisition capabilities to back it up, especially if its adversary is the People's Republic of China? She writes strategic competition. Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities like zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States fragmented, risk averse acquisition model with China's outsourced and funnel like approach. Our key findings are we have some bullet points.
First, zero-day exploitation is becoming more difficult, opaque and expensive, leading to feast or famine contract cycles and I'll get to explaining that in a minute. Cycles, and I'll get to explaining that in a minute. Middlemen with prior government connections further drive up costs and create inefficiency in the US and Five Eyes market, while eroding trust between buyers and sellers. China's domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia.
The United States relies on international talent for its zero-day capabilities and its domestic talent. Investment is sparse, focused on defense rather than offense, on defense rather than offense. The US acquisition process favors large prime contractors and prioritize extremely high levels of accuracy, trust and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements. China's acquisition processes use decentralized contracting methods. The Chinese Communist Party outsources operations, shortens contract cycles and prolongs the life of an exploit through additional resourcing and end-day usage, meaning not just zero-day. Us cybersecurity goals covered with big-tech market dominance are strategic counterweights to the US offensive cyber capability program, demonstrating a strategic trade-off between economic prosperity and national security. China's offensive cyber industry is already heavily integrated with artificial intelligence institutions and China's private sector has been proactively using AI for cyber operations. And finally, given the opaque international market for zero-day exploits, preference among government customers for full exploit chains leveraging multiple exploit primitives and the increase in bug collisions, governments can almost never be sure they truly have a unique capability. Okay. So it feels as though there may be an inherent conflict between the traditional way the US military has conducted its business and the faster, more furious and significantly less certain way the zero-day cyber marketplace functions. Way the zero-day cyber marketplace functions. It also sounds as though the US may still be stuck in a but we're the good guys mindset, whereas China's management may evidence more ofa just-get-it-done style which more closely aligns with the realities of cyber.
Winona next lists three recommendations. Writing. First, strengthen the supply chain by creating Department of Defense, dod vulnerability research accelerators, funding domestic hacking clubs and competitions, expanding the NSA's Centers of Academic Excellence in Cyber Operations and providing legal protections to security researchers. Second, improve acquisition processes by establishing a government-sponsored vulnerability broker in a federally funded research and development center to decentralize and simplify exploit purchases, while increasing cyber capability budgets and expanding research on automated exploit chain generation. And third, adjust policy frameworks to consider counterintelligence strategies in the zero-day marketplace. Burning capabilities of malicious actors while recruiting willing responsible actors into a more formal pipeline, funding end-day research through US Cyber Command, were appropriate in leveraging alliances to counter China's growing cyber dominance.
That all appears to amount to you know, quote you know. We need to be getting serious right now about zero-day exploit acquisition. That's where all the action is and where it's going to be in the future, and we're going to be in trouble if we don't rearrange our operations and priorities right away. She concludes. Without meaningful reforms, the united states risks ceding china whatever strategic advantage it has left in cyberspace. By fostering a more deliberate offensive cyber supply chain and adjusting acquisition strategies, the US can retain a steady supply of offensive cyber capabilities to maintain its edge in the digital battlefield. In the digital battlefield. Okay, it's unclear to me where the assumption comes from that the US currently has any edge at all in the digital battlefield. We don't know what we don't know, but I wonder if this isn't just a bit of soft peddling so as not to ruffle too many higher-up feathers who are reading this policy piece.
Her report then provides a pair of pull quotes to set the stage for a bit more background. The first quote is from Alexei Bulazel, incumbent special assistant to the president and National Security Council Senior Director for Cyber. Alexei says quote America has incredible offensive cyber power. We need to stop being afraid to use it. I dearly hope that America has incredible offensive cyber power and that the only reason we haven't seen more evidence of it is that we've been afraid to use it. That suggests that it might be available if and when needed. Jeremy Fleming, former GCHQ director, is quoted saying geopolitical conflicts are increasingly shifting to cyberspace, including tensions between the US and China. Technology is therefore no longer just an area for opportunity, but also a battlefield for control, values and influence. Unquote. Okay, so here's the background Winona provides to preface her more detailed analysis that follows, which I'm not going to share, but the background has got some good stuff in it.
