Security Now 1037 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.

0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson. He's mad as heck and he's not going to take it anymore. He's pretty upset about how Microsoft did its patches for the SharePoint server fiasco. You might be upset, too, when you hear about it. A warning about Signal leaving Australia rather than help the Australian government spy on people, plus a solution to verify your age that might not be too bad, or is it? All that and a whole lot more coming up next, on Security Now. Podcasts you love, from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1037, recorded Tuesday, August 5th, 2025: Chinese Participation in MAPP. It's time for Security Now, the show where we cover the latest in security, privacy and, uh, computing and, like that, I don't know, all sorts of stuff. It's really up to this guy over here. This cat. Steve Gibson is the king of Security Now. Hi, Steve. Yo.

0:01:17 - Steve Gibson
Leo, here we are. We have entered August, which is our birth month.

0:01:25 - Leo Laporte
The show's birth month. Yeah, we're approaching our 20th anniversary in just a few days.

0:01:30 - Steve Gibson
That's right. Yeah, I got that wrong one year and Elaine corrected me because, of course, she's been transcribing for almost 20 years now.

0:01:38 - Leo Laporte
Has she been doing all the shows? Really?

0:01:40 - Steve Gibson
Yeah, we got her like a ways in and then I went back and I said let's catch up, let's do them all. So she said, oh, I'd be happy to.

0:01:50 - Leo Laporte
If you go to our website, twit.tv/sn1, you can actually see the very first episode, which was August 9th... 18th, I'm sorry, 2005. So that will be our birthday. It will, yeah. The 18-minute version of the show.

0:02:14 - Steve Gibson
So what happened this week, Steve? Not really anything. There was nothing to talk about back in the day. Ingrown toenail. No, it didn't stay 18 minutes for very long.

0:02:25 - Leo Laporte
We found there was a lot to talk about.

0:02:27 - Steve Gibson
You were worried at first there wouldn't be. I thought we're just gonna run out of stuff to say. Yeah, it's like, uh, no. 20 years?

0:02:33 - Leo Laporte
No, there's no way either of us thought we'd be doing this 20 years later, though, that's for sure. But here we are. Nope, we're going strong and, in fact, we're going to talk.

0:02:43 - Steve Gibson
This week we got China on our mind after the SharePoint fiasco. There are two different aspects of the unfortunate tension that our two countries, China and the US, are continuing to manifest and arguably increase, so we're going to look at both of those. Some things that have come to light since last week we'll start with, but we're going to end up talking about Microsoft's deliberate sharing, weeks in advance, of their release to legitimate, accredited, great Chinese security companies. But China's got the possibility of influencing them. So, anyway, we're going to look at that. There was some really, really, I think, very fair analysis that I want to share about where that is, and we'll see where we come down on that afterwards. But first we're going to, as I said, we're going to follow up on a different aspect of what's come to light about the SharePoint server patch mess. We're going to look at how Russia arranges to spy on other countries' embassies within its borders. It turns out that Dropbox has a password manager, who knew, but not for much longer. I just wanted to give our listeners a heads up in case they might have stumbled into that at some point. Signal is going to leave Australia rather than spy.

YouTube deploys viewing-history age estimation heuristics, which we're going to touch on. Chrome has added a very clever, lightweight extension signing option which will help its developers to prevent the abuse of their own reputations for extensions. Ah, and a domain registrar is coming right up to the line of losing its rights to be a registrar. That's something we've never talked about before. We've looked at it on certificate authorities, but not registrars. So there's some fun stuff there. TP-Link's routers, there's a particular model that our listeners, if anyone happens to have one, I'd say... I really get inertia, right? Unless there's a reason to stop doing something, the industry doesn't. We see this at every end of the spectrum, all across the spectrum. So here's another instance. Also, we're going to look at what is TrueAge and might it be useful for age verification.

I have my own brief update on Artemis, a few comments, and then: with US-China tensions on the rise, should Chinese security companies, even having signed Microsoft's NDA, their non-disclosure agreement, continue receiving weeks of advance notice for forthcoming Microsoft flaw patches? Can they really be expected to honor their commitment not to let something that might be really juicy come along when their own nation seems hell-bent on attacking ours? So, interesting questions. And of course, we've got a great Picture of the Week that I've already had... The email with these notes and the Picture of the Week went out yesterday early afternoon. I got a lot of work done on Sunday and Monday, and I got a lot of great feedback about this one. Leo, you want to center yourself over your ball before you see this picture.

0:06:44 - Leo Laporte
I haven't looked at it. I haven't looked at it.

0:06:45 - Steve Gibson
Our listeners, they're all saying, oh, I can't wait to hear what happens when Leo sees this. I try to save it for the show, so, not always easy. But I always go like this when I open your document. My mother would have once said, hold your horses. I'm not sure that... Keep your powder dry. Maybe, you know, it's like, yeah, all of the above. Yeah, all right.

0:07:10 - Leo Laporte
A great show ahead, as always, with Security Now, and we're thrilled to have Steve here and even more thrilled to have you here. Now, I have to tell you, before we go any farther, about our sponsor, Bitwarden. They've just done something that I needed badly a couple of weeks ago. Bitwarden is, of course, as you know, the trusted leader in password, passkey and secrets management. It's the password manager I use, Steve uses, actually, many of you use, for good reason. Bitwarden's consistently ranked number one in user satisfaction by both G2 and Software Reviews, more than 10 million users across 180 countries, 50,000 businesses. But they just added something that a lot of coders will be very happy to learn about, I will be very happy to learn about. Bitwarden just launched their own MCP server. It's now available on Bitwarden's GitHub. Now, what this does? It enables secure integration between your AI agent and your credential workflows. How often have you used... In fact, I, so.

I was working on vibe coding a TWiT, uh, a client for the TWiT API, and my biggest concern was not putting the API key into the code and then pushing it up to GitHub. Well, now there's a way to do it securely. Uh, they're... The documentation is maybe a little scant right now. Don't worry, they're expanding the documentation. They're also going to expand how it's distributed, but right now you can go... I wanted to give you a heads up because you can go get it at GitHub right now.

The MCP server is a secure, standardized way for AI agents to communicate with Bitwarden. Okay, so you've got your Claude Code or whatever you're using. You tell it about the Bitwarden MCP agent. It can even fetch it and then say, now use that to store those secrets. You'll benefit from, first of all, local-first architecture for security, right?

The Bitwarden MCP server runs on your local machine. It keeps all client interactions within the local environment, minimizing exposure to external threats. You're not sending passwords or API keys or secrets across the internet. It integrates with the Bitwarden command line interface too. How many, I mean... This is another great thing about Bitwarden: they have a CLI. Users, you know, I use the GUI most of the time, but occasionally, especially when I'm on Linux, I like having the command line. Users can also opt for self-hosted deployments, for greater control over system configuration and data residency. It's an open protocol for AI assistants.

MCP servers enable AI systems, as you probably know, but if you don't, to interact with commonly used applications: that can be content repositories, business platforms, developer environments. It's nice because it's a standardized, consistent, open interface driving secure integration with agentic AI. The Bitwarden MCP server represents a foundational step towards secure agentic AI adoption. Ultimately, right, we're going to have an agent doing all the work, going out, and now you can tell the agent, and, by the way, the passwords, the keys, whatever you need, stored securely in my Bitwarden, and you can use their MCP server to get a hold of it. Isn't that awesome?

Info-Tech Research Group has a paper, Streamline Security and Protect Your Organization. This report highlights how enterprises in the Forbes Global 2000 are turning to Bitwarden to secure identity and access at scale. The report emphasizes growing security complexity. If you listen to the show, you know all about that. With globally distributed teams, fragmented infrastructure, credentials dispersed across teams, you've got contractors, you've got devices, some of them BYOD. Enterprises are addressing credential management gaps and strengthening their security posture by investing in scalable, enterprise-grade solutions like, of course, Bitwarden.

We love Bitwarden. It's easy, it supports importing from most password management solutions and, because it's open source, there's always something new happening with Bitwarden, like this MCP server. It's so cool. The Bitwarden open source code, of course, is regularly audited by third-party experts and you don't have to worry about security. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, CCPA compliant, ISO 27001-2002 certification.

Another thing I want to let you know about: their sixth Open Source Security Summit is coming up next month, September 25th. It's virtual, so you don't have to travel, everybody can go, and it's free. But you have to register for this virtual free industry event at opensourcesecuritysummit.com. opensourcesecuritysummit.com, to explore advancements in open source security and to see how using open source tools can build trust with customers and consumers. We love Bitwarden. Get started today with Bitwarden's free trial of a Teams or an Enterprise plan, or get started for free across all devices as an individual user at bitwarden.com/twit. That's bitwarden.com/twit. I just... I love being able to tell you the news. Bitwarden just keeps getting better and better. bitwarden.com/twit. Thank you, Bitwarden, for supporting the important security work Steve does here and for supporting the security of all of our listeners. bitwarden.com/twit. Okay, shall I scroll up, Steve?

0:13:02 - Steve Gibson
Well, I gave this Picture of the Week the caption, "Not every solution that works should be recommended." Yeah.

0:13:11 - Leo Laporte
That could be the caption of a lot of your Pictures of the Week.

0:13:14 - Steve Gibson
This one will hit you. Not every solution.

0:13:22 - Leo Laporte
You want to explain this? Okay.

0:13:24 - Steve Gibson
So what we have is a very... it's a very simple device. Oh, yes, it's an AC plug, yes, with, uh, wires coming out, maybe five inches or so, that had been stripped and wrapped together, and a wire nut stuck on the end.

0:13:41 - Leo Laporte
Shorted out.

0:13:42 - Steve Gibson
Shorted out. In other words, it is the definition of a deliberate short circuit. What makes this funny is that it's got a tag on it. Just in case someone wasn't sure what this was for, it's labeled "breaker finder." Yeah. And of course the idea here, we fill in the gaps, is that if you're trying to figure out which is the circuit breaker for that plug, because you'd like to turn the power off... Actually, this does both features, it does both jobs at once. You really... it's, you know, finding the breaker is then secondary. Normally you want to turn off the breaker because you're going to do some, you know, electrical rewiring and you want the power off on the circuit that you're using. So here you just plug this handy-dandy little plug into the outlet, which creates a dead short circuit, certainly more than the 15 amps of your typical residential breaker. That'll snap off immediately.

0:14:43 - Leo Laporte
One hopes it'll snap off before things start getting exciting.

0:14:48 - Steve Gibson
Well, melting your hand, or the wires, or the interior of the house.

0:14:54 - Leo Laporte
I hope he threw this out after he made this obviously joke tool.

0:14:59 - Steve Gibson
Well, one of our listeners wrote and said look at the prongs on that plug. I don't see any black scorch marks. So it's questionable whether this was actually ever used.

0:15:11 - Leo Laporte
Certainly hope not. Certainly can't recommend it.

0:15:15 - Steve Gibson
And just so people know, there are neat little tools that homeowners can use where you plug a little transmitter into an outlet and it sends a signal out the wires, and then you're over by the breaker box. You're able to use a probe, in order just to get it near the handle of the breaker, and you'll hear the sound increase when you're over the breaker that's associated with that particular plug. So there are actually recommendable solutions. This will not hurt anybody. In a pinch, I mean, if you had no choice... But no, don't do that. Probably better to just shut the whole house down if you're unable to find the specific breaker. But anyone who's been in a house for long has probably encountered this problem, and one person had an enterprising, not recommended, solution.

Okay. So a bit of additional interesting information surfaced about the Microsoft SharePoint zero-day remote code execution vulnerability after our coverage of this last week. I'm glad I was skeptical of The Register's allegation that someone within Microsoft's MAPP program had leaked the information. We're going to be talking about the MAPP program at the end of the show, of course, but we don't have any evidence of that. I believe The Register picked this idea up, however legitimately, from someone at Trend Micro's Zero Day Initiative, and that was unfortunate because speculation really doesn't have a role here. That initial pre-release of the SharePoint was not the big issue. You know, it's true that somebody was found to be exploiting this vulnerability on July 7th, the day before, you know, one day before the official patch was released on July's Patch Tuesday. But the big mess did not occur until after Microsoft's botched patch was made public. At that point everyone was able to compare the modified new code against the original old code to immediately zero in on the location of the problem and design a workaround for it. But it was still troubling that someone did exploit the original, completely unpatched vulnerability the day before anyone was supposed to know about it. All supposed to be, you know, non-disclosure agreement secret. Nobody knows until the patches come out. So how'd that happen?

