
Security Now 1043 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. Who would have thought it? Russia's new enforced messenger has startup problems. What a shock. Steve's going to tell the story of how he hacked the dorm washing machines. And then we're going to talk about an amazing improvement Apple has made to its own chips that may eliminate 90% of security problems. Wow. All that coming up next on Security Now, podcasts you love from people you trust.

Leo Laporte [00:00:34]:
This is TWiT. This is Security Now with Steve Gibson. Episode 1043, recorded Tuesday, September 16, 2025. Memory Integrity Enforcement. It's time for Security Now.

Steve Gibson [00:00:53]:
Yay.

Leo Laporte [00:00:54]:
It's Tuesday, the show where we explain and help you understand everything that's going on.

Steve Gibson [00:01:02]:
Do we have one today?

Leo Laporte [00:01:04]:
Oh, this is Steve Gibson, ladies and gentlemen. Get your. Is this a propeller hat episode?

Steve Gibson [00:01:10]:
Well, it's titled Memory Integrity Enforcement, which is technology in the A19 chips that Apple announced a week ago.

Leo Laporte [00:01:20]:
Is this like ASLR? Is it like this is.

Steve Gibson [00:01:23]:
No, this is, if the only problems that security created were use-after-free and buffer overruns, or use of memory you don't own, yeah, they would all be gone.

Leo Laporte [00:01:41]:
Well, that's good.

Steve Gibson [00:01:43]:
It's huge. It is.

Leo Laporte [00:01:45]:
Because that's where most of the security exploits start.

Steve Gibson [00:01:48]:
Right, way most. And in fact, before I remembered that it was possible to have other types of bugs, I was dancing around thinking, well, it's over, they've won. But oh, it is possible to have a different kind of problem, but, oh, far and away, mostly like that dumb Adobe DNG image problem that embarrassed Apple a couple weeks ago. And that, coupled with the WhatsApp exploit, allowed targeted attacks on WhatsApp users.

Steve Gibson [00:02:27]:
That would have never happened if MIE was in place. I mean, they spent five years. Although of course they had to blow it up to half a decade. It's like, okay, yes, also known as five years, to get this done. But anyway, our listeners always say they like our deep propeller head episodes. Well, get out your galoshes because it's.

Steve Gibson [00:02:50]:
This one's gonna be deep. But Leo, I interrupted your.

Leo Laporte [00:02:55]:
Well, I was just gonna say here's Steve Gibson. So that's good enough.

Steve Gibson [00:02:59]:
So we've got Security Now episode number 1043 for the 16th. This time the show notes are properly dated at the top. We're gonna look at whether Bitcoin ATMs are ever anything more than just scamming terminals. The two instances of ransomware I wanted to talk about: one that hit the unfortunately well-known Uvalde school district, and also Jaguar, which had some surprising downstream consequences. We're going to ask the question, did the self-named Scattered Lapsus Hunters hybrid group just throw in the towel? Germany has said they're going to vote no on chat control. Russia's newly released Max messenger is having some startup troubles. Who, I know, who would be surprised. Samsung is following Apple's change in the WhatsApp patch chain, and, shocker, Leo, UK school hacks turn out to mostly be made by students.

Leo Laporte [00:04:09]:
Yeah they thought they could rein them.

Steve Gibson [00:04:13]:
In, but no. We have some numbers. Also, unfortunately, HackerOne was hacked, which is not good, but again, it's that centralized hack that just keeps on giving. We've also got connected washing machines in Amsterdam having been hacked. The university is going to take measures. DDoS has broken another record. Bluesky has announced they're going to be implementing some conditional age verification in other states. We're going to look at enforcement actions coming for Global Privacy Control. That's that GPC notice that sort of replaced DNT, the Do Not Track, which never got off the ground. And we're going to ask the question, might Apple have finally beaten vulnerabilities? Actually most vulnerabilities, but it's a huge win.

Steve Gibson [00:05:06]:
So we're going to do a deep dive into what it is that they did, the history of this campaign, and, you know, this is new hardware introduced last week in the A19 chips, and as Apple put it, I don't remember now the exact word it was. It wasn't astonishing. It wasn't. There was some. They said they dedicated a huge. They had a different word. I'll end up sharing it when we get there. A huge percentage of silicon to this.

Steve Gibson [00:05:47]:
I mean, they are serious about keeping those targeted attacks from happening. Remember, no normal users are ever hit by this anymore. You know, we covered the news of that hobbyist who'd given up hacking Apple a long time ago, you know, because it was no fun anymore. It got to the point where all the low hanging fruit was like up so high that you just couldn't reach.

Leo Laporte [00:06:11]:
There is no low hanging fruit. Yeah, no, no. Well it's anyway fruit is now way up there.

Steve Gibson [00:06:18]:
That's right. And it costs millions of dollars to pluck. So, and of course, we've got a great picture of the week, which we'll get to after our first announcement.

Leo Laporte [00:06:27]:
We will show you in moments, but first, my friends, a word from our sponsor. This show is brought to you, and it's an appropriate sponsor if you care about privacy, brought to you by DeleteMe. If you've ever wondered how much of your personal data is on the Internet for anyone to see, you could do a search. I don't recommend it. It is not good. It's a lot more than you might imagine. Your name, your contact info, your Social Security number.

Leo Laporte [00:06:53]:
Yes, Steve and I both found our Social Security numbers in that big breach some time ago. Your home address, even information about your family members. And here's the thing. It's not just on the Internet. It's being compiled by data brokers. They're building a dossier on you right now and then selling it online to the highest bidder. Not just marketing, but law enforcement, foreign governments. Anyone on the web can buy your private details, and you can imagine the consequences.

Leo Laporte [00:07:23]:
Not just identity theft and phishing attempts, but doxing, harassment. Well, now, you could protect your privacy with DeleteMe. Look, I live in public, and I know what that means. Anybody who talks about what they think online means, you got to think about your safety and security. But I would say I would go even farther. A lot of people think, well, I'm not that, so I'm okay. But if you, for instance, have a company and you've got managers who have, you know, information online, as just about everybody does, that can be used against your company. It happened to us.

Leo Laporte [00:08:04]:
Our CEO was spoofed. They sent out a fake text message to her direct reports saying, I'm stuck in a meeting, but I need some Amazon gift cards right now. Please buy $500 worth. Use your TWiT credit card. We'll reimburse you and send it to this address. Now, fortunately, her direct reports are our employees. They're smart. They've heard these ads.

Leo Laporte [00:08:27]:
They know what's going on. But what it did is it opened my eyes to the information that's online, not just who our CEO is. What her cell phone number is came from her number. What her direct reports are, what their cell phones are. And now, in this age of AI, how to craft a message specifically targeted at them. And all of that because it's so easy to find personal information about people online if you're a company, not just an individual. Obviously, we individuals, we want our privacy, too. But if you're a company, you should really think about this as part of your company's security.

Leo Laporte [00:09:02]:
That's why we at TWiT use and recommend DeleteMe. It's a subscription service. It removes your personal info from hundreds of data brokers. So here's how it works. You sign up, you give DeleteMe the information you want deleted, as much or as little as you want. Now, of course, they treat that information securely, but they need to know what is it that you don't.

Leo Laporte [00:09:25]:
Your social, you don't want to see that online. And then their experts take it from there. They will remove it from data brokers, but more than that, they'll continue to monitor. They send you regular personalized privacy reports showing what info they found, where they found it, what they removed. It's not a one-time service. DeleteMe is always working for you. We just got another email from DeleteMe a couple of weeks ago saying here's what we found and removed. DeleteMe is always working for you.

Leo Laporte [00:09:51]:
Constantly monitoring and removing the personal information you don't want on the Internet. To put it simply, DeleteMe does all the hard work of wiping you, your family, your company's personal information from data broker websites. Take control of your data. Keep your private life private by signing up for DeleteMe at a special discount for our listeners. Right now, get 20% off your DeleteMe plan when you go to joindeleteme.com/twit and use the promo code TWIT at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/twit. Enter the code TWIT at checkout. That's JoinDeleteMe.com/twit, offer code TWIT. There is another company at DeleteMe.com. That's not the one. You gotta go to JoinDeleteMe.com/twit. Please don't get that wrong.

Leo Laporte [00:10:38]:
And of course the offer code TWIT helps us, lets them know you saw it here. But it helps you by getting individuals 20% off. JoinDeleteMe.com/twit. We thank them so much for their support of Security Now. I think most Security Now listeners know how important privacy is.

Steve Gibson [00:10:56]:
Now I guarantee you.

Leo Laporte [00:10:58]:
Leo. Yeah, yeah, I think we, we have a pretty good idea.

Steve Gibson [00:11:01]:
Okay, so this picture raised some questions. I gave it the headline. What exactly is the plan here?

Leo Laporte [00:11:11]:
All right, I'm going to scroll up. I have not seen it. Okay, there's a tree and a fire hydrant. There's a very important gate around three quarters of the fire hydrant and and.

Steve Gibson [00:11:26]:
The business end of the fire hydrant, where the hose connects, is blocked by the gate. Okay, so, okay, now, because this email went out yesterday afternoon, I've had some feedback from our listeners with their conjectures answering my question, implicit, what exactly is the plan here? So first of all, for those who aren't seeing the video, there is a beautifully painted fire hydrant. The fire hydrant is red. It's wearing a yellow painted cap on top. I mean, it's lovely. And so. Okay. The problem is that, you know, a fire hydrant is all about access need.

Steve Gibson [00:12:12]:
The fire department needs to hook their hose up if, if they need water badly. And this fire hydrant, beautifully painted though it is, has been surrounded, as you said, Leo, on three sides. The front business side included by this weird sort of. I mean it's got to be a custom.

Leo Laporte [00:12:33]:
It's a beautiful gate.

Steve Gibson [00:12:35]:
Gorgeous. It's got a. Yeah, but I mean you can't, just can't go. What would you put in Amazon? I would like a fire hydrant fence? Or. I mean, it looks like it was made to order for this fire hydrant. So, you know what, anyway, the best feedback that I've seen from one of our listeners was, you know, after the guy painted his fire hydrant, he probably was upset at the idea of dogs peeing on it. Yeah. So.

Steve Gibson [00:13:06]:
And given the fact that the ground is the grass below it and in front of it is brown.

Leo Laporte [00:13:12]:
Yeah.

Steve Gibson [00:13:13]:
There may have been some urination.

Leo Laporte [00:13:15]:
Yeah, yeah. Something going on. Yeah.

Steve Gibson [00:13:18]:
So, yeah, that was. That's. I think that's the best idea. I mean, obviously if the fire department actually needed it, they'd. Some. One of the burly firemen would just grab it and toss it up in the air and get it out of the way. Presumably it's not cemented into the grass, and I mean I zoomed in and looked to see whether it could open with. Does the gate hinge? Doesn't look to me like it does.

Steve Gibson [00:13:40]:
It's just some weird like. Okay, like it's sort of like in case of fire, break glass. Right. So presumably, in case of fire, throw fence. And that's quite cute, though.

Leo Laporte [00:13:55]:
It's quite, it's a, it's a nice.

Steve Gibson [00:13:57]:
Little look, it's a statement set up.

Leo Laporte [00:13:59]:
Yeah, it's a statement. Yeah. Yes. Yeah.

Steve Gibson [00:14:02]:
The only question is what is it saying?

Leo Laporte [00:14:03]:
What is it saying is the question. Exactly.

Steve Gibson [00:14:06]:
Just keep your dog walking. Don't stop here. So, okay, so the District of Columbia's Office of the Attorney General has filed, when you hear the facts, this is a well-deserved lawsuit against the largest crypto ATM operator in the US, a company known as Athena Bitcoin. And we've talked about the problems, sort of endemic problems, with crypto ATMs. Excuse me, I have the hiccups. This lawsuit alleges, with again ample evidence, as we'll see, that the company, Athena Bitcoin, knew its Bitcoin ATMs were being used to collect funds from victims of illegal scam operations. But rather than stopping the transfers, it instead charged large hidden fees, then refused to provide victims with refunds when they were due.