She says China and the United States are engaged in strategic competition in cyberspace, while cyber operations are often an overlooked area of geopolitical power, both countries' militaries, intelligence communities and law enforcement agencies conduct cyber operations. They do so to obtain intelligence crucial to national security, assist conventional military operations and even create kinetic effects to achieve strategic goals. To make a cyber operation possible, one must have the capacity to break into a particular system. I want to repeat that, because this is where the whole thing turns To make a cyber operation possible, one must have the capacity to break into a particular system. Offensive cyber capacities, and particularly zero-day vulnerabilities, are the necessary strategic resources required to conduct such operations. In other words, that's it. That's what we need. That's the future Zero days, we need them, she writes.
The United States clearly wishes to further leverage its cyber prowess in the international arena, particularly against the People's Republic of China. Doing so would help the United States protect its vital national security and economic interests, international partnerships and norms. However, to operationalize a cyber power strategy, the United States must acquire enough high-end capabilities to ensure it can achieve such strategic goals. Moreover, the timeline for implementing these policies is urgent, given the increasing potential for conflict with China in the coming years. Thus, given the international privatized offensive cyber capability marketplace, let me say that again given the international privatized offensive cyber capability marketplace, how can the United States and its allies continue to ensure the availability of offensive cyber capabilities, she says, focusing on zero-day vulnerabilities, while limiting China's access to those same capabilities? In other words, we want to buy them, we don't want them to be able to buy them.
Cyber operations consist, she writes, of a variety of offensive cyber capabilities. Many of the most crucial cyber capabilities involve the exploitation of zero-day vulnerabilities, also known as zero days or O days. Zero-day vulnerabilities and I'm repeating, we all know this, but I'll just set the context vulnerabilities and I'm repeating, we all know this, but I'll just set the context Zero-day vulnerabilities are issues or weaknesses, bugs in software or hardware typically unknown to the vendor and for which no fix is available. In other words, the vendor has had zero days to fix the issue. Some of these vulnerabilities are exploitable. An actor with knowledge of the vulnerability could write code that takes advantage of said vulnerability. This results in a zero-day exploit code enabling a range of behaviors that could include establishing access into the computer system. The software is installed on escalating privileges on those systems or remotely issuing commands. You could tell this woman knows of what she speaks and she was, after all, in Google's exploit world.
The work of finding vulnerabilities and writing exploits, thanks to its strategic necessity to governments worldwide, has become get this the work of finding vulnerabilities, writing exploits, thanks to its strategic necessity to governments worldwide, has become a billion-dollar international services industry. In the last 20 years. During this podcast, a billion-dollar international services industry has appeared selling exploits to governments, she writes. Private firms now often create cutting-edge offensive cyber capabilities for governments. Given the sensitivity around supporting government cyber operations, many of these firms do not openly advertise their services, shrouding the industry in secrecy. Between this secrecy and the variation in products offered for example, governments target different technology systems and no two zero days are identical.
The supply chain for such capabilities is not only opaque to outsiders, but also to governments and even among players in the industry. Within this highly fragmented and opaque market, large firms like the United States L3, harris or Mantech frequently hold multimillion-dollar valuations. Notably, israel's NSO groups' worth reached $1 billion at its peak. Meanwhile, individual US government agencies receive millions of dollars to procure offensive tools. Such companies' tools have clearly been purchased by such government agencies and put to use in modern-day cyber operations exploited in the wild in 2023 and 2024 by Google, around 50% of them were attributed to commercial vendors that sell capabilities to government customers. Again, half of the zero days that Google found through 2023 and 2024 are directly attributable to commercial vendors selling them to government customers. She says. While this statistic only encompasses detected zero-day exploits, this is still a significant set of capabilities being provided by private sector actors, private companies selling to government customers.