ProPublica offered an interesting theory that did not require any of Microsoft's MAPP program participants to leak anything. ProPublica's headline was: Microsoft, get this, used China-based engineers to support product recently hacked by China. In other words, oops. ProPublica's subhead noted: Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software, but did not mention that it has long used China-based engineers to maintain the product. Okay, that's news. They wrote: ...security. The company did not include in its announcement, however, that support for SharePoint, meaning patches, is handled by a China-based engineering team that has been responsible for maintaining the software for years. ProPublica, they wrote, viewed screenshots of Microsoft's internal work tracking system that showed China-based employees recently fixing bugs for SharePoint on-prem, the version of the software involved in last month's attacks. Microsoft said the China-based team, quote, is supervised by a US-based engineer and subject to all security requirements and manager code review. Then they also said, work is already underway to shift this work to another location, unquote. Yeah. It's unclear, they wrote, if Microsoft's China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on US government systems can pose major security risks. Laws in China grant the country's officials broad authority to collect data, and experts say it's difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement.

The Office of the Director of National Intelligence has deemed China the, quote, most active and persistent cyber threat to US government, private sector and critical infrastructure networks, unquote. ProPublica revealed, they wrote, in a story published last month, that Microsoft has, for a decade, relied on foreign workers, including those based in China, to maintain the Defense Department's cloud systems, with oversight coming from US-based personnel known as digital escorts. But those escorts often don't have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed. Okay, now I'll just note also that this escort service Microsoft runs would not prevent foreign coders from learning about vulnerabilities. They must know about vulnerabilities in order to fix them. So this entire digital escort concept seems like a crock, at least as regards controlling leakage of information. ...who were concerned about the company's foreign employees and to meet the department's requirements that people handling sensitive data be US citizens or permanent residents.

Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives, quote, substantial revenue from government contracts, unquote. ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce. So this, of course, is where we march out our favorite byline or slogan: what could possibly go wrong? In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies' reliance on foreign-based engineers to support the department. Senators Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica's investigation, to demand more information about Microsoft's China-based support. And they ended their coverage of this by writing: Microsoft has said that, beginning next July, it will no longer support on-premises versions of SharePoint.

0:24:03 - Leo Laporte
It's almost a year.

0:24:09 - Steve Gibson
Yeah, it has urged customers to switch to... and this is the problem, is nobody wants to switch. And I actually, I've got some great feedback from one of our listeners that I'll share next week, who explains in some detail what enterprises really do face. I mean, and it is such a mess, Leo. I mean, oh, you know, it's, you know, you'd rather buy... Well, there's a solution.

0:24:33 - Leo Laporte
Fix your software.

0:24:33 - Steve Gibson
Microsoft, yes, exactly. That's, ultimately, that's the problem. Exactly right, they wrote it. Microsoft has urged customers to switch to the online version of the product, which generates more revenue. This is ProPublica, I know it sounds like me, but no. Generates more revenue because it involves an ongoing software subscription as well as usage of Microsoft. The Azure cloud computing business has propelled Microsoft's share price in recent years. On Thursday, it became the second company in history to be valued at more than $4 trillion. Wow. And that's because subscriptions, baby, if you can get those, yeah, yeah, yeah. Okay. So now it might be, Leo, that the call was coming from inside the house.

Microsoft's own China-based coders were the maintainers of the SharePoint code base. Oh no. This means, oh my God, that they were the ones who directly received the early information about the SharePoint vulnerability from the Pwn2Own competition by way of Trend Micro's Zero Day Initiative. It was Chinese coders who prepared the patch. But knowing this begs another, even greater and, frankly, far more worrisome question: could the patch, whose initially defective design caused the majority of the damage, have been deliberately botched by these Chinese developers? I'm not saying that that happened, but the circumstances at least present the question, and I think it at least needs to be asked.

We would always assume that any botched patch from Microsoft could only be a mistake. What could Microsoft possibly have to gain from fumbling a patch of a critical CVSS 9.8 vulnerability in their own widely deployed enterprise file sharing server? At the very least, it's significant reputational damage. The tech press is now comparing the SharePoint fiasco to the similar 2021 Exchange Server debacle. That's widely viewed as having been a catastrophe. But now we learn that the flawed patch didn't really come from Microsoft, at least not directly. The bad patch actually came from China, apparently subject only to some low-level oversight by a Microsoft escort. Well, by the way, did you read who these escorts are?

They're not technical, they're military, they're just some guys, right, that the DoD said, okay, we're gonna, you know, give you a chair. Yeah, and you, you just sort of, you know... They're not sufficiently technical to, for instance, notice the patch fixes the symptom, not the cause.

0:28:00 - Leo Laporte
Right, right.

0:28:04 - Steve Gibson
And so then we learned that Microsoft has decided to change, now, has now decided to change that development process to move it away from China. Chinese state-sponsored attackers are actively attacking US assets. There's no denying the fact, and we know from backtracking the IP addresses that were found to be attacking Microsoft's on-prem SharePoint servers. It was those same well-known Chinese state-sponsored attackers who jumped on this vulnerability with a vengeance. There's one other aspect that's been missing from all the reporting, and that's to note that the fact that the first attack on SharePoint servers was detected on July 7th, the day before July's Patch Tuesday, does not mean that July 7th was the first day of any attack.

We've talked about this many times before and we've seen it in practice. The optimal strategy for anyone who's in possession of an unpatched, critical, unknown zero-day remote code execution exploit is to use that unique advantage with extreme care so as to remain off the radar and prevent the raising of any alarm for as long as possible. You want to carefully choose your targets, remain quiet and infiltrate the most valuable networks first, before the rest of the world wakes up to the fact that on-premises SharePoint servers can be remotely compromised. What we now know is that Chinese developers working for Microsoft would have been informed of this shortly after May's Pwn2Own competition. And now even Microsoft appears to be uncertain of where their loyalties lie. And now we also know that the patch did not completely work, whether or not this occurred deliberately. In this instance, it seems the height of recklessness for Microsoft to be outsourcing its software development to China, while China is actively and successfully attacking the same software systems it's developing for Microsoft. What's wrong with this picture?

0:31:19 - Leo Laporte
It's really suspicious.

0:31:21 - Steve Gibson
Now that you say this, I mean, it was a bad patch. It didn't work right, and, as a consequence, the US suffered tremendous damage. Yeah, all the damage was subsequent to the first patch.

0:31:35 - Leo Laporte
Right, and who did that benefit? Yeah, and who did that hurt? Yeah. Microsoft wouldn't have done it on purpose.

0:31:41 - Steve Gibson
No, no, it would have been reputational damage for them, but by making it a bad patch... She's okay. Oops. And we've seen it before. It's not like it's the first time this has happened, and so even Microsoft now appears to have reached a similar conclusion and has said they'll be moving this activity elsewhere. Well, not a moment too soon. Microsoft, ouch. Unbelievable. Yeah, and you couldn't make this up.

0:32:13 - Leo Laporte
This is like fiction. I know, it's amazing, but nobody would believe it. Nobody'd say, well, of course they're not going to use China to fix the bug. Oh boy. Yeah, jeez Louise. Yeah, and Leo.

0:32:30 - Steve Gibson
They have an escort. What could possibly go...

0:32:32 - Leo Laporte
...wrong? A babysitter who doesn't know anything about coding. Yeah, well, good, good reporting from ProPublica. Uh, they're really good. I'm very impressed. Yeah, they did a...

0:32:46 - Steve Gibson
They did a great job on saying, you know, you might want to think about this. Yeah.

0:32:51 - Leo Laporte
And somebody made a point in the Discord that even if you did the patchwork in the United States, we're so compromised at this point you don't even know if that would be good enough. I mean, they needed, clearly, wherever they're doing it, a chain of command of competent people reviewing the code. Yeah, multiple people. Why wouldn't they have that? Reviewing the patch, why...

0:33:18 - Steve Gibson
...wouldn't they have that? Well, and, you know, we've talked about this too. Remember those printer flaws, where it took... it was month after month after... I mean, they kept trying to fix it and it just seemed like they were unable to get it right.

0:33:33 - Leo Laporte
You said they probably have an intern working, a summer intern working on it.

0:33:39 - Steve Gibson
Yeah, I mean. So it's... Not only can they not get it right initially, but when someone says... I mean, the people finding the flaws were pointing at it and said, here's the problem, here's what you need to fix, and they didn't. They said, oh... I mean, it's like the guy that it was assigned to fix it said, oh, look, here's the symptom. I've got to keep this from happening.

0:34:05 - Leo Laporte
Right. No, fix the underlying flaw. Isn't that what the AI did? We were talking about that, vibe coding. Yes, and that was Microsoft too, by the way.

0:34:14 - Steve Gibson
Yes, it was. It was over on GitHub. There was a flaw, and the guy who was doing the oversight pointed to the AI and said, aren't you just... It was like, it was a regular expression that, when it was backtracking, underflowed the stack, and so the question was, why is the algorithm causing the stack to underflow? Instead, it put a test on it to prevent the underflow.

0:34:49 - Leo Laporte
We didn't find it without fixing the problem. So, yeah, by the way, I was talking to Paul. That guy is a very senior guy at Microsoft and he caught it. But this is the problem: you have non-senior people looking at these patches who don't have the skills to say, hey, you just fixed a symptom.

0:35:09 - Steve Gibson
And, when you think about it, having a highly skilled person overseeing AI doesn't help. What's going to happen is that AI is going to end up getting one of these DoD, you know, escorts. Let's give the AI an escort. Well, but in this first...

0:35:29 - Leo Laporte
In that case, though, you had this senior guy who caught it and blocked it. It's pretty clear that you didn't have anybody senior looking at this patch, right? You...

0:35:40 - Steve Gibson
...know that, you know, does it fix the problem? Yep, doesn't happen anymore. Okay, okay, good.

0:35:45 - Leo Laporte
They're going to start taking this stuff more seriously.

0:35:51 - Steve Gibson
That's terrible. Yeah. Again, you know, China is the one attacking us and they're writing the software which they're attacking. I'm sure they're very adept coders. Oh yeah, they're as good as we are.

0:36:06 - Leo Laporte
Yeah, better, in many cases. Everybody, very adept coders.

0:36:09 - Steve Gibson
Everybody's got great coders. That's a thing. Now let's take a break, and we're going to talk about...

0:36:20 - Leo Laporte
...Russia attacking their own embassies within their borders, and how that happens. What a day, what a life, what a world. I don't know how we got in this timeline.

We're not running out of things to talk about. We're so not running out of stuff. Well, I'll tell you one thing, we have the sponsors to help your business if you are facing these kinds of issues. This episode of Security Now brought to you by BigID, the next generation AI-powered data security and compliance solution. BigID is the first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate just the way you want it to remediate, that can map and monitor access controls, that can scale your data security strategy. This is such a great tool, along with unmatched coverage for cloud and on-prem data sources. BigID also seamlessly integrates with your existing tech stack. So, yeah, you already have great stuff. We're not going to make you throw it out, but now you can coordinate security and remediation workflows from all your tools. BigID lets you take action on data risks, to protect against breaches, to annotate, delete, quarantine and more based on the data, all while maintaining an audit trail, so important for compliance. And it works with everything. Partners include ServiceNow, Palo Alto Networks, Microsoft, Google, AWS and on and on and on, all the tools. With BigID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. Intuit named it the number one platform for data classification and accuracy, speed and scalability. But, you know, maybe the best way to tell you how great this is is by a testimonial, if you think about it, from a group that has more data in more different places than anybody: the United States Army. BigID equipped the US Army to illuminate dark data, to accelerate their cloud migration, that's been a big priority for the service, right, to minimize redundancy and to automate data retention.
And they got this great testimonial from US Army Training and Doctrine Command. They said, quote the first wow moment with Big ID came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data, across emails, zip files, sharepoint databases and more. To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings us together like Big ID does. That is the US Army Training and Doctrine Command talking.

CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc. 5000 and the Deloitte 500, not once, but four years in a row. The publisher of Cyber Defense Magazine says BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can both mitigate cyber risk and get one step ahead of the next breach. Start protecting your sensitive data wherever your data lives, at bigid.com/securitynow.

Get a free demo to see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI. Again, that's bigid.com/securitynow. Oh, when you get there, by the way, there's a free white paper that provides valuable insights for a new framework. You might have heard about this: AI TRiSM. That's AI Trust, Risk and Security Management. This will help you harness the full potential of AI responsibly, at bigid.com/securitynow. bigid.com/securitynow. We thank them so much for supporting the so important work that Steve does here, helping you understand what's going on out there. So can BigID, Steve.

0:40:49 - Steve Gibson
So Microsoft's threat intelligence group posted a report detailing one way Russia has arranged to intercept and monitor the internet traffic of the foreign embassies operating within its borders. It was so diabolical that I wanted to share it with our listeners. Russian ISPs all have something called SORM, S-O-R-M, which is the System for Operative Investigative Activities. That's this equipment installed on their premises that gives the Russian government the ability to tap and intercept access to any of the ISP's customers. But of course, all communications are encrypted and authenticated, right? Well, that's what Russia somehow needed to get around. What Microsoft discovered has been going on for at least a year. The company attributed the attacks to a group it tracks as Secret Blizzard, and it's a group we've talked about before. They're also known as Turla. Previous reporting has linked the group to something known as Center 16 of the Russian FSB intelligence agency, which manages most of the FSB's signals intelligence units. So all that tracks and makes sense. The group first selects specific targets and redirects them to an ISP captive portal, which happens when you're sometimes connecting through ISPs. That portal explains to the person wanting to connect to the internet that they need to update their Kaspersky antivirus. Of course, Kaspersky is a Russian brand, so it's trusted within Russia. The alleged AV update package actually installs a new root certificate into the victim's computer along with a malware strain known as ApolloShadow. The malware relaxes the victim's firewall rules, while the new root certificate, as we know, serves to legitimize malicious traffic, or at least to accept malicious certificate signatures.

So from that point on, Russia is able to freely impersonate any remote site the compromised target may visit. They perform an adversary-in-the-middle attack, synthesizing a certificate for a remote website on the fly for the target to obtain fully unencrypted and visible plaintext traffic. So they get to see everything that's going on. Anyone using SSL/TLS, even an SSL/TLS-style VPN, whose server certificates chain down to standard local root certs, will have all of their VPN network decrypted and inspected. So I hope that internal embassy IT staff are routinely checking for the appearance of any extra certs or any change to the root stores of the machines that they're responsible for, since otherwise this would be a tricky attack to catch, because we know as users, routine users of remote HTTPS sites, there's no visibility unless we go deliberately looking into which certificate we've received and who has signed that certificate. You've got to bring up the certificate, view the certificate, look at the certificate's chain of trust and see who the signer is, and that can be spoofed as well. So it's a mess.

Microsoft didn't say which embassies Turla had attacked, but taking into account that Turla uses a fake Kaspersky update, their assumption is that it may be Russian-friendly countries from Africa, the Middle East and Latin America that still use software that's been largely banned from official government use across most Western democracies. One would hope that no one in a US embassy in Russia, if we even still have one that's open, I think I remember that we pulled everybody out of there a long time ago, but any Western democracy's embassy, hopefully, is saying "I don't think we want to update our Kaspersky AV because, after all, we're not using Kaspersky AV, so why would we be updating what we're not using?" So hopefully, you know, a little bit of caution would go a long way, but for Russian-friendly countries maybe not so much, and this gives Russia complete access to all of their embassy traffic. I was unaware that Dropbox offered their own password manager. You know, and obviously, Leo, you and I are not using it and I probably never have, but if any of our listeners might have ever used it, inertia being what it is, who knows, some may still be. So I just wanted to mention that Dropbox Passwords, which is the name of this password manager, is being discontinued this coming October 28th, so get ready to switch. I would make the switch now. And of course we recommend one of our sponsors, Bitwarden, as a terrific alternative, getting better all the time.

Good old Meredith Whittaker is once again threatening to leave another country. Signal Foundation's president has been pushed to once again threaten to withdraw all availability of their Signal app, their Signal Messenger app, this time from Australia. She recently proclaimed that Signal would leave Australia if the government attempted to force it to backdoor its encryption or demand unencrypted user data through any means. As we know, she's voiced similar threats to pull Signal from other countries that explored encryption backdoors in the past. We've seen that happen in France, Sweden and the UK and, as we noted last week, the European Union's newest head plans to once again push forward on legislation this coming October. October is going to be a busy month for the security world, Leo. We've got all of Microsoft's stuff that is ending, and the EU is now planning to leave the encryption itself alone and to instead attempt to perform surveillance outside of the encrypted channel, since this might not involve Signal, which accepts incoming data from the underlying OS and asks for its display by the OS, you know.

I wonder what Signal's position would be in that case, because it's not Signal that is being in any way changed or compromised. And of course, that begs the equally interesting question, which is what would Apple's position be, since this would make the design of iOS complicit in turning everyone's iPhone into known surveillance devices. Everything we know about Apple suggests that they would never be willing to turn their iDevices into state surveillance tools. Some sort of reckoning appears to be on the horizon. In the present case of the Signal uproar, the publication Information Age added a little bit of background. They said laws enabling government access to encrypted private messaging platforms would make Signal's Australian operations a gangrenous foot that would have to be cut off by shutting down all local operations. And this is a gangrenous foot. That's what Meredith called it. That was her term.

0:49:48 - Leo Laporte
Sounds like another Chinese ransomware gang, but okay, that's right.

0:49:53 - Steve Gibson
Ongoing demands from the likes of ASIO, whose director, Mike Burgess, has been trying for more than five years to get more power to monitor encrypted messages, have maintained friction between the two communities that has yet to be resolved. Citing the importance of human rights and secure communications as key privacy rights, Signal's president, Meredith Whittaker, told The Australian that, quote, "for many people, private communication is the difference between life and death," unquote. Even if it were technically possible to snoop on Signal messages, which it is not, due to the platform's zero-knowledge encryption design, she warned that Australian laws mandating access via engineered backdoors would risk user security worldwide. With millions of Australians using Signal, Whittaker said withdrawing from the country would "hurt the people who rely on us," those are in quotes, but added that she would not hesitate because, quote, "if you let the gangrene spread, you poison the body," unquote. Among the users affected by such a move, they wrote, would be the government itself which, despite police bans on the use of the apps, has allowed Signal and its disappearing messages to be used by Home Affairs, which is an official office, and other agencies, since COVID began. A recent review of 22 Australian government agencies by the Office of the Australian Information Commissioner, the OAIC, found widespread use of secure messaging apps, even though many lacked appropriate policies for security and transparency. Individuals grilled over their use of Signal included Foreign Affairs Minister Penny Wong and Burgess himself. Even as he continues to agitate for access to apps, he says, are go-to platforms for extremists and, quote, "aggressive and experienced spies targeting Australia."

Whittaker's comments come from reports the government, whose encryption act stopped short of requiring backdoors, has been intensifying pressure on Signal amidst an escalating campaign to strengthen investigation, interrogation and other powers. The focus on Signal is notable, they wrote, given that it has only 40 million users worldwide (WhatsApp's 2.5 billion, WeChat's 1.37 billion and Messenger's 1.36 billion) and accounts for just 0.85%, so less than 1%, of the US messaging app market last year. Yet its user base skews towards government executives, journalists, whistleblowers and other highly security-aware individuals. We know why, right? Because it's the best. Attracted to perceptions that it offers higher security that cannot be compromised by court orders, and, of course, that's the reputation it's got due to Meredith's continual proclamations. They finish writing: concern about laws compromising that security has grown so much that media outlet The Guardian recently tapped the University of Cambridge to develop an open source tool enabling end-to-end secure messaging for whistleblowers inside of its own news app, inside of The Guardian's own news app.

So it's interesting that the Australian government is targeting Signal, and I wonder whether they might be deliberately aiming at a smaller fish first to see whether they can get capitulation from them, then use that to climb the ladder to larger targets, saying, well, Signal did it for us, so why can't you too? Of course, one problem is that it seems very clear that Signal is never going to do anything for them. The other is that politicians who have no understanding of the technology are making these requests. Industry keeps telling all the politicians no and they keep insisting that the industry is just being stubborn and just doesn't want to do it for them. They assume they can ask for any feature they may want and the techies will somehow figure out how to deliver it. In the case of Signal, they may be failing to appreciate that Signal's entire existence surrounds their refusal to capitulate. Meredith's repeated, clear and well-publicized public refusals to compromise on Signal's integrity are of significant marketing value to Signal. As Information Age's article said, that's why the government is using Signal. They're the ones the government trusts to be safe and secure for their own internal messaging. Given the well-publicized moves that the EU may soon be making, that stuff coming in October, I would be surprised if Australia increases its pressure further. I expect that the world will now be waiting and watching the EU. I know that everybody on this podcast will be, and of course we'll be covering that as it happens.

I gave this next piece the title "YouTube Deploys Age Estimation Heuristics." We've spoken about heuristic solutions broadly in the past.

I generally dislike them because they're inherently fuzzy, touchy-feely rules. They're rules of thumb that don't always do what we intend, but there are times when they're all that's available. Last week, the official YouTube blog posted under the headline "Extending our built-in protections to more teens on YouTube," with the subhead "We're extending our existing built-in protections to more teens on YouTube using machine learning age estimation." So here's what they wanted the world to know. They wrote: "People come to YouTube to learn and to be entertained. This is true even for the youngest audiences, and it's why we remain laser-focused..." And, Leo, every time I see that phrase I think, well, you don't have to focus a laser. So I'm not really sure about that.

But okay, "focused like a laser," maybe. Focused like a laser, that's good. "...on making sure they have a safe and age-appropriate experience. Over 10 years ago, we launched YouTube Kids and four years ago implemented supervised accounts for pre-teens and teens. Back in February, we shared that we would soon introduce technology that would distinguish between younger viewers and adults to help provide the best and most age-appropriate experiences and protections. Set of users in the US to estimate their age so that teens are treated as teens and adults as adults. We'll closely monitor this before we roll it out more widely. This technology will allow us to infer a user's age and then use that signal, regardless of the birthday in the account, to deliver our age-appropriate product experiences and protections. We've used this approach in other markets for some time," meaning non-US markets, "where it is working well. We're now bringing it to the US and, as we make progress, we'll roll it out to other markets. We will closely monitor the user experience and partner with creators to ensure that the entire ecosystem benefits from this update. Here's how it works: we will use AI to interpret a variety of signals that help us to determine whether a user is over or under 18. These signals include the types of videos a user is searching for, the categories of videos they have watched in the past or the longevity of the account. When the system identifies a teen user, we'll automatically apply our age-appropriate experiences and protections, including disabling personalized advertising, turning on digital well-being tools and adding safeguards to recommendations, including limiting repetitive views of some kinds of content.

If the system incorrectly estimates a user to be under 18, they will have the option to verify that they are 18 or over, such as using a credit card or a government ID. We will only allow users who have either been inferred or verified as over 18 to view." They will lose access to content that they may have had access to before, because YouTube will decide, okay, based on the history of your viewing experience, we think you're under 18. So now the over-18 content is no longer, you know, showing up in your search results, you don't have access to it, it's not being selected for you and the behavior of the platform changes in age-appropriate ways.

So I think, until we obtain, you know, proper online age verification solutions, heuristics are probably the best we can do at this point, and it's more responsible than doing nothing. And I think it's reasonable for YouTube to examine a user's viewing history and, if they clearly appear to be a younger viewer, modify the platform's behavior to better suit that viewer. And you know, they do offer a path for optionally allowing people to assert that, whoops, you've made a mistake. In my case, I'm not under 18, and you know, I'm willing to prove it to you. So, and Leo, when they talk about the longevity of the account, I assume they mean that if an account is newly created, they'll be much more skeptical, right? Because they don't have a history yet. Or if it's 18 years old, then they know you're at least 18. That's a very good point, isn't it?