Steve Gibson [00:15:12]:
So overall, the concept, you know, theoretically, the idea of a Bitcoin ATM, of having one, I think is cool, right? It serves as a real-world interface to a purely ephemeral digital currency. But we've learned that the number one enabling factor for ransomware was the emergence of cryptocurrency. One of the principal lessons to be learned broadly from the Internet is that sadly, anytime there's the freedom of anonymity, there will be abuse. So it should come as no surprise that scammers were quick to jump onto Bitcoin ATMs as the means for suckering the uninformed into all manner of online scams. We've previously touched on the problem of Bitcoin, I'm sorry, of ATM abuse, as I said, and now this lawsuit gives us a window into exactly how bad it is. What's somewhat surprising is that these Bitcoin ATMs see such low levels of non-fraudulent, which is to say, you know, legitimate use. Believe it or not, only 7% of Athena's Bitcoin ATM transactions were legitimate. Officials say that 93% of all deposits made across the seven Bitcoin ATMs which Athena operates in Washington D.C.

Steve Gibson [00:16:50]:
were the result of scams. 93% were, is, crap. It's like, you know, someone sending you email saying that, you know, your webcam was on and they saw you doing something that you don't want the world to know about. And unless you pay them, you know, go to your local Bitcoin ATM and send some money, they're going to release this to the world, that kind of nonsense. So scammers would trick victims into going to an ATM to transfer funds into the scammer's Bitcoin account. Okay, that's bad enough. But the D.C. Attorney General alleges first that Athena knew that allowing users to deposit funds into accounts they don't own would be abused for scams.

Steve Gibson [00:17:40]:
They did nothing to stop the scams beyond displaying what was obviously an ineffective warning on the ATM screens, because, you know, nobody took the warning to heart. The Attorney General's name is Brian L. Schwalb. He claims that Athena instead applied large fees. Instead of adequately warning people and making it clear that there was a high percentage, a high likelihood, of them being scammed, they charged horrendous fees. The fees, which were not visible to the customers, thus hidden, reached up to 26% of the transaction amount, which is almost a hundred times the fees practiced by Athena's competitors, which go from around 24% to as high as 3%, but not even approaching 26. As a consequence, scammed individuals were victimized essentially twice, first by the scammers themselves and then by Athena, that was riding along a 26% surcharge for the privilege of being scammed in the first place.

Steve Gibson [00:18:53]:
So the median loss per victim, meaning the number where as many people paid more than it as paid less than it, was $8,000. Meaning that half of the people scammed paid more than $8,000 and the other half paid less. I don't know what the average amount was. The victims' median age was 71. So half of the people who were being scammed were older than 71, and the scammers were deliberately, specifically targeting the less technical elderly population in Washington D.C. The Attorney General brought the lawsuit as a means of forcing Athena into compliance with anti-fraud measures and to secure financial restitution for its victims, as well as to pay financial penalties to the District of Columbia. He said, Athena knows that its machines are being used primarily by scammers, yet chooses to look the other way so it can continue to pocket sizable hidden transaction fees.

Steve Gibson [00:20:12]:
Today we're suing to get district residents to their hard earned money back and put a stop to this illegal predatory conduct before it harms anyone else.

Leo Laporte [00:20:20]:
What do they, so do you think these elderly. By the way, we're both under 71, so we're okay. But do you think that these elderly people, what did they think they were, they were going to put cash in this machine and get a solid gold Bitcoin?

Steve Gibson [00:20:36]:
What did they, I think they believed that they were going to get something, obviously, in return for giving more than $8,000. Like, you know, we know email comes in and you read it and it motivates you to take some action.

Leo Laporte [00:20:56]:
So they were, so maybe they were thinking they were gonna maybe pay a ransomware or something like that. Right.

Steve Gibson [00:21:02]:
Could have been paying a ransom. Maybe they believed that their bank was actually going to, you know, foreclose on their home, and just anything.

Leo Laporte [00:21:14]:
Yeah. And it wasn't Athena doing this, but they knew there was a reason why people were spending all this money on Bitcoin.

Steve Gibson [00:21:21]:
Well, and when the AG is able to look at the transaction history and follow the money trail, which Athena could just as easily do since they're the people running the ATMs here, and conclude that only 7%. Like, you know, like for example, what would 7% be? Etsy allows you to pay with Bitcoin to get the sofa that you want or something. I mean, so it was still a.

Leo Laporte [00:21:48]:
Bad deal because of the fees.

Steve Gibson [00:21:51]:
Right, on top of. Exactly. So the person gives them their bank transaction data and these people take an additional 26% just for, essentially, a zero-cost-to-them transaction. Their competitors are charging a quarter of a percent up to 3%. These guys are charging 26% and they're the leading ATM in the country. Which makes you wonder what they're doing everywhere else, because this is just the Washington D.C. AG that is going after them.

Leo Laporte [00:22:30]:
Yeah.

Steve Gibson [00:22:32]:
So again, we have great technology and it's good. You know, the bad guys, the scammers, they find a way to. They love to abuse it. And in this case, half of the people that were victimized were 71 years or older. So Leo, not long from now.

Leo Laporte [00:22:53]:
Get ready next year, Steve.

Steve Gibson [00:22:55]:
That's right, for me. Yeah, that's right. Okay. And speaking of ransomware, the Uvalde School District is shut down all this week following a ransomware attack. If that name sounds familiar to our listeners, that's because three years ago, in 2022, an 18-year-old former student fatally shot 19 students and two teachers, injuring 17 others. But I doubt that this ransomware attack on the district had anything to do with that. As we know, such attacks are almost always just the result of targets of opportunity.

Steve Gibson [00:23:38]:
Uvalde's cyber security was likely wanting and it was not adequately protected from, you know, someone clicking on a link that they shouldn't have. The incident impacted the district's phone system, their security cameras, their visitor management and the thermostatic controls for the schools in the district. Consequently, classes will be closed all this week while the district gets back on its feet. And I deliberately wrote in the notes, Uvalde cybersecurity was likely wanting and was not adequately protected from someone clicking on a link they shouldn't have. I don't know that's the case, but that's almost always now the way we're seeing these things happen. And I mentioned this thought before, and it's gonna be something people are going to be hearing from me going forward.

Steve Gibson [00:24:37]:
The evidence clearly shows, and I firmly believe, that the new goal for any enterprise's internal security must be to harden itself against random people inside the organization clicking on links they should not.

Leo Laporte [00:24:58]:
Yeah, the threat's coming from inside the organization, really.

Steve Gibson [00:25:01]:
That is exactly right. You know, today's podcast topic is about the tremendous lengths Apple has been forced to go to to harden their system against the inevitability of bugs in software. For a long time, the focus was on eliminating those bugs, but we've learned that's apparently never going to happen. So Apple has committed massive resources to being able to immediately terminate any process where misbehavior is detected, to protect the phone's owner. Similarly, we've talked many times about the need to train employees not to click on that link in the email that appears to be from their mom, or on that link that says they only have two days remaining before their bank account will be closed unless they respond.

Leo Laporte [00:25:55]:
Go down to that convenience store and find that Bitcoin machine. Because that's the solution.

Steve Gibson [00:26:01]:
Exactly right. Exactly right. You know, so telling employees not to click on the link is analogous to telling every coder of every piece of software on an iPhone that they may never make another mistake. In other words, you can ask, but you're not going to get it. My point is that regardless of how much training employees receive, you know you're going to have a new hire, somebody on the loading dock who missed the last training because, you know, they couldn't make it. Somebody is gonna click on a malicious link.

Steve Gibson [00:26:44]:
It's inevitable. So, similar to what Apple has finally been forced to do, the only sane recourse is for enterprises to get very, very serious about hardening their internal security against anyone who might click on anything that they receive over the Internet. Whatever it takes. I'm not suggesting it's easy, but that's the bar. That's where it is. Now, if that means implementing new VLAN network segmentation, to give up the massive convenience of having everyone being able to participate as equal peers on the same network, then so be it. That's what's going to be necessary.

Steve Gibson [00:27:30]:
Given all the evidence that we've been seeing for the last year here. All of these recent massive ShinyHunters and Salesforce compromises are showing us, as you said, Leo, that the calls are now coming from inside the house. The bad guys have clearly located our Achilles heel and it is us. So my message to our listeners who are in charge of such things is that if results are what matter, rather than feel-good but ultimately failure-prone measures, it's no longer sufficient to rely upon, quote, adequate training, unquote, of every single last employee. There is no such thing as adequate training. You know, and of course you have to include the bosses too, because they're just probably more prone, and they're arrogant.

Leo Laporte [00:28:22]:
They don't need it.

Steve Gibson [00:28:23]:
I'm the boss. I don't need that. Exactly. I can click any link I want. That's right. Anyway, we've tried that, right? We've tried the training. It didn't work. So the only thing that will work is seriously thinking about arranging to make clicking on malicious links safe.

Steve Gibson [00:28:43]:
That is the next frontier for internal enterprise security. We need to figure out how to do that.

Leo Laporte [00:28:50]:
Do you think that's doable?

Steve Gibson [00:28:55]:
Again, it's. Yes, I would say it is. But I'm not a person, you know, a CISO inside of an enterprise who needs to figure out how Marge can print. Right. You know, Marge needs a way to print, but Marge also needs her computer to, if the computer is malicious through no fault of hers, it can't hurt the enterprise, even though it has some privileges on the network, which Marge needs in order to do her job. I know it's not easy, and it probably requires rethinking the boundaries of trust that exist.

Steve Gibson [00:29:42]:
The easy way to establish an enterprise is just to hook everybody up. That's what Microsoft did when the Internet happened. They put all Windows 95 machines on the Internet. How'd that work? Yikes. There was no firewall, and I created ShieldsUP, which greeted people by name when they came to my website, because I was able to get the name of them and their computer, and it was a wake-up call. So we know that change is hard, but I think if CISOs continue to imagine that training is the solution, they will continue. Enterprises will continue to fall to ransomware and to data exfiltration and all the embarrassment that follows from that. The solution is to recognize that internal networks now need to be hardened against their own employees, not because they're malicious, but because the links they may click on could be.

Leo Laporte [00:30:49]:
Wow.

Steve Gibson [00:30:50]:
Yeah. I mean, it is a different scale, but that's where we are today. And so I just wanted to clearly throw the gauntlet down. I think any rational examination of the types of exploits and problems we've seen for the last year would cause anyone to reach that conclusion. It's, you know, sorry, but training isn't going to cut it. People are, I mean, just. And again, the problem is that the challenge is so difficult because it's the weakest link process in security. Security has to be perfect.

Steve Gibson [00:31:34]:
So every single person in an organization has to never even once click a bad link. One mistake is all it takes. And so the only way to protect against one mistake is to figure out how to create an internal organization of privilege such that, for a computer, an employee's computer, that falls to malware, the damage it can do is minimal. If it allows a bad guy to get into it, they're frustrated, they can't do anything. And that is just not the case in today's enterprise.

Leo Laporte [00:32:22]:
Houston, we have a problem.

Steve Gibson [00:32:24]:
And speaking of clicking on a bad link, I wanted to touch on just one more recent ransomware attack, because of its consequences, which were somewhat unique and interesting. More than two weeks ago, Jaguar Land Rover's automotive production lines were ground to a halt due to a ransomware attack. And today all production remains halted. The company has said that it expects that at least 3 of its production lines beyond may be able to resume operation later this week. But here's the interesting bit. According to the BBC, several of Jaguar's smaller suppliers are now facing bankruptcy due to the prolonged production shortage by Jaguar.

Steve Gibson [00:33:20]:
So talk about a supply chain attack. The loss to Jaguar themselves is estimated to end up being between 50 and 100 million pounds since the attack. But the ripple effects of the incident are revealing it to be perhaps one of the most significant, as in the worst, cyber attacks in Britain's history. It's expected to affect Britain's national economic growth stats. It's so bad. So, wow, wow. I don't know what the deal is with Jaguar and their cyber security, why all of their production lines are down. Obviously they weren't, they know they weren't, set up to be resilient from an attack, and an attack has, you know, hit them hard.