She says the offensive cyber capability industry itself is international and ranges in professionalism depending on the region. Companies in Russia, israel, spain, singapore and the United States all have varying relationships with their home governments, other firms, including middlemen and brokers, international government customers and even cyber criminal groups. However, the study of offensive cyber capabilities has largely over-indexed on firms based in Israel and Europe, rather than the United States' greatest political rival, china. This is surprising, as the Chinese hacking and cybersecurity ecosystem is robust. Chinese companies have, on multiple occasions, been directly linked to Chinese government-sponsored cyber operations against the United States. Moreover, the development of offensive cyber capabilities in the United States remains largely unstudied or examined in a way that does a disservice to the domestic hacker community. In other words, she just said what I keep talking about on this podcast is that what's going on here. We don't ever see anything Right.
She asks why is this question important? At first glance, it can be difficult to see why the private sector zero-day exploit market a series of obscure companies selling code that can enable governments to break into widely used software would be important in preserving national interests in cyberspace, particularly against China. A simple explanation of this relationship is as follows the United States and its allies rely on an increasingly digital world, and China is both a savvy adversary and a hardened target in cyberspace. When any country's intelligence community wishes to infiltrate high-value hard-to-access digital targets, it likely must use zero-day exploits or other bespoke in other words, custom-made or tailored offensive cyber capabilities. Intelligence organizations from both the United States and China, due to decreasing internal supply and rising demand for such capabilities, have increasingly relied on acquiring such exploits from the private sector zero-day exploit market. However, the private sector zero-day market is murky and more international than policymakers expect. Even if the United States and China are truly entering a new Cold War, both countries' cyber capability firms and Cold War. Both countries still sorry. Both countries still source these capabilities from an overwhelmingly opaque international market of offensive cyber capability firms and do not know if they are being supplied with potentially overlapping capabilities. In short, any cyber operation that relies on an acquired capability conducted by the United States, china or anyone else carries a counterintelligence and operational security risk, with no guarantee that they can source a similar capability in the future. The cyber supply chain, which means understanding the industry, constraining malicious actors and ensuring availability from trusted parties, is important to address such risks.
While former President Joe Biden's administration sought to constrain private sector actors with additional regulation and placing bad actors on the enemies list, these policies were framed around human rights concerns largely out of Europe and Israel. President Donald Trump's administration is moving away from this approach, focusing on China as a geostrategic threat over transnational digital repression framings, as well as signaling willingness to engage with private sector actors in the space. The Trump administration, as of 2025, has accelerated plans for a US Cyber Command 2.0, focusing on working better with private industry partners. This is a continuation of the first Trump administration's policies. Trump was the first president to delegate the authority for offensive cyber operations down to the Secretary of Defense, allowing US Cybercom more leeway to conduct operations without presidential approval, albeit still with a robust interagency review process. And finally, if the United States wishes to further leverage its cyber prowess in the international arena by leveraging private sector partners, does it have the supply chain and acquisition capabilities to back it up, especially if its adversary is the People's Republic of China?
Although the author does not condone general analogies between cyber and other domains, supply chain and acquisition analysis in the cyber domain can be similar to nuclear or other arms proliferation. For example, to answer whether a country has the capability to construct a nuclear weapon, one must understand how much enriched uranium the country can easily acquire. Similarly, she writes, to answer whether a country can become a cyber power that can access the hardest of digital targets, one must ask how easily it can source and acquire zero days and other offensive cyber capabilities. So Winona made assertions, a lot of assertions, in what I just read. In nearly every case, those assertions were followed by a reference in her text to their source. So none of this was just her opinion, regardless of how well-informed it may be. So we have a somewhat bizarre new world where governments need to purchase newly discovered zero-day vulnerabilities from anywhere they can be purchased, and where the anywhere they can be purchased is an entirely ad hoc mishmash of entities, from someone in their mother's basement to an international weapons dealer or a public government contractor. If we were to extend Winona's uranium acquisition analogy a bit, this would be analogous to tens of thousands of individuals, each with their own little backyard uranium enrichment operation, who then sell what they've created to the highest bidder or to someone they trust.