1:01:57 - Leo Laporte
Yeah, I mean, YouTube hasn't been around that long, but it's getting there. You know, if you've had it for 10 years, you're probably not a 12-year-old, right?

1:02:06 - Steve Gibson
That's a very good point. Yeah. Google has just rolled out an optional feature they're calling Verified CRX Upload. Now, we talked about the danger presented by the compromise of high-profile extension developer accounts, and it's happened, right? If bad guys are able to somehow get into a developer's account, until now, nothing would prevent them from maliciously modifying the extension, uploading it to the Chrome store and causing all instances of Chrome to update and begin using the malicious code. Now Google allows developers to create a 2048-bit RSA public-private key pair and to provide the public key to Google for use in verifying the signature of any Chrome extension that's subsequently offered by the developer.

Google's instructions to developers make very clear that they must not in any way store their private key in any of their Google assets. Right, because you don't want to put the key where it could be compromised. It should never be uploaded. And in fact, they provide the OpenSSL one-liner, the OpenSSL command one-liner, to generate the key pair in a console session outside of any browser. You know, "openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048", and then they set the output to private_key.pem. And so, once the public key has been provided to Google, no Chrome extension that is not properly signed by its matching private key, and no aspect of Google will ever touch that private key, no Chrome extension not properly signed by the matching private key will be accepted for publication. So I love this. It's very clear. It's very clean and as lightweight as could be. They're adding another, completely independent layer of authentication to the process.

The onus is on the developer to not misplace their private key, as well as to keep it out of the hands of any attackers. But the flip side is the developer gets absolute protection that, if anything should ever compromise their account, the fact that they have an offline private key and know that Google will be checking it against the public key they gave them previously, that protects the developer. So, yeah, the developer's got some responsibility, but they're getting a tremendous benefit in return.

Google's instructions say: "Don't upload the private key to any public repository or other place. Don't store your private key in your Google account. This means someone with access to the developer dashboard through your Google account could publish on your behalf. Consider storing your private key securely using a key store like PKCS #12 or Java KeyStore." And then, warning: "Don't lose your private key. Otherwise you must reach out to CWS support and replacement can take up to one week," because, of course, they're going to want to make sure that you're you and not a bad guy trying to compromise this protection.

So, anyway, this is terrific: minimal, sufficient and bulletproof. No need for any certificate rigmarole, since the authenticated developer is creating the key pair and uploading only the public key to Google, where it cannot be changed once it's been set. So it is a perfect, free and lightweight solution, and this is the kind of thing where it's like, why did it take them so long? But I'm glad it's there now. It's just a perfect way to solve this problem. Okay, Leo, we're going to take a break. Then we're going to look at the interesting case of a domain registrar that's on the ropes right now. We've not talked about this before, but wait till you hear what these clowns have not been doing and what the consequences are. Wow.

1:07:02 - Leo Laporte
Good. Coming up, but first a word from DeleteMe, our sponsor for this segment of Security Now. If you've ever wondered how much of your personal data is on the internet for anyone to see, how would you find that out? How would you figure that out? Oh, how about Googling your name? Oh, I don't recommend it. There's a lot more than you think, not just your name: contact info, your Social Security number. Steve and I found ours on the dark net from a breach. What did they breach? By the way, a data broker. Home addresses, even information about your family members.

All of this data is being compiled, and, by the way, completely legally, by data brokers who then sell it online to anyone who wants it, including foreign governments, our government, law enforcement, hackers. Anyone on the web can buy your private details, and I mean the consequences range from identity theft to phishing attempts to doxing, harassment. We've had all of that happen. In fact, I think every business should be protecting their privacy with DeleteMe, especially for your managers. That's why we started using DeleteMe, because people were impersonating my wife and our CEO and using it to kind of try to hack our employees. Look, I am a public personage. I share my opinions online. I think about safety and security all the time, but for me, because I'm a public person, I don't expect privacy. But if you're a private individual, a manager in a company, if you are somebody whose personal information can be used against you, you should do what we did and hire DeleteMe. It's so easy to find personal information about people online, and until we have a federal privacy law, which I don't think is ever going to happen, I recommend, and, by the way, use DeleteMe.

DeleteMe is a subscription service. It removes your personal info from hundreds of data brokers. It starts by signing up for DeleteMe, obviously, and then giving them, like, there's a questionnaire: what information you want deleted, what you don't want on the internet, what's okay to keep on the internet, and you get to control that, by the way. Then their experts take over. DeleteMe will send you regular personalized privacy reports. We just got another one for Lisa the other day showing what they found, where they found it, what they removed.

The point is, it's not a one-time service. DeleteMe is always out there working for you, constantly monitoring, removing personal information you don't want on the internet. It's not enough just to take it down once. It repopulates. New data brokers spring up all the time. The worst thing is many data brokers, once they get some scrutiny, change their name. They go out of business and then start the business under a new name with all the data. So you've got to constantly be vigilant.

Fortunately, you don't have to do it for yourself. DeleteMe will do it for you. To put it as simply as possible, DeleteMe does all the hard work of erasing you and your family's personal data from those data broker websites, and they keep doing it. Take control of your data. Keep your private life private by signing up for DeleteMe at a special discount just for our listeners. Today you get 20% off your DeleteMe plan for individuals when you go to joindeleteme.com/twit and enter TWIT at the checkout. joindeleteme.com/twit, offer code TWIT for 20% off. This really works well. I know it works because Lisa's stuff is not on the internet. Mine is, Steve's is, but not Lisa's. joindeleteme.com/twit.

We thank them so much for their support of Security Now.

1:11:08 - Steve Gibson
Back to you, Steve. Okay, so through the past 20 years we've looked at many instances where a certificate authority was repeatedly found, documented and proven to be acting irresponsibly, either by design or through carelessness. In those instances, when that behavior did not change, those certificate signers had their signing privileges revoked and their businesses were effectively ended. It's a privilege to be able to charge people for a digital signature, and with that privilege comes the responsibility to do so properly. There's another, somewhat related privilege that the Internet offers, which is the privilege to charge people for domain names they wish to use and to have those domain names registered with the Internet's DNS servers, so that traffic addressed to those domains will be able to find its way to the registrant's domain-based servers and services. I don't recall that we've ever encountered a story of misconduct on the part of a domain name registrar where their continued right to register domain names and charge a nice fee for the privilege was close to being lost. Today we have such a story.

Last Wednesday, the publication Domain Name Wire, there actually is such a thing, posted some news under their headline "ICANN sends breach notice to domain registrar WebNIC." And Leo, you should bring up WebNIC.cc. It looks like a going concern. I mean, it's like, who wouldn't trust these people? But just wait till you hear. You know, wow. The subhead of Domain Name Wire's coverage was "Domain industry overseer," which, you know, would be ICANN, "says domain registrar is lax," and boy are they, "when investigating and responding to DNS abuse complaints." Here's how the story was told by Domain Name Wire, and we've got it here on the screen, Leo. I mean, it looks like a legitimate, like, who would not trust these guys, right?

Oh, look at that DigiCert Wow, wonderful. And you know they're name dropping and they've got logos for everybody. Turns out they're doing something wrong with the ICANN logo, which is part of this.

1:13:47 - Leo Laporte
Yeah, the ICANN logo is on here.

1:13:49 - Steve Gibson
Yeah, yeah, and apparently it's not supposed to be in the way that they did it. Anyway, the guys wrote: ICANN, you know, I-C-A-N-N, has sent a breach notice to Web Commerce Communications Limited, DBA, doing business as, WebNIC.cc, a fairly large domain name registrar in Asia. WebNIC has about 500,000 .com domain names under management, in addition to domains in other extensions. ICANN says the registrar is not complying with section 3.18.2 of the Registrar Accreditation Agreement, that's the RAA, we'll be hearing that abbreviation a lot, the Registrar Accreditation Agreement, which addresses DNS abuse mitigation. In other words, people who have registered domains there are abusing their domain names egregiously without any consequences. They wrote: the organization said WebNIC failed to follow appropriate steps when receiving DNS abuse complaints. ICANN's notice said, and now they're quoting ICANN:

"ICANN has observed a concerning pattern regarding DNS abuse mitigation requirements in cases involving WebNIC. In multiple instances reviewed by ICANN Contractual Compliance," that's an official department, ICANN Contractual Compliance, "actionable evidence of DNS abuse was provided to the registrar through abuse reports. However, mitigation actions were repeatedly delayed and, in some instances, only taken after the abuse reporter escalated the matter by submitting a complaint to ICANN. The registrar frequently issued repeated requests for evidence to abuse reporters, even when the abuse reports appeared already to be actionable, and failed to fully consider information or clarifications provided by the abuse reporter, ICANN or otherwise reasonably accessible to the registrar. In other cases, the registrar requested evidence from the abuse reporters that did not appear to be relevant to the reported activity, causing additional delays." In other words, this registrar is just not doing their job, not holding up their end of the agreement, literally. The reporting said ICANN said the registrar frequently responds to ICANN Contractual Compliance notifications on the last day of the deadline or after it has passed, and those responses are incomplete. Additionally, ICANN says the registrar is not displaying information on its website that is required, including the details of the registrar's deletion and auto-renewal policies, the registrar's renewal and redemption/restore fees, the methods used to deliver pre- and post-expiration notifications, the name and positions of the registrar's officers and the name of the ultimate parent entity. ICANN Compliance has been contacting the registrar about issues since at least February of this year. Finally, WebNIC has until August 19th, that's two weeks from today, to cure the violations or ICANN will begin the termination process.

So once again, this just makes me shake my head. More than 500,000 .com domains in addition to many others. That enterprise is probably generating at least 10 to 15, probably many, many more, million dollars per year for basically just setting up an e-commerce website, taking registration information and maintaining accounts. And apparently, just as we've seen several times in the past with the certificate authority business, the owners and managers appear to have lost sight of the fact that this ability to print money is a privilege, it's not a right, and it's a privilege that can be withdrawn and lost, and we have seen that happen over on the CA side. So this made me curious to know what these WebNIC people had and had not done. So I tracked down the notification that ICANN had sent to WebNIC, and once again we see that ICANN is falling all over themselves to give these apparent cretins every benefit of the doubt and chance and opportunity to save their own skins. The notice that I found indicated that it had been sent on July 29th, that's exactly a week ago, and it was transmitted, finally, after months of communication failures, via electronic mail, facsimile and courier.

Here's what ICANN sent, with the title "RE: Notice of Breach of Registrar Accreditation Agreement." They wrote: "Please be advised that, as of 29 July 2025, Web Commerce Communications Limited, DBA WebNIC.cc, hereinafter referred to as WebNIC or Registrar, is in breach of its 2013 Registrar Accreditation Agreement with the Internet Corporation for Assigned Names and Numbers, ICANN, dated 25 October 2023, the RAA. This breach results from WebNIC's failure to comply with Section 3.18.2 of its RAA concerning domain name system abuse mitigation." So, under "Apparent Concerns," this notice then lists those website documentation issues that were mentioned, and notes that the ICANN logo on WebNIC's website does not appear to conform with the requirements in the Logo License Specification of the RAA.

WebNIC must take the following actions by 19 August 2025, 21 days from the date of this letter, and since that was one week ago, that's two weeks hence. So, exactly, you know, here are the steps that ICANN requires of WebNIC by two weeks from today. First, they wrote: "Explain all steps the registrar took to reasonably investigate and reach a determination regarding the use of the domain names us-ledger.com, uni-stores-info.com, tronlinktrading, troninc.net, theuni-swap.com, radiumx.org, kodiak-finance.org, app-uni-infos.com and kepler-apps.net for DNS abuse, before and after being contacted by ICANN Contractual Compliance regarding these cases. The explanation must include evidence of each step taken and the date each step was taken."

So there's a list of domains that have been under significant abuse such that the registrar was contacted, told what was going on, given evidence of what was going on by probably legitimate security firms, you know, CrowdStrike, Palo Alto Networks, we know them all. We report on their actions. They're the guys who see bots and spam and phishing and all this and say to the registrar, hey, you've got some bad guys who registered domains with you and you need to take them down. Silence, static, nothing. When nothing happens, then the security firms contact ICANN and say, hey, we've reported to this WebNIC.cc gang that bad guys are abusing their domain name privileges and we've never heard anything from them. They're just ignoring us. So ICANN tries to do it and they ignore them too.