Steve Gibson [00:34:12]:
But interestingly enough, it's also hit hard their suppliers, who apparently didn't have any margin, any operating margin, to fall back on when Jaguar stopped ordering things from them and stopped paying their bills. I'm sure that what's happened is that Jaguar's accounting systems were taken out too, so they don't have any payables operation in place. They can't pay their suppliers because they don't know who owes them what. I mean, it's a mess.

Leo Laporte [00:34:46]:
That's. Yeah. Why would it take three weeks to fix? Oh my God.

Steve Gibson [00:34:53]:
Again, I have no visibility into their operations, but it doesn't look good. Okay, so it's impossible for us to know what's actually going on here, but that hybrid group that was calling itself, right, named itself, the Scattered Lapsus Hunters, remember, that was composed of individuals from ShinyHunters, Scattered Spider and Lapsus. Remember that? They were the ones who threatened Google, saying that they had to terminate two of their Threat Intelligence Group employees or else. Well, they posted a rambling goodbye note, referring to their attack on Jaguar, by the way, and four moderate intrusions into Google. Now, I would normally post a, I would share with our listeners a rambling goodbye note, but this one was so rambling it didn't even clear that bar. I'm not going to bother because, I mean, this is just.

Steve Gibson [00:36:01]:
It was all over the place, and as is so often the case with these sorts of things, we're almost certainly never going to know what really happened here. Why was it that after they threatened Google with, like, dire consequences, they suddenly say, okay, goodbye? Okay, maybe Google did not take that lying down. And remember, last week we were saying we hoped they would not. But we've been covering the consequences of this group's actions, which, you know, while not really qualifying as a reign of terror, Jaguar might disagree, did at least certainly put this group squarely on the map. It might just be that they ran dry of targets of opportunity which they had previously acquired. Remember, they were the ones who were leveraging all of these attacks against Salesforce. Or perhaps some counter cyber intelligence managed to penetrate their ranks to convince them to stand down. Whatever the case is, I wanted to keep our listeners current with the news that they had formally said goodbye.

Steve Gibson [00:37:13]:
So we'll see what happens next. I have no idea what's going to happen. Except, Leo, I do know one thing. We're going to take a pause for.

Leo Laporte [00:37:25]:
Our next sponsor, or as they say, station identification.

Steve Gibson [00:37:31]:
Yes, indeed.

Leo Laporte [00:37:31]:
And our sponsor this week... oh, wait a minute, let me turn on my camera so you can hear me and see me talk about Vanta. This is the show where we like to talk about security solutions, and this is a security solution you might be interested in. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there must be something more efficient than spreadsheets and screenshots and all-manual processes, you're right. GRC can be so much easier, all while strengthening your security posture and actually driving revenue for your business.

Leo Laporte [00:38:20]:
Vanta's Trust Management platform automates key areas of your GRC program, including compliance, internal and third-party risk, and customer trust, and streamlines the way you gather and manage information. And the impact is real. A recent IDC analysis found that compliance teams using Vanta are 129% more productive, so you get more time and energy to focus on strengthening your security posture and scaling your business. Vanta GRC: how much easier trust can be. Visit vanta.com/securitynow to sign up today for a free demo. That's V-A-N-T-A dot com slash SecurityNow. We thank you so much for supporting Steve and the work he's doing here on Security Now. Back to you.

Steve Gibson [00:39:12]:
Okay, so many of the governments within the European Union have by no means given up on legislation to obtain some sort of access to or control of privately encrypted interpersonal messaging among its member citizens. But there is some disunion evidenced in news from last Wednesday posted by the German government, which indicated that Germany will have none of that, period. They wrote: September 10, 2025, Berlin, from the Digital Affairs and State Modernization Committee. They posted: The Digital Affairs Committee met Wednesday afternoon to discuss the status of the CSAM (of course, we all know what that is, child sexual abuse material) regulation, publicly known under the term "chat control". Its purpose is to combat sexual violence against children and adolescents online. For over three years, various proposals have been under discussion at the EU level to require providers of messaging and hosting services to detect material related to online sexual child abuse. An agreement has not yet been reached, as a representative of the Federal Interior Ministry reported to the members of Parliament.

Steve Gibson [00:40:37]:
The Danish presidency of the Council, in office since early July, is treating the matter as a high priority, meaning it hasn't been dropped by any means. They said a unified legal basis across the EU is urgently needed. Given that the current situation is worrying, it is clear that private, confidential communication must remain private. At the same time, there is an obligation to take action against child abuse online. A representative from the Federal Ministry of Justice pointed out that the matter involves very severe intrusions into privacy, leaving open the question of how deep those intrusions are. He also pointed to the strict limits that have already been made clear in EU Court of Justice case law on data retention, and emphasized that a regulation is needed which will stand legal scrutiny. Okay. Whoops.

Steve Gibson [00:41:42]:
In other words, the EU already has strong existing law that would make what chat control wants to accomplish illegal under their own law. The article finished, writing: In their questions, MPs asked about the joint position of the federal government, the criticism from civil society about the regulation, and the further process in the negotiations. The representative from the Interior Ministry explained that the Danish position could not be supported 100%. For example, Germany is opposed to breaking encryption. The goal is to produce a unified compromise proposal, also to prevent an interim regulation from lapsing. So Germany has just said no. They're not. They're opposed to breaking encryption.

Steve Gibson [00:42:38]:
Sorry. So this has all the earmarks of being a very heavy lift. This chat control dream of theirs is still facing very stiff headwinds. I don't know what it means for Germany to declare that it's a firm no vote, but the EU's existing personal privacy laws would need to be changed for chat control to be legal even in the EU that wants it. So lots has to happen first. It's a mess and, you know, who knows what the answer is going to end up being. But maybe governments will go round and round, Leo, for a while and then just end up saying, well, we'll just have to, you know, make better use of the provisions that we have, which is, you know, what the people who absolutely want no exception to privacy and encryption of messaging say is the right course of action.

Leo Laporte [00:43:39]:
I think it's telling that even within the EU, countries can't agree. Like, some, right, some want it, some don't want it. Some say you can't do this. Some say we have to do this. If they can't agree... of course we know that even inside the NSA there's no agreement. So I don't... This is one of those things where the people who say, look, there's no way you can break encryption for some people without breaking it for all people, are not necessarily widely understood. I mean, that seems like a notion that other people don't understand, and maybe we need to work harder to get that through to them.

Steve Gibson [00:44:13]:
Well, and then we also have the issue of communicating with anyone in the EU from outside the EU. That presumably means that your messaging will be decrypted too.

Leo Laporte [00:44:24]:
Oh, yeah, yeah.

Steve Gibson [00:44:26]:
Much like the UK say we want.

Leo Laporte [00:44:28]:
To be able to.

Steve Gibson [00:44:29]:
Everybody's, you know, one way that do.

Leo Laporte [00:44:34]:
One thing that often brings this home to them is pointing out that, yeah, okay, well, so we're going to break encryption for those people, but it will also break it for you, you know, that you won't have private communications anymore either. And often that stops legislators cold.

Steve Gibson [00:44:49]:
They go, oh, right, you mean the government is not going to be an exception?

Leo Laporte [00:44:54]:
We don't have privacy. They think they do. That's the problem. Oh, no, we got ways.

Steve Gibson [00:44:59]:
They want it forever. You know, they want to be able to check everybody else's messages. Privacy for me, not for thee. Yeah, right. It turns out that even when there are many Western models to follow, launching a new secure messaging service from scratch is not a slam dunk. The news out of Russia is that hackers immediately began selling hacked accounts for Russia's Max messenger for prices up to US$250, or access to accounts can be rented by the hour.

Leo Laporte [00:45:39]:
This is for the encrypted chat that the Russian government is forcing phone manufacturers to put on the phones in lieu of everything else.

Steve Gibson [00:45:48]:
Exactly. And blocking the alternatives in order to force their citizenry right over. I mean, we've heard from some of our Russian listeners who are saying, yeah, this is so that we're forced to use Max. That's the reason, you know, Google's group messaging and Google's conferencing are being blocked now. So, working to combat this abuse, of course they're not taking it lying down either. Russian officials say they've already blocked more than 67,000 accounts for suspicious activity such as spam, sharing malicious files and, you know, the whole rigmarole.

Steve Gibson [00:46:29]:
Looks like the Kremlin and our favorite agency, Roskomnadzor, are going to have their hands full dealing with the consequences of their own messaging service, which they said they wanted, so it couldn't happen to a nicer bunch. As I said, even though they've got Western models to follow, still not an easy thing to do. Yeah, Samsung recently patched a zero-day, their own zero-day, CVE-2025-21043, which they rated as critical in the Android OS version that ships with the Samsung devices. The vulnerability was discovered in Android's libimagecodec.quram.so file. Now, I didn't dig in to see whether it may have been similar to what Apple recently patched.

Steve Gibson [00:47:26]:
That is, whether that was also having to do with decoding the Adobe DNG file format. But like the recently patched Apple vulnerability, this one also formed part of an exploit chain that targeted WhatsApp users. So whether WhatsApp was on Apple, where it was using, we know, that Adobe DNG image decompression flaw, or whether it was on a Samsung phone using Android OS, there was some flaw in the image codec which was chained with the WhatsApp flaw that allowed spyware to be installed onto the users of WhatsApp for Samsung, presumably broader for Android OS. So at least on the Apple side, we will see by the end of this podcast why that would not have worked if what they have now released with this new hardware was already in place. While I was assembling today's show notes, I was reminded that there's all the difference in the world between a casual mistake made by an employee who clicks on a malicious link they receive and an employee on the inside who wishes to maliciously attack their own employer. You know, that's a higher bar than an "oops, I clicked the wrong link."

Steve Gibson [00:49:02]:
An article from the UK's privacy watchdog is what reminded me of this difference. They found and reported that UK students are increasingly behind the hacks of their own schools. Okay, insider hacks, right, because, you know, the student is on the school's network and is able to sneak around. The UK Information Commissioner's Office, the ICO, says it studied 215 insider-caused breaches within the UK educational sector between 2022 and the middle of last year, 2024, and found that students, to no one's surprise, were behind 57%. So not, you know, by no means all, it wasn't 97%, but more than half, 57%, of all intrusions. So certainly there are still external actors trying to get in. And where a stolen password was used to breach a school system, students were involved in almost all cases, 97%. So virtually all stolen passwords were student-based. The underlying motives were cited as being dares, notoriety, a little bit of financial gain, revenge and rivalries. In other words, basically, you know, "because it's possible to do it" sorts of hijinks.

Steve Gibson [00:50:38]:
Breaches were blamed on staff leaving devices unattended, students being allowed to use staff devices, incorrect permissions. Yeah, hijinks. Yes, there's some hijinks.

Leo Laporte [00:50:50]:
Oh, you kids. You rascals, you little rascals, you.

Steve Gibson [00:50:56]:
That's right. Incorrect permissions on school resources and, in some, though rare, 5% of the cases, on students using sophisticated techniques to bypass security and network controls. So maybe we have some listeners among the students in the UK who are a little more sophisticated. After researching those 215 insider, student-caused breaches, the Information Commissioner's Office reached two conclusions. The first one was that an early familiarization with hacking might lead kids down the wrong path and serve as a gateway to a life of cybercrime. Okay, hold on. I remember being that age, and I was notorious for all manner of hijinks. Of course, the adventure of the Portable Dog Killer, to name one.

Steve Gibson [00:51:50]:
But I think it would be a stretch to imagine that some high schooler's success at guessing a teacher's password, or perhaps looking underneath the keyboard for it written down on a Post-it note, would lead to a life of cybercrime. You know, after all, everyone is an insider within their own family's home, where there are plenty of tantalizing hacking opportunities. So, you know, one school, I would say, is just another of many. The second conclusion the ICO reached was that the responsibility for much of their students' hacking successes lay at the feet of the schools' administrators, who repeatedly failed to properly and adequately secure their own networks. And of course, writing one's password on a Post-it note under the keyboard is never a good idea. In conclusion, the ICO urged schools to, quote, "remove the temptation from their students," unquote, by taking steps to improve their own cybersecurity and data protection practices. So yes, you are trying to herd a wild bunch of, you know, cyber-enabled kids. You know, do yourself a favor by locking the gate, if that's what you're trying to do, and not allowing them to see what's on the other side because, oh, that might lead them to a life that they regret. Okay, I don't think so.