She offered some interesting numbers to give us a sense of scale of what's going on today. She wrote live hacking competitions, where hackers hack into systems live on stage, and bug bounty programs, usually company-run reward programs that encourage hackers to find and report system vulnerabilities, enable hackers to develop similar skill sets as those required for government-sponsored hacking. These programs and competitions are both common recruiting pipelines for defensive cybersecurity companies and offensive vendors alike. Common recruiting pipelines, she said. The number of individuals that participate in such programs globally is staggering. In 2020, hackerone, a well-respected bug bounty program, reported around 600,000 contributors spanning 170 countries. A 2024 survey of BugCrowd, one of the largest bug bounty and vulnerability disclosure companies on the internet, revealed most of BugCrowd's over 200,000 hackers hailed from India, egypt, nigeria, pakistan, nepal, vietnam, australia and the United States. 78% of them are self-taught. 78% are self-taught and 58% of them were under 25 years old. While not all of these individuals possessed the skills to find zero-day vulnerabilities and write code to exploit them, multiple security experts interviewed estimated that there are likely thousands of international individuals able to do so, with numbers in the low hundreds that could be trained to do so, with numbers in the low hundreds that can be trained to do so. Well, okay, so we have an informal community of hackers who are potentially able to make a bunch of money, but, as the saying goes, don't quit your day job. Winona provides some interesting background to that writing.
While selling offensive cyber capabilities, and particularly zero-day vulnerabilities, to governments is a lucrative profession, it's a risky industry. Creating a zero-day exploit to leverage against a widely used technology product may require between 6 and 18 months of full-time engineering and research work, unless an offensive cyber capability firm has multiple engineers working on different products or uses different payment schemes, meaning salaries. This timeline can lead to long down times between exploit sales, and this is what she means when she says this feast or famine payout schedule carries risks for companies that rely on one or two windfalls a year to pay their overhead and engineering costs. In addition, finding a customer to sell exploits to is more difficult than it first seems. In general, potential sellers must find an existing government contract through which to sell their exploits or know the right government individual to speak with. Unless an offensive cyber capability firm has hired employees who've recently left a government interested in such capabilities, actual buyers may be extremely hard to find. Thus, international hackers without former government connections normally sell their products to middlemen, many of whom operate internationally, like Zerodium.
Right, we've talked about Zerodium a lot in the past. This is exactly that. Even then, the exploit may go through multiple levels of middlemen to get to a government customer. This frustrates both buyers and sellers. Buyers know that exploits sold to them have extremely high markups given the number of middlemen involved, and often will not know who the original bug producers are. Meanwhile, the sellers are likely aware of the extreme markups, but they don't know whether their bugs were sold to multiple governments. So she quotes a former official with the Office of the National Cyber Director saying an individual researcher who is not informed on what bugs are selling for may sell a good bug for $100,000. By the time it makes it to a customer.
An individual bug could go for $750,000 to $1 million, and a senior this is the national cyber director saying this, and a senior DOD official working on offensive cybersecurity research programs, who thus knows exactly what he's talking about, says, quote the system by which zero day vulnerabilities are required is horrendously inefficient and broken, that there is a system of middlemen who are not contributing anything meaningful beyond their connections and contacts within government, and they almost certainly owe their loyalty only to the dollar, not to any nation. Nothing prevents them from double dipping. We know that money motivates, so if a program existed to cut out the middlemen, to protect hackers legally and to allow governments to purchase those vulnerabilities directly, hackers could be making 10 times the money and have 10 times the motivation. The motivation they would also have the assurance that their work would only go to help the company, the country they wish to help, and not their country's enemies. The problem is that there's a well-deserved, prevalent mistrust of government within the hacking community. Winona reminds us of a bit of this past writing.
Undermining all these efforts is the anti-government sentiment that remains strong within the US cybersecurity and hacking community, which likely contributes to difficulty in maintaining an offensive talent pipeline. Much of the original US hacking community emerged from countercultural activities like phone freaking, she says in parens. Ie bypassing Pac Bell telephone lines to make long-distance phone calls without paying. She said law enforcement responses from the 1960s to the early 2000s treated many hackers as criminals rather than as innovators. Data disks from teenagers in 14 American cities and charged individuals who managed the hacker magazine Frack with interstate transport of stolen property. The charge was based on information published by Frack that later proved to have already been widely publicly available. The arrests and subsequent court cases resulted in the creation of the Electronic Frontier Foundation. While the US government has made significant strides toward repairing their relationship with domestic hackers in recent years, anti-government sentiment still persists. And of course, leo, we all remember our friend being arrested and handcuffed at McLaren in Las Vegas as he was leaving, you know, trying to go back to England.