Second thing on the list: "Explain why the evidence that the registrar possessed regarding the use of the domain names listed in item one, at the time the registrar investigated the initial abuse reports submitted by the reporters, was deemed insufficient to compel WebNIC to reasonably investigate and determine whether the domain names were being used for the specific type of DNS abuse reported, if applicable." In other words, we're going to assume you are honoring your agreement. So we're confused. Explain to us, in each case, why, after investigating these reports, as we assume you did, because after all you're a domain registrar in good standing, the evidence that you obtained from your investigations failed to motivate you to take action. We need to understand that, and you need to provide evidence that convinces us. Right. Good luck.

Point 18 of the RAA, "and this description must include: A, each step of the process and the date the step was implemented. B, the target response and mitigation timelines at each stage of the process and how unnecessary delays are prevented and tracked. C, the criteria that the registrar will generally use for evaluating the sufficiency and relevance of evidence submitted in DNS abuse reports. And D, an explanation of how and how often the registrar will monitor and measure the effectiveness of this process to ensure continued compliance with DNS abuse mitigation requirements." In other words, you guys are so deeply dug into this doghouse that you're going to have to really shape up here.

Number four: "Provide a link to the location on the registrar's website where WebNIC displays the following information: its renewal and redemption/restore fees," because, you know, we've been unable to find it so far, "a description of the methods used to deliver the registrar's renewal notifications, the registrar's deletion and auto-renewal policies, the names and positions of the registrar's officers, the names of the registrar's ultimate parent entity, the correct ICANN logo, in accordance with the Logo License Specification of the RAA, or remove the ICANN logo from WebNIC's website." Five: "Provide evidence that the registrar's registration agreement includes a link to the fees and descriptions referenced in items 4A and 4B above," and "provide the remediation measures the registrar has implemented, including the dates of implementation, to ensure that WebNIC provides full and timely responses to ICANN Contractual Compliance matters."

"If WebNIC fails to timely cure the violations explained in this notice of breach and provide the information requested by 19 August 2025, ICANN may commence the RAA termination process." In other words, we have finally run out of patience with you. You have exactly three weeks to explain your past flagrant lack of compliance with the agreement under which you are being allowed to print money, to bring yourself into compliance and to prove it. If you once again fail to heed these warnings, as you repeatedly have all year, you will find that all of the domains you have had the privilege of renting to your customers will cease to function. They will be deregistered from the internet's DNS and you can deal with the fallout from that. Have a nice day.

1:29:28 - Leo Laporte
Did they write "have a nice day," or did you add that? No, no, no. That's okay, that's going to be a very bad day. Yes. What happens to somebody who has a domain registered with them, if they get there? We're going to get to that.

1:29:42 - Steve Gibson
Okay, good. Yes, there was also an attachment to this which was interesting. It was titled "Failure to Comply with DNS Abuse Mitigation Requirements," and it read: "Section 3.18.2 of the RAA requires registrars to take prompt mitigation actions when they reasonably determine that a registered..." So this was an attachment to this notice, which is also what they received by email, fax and courier a week ago. So, just like, no excuse for not knowing what agreement you signed a few years ago, which you're in blatant breach of. They said: "Section 3.18.2 of the RAA requires registrars to take prompt mitigation actions when they reasonably determine that a registered domain name sponsored by the relevant registrar is being used for DNS abuse, which for the purposes of the RAA is defined as malware, botnets, phishing, pharming and spam (when spam serves as a delivery mechanism for the other four forms of DNS abuse), as those terms are defined in Section 2.1 of SAC 115. The registrar did not demonstrate compliance with these requirements with respect to the reports addressed in the compliance cases in the chronologies below." I'm not going to go into those. We then have the paragraph that was originally cited in that article, and that was about ICANN having observed a continued pattern of neglect and abuse regarding these issues, and they also said this pattern was observed in multiple cases beyond those referenced in this notice of breach, including compliance cases, and we got four serial numbers. So, I mean, they've just documented the crap out of, you know, the fact that this registrar is basically completely ignoring the work side of their money-printing business and just taking people's money and getting the domains set up for them. So the attachment said: "On 25 July 2025, the registrar informed ICANN Contractual Compliance that WebNIC had implemented certain improvements to its DNS abuse mitigation processes as of 11 June 2025."
"However, a review of case records and communications after 11 June 2025 demonstrates that the registrar remains out of compliance." In other words, you lied to us and we know you lied to us, so we're just writing it down here so that you don't try to say you didn't.

"The registrar has also developed a pattern of responding to ICANN Contractual Compliance notifications either on the last day of the specified deadline or after the deadline has passed, often providing incomplete responses and causing further delays and escalations. Moreover, ICANN continues to receive new complaints exhibiting similar allegations and patterns of non-compliance involving a large number of domain names registered with WebNIC. This ongoing behavior constitutes repeated violations of Section 3.18.2 of the RAA and facilitates the prolonged exposure of DNS abuse to potential victims." In other words, people are being hurt, actively being hurt, by this. So then they have chronologies stating, day by day, week by week, dating back from February, all the back and forth, and basically nothing has happened. They said: "In the compliance cases detailed in the chronologies below, ICANN notified the registrar of the violations, including the relevant ICANN policies, agreements and processes. Each communication requested the evidence, information and actions needed from WebNIC to become compliant."

"Each subsequent communication to the compliance notifications constituted an additional attempt by ICANN to obtain evidence of compliance from the registrar. The telephone call details below describe further attempts from ICANN to communicate to the registrar the details of the cases and to make an ICANN Contractual Compliance staff member available to address any questions in order to assist WebNIC in becoming compliant. All efforts were unsuccessful." Basically, ICANN had just been blown off, as they say. So the bottom line is that the bad guys, malware authors, are using this Asian domain name registrar that's probably become known as a safe haven for registering malicious domain names that will never be taken down, because these guys want to take their money, their registration money, and just ignore all the complaints that come in. So they're using this registrar to establish domain names that are being used for various malicious purposes, and when the abuse of these domain names, with ample evidence, is brought to this registrar's attention, they blow it off. Eventually, those reporting the abuse of domain names, you know, as I said, probably well-known and respected security organizations, decide they need to escalate this to and involve ICANN. At this point we see the same sort of falling-all-over-themselves attempts from ICANN to not abuse their ultimate power of pulling the plug, and we've seen the same thing repeatedly from the CA/Browser Forum members who really don't want to put a certificate authority out of business, but they're really left with no choice. Here ICANN is giving these WebNIC.cc guys every possible chance to save themselves and to not be kicked off of the gravy train.

I went over to their website, as I said, and Leo, you brought it up, www.webnic.cc, and it looks fantastic. It's got every bell and whistle you could ever want. Stuff is sliding in from offstage, it fades in and out and it spins around as I scroll. There are photos of happy people working and children playing in the sun. Life is grand and everything looks great, but apparently that's all just surface glitz, created by some fancy web designer and a bunch of JavaScript. We know that underneath this fancy facade, this registrar is behaving so irresponsibly that they may soon be out of business. This, of course, begs the question, as you said, Leo, what then happens to all of their hundreds of thousands of customers who were seduced by the glitzy website into entrusting their cherished domains to this registrar?

ICANN has a procedure for handling that. ICANN asks around among other domain registrars in good standing to determine who would like to take over, in this case, WebNIC's domains and their customers. ICANN appoints what's known as a gaining registrar, and you bet they're going to gain, to take over the affected domain names. There's even an acronym for this. BTAT stands for Bulk Transfer After Termination. All of the terminating registrar's domains are assigned to the gaining registrar, with the current domain registrants not needing to take any action. There's no discontinuity of service. They don't even know anything happened. ICANN then notifies the domain holders via email and public announcement and, importantly, the current domain holders' rights are retained. Their domain registrations remain valid, with their expiration dates and other settings preserved, and the new registrar has agreed to honor the remaining registration term, and existing registrants are then given the option to transfer their domain elsewhere if they prefer.

So, yes, down in the trenches it's a mess, but it's the best that can be done under the circumstances. It's difficult to imagine that these guys are not going to come up with some, you know, some sort of face-saving attempt to hold on to their registrar status. Maybe this final notification will come to somebody's attention. They've got two weeks to somehow cook up a bunch of cockamamie excuses and stories to explain their previous negligence, or to somehow convince ICANN that they'll deal with all of the past and do right going forward. It's going to be interesting to see what happens in two weeks. But, boy, what a sad thing to happen to a registrar. I mean, you know, they'll simply be out of business.

1:40:43 - Leo Laporte
Do you want to take a break here?

1:40:45 - Steve Gibson
Let's take a break. Yeah, okay, because then we've got some feedback, and we're at about an hour and a half, so, yeah, this would be a good time to do it all.

1:40:52 - Leo Laporte
Righty. You're watching Security Now with the inestimable Steve Gibson. I don't know what that word means, but I think you are inestimable. Sounds good. This episode of Security Now brought to you by the inestimable Melissa, the trusted data quality expert since 1985, longer than we've been doing this show practically, actually, literally. Melissa's address validation app is available for merchants in the Shopify app store now, which is awesome, makes it so easy to use. Enhance your business's fulfillment and keep your customers happy with Melissa. Enhanced address correction, for instance. Certified by leading postal authorities worldwide. It corrects and standardizes addresses in, get this, more than 240 countries and territories. That's pretty much all of them. Smart alerts allow customers to update their information before the order is processed. How many times have you seen that happen? You're probably using Melissa if you're on a Shop Pay site. You're entering the address, you mistype something, hit return and then it pops up and says, do you mean this? With a business of any size, you can really benefit from Melissa, because their data quality expertise goes far beyond just address validation. It's not just e-commerce. You get data cleansing, data validation. It's vital in so many fields. Think of, well, healthcare, for instance. In healthcare, two to four percent of contact data gets out of date every single month. Millions of patient records in motion demand precision, which Melissa delivers, and it's a life or death situation in healthcare. By using Melissa's enrichment as part of their data management strategy, healthcare organizations build a more comprehensive view of every patient. This also adds in things like predictive analytics, allowing providers to identify patterns in patients' behavior or medical needs, and that can inform preventative care.

eToro's vision was to open up global markets for everyone to trade and invest simply and transparently. But global means now you've got to handle everybody worldwide. To do this, they needed a streamlined system, because they're in finance, right. They needed it for identity verification, know your customer. After partnering with Melissa for electronic identity verification, eToro received the additional benefit of Melissa's auditor report containing details and an explanation of how each user was verified. The eToro business analysts shared this great quote with us. Quote: "We find electronic verification is the way to go because it makes a user's life easier. Users register faster and can start using our platform right away."

"Development of the auditor report was an added benefit of working with Melissa. They knew we needed an audit trail and devised a simple means for us to generate it for whomever needs it, whenever they need it." If you're global, you've got KYC regulations of all kinds, right? Melissa can handle it. Data is safe, compliant and secure with Melissa. Melissa's solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and HIPAA HITRUST standards for information security management. So get started today with 1,000 records cleaned for free at melissa.com/twit. That's melissa.com/twit. We thank them so much for being supporters of this show and all our shows for many years now, not since 1985, but for quite a while. Thank you, Melissa. melissa.com/twit. Steve, okay.

1:44:32 - Steve Gibson
So if any of our listeners might still have an old TP-Link Archer C50. I think a lot do.

1:44:40 - Leo Laporte
That was recommended by Wirecutter for years as the best router.

1:44:44 - Steve Gibson
Unfortunately, it turns out it's got a problem. It's got a CVE, CVE-2025-6982. TP-Link made the mistake of encrypting its settings using DES, not triple, just single DES, in the least secure of all cipher modes, which is ECB, electronic codebook, where there's no chaining among successive blocks. You just independently encrypt each block. What this means is that it's possible for attackers to obtain all of the settings in the router, including the admin credentials, the Wi-Fi passwords and everything else that the router knows. So the routers are end of life, and TP-Link is strongly advising that people, you know, just say goodbye, router, it's time for a new one. It's not an emergency, it's not a remote code execution vulnerability, but, you know, this is a serious concern for these routers, and newer routers offer much better security. A router is the kind of thing that I, you know, I would give a five-year life, and then it's probably time just to rotate the router out of service and put in a new one. New ones are better, faster, etc.