Steve Gibson [00:53:24]:
I think they're just having some fun, you know, accepting a dare and so forth. It's never a good sign when a security-aware bug bounty company such as HackerOne, one of the leading bug bounty companies, we've talked about them often, themselves gets hacked. But this really wasn't on them. The blast radius of the recent Salesloft Drift supply chain attack has been wide and deep, and HackerOne was another entity that got caught up in it. They first posted about this shortly after it happened, back at the end of August, August 28th, so like three weeks ago. They wrote: Recently, hundreds (and that's true) of companies have been responding to an attack that resulted in unauthorized access to Salesforce records connected to the Drift from Salesloft application (I'll talk about what that is in a second), they said, a situation detailed in reports from Mandiant and others.

Steve Gibson [00:54:38]:
As part of our commitment, writes HackerOne, to transparency, trust and our company's value of default to disclosure, we're writing to confirm that HackerOne is among the companies impacted by this incident. So, okay, they're trying to obscure themselves a little bit by being among the herd, and it's like, well, we're just one of hundreds. Okay. Anyway, they said: Our security team received notice of the potential compromise from Salesforce on Friday, August 22, and this was confirmed by Salesloft on August 23. HackerOne's security team immediately initiated incident response procedures, working in partnership with Salesforce and Salesloft to assess the scope and impact of this incident. HackerOne's investigation is ongoing, but we can confirm that a subset of our records in our Salesforce instance was accessed via a compromise of the Drift application. Due to HackerOne's strict policies and controls governing data segmentation, we have no reason to suspect that the incident impacted or exposed any customer vulnerability data.

Steve Gibson [00:55:54]:
We're continuing to conduct forensics on the records that were accessed and will communicate directly with any impacted customers as appropriate. Okay, so that's everything we would want and hope to see in a breach disclosure: a straightforward reporting of the event with a promise to follow up when anything more is learned. And that follow-up was posted last Thursday, which is why it came back to my attention. Last Thursday they wrote: HackerOne continues to investigate the recent Salesloft Drift incident, and we are posting here to update you on the status of our investigation as well as provide additional information we're able to share at this time based on the information we have to date. A subset of HackerOne's Salesforce data was accessed via the Drift application on August 13 and August 18. Both the dates and the indicators of compromise are consistent with what Salesloft has reported, which can be found at trust.salesloft.com. And don't bother going looking, because it's just marketing spiel.

Steve Gibson [00:57:02]:
They said: We can confirm that all Salesloft Drift connectors are currently offline, and as a precaution we have rotated all relevant API and service credentials. Due to (and I'm going to explain what this terminology here means in a second) due to HackerOne's strict policies and controls governing data segmentation, we have no reason to suspect that the incident impacted or exposed any customer vulnerability data, nor have we found any indication of lateral movement. That's all good. We understand that you may still have questions about this incident, and we appreciate your patience as we continue our investigation. HackerOne has engaged a third-party forensics firm to assist us to ascertain what records were accessed, and we will communicate directly with impacted customers as appropriate. So basically they're saying, yes, we were caught up in this. We've verified that our network was penetrated, but we have an architecture...

Steve Gibson [00:58:05]:
Now, this is similar to what I was suggesting ought to be the standard going forward, where segmentation, you know, network segmentation, where network segments (I was trying to find another word, but there it is) are isolated from one another by purpose, so that unless it's actually necessary for some API or individual to have access to some specific set of data, there is no physical access. That's what prevents any damaging lateral movement. We're always now talking about lateral movement: how you get in somewhere and then you move laterally in a network to some other location, and then from there you're able to get access you didn't have from where you began. That's what needs to be contained.

Steve Gibson [00:59:04]:
So I usually try to find some lesson for us to take away from incidents that we cover, like all of this. The problem is today's modern model of outsourcing services and interconnecting separate enterprises' automated systems with persistent authentication, which is what happened here, inherently brings a risk which we are, and have been, seeing play out. One of the recent trends I'm sure everyone listening to this podcast has encountered is the increasing, at least for me, annoying use of automated conversational AI chat windows that increasingly appear, typically in the lower right corner of a website. You know, I have yet to find engaging with one of those annoyances to be fruitful. You know, if you've encountered one of those, it may have been courtesy of Salesloft Drift, since that's what their technology does, and that's been the root cause of all of this pain. Salesloft Drift describes themselves as, quote, "a conversational AI chat lead qualification component of the Salesloft platform. It's built on or integrates the Drift chat AI agent that engages website visitors in real time, qualifies leads, routes them to the sales team via workflows like Rhythm and helps convert them into pipeline," unquote.

Steve Gibson [01:00:55]:
Okay, I don't want to be converted into pipeline, whatever the heck that means. All I want to know is whatever happened to that end table that we ordered? But that information is not available through the chatty chatbot. In order to integrate with its client enterprise customers, this Salesloft Drift AI chat thing needs to have access into its customers' networks. Consequently, when Salesloft Drift is hacked, all of its many customers' networks then suffer their own respective breaches, as the hackers of the company to which they have outsourced this service obtain the credentials that allow access into every one of those enterprises' internal networks. It's an inherently unstable solution with an astonishing blast radius. But, you know, you get to annoy every one of your visitors by asking them, unprompted, what they need and whether there's anything they want to ask, while not ever being able to provide any answers. This, today, is what we call progress, Leo.

Leo Laporte [01:02:12]:
It's customer service, baby.

Steve Gibson [01:02:15]:
Have you seen those things? Those annoying little chatty windows in the lower right.

Leo Laporte [01:02:20]:
It's like always close.

Steve Gibson [01:02:22]:
Oh, and I finally, in frustration, once asked one of them, I said, well, here's what I want to know. And, you know, presumably it's some LLM AI thing, and I got nowhere with it. Finally I got pissed off and I said, I want to talk to a supervisor. And then it gave me a phone number to call.

Leo Laporte [01:02:40]:
So it's like, okay, that's ridiculous.

Steve Gibson [01:02:42]:
For future reference, just be upset with it and tell it you want to talk to a supervisor, give me the number.

Leo Laporte [01:02:47]:
Just stop it.

Steve Gibson [01:02:50]:
Okay, so it was a little over a year ago, in episode 975, it was May of 2024, that we last talked about students hacking their university-provided washing machines, you'll remember that, Leo, to obtain free laundry services. Now today a university campus in Amsterdam has shut down its laundry room after its five smart washing machines were hacked in July. Surprise, surprise. Like, again, that's what you would call an insider attack. Students were able to wash their clothes for free for months.

Steve Gibson [01:03:36]:
But that will be ending. That will be ending shortly.

Leo Laporte [01:03:39]:
Oh, I know.

Steve Gibson [01:03:40]:
Those five Internet-connected smart machines are being replaced with dumb washing machines that accept old-fashioned coins. Who even has coins anymore? Seems like the students are going to get what they deserve here, needing to somehow now go find coins to put in these slots. Imagine that. The university must have been confounded. Why has everyone stopped using our washing machines, where, when we go to empty the coin boxes, they're empty? Imagine that.

Steve Gibson [01:04:13]:
Now I'll confess, as I mentioned when we talked about this before, UC Berkeley also provided coin-op washing machines in pre-Internet 1973, when I happened to be there. And really, what did they expect? The machines had been placed in Ehrman Hall, which was the engineering dorm where I was. It turned out that the coin-op box that had been added as an afterthought to the machine had a sheet metal screw in the back, the removal of which created a hole through which a properly shaped length of coat hanger wire could be threaded.

Leo Laporte [01:05:03]:
And you would do anything like this?

Steve Gibson [01:05:05]:
Not that I would have ever had anything to do with that, but with a little bit of fishing around, it turned out that the lever that was normally actuated by the insertion of a quarter into the front could be tricked into believing that that had just happened. So let's just say that I never needed to bring laundry home on the weekends for my mom to wash. And...

Leo Laporte [01:05:33]:
That, my friends, that's what leads kids to hacking.

Steve Gibson [01:05:36]:
That's down the dark path.

Leo Laporte [01:05:39]:
It's the gateway drug to future hacking exploits. Wow, that's just. That's what hacking is, right? It's getting around restrictions.

Steve Gibson [01:05:50]:
I mean, it's like Wozniak and phone phreaking with a blue box that generated a 2600 Hz tone that disconnected the local line and dropped you into the long-haul network. Not that I knew anything about that.

Leo Laporte [01:06:04]:
No, of course not.

Steve Gibson [01:06:05]:
No, no, no, no, no.

Leo Laporte [01:06:06]:
Not a thing.

Steve Gibson [01:06:07]:
Just things that fascinated kids. Okay, I'm just gonna start this next piece by reading what was posted. Then I'm going to share my sadness.

Leo Laporte [01:06:20]:
Oh.

Steve Gibson [01:06:21]:
Huh. UK, London, Tuesday, last Tuesday, September 9th: FastNetMon, they wrote, today announced that it detected a record-scale distributed denial of service attack, you know, DDoS, targeting the website of a leading DDoS scrubbing vendor in Western Europe. The attack reached 1.5 billion packets per second. Not bits. These are 1.5 billion packets per second. One of the largest packet rate floods publicly disclosed.

Steve Gibson [01:07:04]:
Now, I'll just pause to say that, remember, we talked about the challenges that flooding attacks present. One is bandwidth. Just the wires are unable to carry the amount of bandwidth that's being generated. So packets overflow the incoming buffers of the routers and are being dropped. And as a consequence of that, the valid packets have a very low probability of making it through the buffer into the router. As a consequence, the valid service is denied. The other problem is that every packet that does get into a router needs to be examined for its destination.

Steve Gibson [01:07:53]:
The routing table is then used to look up which interface that packet should be sent out of. In other words, there is a per-packet routing overhead separate from just the raw bandwidth overhead. So when you're generating one and a half billion packets per second and they are all focused down onto some poor little IP address somewhere, what happens is all the routers everywhere on the globe are dealing with all of those packets, and as they are routed closer and closer to their destination through multiple router hops, the overall rate of packets skyrockets to the point where, even if the bandwidth weren't being flooded, the number of packets that needed to be examined per second no router could possibly handle. So this attack, one and a half billion packets per second, as they wrote, one of the largest packet rate floods publicly disclosed. The malicious traffic, they said, was primarily a UDP flood launched from compromised customer premise equipment, in other words, you know, CPE is the abbreviation, IoT devices and routers across, get this, more than 11,000 unique networks. Not devices, 11,000 networks worldwide. The disclosure, they said, comes only days after Cloudflare reported mitigating an 11.5 terabit per second DDoS attack.

Steve Gibson [01:09:41]:
11.5 terabits, trillion bits, per second, showing, they said, how attackers are pushing both packet and bandwidth volumes to unprecedented levels. I mean, really, it's just crazy. Pavel Odintsov, founder of FastNetMon, said, quote, "This event is part of a dangerous trend. When tens of thousands of customer premise equipment devices can be hijacked and used in coordinated packet floods of this magnitude, the risks for network operators grow exponentially. The industry must act to implement detection logic at the ISP level to stop outgoing attacks before they scale." Okay, so there, what he's talking about is, as I said, attacks originate from 11,000 networks, right? And it's the concentration, the aggregation of all of that bandwidth as it narrows down on the Internet to a single target, that causes the buffers to overrun and the routers to fail to be able to route that many packets per second. But if it were possible for all 11,000 of those source networks to never transmit the outgoing packets, then there wouldn't be the ability for the traffic to aggregate anyway.