2:54:24 - Leo Laporte
So we also remember the wonderful scene in Good Will Hunting, where Matt Damon is. They attempt to recruit Matt Damon to the NSA and you know he has a fairly good, cogent reason why he would never work for the nsa. Yeah, so I recommend that if people haven't watched the movie. I wish I could play the sound, but I don't want to get taken down, it's a great scene, yeah, so yeah, uncle sam.
2:54:47 - Steve Gibson
Uh, you've been a big bad bully in the, and now you want and need the brains of those people whose rights and freedoms you blithely ignored out of your own fear of the unknown. Not cool, there is so much content in this fantastic 44-page paper that I've had to skip over, so all I can do is commend this to any of our listeners who are interested in knowing more. The paper goes into much more depth about the many significant challenges presented by the way the US is organized versus the comparative ease that China's processes face.
2:55:29 - Leo Laporte
So anyway, Well, also, they have a kind of compelling regime where you don't think you have a lot of choice. Yeah, right, yeah, by the way, I don't know if you saw it last night uh, one of the chinese nationals associated with salt typhoon was arrested in italy and the us is seeking extradition, so that will be interesting to follow.
2:55:51 - Steve Gibson
So we come away with a much better appreciation for what's going on out in the world of offensive warfare. Offensive cyber warfare is 100% about penetrating into one's perceived adversary's networks. That's it. And in turn that's all about leveraging exploitable zero-day which is to say currently unknown vulnerabilities that exist in the devices attached to that network. What's really interesting is that there's an inherently level playing field when it comes to discovering these potentially ultra-valuable zero-day exploits. I would like to be seeing hackers getting paid much more and not having this, you know, lining the pockets by huge factors, huge multiples of the middlemen. Anyone anywhere can make a discovery of a flaw in software, then work to engineer that into a working exploit, and we heard more than half of the what is almost three quarters are self-taught and more than half of these of these hackers are less than 25 years old. When you've created a working exploit, the holder of that intellectual property has an asset worth potentially a million dollars, but only if that intellectual property can be conveyed to a deep-pocketed government that in turn, has the means to exploit it for its own ends. Today, opportunists who may provide some value, such as mutual anonymity for both the buyer and the seller, are taking the lion's share of the value for a hacker's work, because only they are able to turn that highly valuable and volatile intellectual property into cash. Hackers who receive only 10 cents on the dollar are much less incentivized to hunt down tomorrow's exploit.
Yet what we have learned is that offensive cyber warfare is all about having that next exploit. It's called a supply chain because it creates a supply, and that's what it needs to do. It's clear that the US government itself needs to emerge from the shadows. It needs to become a well-advertised, high-value explicit buyer of zero-day exploits. It has to stop being ashamed or embarrassed by that. It needs to put the middlemen out of business. It needs to provide irrevocable protection to any hackers against any form of blowback for their work in discovering valuable cyber attack tooling. It needs to be widely known that it's possible to become wealthy from selling zero-day exploits to Uncle Sam. This is not the world I wish we had, but it's today's reality. If having a strong deterrent helps to keep the peace, then let's get one.
2:59:08 - Leo Laporte
Yeah, one, yeah, yeah, I mean I think there's also been some reluctance on our part to uh escalate cyber warfare because, uh, what? What happens when you escalate is uh, you escalate, yeah, you get, you get a reaction, but it's being escalated with or without us.
2:59:26 - Steve Gibson
so yes, it's how it's happening. Either way, yeah, yeah, and and there is this notion if we can maintain an inventory, the problem with zero days is that they're volatile. We have seen many instances in fact, we just covered them on that most recent Pwn2Own where the hackers believe they had zero days, but those just had not yet been updated from the vendors.