1:46:16 - Leo Laporte
Etc.

1:46:17 - Steve Gibson
Right, yeah, yeah, and they'll, you know, support the latest Wi-Fi standards and so forth. So anyway, I just wanted to give everybody a heads up. If there happens to be an Archer C50 around, you might want to go to TP-Link. You'll probably find some information there saying you want to get rid of it. I think even CISA said, you know, stop using these because they're just not secure any longer.

Okay, before we examine specific listener feedback, I got one neat piece of feedback I want to share which launched me on an interesting journey. I wanted to note that many listeners said they're now going to give the Brave browser another try, and many others sort of asked rhetorically in an email that I received, "What took you so long, Gibson?" You know, some said that they looked at Brave in the past and they were not impressed, but they looked at it again and it seemed like it had gotten better. I'd never really looked at it before. I like it from a privacy-enforcing standpoint. So anyway, I got so many pieces of email from our listeners about Brave, I wanted to discuss it all at once from everyone and thank everybody for their feedback, which I appreciated. Aaron Schaefer wrote saying, "Steve, you seem to be entirely unaware of Apple's..."

1:47:43 - Leo Laporte
I never finish emails that begin that way.

1:47:49 - Steve Gibson
I know. "You seem to be entirely unaware of Apple's state ID program for Apple Wallet. Several states already have it deployed. A digital version of my Ohio driver's license has been in my wallet for the last year. For example, the state of Ohio has a free app that someone else can use for me to tap my phone to their phone to verify age from that digital ID. Correct me if I'm wrong, but it seems that all we need is some kind of API call to do the same validation for websites. Thank you for all your good work. I've been a listener since episode one. Aaron." Okay, so Aaron was completely correct in concluding that I had not been keeping up with the state of smartphone wallets and existing efforts, so I spent some time since seeing this note looking into what's been going on in that space.

In California, as in Ohio, we have a digital driver's license program. It goes by the abbreviation mDL (lowercase m, capital D-L) for mobile driver's license, and it looks like that's going to be a US-wide abbreviation. There's a California DMV wallet app for both Apple and Android phones, and it offers a system known as TrueAge. I installed the apps under both platforms, into my iPhone and into that $39 Samsung A15 smartphone that I had just purchased, that I talked about a couple of weeks ago, for Android, and I configured it. The app setup was quick and easy. The apps required me to show them the front and back of my California driver's license and to then pose for facial recognition, while it brightly illuminated the screen in various colors which were reflected off my face. Once that was done, the apps were satisfied and I had effectively installed a biometrically locked digital driver's license into my phones.

Next up was figuring out what TrueAge was all about. The TrueAge system was developed by NACS, the National Association of Convenience Stores, together with a non-profit entity known as Conexxus (C-O-N-E-X-X-U-S). Conexxus is a retail-focused technology standards developer. Together, NACS and Conexxus developed the TrueAge technology for the retail convenience store industry to support the purchase of age-restricted consumables such as alcohol and tobacco. In bragging about TrueAge, they explain, they say, quote: "TrueAge verifies only age, not identity (name, address, eye color, etc.)."

"Unlike many legacy ID scanners that may capture over 30 personal fields, the encrypted token cannot be linked back to you and data is not sold or shared." Unfortunately, however, the cannot-be-linked-back-to-you portion is not entirely true. I was immediately suspicious when I saw that the token presented was described as a single-use encrypted composite consisting of the presenter's driver's license number, whoops, the issuing state, the license expiration date and the presenter's date of birth. And sure enough, the ca.gov FAQ page says, in answering the question, "What happens to the data you do capture?", they answer: "TrueAge encrypts your data points and then protects them even further by creating anonymous tokens. These anonymous tokens cannot be traced back to you without legal authorization from a court-ordered subpoena."

1:52:21 - Leo Laporte
So they can be traced back to you as a matter of fact? Exactly, oh, but you have to have a court order.

1:52:31 - Steve Gibson
Yeah. They finish saying, "Neither retailers nor cashiers retain any of the extracted information." Okay, so it's true that in a retail convenience store setting, TrueAge will be far more privacy-preserving than the traditional requirement of revealing a driver's license, which discloses the individual's entire identity, with their name, home address, exact date of birth and everything else in the clear. But unfortunately, TrueAge also fails the minimal-information-sharing test when the only thing being required is a proof of biological age. However, less than three months ago, this past May 15th, the NACS Association, that association of convenience stores, proudly published a press release with the headline "TrueAge's technology named the de facto standard for digital age verification," with the subhead "The World Wide Web Consortium, that's the W3C, has incorporated TrueAge's underlying technology into its new Verifiable Credentials." Okay, now that suggests that at least some aspects of the TrueAge verification system will be coming soon to a web browser near us. So here's what they wrote. They said, and again I'm going to do a little patting on the back: "TrueAge, the innovative, universally accepted age verification system that makes it easier to more accurately verify an adult customer's age when purchasing age-restricted products, and its core technology have been incorporated into the latest W3C Verifiable Credentials 2.0, that were introduced today. The World Wide Web Consortium is an international council created in 1994 to create and publish web standards to ensure the growth and development of the web."
"The new W3C Verifiable Credentials, which were ratified in late April by its governing body, are a comprehensive update to web standards and affirm that TrueAge technology is the centralized standard for digital personhood, making TrueAge the accepted standard for all applications that involve age verification." Paul Ziv, TrueAge's vice president of technology and operations, said, quote: "TrueAge was developed to address strong consumer interest in using a trusted and reliable digital ID that combined consumer privacy and ease of use with the potential for mass retail integration, and it has delivered on that promise. It is very gratifying that W3C agrees with our vision and solution." Unquote.

Then back to the press release from TrueAge: "Verifiable credentials are increasingly important as communications and commerce continue to go digital, because they can contain all the same information as physical credentials, similar to driver's licenses and other identification cards. Importantly, by adding technologies such as digital signatures, verifiable credentials can be tamper-proof and seen as more trusted than their physical counterparts. TrueAge scans all US driver's licenses and is also incorporated into the state of California's mobile driver's license and digital wallet. The W3C announcement makes TrueAge the de facto standard for age verification that could be incorporated into all relevant code for pertinent products developed by companies including Microsoft and Apple."

"While Verifiable Credentials 2.0 was approved to improve the ease of expressing digital credentials, there were also several privacy-preserving goals that were important. Both of these objectives are central to the core of TrueAge." Anyway, the article continues to elaborate and congratulate itself at some additional length, and it goes on again to assert that it also "provides admissible proof of age verification appended to retailers' transaction logs that can be unlocked under subpoena and submitted as evidence." So, because TrueAge explicitly and deliberately binds the credentialed user's identity into their age assertion, it does not do what we want for general-purpose online age assertion. So we're left with the question of how much of TrueAge's over-identification actually survived into the W3C's new Verifiable Credentials 2.0 specification. Since things like driver's license number and issuing state are explicitly US identifiers, and the W3C's specifications need to be global and country-agnostic, I assume that what the W3C may have inherited from TrueAge is just its broad single-use encrypted token technology, without there being any requirement for what's encrypted within that token. We'll see.

Aaron's note started me looking into this with his mention of Ohio, but Ohio and California are not alone. The US states currently offering some form of smartphone-wallet-storable digital driver's licenses include Arizona, California, Colorado, Delaware, Georgia, Hawaii, Iowa, Louisiana, Maryland, Mississippi, Missouri, New York, Ohio, Utah and Puerto Rico. Additionally, Montana, New Jersey, Pennsylvania and Texas have pending mobile driver's license legislation underway, and 10 other states, including or and Washington DC, have announced their intentions to adopt mobile driver's licenses that are secure enough to be honored and carried around in our phones. I have in my little Android, you know, there's the California mobile driver's license app.

2:00:01 - Leo Laporte
I have yet to have any occasion to use that after several years.

2:00:06 - Steve Gibson
Unfortunately, I do regret the goofy picture.

2:00:09 - Leo Laporte
Well, that's the actual picture, though, isn't it? Yeah, that is, that's from your driver's license.

2:00:13 - Steve Gibson
Yeah, and that is from, you know, it's the original digital storage that California made when I last updated my driver's license. But in the show notes I have a picture of one of the panels that's available where, under "age check," you're able to open up a set of brackets where one of them is over 18, over 21, over 25, over 62 and over 65. Unfortunately, I qualify for all of those.

Yes, can I check them all? Okay, and I don't know yet anything more about that. I've not taken the time to dig into the underlying technology, so it's unclear how all of this is going to shake out and fit together. But for what it's worth, my experience with setting things up, at least, looked like so, so I could talk about it a bit. I've got iOS and Android apps in my phones that are able to scan, to look at my face, decide that's me, scan a website's QR code to in some fashion assert my full identity if I wish, or, presumably, whether I am only above a given age. And while we know that the TrueAge system itself is asserting more than just our ages, it's still early days, and my guess is that what the W3C will wind up with will be a minimal-information-disclosure solution, because that is all most people are going to be willing to put up with. None of this. You know, I mean, sure, maybe if you're buying tobacco or alcohol at a retail purchase location, this is better than revealing your full driver's license, but it doesn't do what we want for minimal information disclosure.

Before we leave the topic, I should also mention that, as I had hoped, and I mentioned this last week, Yubico's Stina Ehrensvard is all over this. Last Wednesday, after last week's podcast, she sent me a note which read: "Hi Steve, hope all is well. Please find our white paper on age verification at Internet scale." She attached a short, five-page position paper authored by the Ciros (S-I-R-O-S) Foundation. Its title is "Deployability First: Making Age Verification Work at Internet Scale." It has the subhead "A position paper for the 2025 Joint W3C/IAB Workshop on Age-Based Content Restrictions." Now, we couldn't ask for anything more on point than that, and Stina is the founder of the Ciros Foundation. She's putting the money she made from first founding Yubico to very good use. And, Leo, you and I both know Stina. God help anyone who stands in her way. She has a way of obtaining the results that she's after. So, with Stina on the case, the world's needs for online privacy-respecting age-based content restrictions are in the best hands possible.

2:04:07 - Leo Laporte
Yeah, I'm really glad that she's taking this on. That's great.

2:04:11 - Steve Gibson
Yeah, she is, and she will not settle for anything less than what we know is technically possible, which is no assertion other than a person is above a given stated age that they are wishing to assert. So, you know, and as Yubico's founder, she has earned her sway. I mean, people will listen to her, and I mean she knows everybody in the business. I mean, again, we couldn't ask for this to be in better hands. So I was certainly uninformed when I recently commented that nothing was happening on the age verification front. A great deal is happening, and the best possible people are at work on this problem. In the meantime, you know, I looked for any sort of TrueAge demo site, but I was unable to find anything. It looks like it's locked up in proprietary technology. At this point they're having to unlock whatever this encrypted token stuff is in order to have it be put into the W3C, because that's going to be all open standards and open source and open implementation. And besides, this is not a hard problem to solve. These guys just did it for a cash register where you sell vape products. So fine. I'm sure that what we end up with will be fully privacy-enforcing.

And before we take our last break and talk about China, I wanted to take a moment to say that Andy Weir's second novel, Artemis, is, in a word, wonderful. The synopsis that I saw of it, being about some form of lunar heist, doesn't begin to do it justice. I'm at 60% and the book is just pure pleasure. It occurs to me that Andy is very good at creating anti-heroes. Project Hail Mary's Dr. Grace was certainly no one's hero, and neither is Artemis' Jasmine.

2:06:27 - Leo Laporte
She's great, though, isn't she? Yes, she is. She's a real character. Yeah.

2:06:32 - Steve Gibson
Yeah, and if you consider the words science and fiction, you would be hard-pressed to find any book that better satisfied those terms. There are no neural implants, superhuman augmentation, anti-gravity repeller rays or trans-dimensional space folding utilizing energy tapped and funneled down from the 12th dimension. There's none of that. What there is, however, is a very satisfying, entirely plausible story penned by someone who's very comfortable with actual science and who writes very enjoyable prose. At 60% of the way through, I am fully engaged. I'm on pins and needles, I can't wait to get back to it and I have no idea what's going to happen next. So I think it was good, probably, that I warned you that it's not The Martian, right? It's very different. Yeah, if you were expecting another Martian, or maybe another Hail Mary...