Steve Gibson [01:11:16]:
This quote finishes saying that FastNetMon's Advanced platform is designed to handle attacks of this size using highly optimized C algorithms for real-time network visibility. FastNetMon enabled its customer to automatically detect the flood within seconds, preventing disruption to the target service. Okay, I'm not sure what highly optimized C algorithms have to do with anything, and unfortunately this Pavel guy is dreaming. We've been talking about the problem of DDoS flooding throughout the entire 20 years of this podcast. And during that time, while attacks have grown astronomically in scale, they have also become less possible to prevent. Back in the early days, spoofing source IP addresses was the order of the day. We argued at the time, correctly, that no ISP should emit any packets from their networks that contained a fraudulent source IP. So-called egress filtering could have been employed back then to nip those attacks in the bud before the traffic was given the chance to aggregate into an overwhelming flood.

Steve Gibson [01:12:43]:
That was all true then. But the only reason devices back then were spoofing their source IP addresses was to hide their true IP from their victims. Once you have tens of thousands of individually compromised home routers and IoT devices, hiding is no longer necessary. Who cares if the identity of some of these devices, or all of them for that matter, is known? They're scattered across the globe in faraway countries behind ISPs that will never pick up the phone. As a consequence, source IP spoofing as a requirement for packet and bandwidth flooding is far less important today than it once was. There's no way for an ISP now to know that any given outbound traffic is fraudulent, because it carries valid source IP addresses. The other factor is that it is trivial for a CDN like Cloudflare to drop all incoming, readily spoofable UDP traffic. Cloudflare doesn't need UDP traffic.

Steve Gibson [01:13:59]:
It's a web hosting provider. So what it needs is TCP traffic over ports 80 and 443. And as we noted recently, even port 80, you know, old HTTP, unencrypted instead of HTTPS, port 80 is now falling by the wayside too. So now the name of the game is connection flooding. And connection flooding needs the TCP protocol with round-trip packets, and round-trip packets prohibit the use of any spoofing. And of course, now, who cares, when today's massive bot networks have tens of thousands of individually throwaway agents? We don't care what their IP addresses are. Nobody will ever contact the people who are in control of them, or their ISPs, or their ISPs' ISPs.

Steve Gibson [01:15:01]:
One of the earliest things we talked about on this podcast, during our How the Internet Works series, was the brilliant, genius invention of the idea of opportunistic packet routing. By completely dropping the idea, just forgetting about it, that every communication packet needed to get through the network with 100% reliability, the brilliant designers of the Internet invented an incredibly elegant solution for the ages. There's just one problem with it. To this day, and probably forevermore, that incredibly elegant system is utterly and completely vulnerable to packet generation abuse. And there is no way to fix it. None. This astonishing global network which we have is there. It's in place so that anyone anywhere can send a packet to anyone else, anywhere else.

Steve Gibson [01:16:08]:
Unfortunately, there is nothing to prevent bad guys with thousands of remotely scattered devices under their control, all sending as much packet traffic as they can to anyone they choose. The result of this is that frequently targeted companies are choosing to hide behind the growing number of companies who are able to provide comprehensive DDoS protection thanks to having many points of Internet presence themselves, their own massive network bandwidth which is able to absorb these attacks, and the automation in place to block incoming attack traffic once it's been identified. It's not an ideal solution, but I suppose it's the price we pay for a system that otherwise works so incredibly well. And, Leo, you know the other system that works incredibly well?

Leo Laporte [01:17:02]:
You mean the system where we do ads to pay for all of this, and you drink more, and I get to have... I like that system. We're going to take a little break. We'll have more of Security Now in just a moment. We're talking about how you can solve the problem. You know, obviously training is not enough, of employees having, you know, unlimited access to everything on the network. Well, there is a solution out there. It's called Zero Trust. This episode of Security Now brought to you by ThreatLocker.

Leo Laporte [01:17:35]:
You know, ransomware is harming businesses and schools and I mean everybody worldwide. It happens through phishing emails, infected downloads, malicious websites, RDP exploits. That link that no one should be clicking. Don't you be the next victim. ThreatLocker's Zero Trust Platform takes a proactive and, this is the key, three words, deny by default approach that blocks every unauthorized action, protecting you from both known and unknown threats and that employee who keeps clicking those links. Trusted by global enterprises, companies that can't afford to go down for one minute, let alone three weeks. JetBlue, for instance, infrastructures like the Port of Vancouver, they both use ThreatLocker. ThreatLocker shields them and you from zero day exploits and supply chain attacks while providing complete audit trails for compliance.

Leo Laporte [01:18:35]:
ThreatLocker's innovative ring fencing technology isolates critical applications from weaponization, stopping ransomware and limiting lateral movement within your network. ThreatLocker works across all industries. It supports Mac and PC environments, provides 24/7 US-based support. Really good support, not that you're going to need it. It's so easy to use and it enables comprehensive visibility and control. So ask Mark Tolson. He's got a tough job. He's the IT Director for the city of Champaign, Illinois.

Leo Laporte [01:19:11]:
Imagine that's one of those jobs where you have to be perfect. The bad guys just wait. You have to be perfect. He says, quote, "ThreatLocker provides the extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing that ThreatLocker will stop that." Stop worrying about cyber threats. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com/twit to get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance at the same time.

Leo Laporte [01:19:50]:
That's threatlocker.com/twit. Thank them so much for their support of Security Now. Good work Steve's doing here. All right, on we go.

Steve Gibson [01:20:02]:
Okay, so Bluesky is going to implement conditional age verification for South Dakota and Wyoming as age verification requirements continue to evolve. We got an update last Wednesday from Bluesky. Recall that the last time we talked about them, they were going to, and did, go completely dark in Mississippi due to Mississippi's all or nothing age verification law. After the first two paragraphs of Bluesky's posting, which didn't really say anything, it was just, you know, marketing spiel, they said: In the UK we complied with a new law that requires platforms to restrict children from accessing adult content. In Mississippi, the law requires us to restrict access to the site for every unverified user. That's the difference, they said. To implement this change we would have had to invest substantial resources in a solution that we believe limits free speech and disproportionately harms smaller platforms. We chose not to offer our service there at this time while legal challenges continue. Right, like why invest in this if the law is going to get changed or overthrown? They said.

Steve Gibson [01:21:28]:
South Dakota and Wyoming have also passed online safety laws that impose requirements on services like ours. These are very similar to the requirements of the UK Online Safety Act. So as we did in the UK, we'll enable Kids Web Services, which they abbreviate KWS, age verification solution for users in these states. Through KWS, Bluesky users in South Dakota and Wyoming can choose from multiple methods to verify their age. But the important part is you don't have to unless you're trying to access adult content. So all users can still remain anonymous unless they are trying to access age restricted content. That's what Mississippi did not do. They said: We believe this approach currently strikes the right balance.

Steve Gibson [01:22:26]:
Bluesky will remain available to users in these states and we will not need to restrict the app for everyone. We're committed to keeping our community informed as we navigate these new regulations. As more states and countries adopt similar requirements, we'll update this blog post accordingly. So again, just to be clear, the difference between Mississippi, South Dakota and Wyoming is that the more sane laws passed in South Dakota and Wyoming only require age verification before their citizens are allowed to access adult content as opposed to all social media content. That's what's similar to what the UK has done. Following that, you know, that tragic Mississippi suicide of the young man who was catfished on Instagram, the state of Mississippi has effectively declared war on all social media, regardless of its content. While First Amendment lawsuits are flying, Bluesky decided to just back out of Mississippi until the dust settles.

Steve Gibson [01:23:33]:
What would be good is if Mississippi were to align themselves with South Dakota and Wyoming and just say, okay, it's just the adult content. But you know, it depends what you.

Leo Laporte [01:23:45]:
Define as adult content though. That's the problem. And that's where these legislators are much broader than you and I might expect when they call stuff adult content.

Steve Gibson [01:23:55]:
And unfortunately, as we know, our U.S. Supreme Court did not make this fight any easier because they said we don't think it is a First Amendment compromise to require people to provide proof of their age.

Leo Laporte [01:24:10]:
Right.

Steve Gibson [01:24:10]:
Well, I mean you, that's a huge privacy compromise right now. We have no system that allows you to do that without divulging who you are.

Leo Laporte [01:24:20]:
Guess who's the latest? ChatGPT says it's going to attempt to guess your age.

Steve Gibson [01:24:26]:
Oh my God.

Leo Laporte [01:24:27]:
And if it can't guess that you're over 18, it's going to ask for verification.

Steve Gibson [01:24:32]:
Wow.

Leo Laporte [01:24:32]:
This in the wave of lawsuits after teen self-harm stories blaming ChatGPT, they're going to create a ChatGPT for kids. So if it thinks you're under 18, it's going to shift you over to that. And if it's not sure, it's going to say, okay, you need to give me some ID. And that's again hugely problematic. I asked ChatGPT, it says, well, I know you're 68, you told me. But it believed it. And that's the point, is it? It assigned me an age based on what I had told it in a prompt. So this seems like this might be easy to get.

Steve Gibson [01:25:14]:
Well, and I'm sure it knows who I am. It knows me, my email address, it knows my account, if you can go check, I'm all over the Internet. So it, you know, it knows what day, what my birthday was. It doesn't have to guess that. The big problem, I mean I don't, for example, I'm a big ChatGPT user. I don't have a problem, you know, disclosing who I am to ChatGPT. The but you know, the dicey thing are for example, porn sites where people are going to be very self conscious about, you know, de-anonymizing my.

Steve Gibson [01:25:52]:
Themselves there. And that's what. The. What, what the. Well, in fact we're about to talk about that because the UK is really going overboard here. This next story I have the. Speaking of the UK, they're on the warpath following their July 25th passage of the new age check requirements. And that's what we were talking about on the Online Safety Act which, which talks specifically about adult content.

Steve Gibson [01:26:21]:
Only a week after its passage, they announced that they had launched investigations into the compliance of four companies which collectively run 34 pornography websites to verify that they were now using, quote, highly effective age assurance, unquote, to prevent children from accessing that content. At the time they said that these 34 new cases added to Ofcom's, that's the office in the UK that does this, to Ofcom's 11 investigations that were already in progress into 4chan, an online suicide forum, seven file sharing services and another pair of porn publishers. They concluded by saying that they expected to be making further enforcement announcements in the coming weeks and months, which just happened last Thursday with their apparently proud announcement that another 22 porn sites were now being investigated to verify the effectiveness of their age verification measures. So as I started to say, it's one thing to need to show your ID in order to pick up a medication prescription or before purchasing alcohol, but it's obviously a far more sensitive matter, a personally sensitive matter, to need to produce an ID in order to obtain access to online content that is, to say the least, controversial and probably extremely embarrassing. So it's hardly any surprise to learn that the traffic of the websites that are requiring such proof of age has dropped precipitously and significantly. And Leo, somewhere I saw, and when I went back to look for it I couldn't find it, but they were actually targeting sites whose traffic had increased since their legislation because we knew that people were being driven to the sites that did not require age verification.

Leo Laporte [01:28:35]:
Yes.

Steve Gibson [01:28:36]:
And away from the sites that were. This is just a mess. You know, I'm glad Stina is on this because I mean, you know, she's a bulldozer and she's gonna, if she's working with the World Wide Web Consortium and has the, and has a non profit set up and they are 100, dare I say laser focused or laser aimed at, at this problem. You know, we need a solution and we need it yesterday.

Leo Laporte [01:29:08]:
Stina Svalbard, who is the CEO of Yubico and a friend of the show, and of course the YubiKey is a number one solution for hardware authentication. So she's working on some sort of ID, privacy forward ID solution.

Steve Gibson [01:29:24]:
Yes, she has established a nonprofit. She won, she just won a big award as like Sweden's number one entrepreneur innovator award. Deal.

Leo Laporte [01:29:37]:
Nice.

Steve Gibson [01:29:37]:
And, and, and know. I mean so she's really. And, and since I knew her, I mean we had, we. She used to come down because I. What's the big gaming company down here?

Leo Laporte [01:29:52]:
Zynga, World of Warcraft. Oh, Blizzard.

Steve Gibson [01:29:55]:
Yeah, Blizzard is down here and she was providing their identity solutions and so we would meet at Starbucks and spend a morning, you know, talking about, you know, all this stuff.