2:59:53 - Leo Laporte
Well, there's also the problem of once you use them, you've burned them, so you need many. Yes, exactly, they are consumables, the good news is there seems to be an unlimited supply.
3:00:08 - Steve Gibson
Isn't that bizarre, it's just amazing. Even Apple, with all the work.
3:00:13 - Leo Laporte
Apple has done. Yeah, you'd think we'd have fixed it by now. But you know perfect software and all of that. But I guess not. That's Steve Gibson, ladies and gentlemen. He writes perfect software the world's best mass storage, maintenance, performance enhancing and recovery utility. It's known as Spinrite. He writes it in assembly language. So's fast, it's small and you can get it from him directly at grccom. Just finished version 6.1. I'm gonna bet on the fact that it took a little while for 6.1 that we shouldn't worry too much about 7.0 yet I have some other things to do first.
I think it might be a little while, so get it. Get it right now, uh, if you don't already have it at grccom. While you're there, there's plenty of other things to do, including download copies of this show. Steve's uh got all the his versions are unique. All of them he we don't have. We don't overlap at all anymore. He has a 16 kilobit audio version which is a little scratchy but has the virtue of being small. He has a 64 kilobit audio virtue version which is a little bit bigger but sounds, uh, pretty much perfect. We do for some reason 112, so I know the reason, but it's 128 kilobit audio at our site. So if you want the smaller audio versions, go to Steve's site. He also has the transcripts written by Elaine Ferris. She does a great job with those. The show notes are there. Actually, you could get those show notes mailed to you ahead of time. Steve has a mailing list for show notes and a much less frequent mailing list for new product ideas and things like that. We're waiting for the DNS Benchmark Pro to come out and that'll be the next email you'll get from Steve If you want to sign up for that and get your email whitelisted on Steve's server. Go to grccom slash email grccom slash email. But remember when you enter your email address you still have to check those boxes for those newsletters, because steve's an opt-in kind of guy.
Uh, we have video at our website 128 kilobit audio. But also video at twittv. Slash sn is also. When you get there you'll see a link to a youtube channel a great way to share clips. If you see something you think, oh man, I gotta tell the it department about this, so the boss should know, or whatever. Or maybe you like our advertisers so much you want to send that to your boss. It's easy to clip on youtube and everybody can play back a youtube video.
Uh, you may also and in fact I think probably this would be the best way to get the show subscribe in your favorite podcast client, whether it's pocket casts or ipods or apple's itunes, I should say or google's or whatever it is that you use to get podcasts subscribe, and that way you'll get it automatically. You won't have to think about it. Audio or video, your choice. When you do go to those sites, if they allow reviews, please do us a favor, do steve a solid and leave a five-star review. Let the world know how great security now is if you are in the club. Well, thank you.
First of all, your membership supports everything we do, including this show. It's 25 of our operating expenses come from our club twit members. So you, you guys, are golden. You get access to the Discord. You get a special video feed just for you. You also get special programming. We're going to do our AI Users Group on Friday, chris Markroth's Photo Group coming up as well, our Science Fiction Book Club. A lot of great stuff in the club. Only Find out more at twittv slash club. Twit Club members, as I said, will watch inside the discord on that feed. But there are seven other ways. You can watch live every tuesday, right after mac break, weekly 1 30 pacific uh, that's 4 30 eastern time, 2030 utc. We stream on youtube, twitch, tiktok, facebook, linkedin, xcom and kick seven different places. You can go to watch the show live that way, but you don't have to watch live, download it or subscribe whatever works for you. Do all of them. Do all of the above. See if I have a wonderful week and we will see you next week right here, we'll do.
3:04:26 - Steve Gibson
I will probably have finished hail mary and beyond to artemis by then.
3:04:29 - Leo Laporte
So good, I'd love to get your uh, your thought thoughts on my report in. I'll have my report In hindsight. I really liked it. It just was different than the.
3:04:37 - Steve Gibson
Martian yeah, hard to follow the Martian, no kidding, it was uniquely good. Thanks, tim. Okay, my friend Next week. Bye.