2:07:41 - Leo Laporte
You might have been disappointed. I don't know. I don't know.

2:07:45 - Steve Gibson
I guess maybe I'm easy. I just think it's great.

2:07:49 - Leo Laporte
I think it's great.

2:07:50 - Steve Gibson
Like, we know that I'm a sucker for good writing, and he's a good writer, and there's nothing that's annoying or that bothers me. It's just very pleasant. So, yeah, good. You know, I guess the only downside is it's not free. But we're pretty spoiled by, you know, free books on Kindle Unlimited, and the fact is you often get what you pay for. Yeah, and so I don't think there's a lot of AI crap now on Kindle. Yeah, and for nine bucks, I'm having a ball.

2:08:23 - Leo Laporte
By the way, I think I have a much better picture of my California ID. There you go.

2:08:30 - Steve Gibson
I look happy there. Yeah, you do. Well, I deliberately went like this. No, I did, I was happy, I was just having... no, I was being goofy. You look crazy. The guy who was looking through the camera did a double take and jerked back from his viewfinder, because he's like, whoa, is that a zombie?

2:08:51 - Leo Laporte
Anyway, you know, I'm trying to do the TruAge thing. I didn't realize that California directly supports TruAge. I mean, they actually mention it in the... yeah, it's right there.

2:09:02 - Steve Gibson
Yes, in their app. Yeah, okay, and I don't quite understand the Apple Wallet integration. I don't think my California driver's license is over in the Apple Wallet. I have credit cards in there, but I don't have my driver's license. Because I have that, don't I?

2:09:17 - Leo Laporte
I thought I did, let me look. I thought I put it in there, but I don't have my driver's license. Oh, I do, don't I? I don't know how to put it in there. I didn't find that. Okay, anyway, yeah. But if you click on that button, let's see, a fingerprint, the age verification button.

2:09:38 - Steve Gibson
No, the center one, the reader, and there you will see the minor check. Oh, mine's changed now. How did it change? Minor check: over 18, over 21, over 25. Oh, senior check: over 62, over 65. I mean, so you get to choose what you want to share. You can share your entire identity: your name, DOB, sex, issue date.

I think that's good, and you choose. You're able to share something that law enforcement wants: identity, address, driving privileges, or then something called custom, which is coming soon, where you can probably select which items you want to share.

2:10:18 - Leo Laporte
Yeah, and you get a QR code that you can give the checker at the convenience store.

2:10:24 - Steve Gibson
Yeah, I think it's... by the way, I am over 21. So there you go. Oh, and here's getting a permission request: "Allow CA DMV Wallet to find, connect to and determine the relative position of nearby devices."

2:10:42 - Leo Laporte
Oh, I don't know what that's for. There's a scanner right?

2:10:46 - Steve Gibson
Oh, it's for mapping while using the app.

2:10:48 - Leo Laporte
I guess it wants to know where I am. You still, you know, if you get pulled over, you still have to give them a real driver's license.

2:10:57 - Steve Gibson
In fact, they say specifically you can't stop carrying your driver's license because of this. Yeah. Oh, and the reason it asked me for that was this: Android will do NFC, but iOS won't let you do NFC. It forces you to do a QR code. Ah, okay. So I'm able to switch to the QR code scanner. I guess when they say wallet, it's not the Apple Wallet.

2:11:17 - Leo Laporte
I remember that in some states you can put it in your Apple Wallet. I remember California, I think, decided not to make that possible. Not sure why you would need that. Except there is "explore add-ons," but it doesn't, and it's got...

2:11:32 - Steve Gibson
I've got the TruAge add-on, but there's no, like...

2:11:34 - Leo Laporte
That's the only add-on I could see too. Yeah, all right. Anyway, we're getting there. I am ready to do the last commercial.

2:11:45 - Steve Gibson
We're going to talk about the wisdom of China's participation in Microsoft's MAPP program. What could possibly go wrong?

2:11:55 - Leo Laporte
I also will refer you to something our Club Twit members have just put in the Discord about a critical security flaw in the Broadcom chips used in more than 100 models of Dell computers, allowing attackers to take over tens of millions of user devices. Five vulnerabilities, CVE 24311 through 1522, quite a few, all in the Broadcom chip. Oh boy. Cisco, at it again. Thank you, Paul Holder, for putting that in our Club Twit Discord. Appreciate that update.

2:12:38 - Steve Gibson
Well, I'm sure I'll be covering that next week. He posted it over in the GRC forums. Yes, he's a regular on your forums too, that's right.

2:12:44 - Leo Laporte
Yeah, yeah, big help. I know he's a big help in our forums too. We appreciate Paul. This episode of Security Now is brought to you by ThreatLocker. We appreciate them. Zero trust done right.

Ransomware is just killing businesses worldwide, and not just businesses: city governments, schools, hospitals, you name it. But ThreatLocker can prevent you from becoming the next victim. ThreatLocker's zero trust platform takes a proactive deny-by-default approach. That's the key: deny by default. It blocks every unauthorized action, protecting you from both known and unknown threats. Trusted by global enterprises like JetBlue. You know they can't afford to be down. You see what happens if an airline's down for a minute. Or infrastructure plays like the Port of Vancouver. They use ThreatLocker. ThreatLocker shields them, and can shield you, from zero-day exploits, something nobody's ever seen before.

Supply chain attacks, while providing complete audit trails for compliance. As more cyber criminals turn to malvertising, oh boy, we've talked about this before, you need more than just traditional security tools. Attackers are creating convincing fake websites that impersonate popular brands like AI tools or software applications. Then they distribute those links through social media ads and hijacked accounts. Then they use legitimate ad networks to deliver malware right to your doorstep, affecting anyone who browses on work systems. Traditional security tools often miss these attacks because they use fileless payloads that run in memory and exploit trusted services that bypass typical filters. ThreatLocker's innovative Ringfencing technology strengthens endpoint defense by controlling what applications and scripts can access or execute, containing potential threats even if malicious ads successfully reach the device and deliver the payload.

ThreatLocker works across all industries. It supports Mac environments, provides 24/7 US-based support and enables comprehensive visibility and control. Just ask Jack Senesap. He's Director of IT Infrastructure and Security at Redner's Markets. He says, quote, "When it comes to ThreatLocker, the team stands by their product. ThreatLocker's onboarding phase was a very good experience and they were very hands-on. ThreatLocker was able to help me and guide me to where I am in our environment today." Get unprecedented protection quickly, easily and cost-effectively with ThreatLocker. Visit threatlocker.com/twit. You can get a free 30-day trial to learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. threatlocker.com/twit. We thank them so much for their support of Security Now.

2:15:50 - Steve Gibson
Now let's get to this shocking story. Okay, so I want to share what I feel is a very fair and balanced assessment of the consequences of the unfortunate but nevertheless very real geopolitical tensions that have been growing between the US and China, and the consequences of China's longstanding early access to Microsoft's serious security vulnerabilities. And Leo, you're going to love the name of these guys. This was posted to the Natto Thoughts Substack last Thursday. I read that one. Yeah, in the wake of the SharePoint... You are amazingly well-read.

2:16:38 - Leo Laporte
Well, I do. I have feeds galore. I mean, I read as much as I can.

2:16:43 - Steve Gibson
So they posted this last Thursday in the wake of the SharePoint-driven global network breaches. They described themselves, for our listeners who are not aware, writing: "Natto Thoughts explores the intersection of culture, technology and security. With stories, analysis and insights into the humans of the information age, whether decision makers, criminals or ordinary users, we probe the language, culture, institutions, political systems and unwritten social rules that constrain and inspire their actions." Natto is a sticky Japanese fermented soybean dish. It's very good, with an acquired taste. They said: "Fermented foods are slow foods. It helps keep your microbiome, that complex ecosystem that helps you digest, healthy. Like natto, our thoughts have had time to ferment. We're a group of experts with decades of experience in geopolitical analysis and cyber threat intelligence. Between us, we do research in a variety of European and Asian languages." So last Thursday, having fermented on this for some time, they posted under the headline "When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft's MAPP Program," and they added the subhead "Chinese companies face conflicting pressures between MAPP's non-disclosure requirements and domestic policies that incentivize or mandate vulnerability disclosure to the state." Since we've touched on the Chinese government's disclosure requirements for their Chinese enterprises in the past, and since it's so relevant today, having read what these guys have to say, I felt that this audience needed to hear it too. "Microsoft is investigating whether a leak from its Microsoft Active Protections Program," that's the MAPP, M-A-P-P, "allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released."
Now, we know from the first topic we covered, which is that Chinese programmers wrote the patch, that maybe there was another way, another exit path for those details, but that doesn't mean that this is not an issue too. "Microsoft attributed the remote access Trojan used to three China-linked threat actors: Linen Typhoon, Violet Typhoon and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the US National Nuclear Security Administration. Launched in 2008..." Okay, so that's when this program began, 2008, quite a while ago.

MAPP was designed before tensions with China were as they are today. "MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections, such as antivirus signatures and intrusion detection rules, in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure handling of pre-release data. Concerns about whether some Chinese companies are violating MAPP requirements are long-standing. In 2012, Microsoft removed Chinese company Hangzhou DPTech Technologies Company Limited from the program for violating its non-disclosure agreement." That was in 2012. "And, according to Bloomberg, in 2021, Microsoft suspected that at least two other Chinese MAPP partners leaked details of unpatched Exchange Server vulnerabilities, enabling a global cyber espionage campaign linked to the Chinese threat group Hafnium." So this is serious business. "The Microsoft Exchange hack affected tens of thousands of servers, including systems at the European Banking Authority and the Norwegian Parliament, and was met with global condemnation. Although Microsoft said it would review MAPP following the incident, it remains unclear whether any reforms were implemented or whether a leak was ever confirmed. In light of the SharePoint case, today's piece examines how MAPP operates, the risks posed by Chinese firms in the program and which companies are currently involved."

"The core purpose of MAPP is to minimize the window of risk between patch rollout and deployment. Simply releasing a patch doesn't mean systems are protected. Many organizations delay patching, and attackers often exploit known vulnerabilities during this lag. By giving trusted vendors early access to vulnerability details, Microsoft ensures they can build and distribute detection signatures and other defensive measures in advance," like CrowdStrike, for example, "so these protections are already active when the patch is published. Without MAPP, vendors would only begin creating protections after public disclosure, leaving many systems globally, including in China, exposed for critical hours or days."

"To participate in MAPP, security vendors must meet criteria that demonstrate their ability to protect a broad customer base." You know, they must demonstrate that they're worth disclosing these details to. "Applicants must be willing to sign a non-disclosure agreement, commit to coordinated vulnerability disclosure practices, share threat information and actively create in-house security protections, such as signatures or indicators of compromise, based on Microsoft's data. Microsoft retains discretion over admission and may suspend or expel members who fail to meet participation standards. According to the MAPP website, members are divided into three tiers based on the amount of time they receive vulnerability information before its public release and other criteria: Entry level, which is 24 hours in advance; ANS, which is up to five days in advance; and Validate, which is invite-only and focused on testing detection guidance. However, recently admitted MAPP partners and recognized experts have observed that Microsoft may provide critical vulnerability and threat intelligence as early as two weeks prior to public disclosure. Criteria for determining the criticality which warrants such early releases, and to whom the intelligence flows, is unclear. These companies operating within MAPP present a unique risk due to national regulations mandating the disclosure of vulnerabilities to the state."

"In September 2021, China implemented the Regulations on the Management of Network Product Security Vulnerabilities, the RMSV, which require any organization doing business in China to report newly discovered zero-day vulnerabilities to the government authorities within 48 hours. This gives Chinese state agencies early access to high-impact vulnerabilities, often before patches are available. Microsoft acknowledged the implications of this policy in its 2022 Digital Defense Report, noting that," quote, "this new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them," unquote. "While the RMSV serves as the primary legal pathway for the state to acquire zero-days, it is not the only mechanism."