Leo Laporte [01:30:08]:
Let me correct by the way, I gave the wrong call her Stina Svalbard. She's Stina Ehrensvard. Correct that yes. Svalbard is the city close to the Arctic Circle. It's a different place entirely.

Steve Gibson [01:30:22]:
Yeah. Anyway, so, so this has been a thing for her and a few months ago I sent a note just saying Stina, I hope somebody is doing is like looking at age verification because we need a privacy forward age verification system where all it does is it challenges you for an. Are you at least this old and you just get a go, no go reply from you know, from a system that cannot be spoofed that is biometrically locked, you know that that provides the things we need. So that. Anyway, so she says yes, I have a non profit that's doing that right now.

Leo Laporte [01:31:04]:
Good, good, that's exciting.

Steve Gibson [01:31:07]:
Yeah, it is.

Leo Laporte [01:31:08]:
I will be see with interest. We'll talk to her when it comes out.

Steve Gibson [01:31:13]:
Okay. We've talked about GPC, the Global Privacy Control, which as we know it's just an, talk about no go, go no go. It's a signal reminiscent of its predecessor DNT, Do Not Track. And of course, much as I was for DNT, it never got off the ground since without enforcement it means absolutely nothing. You know, you got to sue some people in order to get the industry's attention and for them to go, oh, maybe we should, you know, take this seriously. But on the enforcement front, GPC may have a brighter future. The news is that state attorneys general from California, Colorado and Connecticut, three Cs. We've seen these three get together before.

Steve Gibson [01:32:01]:
Colorado, California and Connecticut, they've announced a joint investigation into companies refusing to comply with Global Privacy Control, which is now a law. Data trackers that refuse to honor the GPC signal are in violation of recently passed state privacy laws. Seven other US states also require companies to honor GPC, but they've not joined the enforcement action. They may not need to, or maybe we'll make it 10 companies, or 10 states. Anyway, this is great news since, as I noted, without any enforcement the law means nothing and will likely suffer the same fate as befell DNT. There's hope here because, you know, certainly California is serious about its privacy laws and if it's got, what was it, 499 registered data trackers. If California investigates and finds they're not honoring it, they're going to just get kicked out of California. So yay for enforcement.

Steve Gibson [01:33:12]:
Listener Feedback. Michael Buck wrote: Hi Steve, in episode 1040 you talked about your disappointment with what you called Synology's built in NAS synchronizer. He said, I'm not sure you gave your listeners a fair review of Synology's solutions. He says, I'm a Synology user and have used Synology Drive, which works like Syncthing, Box and other synchronizing tools. Like you, I have several machines that I use and like to keep files synchronized between these machines. Synology Drive was easy to set up and I've been using it for years without any problems. It keeps my files synchronized between multiple Mac and Linux machines. I also use the tool that Leo mentioned, Hyper Backup. Most Synology NAS machines have an external USB port.

Steve Gibson [01:34:03]:
My son also has a Synology and we each purchased a large USB drive and plugged them into each other's NAS USB ports. Then we each use Hyper Backup to backup our NAS machines to our own USB drives at each other's location. The data is encrypted and we don't eat up the disk space on each other's NAS. Thanks for all you do. Or thanks for all you and Leo do to provide a great podcast. Cheers, Mike, SpinRite owner and podcast listener since episode one, in Utah. That's clever, that is. Okay, so in case anyone else may have been confused by my disappointment with Synology's built in inter-NAS synchronization, I wanted to take another moment to clarify there was nothing whatsoever wrong with it.

Steve Gibson [01:34:57]:
I agree with Mike that it was quick and easy to set up, and I have a strong bias toward what we would refer to as living off the land solutions. Meaning that if Synology provides a means of keeping two of their NASes synchronized, I would be strongly inclined to assume that they know best how to do it. And again, it worked. I would have never been unhappy with it or aware that the system, at least for me, was operating in what appeared to be a far from optimal way unless I had been watching Synology Drive's massive apparent full resynchronization using SoftPerfect's wonderful free NetWorx utility, which I've spoken of before. I have that utility, NetWorx, configured to continually display the SNMP counters on my router's interface. So it is showing me not my own machine's bandwidth, but the instantaneous bandwidth usage of my entire LAN, which includes the Synology. What I witnessed to my extreme chagrin on many occasions was my network's bandwidth being pinned for a very long period of time after only updating a few files on my NAS. And when I checked the NAS's drive lights they were all flashing away like mad.

Steve Gibson [01:36:35]:
So what it appeared that updating a small collection of files was basically triggering some sort of shock and resynchronization of the entire NAS. Whenever that happened, again, everything worked, but it was certainly not a situation that I wanted to live with. The only change I then made was to shut down Synology's native synchronizer and run Syncthing natively on both NASes with them synchronizing everything on each end now using Syncthing. When I update a few files on my local NAS, for example, after rebuilding a new instance of the DNS Benchmark, after a short delay I'll notice a brief few seconds long blip of outgoing bandwidth as my local Syncthing instance sends those and only those updated files over to the other NAS. So yes, Syncthing's native synchronization works, no question about it. And it's, you know, I meant to say Synology native synchronization works. It's easy to set up and configure, but it might be worth monitoring its bandwidth usage. Or if that's not easy for you to do, just watch its drive activity lights after you've updated a bunch of files all at once and see if they just go, you know, blip for a few seconds or if it generates, you know, 45 minutes to an hour of frantic drive lighting.

Steve Gibson [01:38:17]:
Because that's what I saw. Greg Williams wrote: Hi Steve, just a few notes. Cloudflare already has significant certificate transparency monitoring, he says, although it's in preview, and gave me a link. He said no idea why they didn't use it themselves. And he said you also mentioned the 1.1.1.1 domain. That's not a domain, it's an IP address that's not owned directly by Cloudflare but APNIC, he said, see the Wikipedia article, and he gave me a pound tail on the URL which, as we know, jumps you to a section on a page. That page is titled Prior usage of the IP address. For other references to the default use of 1.1.1.1, he says, as laziness by other vendors including Cisco.

Steve Gibson [01:39:16]:
Signed, Cheers, Williams, Brisbane, Australia. Interesting. So, okay, yes. So of course first of all, Greg is 100% correct about 1.1.1.1 not being a domain. I know better. The numeral one is not a TLD, right? It's a numeral one which could never be a TLD. Since the RFC specified minimum length of any TLD is two characters, you cannot have a single character top level domain. So Greg, thank you for the correction. I also got a kick out of Greg's reference to that Wikipedia page, which suggests that it wasn't just this random CA that was using 1.1.1.1 out of laziness. Apparently Cisco and others have been found to be using it too for very much the same reason.

Steve Gibson [01:40:14]:
So thank you for that Greg. Buzz said, I've listened to the last show and as a UK citizen I can confirm that Apple's ADP is still active for those users who opted in at the start.

Leo Laporte [01:40:30]:
Good.

Steve Gibson [01:40:30]:
It is un, yeah, it is unavailable to any new users. Best regards, Buzz. And Dan Bright said: Hi Steve, regarding last week's talk about the availability of Apple's ADP in the UK, he said, I have it turned on myself and can confirm that Apple has not yet removed it from my account. Kind regards, Dan in Scotland. So anyway, Buzz and Dan's notes were echoed by other listeners who all confirmed that while it's no longer possible to enable fresh UDP, I mean ADP, you're not able to turn on Advanced Data Protection, it has not yet ever been forcibly removed from any UK based Apple user who has reported into us. So if the effect of the still inferred and presumed UK notice which was presumably sent to Apple, if that stands, then the presumption is that Apple will eventually be required to ask all UK users to please flip the switch off. Or perhaps Apple will themselves preemptively disable the feature with some future update and just inform their users that the devil made them do it. So don't know what's going to happen, but it is at least a little bit of a canary for us to get some sense for what's going on because, you know, no one's talking, annoyingly. John David Hickin wrote: I'm following the proposals to solve the problem of asserting that age of X is greater than or equal to Y, is the way he phrased it.

Steve Gibson [01:42:17]:
He said zero knowledge proofs may come in handy here, but it seems to me that there is, and he gets kind of clever here, he says there is a potential use case that deserves thinking about. If different states start to impose differing age requirements while attracting the same visitors, then web tracking across those sites may be able to refine upwards the lower limit on a person's guessed age. Huh? That's true, he said. I'm not sure if it's a real issue, but somebody will surely try to monetize it. So anyway, John's thinking is correct and clever. That is, if, using that equation, age of X is greater than or equal to Y. Well, if the Y changes as you move from state to state and you continue making that assertion and you were to follow that person as they roamed from state to state and watched whether that assertion was true or not, you would end up being able to find the, you would be able to elevate up to equality potentially where X was equal to Y.

Steve Gibson [01:43:38]:
So again, as I said, clever. The handwriting is certainly on the wall that this previous era that we have all been enjoying of free and full unfettered access to the Internet's content is rapidly drawing to a close, thanks to recent legislation in the UK.

Leo Laporte [01:44:03]:
Soon.

Steve Gibson [01:44:03]:
Coming to the EU, and already within many state jurisdictions within the United States, Internet websites, which inherently have global reach, are being required to comply with the laws which govern their visitors, which often requires that those visitors sacrifice the fully anonymous access that we've been enjoying up to this point to the requirement of an acceptable form of age verification. I haven't noted this before, but we may see safe havens for anonymous Internet access spring up in the wake of these new legal restrictions. Websites that are compelled to obey the law might geolocate their visitors and limit their age restriction enforcement to only those countries that impose these requirements, much as Bluesky is doing on a state granularity here in the US and also for the UK. Given that doing so is entirely feasible, that is, geolocating your visitor, it would seem to follow logically from country specific legal requirements. So for example, anyone coming from the UK, the EU or the US would be required to provide proof of their age. But for example, Icelandic visitors who are outside the EU and live within a society with very liberal Internet regulations might not be required to give up any identifying information. And if that were the case, it would not be a stretch to imagine commercial VPN providers deliberately establishing points of presence in Iceland and offering customers anywhere, including the UK, EU and US, the option of having their VPN traffic routed out through Icelandic locations. You know, again, this is all just technology.

Leo Laporte [01:46:07]:
It's, this is the problem with a global Internet. How do you, how do you solve these problems?

Steve Gibson [01:46:13]:
Yep.

Leo Laporte [01:46:14]:
There's no national jurisdiction that applies globally.

Steve Gibson [01:46:18]:
And you're enforcing the laws under which your visitors are under, which varies from country to country, state to state.

Leo Laporte [01:46:29]:
Ultimately though, the lowest common denominator ends up winning. Right. If people get more and more afraid of getting sued or shut down, they just kind of refer to zero free speech.

Steve Gibson [01:46:41]:
I guess as I think you correctly generalized there, there is a coalition that just wants to see all pornography outlawed on the Internet. And so, you know, I mean, it's like there's that too, you know, that's.

Leo Laporte [01:46:57]:
What some of this is. Okay.

Steve Gibson [01:46:58]:
We're just going to make it so painful that it will stop being a profitable business.

Leo Laporte [01:47:03]:
Yeah. And I think it's important, the distinction between pornography and adult content. I think there is also a fairly large constituency on the Internet that wants to control what you see, period. And is willing to call it adult content in a variety of things that others might not consider adult content. Stuff that's not pornography.

Steve Gibson [01:47:24]:
Yes. A week or two ago I read a really well written lament from someone who was just. He, he or she, I don't remember now, wrote adult, non pornographic, like. Oh yeah, I don't know if it.

Leo Laporte [01:47:44]:
Was poetry or that was erotic.

Steve Gibson [01:47:46]:
And it was. Yeah, yeah, exactly, exactly. And it was like I, you know, I'm, I'm subject to these laws now.

Leo Laporte [01:47:54]:
Right. And yeah, I think it's really a desire, a strong desire to control what you and I and everybody else can see to control the flow of information. And I think that's anti democratic in the long run. But they always use children. You know, let's protect the children as the right, as the excuse. Right, right.

Steve Gibson [01:48:15]:
And it's not that they're wrong. I mean the kid, the children.

Leo Laporte [01:48:18]:
I want to protect children.

Steve Gibson [01:48:19]:
Absolutely. Yeah, absolutely. Let's take a break and then we're going to start in on memory integrity enforcement. And I'll find a point at about two hours in another half hour to take our final break because.

Leo Laporte [01:48:35]:
Good.

Steve Gibson [01:48:35]:
We're going to spend now until the end with, as I said, get your.

Leo Laporte [01:48:40]:
Your waiter for my propeller hat.

Steve Gibson [01:48:42]:
Yeah, yeah, I don't think that's going to do it. I think you need waiters, you need to be able. We're going to get into some deep stuff here.

Leo Laporte [01:48:48]:
Oh, I love it. It's always, everybody loves it when you go that way. Let's go. We're getting in deep, kids. Hang on. Before we do though, a last moment of sanity, let's talk about our sponsor, Bitwarden. Yeah, we love Bitwarden, the trusted leader in passwords, yes, passkeys, and really in general, secrets management. Bitwarden is consistently ranked number one in user satisfaction by G2 and by SoftwareReviews.

Leo Laporte [01:49:19]:
Bitwarden now has more than 10 million users across 180 countries, over 50,000 businesses. These are people who value open source, who understand that any sort of crypto, including password managers which rely on cryptography, needs to be open source. So you can verify that it's doing what it says it does. Exactly. No more, no less. And I think open source is the one and only solution for that. So that's one of the reasons I switched to Bitwarden. The other thing I like about Bitwarden is very forward thinking.

Leo Laporte [01:49:49]:
They're always advancing what they do, what they can do. And one of the things that Bitwarden folks realized recently is there is an issue with people using AI and agentic browsers and agentic AI going out on the Internet, say to look up stuff, but also to buy stuff, because those AIs have to have your credentials, right, to buy it, your credit card, your password and that kind of thing. And so now there is a security gap. And that's why Bitwarden just launched their very own Bitwarden MCP server. Now it hasn't been packaged up, you know, the documentation is a little sparse, but it is available right now for you to see and use and examine at Bitwarden's GitHub. What does it do? Well, it enables secure integration between AI agents and credential workflows. So the idea is it's a secure, standardized way for AI agents to communicate with Bitwarden, to get your password, to keep it safe. But to log into those sites, users benefit from a local first architecture for security because the Bitwarden MCP server runs on your local machine.

Leo Laporte [01:50:59]:
So all of that secret stuff, all the client interactions are kept within the local environment, minimizing the exposure to external threats. It also integrates with the Bitwarden command line interface. That might not be important to you. I happen to love it. I use Linux and I use the CLI on Linux and I love it. Users can also opt for self hosted deployments is another thing Bitwarden is famous for as an individual user if you wish. I don't do it because I trust Bitwarden to keep my vault safe. But if you want that extra trust no one, you can self host your vault.

Leo Laporte [01:51:34]:
And now with the MCP server, you can also self host that deployment, which means you have greater control over system configuration and data residency. It never leaves your system. What is MCP? It's an open protocol for AI assistants. MCP servers enable AI systems to interact with commonly used applications that could be content repositories like GitHub, business platforms like Salesforce, developer environments, through a consistent open interface. Could even mean other AIs like, you know, Claude. So driving secure integration with agentic AI, Bitwarden's MCP server presents a foundational step towards secure agentic AI adoption.

Leo Laporte [01:52:15]:
If you think about it, it's kind of a missing piece of the puzzle. But that's not all. I mean Bitwarden is always doing important work to keep you secure, to keep you safe, to enhance its capabilities. New report just came out from Info-Tech Research Group titled Streamline Security and Protect Your Organization. This report highlights how enterprises in the Forbes Global 2000 are turning to, yes, Bitwarden to secure identity and access at scale. The report emphasizes the situation we're in now, which is growing security complexity because you've got globally distributed teams, you've got fragmented infrastructure, you've got credentials dispersed, you know, across teams, contractors, devices. Enterprises are addressing these credential management gaps and strengthening their security posture by investing in scalable enterprise grade solutions like, you got it, Bitwarden. Now it's easy to move to Bitwarden.

Leo Laporte [01:53:13]:
Steve and I did it a few years ago. Bitwarden supports importing from most password management solutions. It's actually easier than when we did it, but even then it only took a few minutes. And of course the Bitwarden open source code is regularly audited by third party experts. Anyone can look at it. You too, but they hire these experts and they publish the reports. They also meet SOC 2 Type 2, GDPR, HIPAA, CCPA requirements. They're ISO 27001/27002 certified.

Leo Laporte [01:53:44]:
Bitwarden does it right. One more thing I want to tell you about, then we'll get back to the show. It's coming up just a few days off. September 25, Bitwarden's sixth Open Source Security Summit. It is a virtual free industry event. You can register right now for it. You can attend it from anywhere, absolutely free. Go to the website opensourcesecuritysummit.com, all one word, opensourcesecuritysummit.com, to explore advancements in open source security and see how using open source tools can build trust with customers and consumers.

Leo Laporte [01:54:17]:
I think it's vital. I really do. Bitwarden is the awesomest. Get started today with a free trial for your business of a Teams or Enterprise plan. Or if you're an individual, get started for free forever across all devices. Unlimited passwords, unlimited passkeys. It supports hardware keys like the YubiKey. If you're an individual user, it's free for life at bitwarden.com/twit. Now I paid 10 bucks for the, you know, a year for the kind of premium version, but that's just because I want to support them.

Leo Laporte [01:54:48]:
You don't have to. bitwarden.com/twit. Thank you Bitwarden, for all you do, for all of us and for supporting Steve Gibson and Security Now. All right, I'm gonna massage my temples while you describe memory integrity enforcement.

Steve Gibson [01:55:04]:
Just, yes, close your eyes. Sit back. Let it just flow over you. Apple's big September 2025 product update announcement last Tuesday included a technical capability advance which garnered much less attention. But it was nevertheless, perhaps, somewhat more important in the long run for Apple's users than their decision, you know, to create, Leo, your new Cosmic Orange color for the iPhone 17.

Leo Laporte [01:55:43]:
I'm ready for Cosmic Orange. I can't wait. I'm so excited.

Steve Gibson [01:55:47]:
Under the covers of any iPhone 17, and its A19 chips, lies an advance in hardware technology that goes further than anything Apple has previously, or any company has previously, implemented to prevent coding mistakes from being leveraged into exploitable vulnerabilities that can be used against iPhone users. It's worth remembering that if today's incredibly complex code did not contain subtle mistakes, none of these extra fancy prophylactic measures would be required for security. Two weeks ago, everyone needed to update and reboot their iOS and iPadOS devices, and their Macs, for that matter, after Apple discovered that a subtle flaw in the decompression code for Adobe's DNG lossless image compression format, coupled with a registration bypass flaw in WhatsApp, was being leveraged in the wild, almost certainly by the customers of commercial spyware vendors, those customers largely being governments, to install spyware into the iDevices of highly targeted Apple users. Does this affect you and me? No. But Apple is serious about nipping all of this stuff in the bud and, you know, being able to claim that they have an utterly bulletproof platform. So were it not for the apparent impossibility of catching all mistakes before they ship, there would be no need to go to these seemingly endless lengths to protect the users of these devices from their abuse. But one of the painful lessons the industry has reluctantly acknowledged, you know, as our understanding of the nature of security has matured, is that mistakes are not disappearing. And they may never, because we're always pushing the boundaries of what's possible for us to build.

Steve Gibson [01:58:06]:
This created the concept of layered security, described as defense in depth. The idea is to, wherever possible, establish multiple, often redundant layers of protection so that the failure of any one or more layers would still leave a system's effective security intact. Furthering this apparently endless effort, last Tuesday Apple's SEAR, S-E-A-R, group, where SEAR stands for Security Engineering and Architecture Security Research, informed the world of their latest and greatest hardware-assisted technology that has been incorporated into the A19 processor chips being used by their iPhone 17 and other just-announced devices. Their blog posting was titled "Memory Integrity Enforcement: A Complete Vision for Memory Safety in Apple Devices." Okay, now I'm going to start by sharing just the first two sentences of their posting, after which we'll need to pause to catch our breath. Apple's team wrote: Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade. As I noted earlier, also commonly known as five years. That combines the unique strengths... Half a decade.

Leo Laporte [01:59:40]:
Half a decade.

Steve Gibson [01:59:41]:
That's right. That combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on, that's one of the keys, memory safety protection across our devices without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.

Leo Laporte [02:00:18]:
Okay, a long time.

Steve Gibson [02:00:20]:
At least half a decade sets the bar high. Yeah. So the reason we're here today, with this podcast, is to gain an understanding of what Apple has done to justify this claim. Their posting then continues to remind us of the nature of the threats they face and some details of their journey up to this point. I'm going to share that, interrupting to comment and elaborate where needed. They write: There has never been a successful widespread malware attack against iPhone. Okay, now that's true and it's worth remembering. Microsoft might argue that Windows, being a far more open platform compared to Apple's, which is a much more controlled environment, faces a much more daunting security challenge.

Steve Gibson [02:01:17]:
That is, Windows faces a much more daunting security challenge. But all of Microsoft's biggest problems were of their own making, with their own code. All of those early Internet worms leveraged fundamental flaws in Microsoft's IIS web server. And the many continuing problems with Microsoft's NT LAN Manager and their Remote Desktop Protocol, those were in every case enabled by Microsoft's poor coding and insecure protocol designs. Apple has objectively done a far better job, and their devices are every bit as well connected as Microsoft's. So Apple continues: The only system-level iOS attacks we observe in the wild come from mercenary spyware, which is vastly more complex than regular cybercriminal activity and consumer malware. Mercenary spyware is historically associated with state actors and uses exploit chains that cost millions of dollars to target a very small number of specific individuals and their devices. And I'll just note that what Apple is saying is, we don't care, we're gonna stop that, even though, you know, they've never really had a big problem. They wrote:

Steve Gibson [02:02:50]:
Although the vast majority of users will never be targeted in this way, these exploit chains demonstrate some of the most expensive, complex and advanced attacker capabilities at any given time and are uniquely deserving of study as we work to protect iPhone against even the most sophisticated threats known. Mercenary spyware chains used against iOS share a common denominator with those targeting Windows and Android: they exploit memory safety vulnerabilities, which are interchangeable, powerful and exist throughout the industry. Okay, that's all true, and I'll just say I may not care less how thin Apple is able to make an iPhone, but the same dogged, crazy, over-the-top passion that they show for making their phones ever thinner, a whole different group at Apple is showing the same sort of focus on, darn it, we're not going to let anything attack our devices, period. No matter how much they cost, whoever it is that wants to do it, we're just saying not here. So as I noted earlier, despite all the lessons we've learned, even, you know, recently authored code such as that Adobe DNG file decompressor continues to exhibit exploitable vulnerabilities.

Steve Gibson [02:04:28]:
So Apple writes: For Apple, improving memory safety is a broad effort that includes developing with safe languages and deploying mitigations at scale. We created Swift, an easy-to-use memory-safe language which we employ for new code and targeted component rewrites. In iOS 15 we introduced kalloc_type, a secure memory allocator for the kernel, followed in iOS 17 by its user-level counterpart, xzone malloc. These secure allocators take advantage of knowing the type or purpose of allocations so that memory can be organized in a way that makes exploiting most memory corruption vulnerabilities inherently more difficult. In 2018, we were the first in the industry to deploy pointer authentication codes (PAC) in the A12 Bionic chip to protect code flow integrity in the presence of memory corruption. The strong success of this defensive mechanism in increasing exploitation complexity left no doubt that the deep integration of software and hardware security would be key to addressing some of our greatest security challenges. It's worth noting that what they're saying is, we learned something from that A12 Bionic chip experience. They said: Then, with PAC behind us, we immediately began design and evaluation work to find the most effective way to build sophisticated memory safety capabilities right into Apple Silicon.