"In 2023, cybersecurity analyst Dakota Cary," and he's one of the authors of this paper, by the way, "and Kristen Del Rosso uncovered a parallel, more opaque process involving the China National Vulnerability Database of Information Security, CNNVD, which is overseen by the Ministry of State Security, the MSS. Under this framework, Chinese cybersecurity firms voluntarily partner with the CNNVD to report vulnerabilities," get this, "in exchange for financial compensation and prestige. These firms, known as TSUs, technical support units, are stratified into three tiers based upon the number of vulnerabilities they submit each year. Tier 1 TSUs must submit at least 20 common vulnerabilities annually, including a minimum of three classified as critical risk, in order to qualify for their Tier 1 status." So, yikes. I imagine that everyone listening appreciates how traditional Chinese culture could factor into both the financial compensation and the prestige aspects of this, and how these minimal annual submission requirements to achieve and maintain tier status would tend to introduce unhealthy incentives. China's CNNVD handbook provides a requirements chart for the three participation tiers, where you have level one, level two and level three requiring a higher, more frequent and more plentiful turnover of vulnerabilities in order to obtain that tier.

Who knows where they're getting them? The report continues: "As early as 2017, the US threat intelligence firm Recorded Future," who we've often quoted here, "demonstrated that vulnerabilities reported to CNNVD are assessed by China's Ministry of State Security for their potential use in intelligence operations. As of this writing, 38 companies are classified as Tier 1 contributors to CNNVD, 61 as Tier 2 and 247 as Tier 3." Of these companies turning things over to China's Ministry of State Security for their potential use in intelligence operations, here's the number of those that are currently Microsoft MAPP members: ten in Tier 1, one in Tier 2, and one in Tier 3. So they are receiving the intelligence from Microsoft in advance of its release, and they're being paid and obtaining prestige for turning some vulnerabilities over to the Ministry of State Security.

What could possibly go wrong? "In addition to providing new vulnerabilities to the CNNVD, these technical support units are also required to provide vulnerability early warning support to the Ministry of State Security: at least five critical alerts annually for Tiers 1 and 2, and at least three for Tier 3. As cybersecurity and tech companies, many of these TSUs likely provide this early warning support by reporting newly observed attacks on their customers or systems. Nothing other than Microsoft's non-disclosure agreement precludes TSUs from sharing MAPP data with CNNVD, which may view such submissions as fulfilling this vulnerability early warning support requirement," and not be unhappy about it. They wrote: "Our analysis of the MAPP main page via the Wayback Machine shows that the number of Chinese companies listed in MAPP increased from 13 in December..." So this is the number of companies that Microsoft is disclosing this stuff to. "...increased from 13 in December of 2018," which was the earliest available snapshot they could find with the Wayback Machine, "to 19 out of a total of 104 member companies globally as of this writing. China has the largest national representation after the US." So there are 19 Chinese firms currently MAPP partners. They wrote:

"Since 2018, several Chinese companies have appeared and disappeared from the MAPP list. Companies that have since disappeared include Beijing Leadsec, Huawei and Neusoft, which were removed between December 2018 and November 2019; Qihoo 360, between November 2019 and October 2020; Hangzhou H3C Technology, between December '21 and October '22; and Sangfor, between October '22 and September '23. The reasons for a company's removal from the MAPP list are not always clear. In the case of Huawei and Qihoo 360, the timing aligns with their addition to the US Entity List in 2019 and 2020, respectively. For others," they wrote, "we could not locate any public explanation from Microsoft, unlike the 2012 public notice from the Microsoft Security Response Center regarding DPTech's removal for violating MAPP's NDA requirements."

"Of the 19 Chinese companies currently participating in MAPP, 12 are classified as CNNVD TSUs. Based on previous research into their vulnerability submissions to Microsoft's bug bounty program, Tier 1 TSUs such as Tencent, CyberKunlun, Sangfor, Qi An Xin and VenusTech operate dedicated labs with varying levels of focus on identifying vulnerabilities in Microsoft software products. It's also possible that individuals working at MAPP companies in China individually decide to pass along or sell information to offensive teams. With access to valuable information and a clear market for buyers, insider risk at MAPP partners themselves cannot be ruled out. Regardless of the specific mechanism for information diffusion, it is clear that China's incentives for reporting such vulnerabilities, both economic and reputational, as companies seek to meet CNNVD quotas and maintain TSU status for potential business opportunities, create an environment which incentivizes abuse. Vulnerabilities reported to the Ministry of State Security-run CNNVD may be evaluated for potential operational use before being disclosed to the public."

"Chinese APT groups are known for their speed and coordination in exploiting such vulnerabilities. According to advisories from multiple national cybersecurity agencies and threat intelligence firms, groups such as APT40 and APT41 have exploited vulnerabilities within hours of their public disclosure. Chinese APTs are also effective in sharing exploits across groups. Once a vulnerability has been successfully weaponized, it often circulates rapidly among operators. Both these dynamics were on display during the 2021 Microsoft Exchange campaign."

"On February 23, 2021, MAPP distributed proof-of-concept code to its members so they could engineer detections. Five days later, mass exploitation of the vulnerabilities, with similar code to that distributed via MAPP, blanketed the web. According to threat intelligence firm ESET, exploitation began with a China-linked threat group, Tick, and was quickly followed by other China-linked groups, including LuckyMouse, Calypso and the Winnti Group. Microsoft made patches available for customers shortly thereafter, on March 2, 2021, seven days after distributing proof-of-concept code to MAPP members. A similar pattern emerged with the exploitation of the SharePoint vulnerabilities first disclosed at Pwn2Own Berlin in May. The winning submission was reported to Microsoft shortly after the event. As per standard MAPP procedures, Microsoft distributed vulnerability details to selected partners up to two weeks before the public patch scheduled for July 8th. Yet CrowdStrike observed exploitation as early as July 7th, again suggesting that threat groups may have gained access to vulnerability details before protections were made widely available. Microsoft attributed the activity to no fewer than three China-linked groups on July 22nd."

"Microsoft's stated mission is to," quote, "empower every person and every organization on the planet to achieve more," unquote. "In line with this mission, and given Microsoft's strong global presence, including a vast user base in China, initiatives like MAPP play a critical role in protecting users from malicious actors. However, such programs require strong safeguards and clear accountability, and ensuring full compliance can be difficult in unique contexts such as China's centralized vulnerability disclosure system. The inclusion of Chinese companies warrants special scrutiny, especially those participating in domestic programs that incentivize reporting vulnerabilities to the state." And they conclude: "Unfortunately for Microsoft's user base in China, the government incentivizes behavior which should jeopardize the continuing participation of legitimately defensive companies in MAPP."

"It is the role of the PRC government to enforce laws on companies operating within its jurisdiction and responding to its policies. In consideration of Microsoft's pursuit of adequate defense and support of its users statement, it may be appropriate for Microsoft to temporarily suspend PRC-based companies from MAPP pending an investigation by the PRC government into the potential violation of Microsoft's NDA with local companies. Microsoft has the systemic importance to request such an investigation, as the behavior clearly jeopardizes the safe operation of critical information infrastructure under the PRC Cybersecurity Law." So, given all of the facts that these guys lay out, and the future, if not the past, potential for the rapid abuse of a critical global flaw in widespread Microsoft networking systems, I for one sincerely hope that Microsoft is, at this point, seriously reconsidering the trusting relationship they have long enjoyed with China's security firms.

One big happy planet? Then I'd say that Microsoft's historical position makes sense. Why not share these discovered vulnerabilities before they're patched and remediated? But the sad truth is tensions are escalating, and there doesn't appear to be any reasonable end in sight, given that US intelligence agencies have firmly concluded that US interests are under constant cyber attack from Chinese threat actor groups which are being actively supported by the People's Republic of China. How can it possibly remain rational for Microsoft to be willfully providing Chinese researchers and, indirectly, the Chinese government, with the very means to attack us, perhaps devastatingly?

2:40:54 - Leo Laporte
From your lips to Microsoft's ears. Well, that sounds kind of creepy, but I hope they listen and pay attention.

2:41:01 - Steve Gibson
Yeah, I mean, I get it, it's valuable, but Leo, Exchange Server is an example and SharePoint here is another. It's happening too much. There are defects, serious, critical remote code execution defects, in Microsoft's products, yeah, and when they're discovered, they need to be fixed without them being at risk of being weaponized against us before they can be patched. Yeah, and unfortunately, they're willfully giving advance notice to a hostile foreign entity.

2:41:42 - Leo Laporte
Well, Microsoft says they're going to eventually move it out of China. They don't say they're going to move it back to the US.

2:41:50 - Steve Gibson
No, actually, what they said they would move out was the fact that, it's even worse, they have Chinese people writing the patches at the moment. Yeah. But then also they have the MAPP participants that are different than that. So they have two different means by which, you know, they're deliberately having knowledge of these problems in China before the patches are released. I'm surprised they're even allowed to do this, frankly. I think it's only because Microsoft is so strong, and our politicians don't really understand what's going on. Yeah. Steve Gibson.

2:42:31 - Leo Laporte
He's at grc.com. He understands what's going on. That's why we listen to the show every Tuesday. You can get a copy of the show from him. He's got 64 kilobit audio, 16 kilobit audio, transcripts written by an actual human being, Elaine Farris, and, of course, the show notes. All of that at grc.com.

While you're there, take a look. You might want to pick up a copy of SpinRite, the world's best mass storage maintenance, recovery and performance-enhancing utility. 6.1 is the current version. If you have mass storage, you really should have a copy of SpinRite. There's also lots of other great stuff there at grc.com, including a way to get a hold of Steve. People are always asking me, can you send an email to Steve? It's easy. Go to grc.com/email, submit your email address. He'll whitelist it. From that point on, you'll also have the opportunity... there are two unchecked checkboxes right below it. One is for his weekly newsletter, that's the show notes for this show, and the other is for a much less frequent mailing about new products, and I think you'd want to know about those two.

2:43:39 - Steve Gibson
There's only ever been one. That's how infrequent it is.

2:43:43 - Leo Laporte
Every 12 years he sends an email. grc.com/email. You can also get this show at our website, twit.tv/sn. We have 128 kilobit audio plus video on our site. There's also video on the YouTube channel. You'll see a link at that page, which is a great way to share little clips with your boss or your IT department or just whoever you think might be interested. Help us spread the word about the show. You can also subscribe in your favorite podcast client. That's an easy way to get it, audio or video, your choice. That's free, but there are ad-free versions of the show available.

If you're a member of Club Twit, and I do want to encourage you to join the club, club members are able to join us in the Discord chat along with us. They get a lot of special programming. Friday we're going to do Stacey's Book Club, a great science fiction book called How to Win the Time War. In fact, it's short enough you could probably still read it before Friday. Highly recommend it. Right after that, it's going to be Chris Marquardt's photo show. So we've got a busy week.

This week we also have coming up, and if you're a member of the club, I want you to go to the Club Twit Discord and vote. Micah wants to put together a Dungeons and Dragons one-shot, but he's trying to figure out what would be the best way to do this. Like, who do you want participating? So he's got a little poll right there at the bottom of the events page. We want all the club members to vote on that. This page is a good page to know about. This is all the things that happen in the club: the AI User Group, Micah's Crafting Corner. We're going to stream the Pixel 10 announcement. Home Theater Geeks, this is going to be a good one this week. Actually, oh, it's next Monday, okay, good, August 11th. He'll be talking about the value shootout, or maybe Thursday, I'm not sure. Anyway, all of that is in the Club Twit Discord.

And the most important reason, from my point of view, to subscribe is you support the work we do here at Twit. 25% of our operating revenue now comes from the club. Very important. If you're not a member, please join. We'd love to have you. twit.tv/clubtwit. We do this show live, by the way, every Tuesday right after MacBreak Weekly, 1:30 Pacific, 4:30 Eastern, that's 2030 UTC. You can stream it live if you're in the club in the Discord, but you can also stream on YouTube, Twitch.tv, TikTok, Facebook, LinkedIn, X.com and Kick. So pick your poison. Watch live if you want, but still subscribe so you get a copy of it, because you want to have the full archive of 1,000, what is it, 35 shows? Some huge number. It's amazing. Steve's going to keep doing it as long as you keep listening. So keep listening. Thank you, Steve, have a wonderful week, and we'll see you next time on Security Now. Thanks, buddy. Till then.