Steve Gibson [02:06:16]:
Okay, so to put this into perspective, the earliest efforts at building barriers around memory to protect against its misuse were implemented in software. They were useful and effective, but they turned out to fall short of being absolute. As a consequence, while the bar was meaningfully raised, this just meant that the bad guys needed to work a lot harder. You know, we talked about address space layout randomization, for example, and that in turn, with the bad guys needing to work harder, the governments needed to pay more as exploits became significantly more rarefied. Unfortunately for journalists, political activists and other targeted individuals, governments have no shortage of funds nor willingness to pay a competitive price. You know, after adding things like address space layout randomization, kernel address space layout randomization, stack cookies, reference counting and other software-based mitigations, all of which I'll note we've covered in previous years of this podcast, they were all eventually worked around by highly motivated attackers.

Steve Gibson [02:07:33]:
So the ante had been upped and it was time to start adding explicit anti-exploitation features to the underlying hardware. Apple wrote: ARM published the Memory Tagging Extension (MTE) specification in 2019. Okay, so that was six years ago. As a tool for hardware to help find memory corruption bugs, MTE is at its core a memory tagging and tag checking system where every memory allocation is tagged with a secret. It's a four-bit secret. The hardware guarantees that later requests to access memory are granted only if the request contains the correct secret. If the secrets don't match, the app crashes and the event is logged. This allows developers, again developers, to identify memory corruption bugs immediately as they occur.

Steve Gibson [02:08:42]:
Okay, so again I'm going to pause to highlight this distinction because it's important. ARM's MTE was introduced, as I said, six years ago, in 2019, with the ARMv8.5-A architecture. Its intention, design and focus was to assist developers, both the software, like debuggers, and the people during code development time when they were debugging. Running code under a debugger that would attempt to verify and validate every memory access would introduce prohibitive overhead. We'll be talking a lot about overhead in a bit. You know, everything is about overhead. So ARM's MTE was added to the ARM architecture to allow the hardware, while running at full speed, to detect instances of use-after-free and out-of-bounds accesses. And we'll explain how in a minute.

Steve Gibson [02:09:51]:
It's not possible to do this at speed without hardware assistance because you'd have to check every reference to memory and you just can't. This has to be done in the hardware. By tagging memory allocations with what were known as colors, consisting of four-bit tags, so different allocations receive different coloring, and then checking against those pointer tags at runtime, MTE was able to provide a low-overhead, always-available bug trapping mechanism in hardware. Since we're going to be talking about tagging a lot, let me clarify what's going on here. When an application running on behalf of its user, or some process in the kernel, needs the use of a block of memory, for example, it needs a buffer, some buffer space to store some incoming communications data.

Steve Gibson [02:10:52]:
The app or a kernel process makes a request of the operating system's memory management system. For decades, you know, in the past, the way this works is that a memory manager would locate some free memory, increment that memory's usage count to show that it's now in use, and then return a pointer to the requested memory to its requester. From that point on, that memory would be considered to be owned by the requesting application, and it would be free to do anything with it that it wished. Unfortunately, the required flexibility of access required that the memory's ownership not be enforced.

Steve Gibson [02:11:40]:
Any other process that knew where the memory was located could also access it. This is what the introduction of MTE changed. Under ARM's Memory Tagging Extension, the requester would receive not only a pointer to a block of memory that satisfied its request, but also that short tag, that color, a four-bit secret key that would need to be present anytime that memory was accessed. The theory was that while bad guys might be able to arrange to determine where some memory was that had recently been freed or might still be in use, requiring that they would need to determine that memory's access tag significantly raised the bar for memory access abuse. Okay, but MTE alone proved to be insufficient for Apple's needs. They wrote: We conducted a deep evaluation and research process to determine whether MTE as designed would meet our goals for hardware-assisted memory safety. Our analysis found that when employed as a real-time defensive measure, the original ARM MTE release exhibited weaknesses that were unacceptable to us, and we worked with ARM to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification released in 2022. So, three years after the 2019 release of MTE, working with Apple, ARM released a new specification, the Enhanced Memory Tagging Extension, EMTE, in 2022. They said:

Steve Gibson [02:13:43]:
More importantly, our analysis showed that while EMTE had great potential as specified, a rigorous implementation with deep hardware and operating system support could be a breakthrough that provides an extraordinary new security mechanism. They said: Consider that MTE can be configured to report memory corruption either synchronously or asynchronously. In the latter mode, memory corruption does not immediately raise an exception, leaving a race window open for attackers. We would not implement such a mechanism. We believe memory safety protections need to be strictly synchronous, on by default and working continuously. But supporting always-on synchronous MTE across key attack surfaces while preserving a great high-performance user experience is extremely demanding for hardware to support. In addition, for MTE to provide memory safety in an adversarial context, we would need to finely tune the operating system to defend the new semantics and the confidentiality of memory tags on which MTE relies. Okay, again, I'll just pause to say that MTE, remember, was designed to help developers and debuggers.

Steve Gibson [02:15:16]:
It was not meant as a proactive security measure. So this exploration that Apple talked about going on, this deep analysis, was: can we use ARM's MTE, released in ARMv8.5-A, as a security measure? And they said, unfortunately, no, it comes up short. They said: Ultimately we determined that to deliver truly best-in-class memory safety, we would carry out a massive engineering effort spanning all of Apple, including updates to Apple Silicon, our operating systems and our software frameworks. This effort, together with our highly successful secure memory allocator work, would transform MTE from a helpful debugging tool into a groundbreaking new security feature. Today we're introducing the culmination of this effort, Memory Integrity Enforcement (MIE), our comprehensive memory safety defense for Apple platforms. Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension, that's the EMTE from 2022, in synchronous mode, and supported by extensive tag confidentiality enforcement policies. Again, for use against malware, MIE is built right into Apple hardware and software in all models of iPhone 17 and iPhone Air, and offers unparalleled, always-on memory safety protection for our key attack surfaces, including the kernel, while maintaining the power and performance that users expect.

Steve Gibson [02:17:19]:
In addition, we're making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that we released earlier this year during the Worldwide Developers Conference. The rest of this post, they wrote, dives into the intensive engineering effort required to design and validate Memory Integrity Enforcement. Okay, so let's get all these abbreviations straight. Originally, to aid in debugging, ARM designed and introduced MTE in 2019. But MTE was never designed to be used in an adversarial environment. It was designed to be a debugging aid. So, for example, it was acceptable if it operated asynchronously from the code, notifying a developer of a violation sometime after the fact. That was okay because they could go back and see what had caused that.

Steve Gibson [02:18:25]:
Acceptable for a debugger, but in an adversarial setting, the damage might have already been done by the time an exception was raised. Thus Apple's need for synchronous checking. That is, the instant you try to access memory, if you shouldn't be doing it, your butt is terminated. So what they found was, after experiencing for themselves MTE's limitations, three years later in 2022 they worked closely with ARM on the development and implementation of an extension to that, EMTE, their enhanced or extended memory tagging extension. Original MTE also allowed non-tagged memory regions. That is, you know, it's like, okay, if you're not going to tag this, that's fine, you know.

Steve Gibson [02:19:21]:
For example, global or static allocations or untagged regions could be accessed without any tag checks, meaning that attackers could exploit out-of-bounds writes into such regions. EMTE addressed this by requiring access from a tagged memory region into non-tagged memory to respect the tag knowledge. This prevented untagged memory from being used as a tag bypass. Again, Apple just looked at every single aspect of this and just said, you know, no, no, no, we need to fix these things. I mean, this, to me, represents them really, really getting serious about, you know, nipping this stuff once and for all. EMTE also brings more comprehensive enforcement of tag mismatches, especially in synchronous mode, so that buffer overflows and use-after-free bugs are blocked immediately, not just signaled later or more coarsely, so much more granular control. And as I said, synchronous, meaning the instant something tries to make a fetch, if it should not be doing so, the process is terminated and an exception is logged. So there's a lot more to the improvements that EMTE brought over its predecessor, MTE.

Steve Gibson [02:20:51]:
But with their A19 ARM chips, Apple has already moved on to their next generation of even more rigorous protections. So, Leo, let's take our final break and then we're going to continue looking at what Apple has done here.

Leo Laporte [02:21:06]:
Really interesting stuff.

Steve Gibson [02:21:08]:
Yeah, this is a take-no-prisoners. We're screwed. We're through fooling around here where, you know, we have our own silicon. We are comfortable with how ARM technology works. We're going to extend this and make what they called a significant commitment in silicon in order to just end this whole class of problems.

Leo Laporte [02:21:35]:
Darren Okey asked a question, maybe it's a dumb question. He says, why don't you just wipe the memory after it's freed, zero it all out each time? But I guess this is not just what you're working with. It's overflows too, right?

Steve Gibson [02:21:50]:
So, yes, so it's overflows. And OSes do get around to zeroing memory after, exactly. And so that would introduce a huge amount of overhead, releasing a large buffer and then everything would have to stop while you overwrote it with zeros. So what happens is buffers that are released are put on a dirty chain, and then free time that the operating system has is used to go zero them and then move them over to the ready-to-allocate chain, and then all of those free memories are aggregated and consolidated. So there's a whole bunch of stuff going on behind the scenes that's actually...

Leo Laporte [02:22:34]:
Like in our house, because Lisa says I should wash dishes while I'm cooking, but I say I'm going to cook and then I'm going to wash the dishes afterwards. I think that's more efficient, personally. But, you know, yeah, I tend...

Steve Gibson [02:22:46]:
To go for the same approach.

Leo Laporte [02:22:49]:
We'll get back to this. This is really interesting, and very impressive, really, that Apple would say, you know, we're gonna... huge.

Steve Gibson [02:22:58]:
It is a huge investment.

Leo Laporte [02:23:00]:
Yeah. That's exciting. We'll find out what Apple did do to enhance MTE in just a moment. But first, a word from our sponsor, Melissa. Hi, Melissa. The trusted data quality expert since 1985. Melissa's address validation app is available for merchants in the Shopify App Store now.

Leo Laporte [02:23:21]:
Oh, this is good news. This means if you're using Shopify, you can enhance your business's fulfillment and, incidentally, keep your customers happy with Melissa. Enhanced address correction is certified by leading postal authorities, not just in the US but worldwide. It corrects and standardizes addresses in more than 240 countries and territories. And there's also Smart Alerts, which is great. It immediately alerts the customer if their information is incorrect or if there's something missing, so customers can update that before the order is processed, before that bad data gets into your data.

Leo Laporte [02:23:57]:
A business of any size would benefit from Melissa. Their data quality expertise goes far beyond address validation. And sure, that's what they started with, but they do so much more. Data cleansing and validation are essential in fields like healthcare. Imagine this: 2 to 4% of contact data in healthcare is outdated every month. Your patients are disappearing. Millions of patient records in motion demand precision, which Melissa delivers. Boy, this is...

Leo Laporte [02:24:26]:
We've come a long way now with digital health systems, right? At least we can do this. In the past it was paper. I don't even know what you would do. But now you can use Melissa's enrichment as part of your data management strategy. This way, healthcare organizations can build a more comprehensive view of every patient. By the way, that also helps in predictive analytics, allowing providers to identify patterns in patient behavior or medical needs that can then inform preventative care. Makes you a better doctor. eToro's vision, here's another example, was to open up global markets for everyone, to trade and invest simply and transparently.

Leo Laporte [02:25:03]:
But to do that, they needed a streamlined system for identity verification because, as you know, in every jurisdiction pretty much there are know-your-customer rules and so forth. After partnering with Melissa for electronic identity verification, eToro received the additional benefit of Melissa's auditor report, containing details and an explanation of how each user was verified. Perfect for the local regulators. The eToro business analyst shared, quote: We find electronic verification is the way to go because it makes the user's life easier. Users register faster and can start using our platform right away. Development of the auditor report was an added benefit of working with Melissa. They knew we needed an audit trail and devised a simple means for us to generate it for whomever needs it, whenever they need it. So you can see in healthcare, in financial services, there's so many areas where Melissa is more than useful, it's vital.

Leo Laporte [02:26:02]:
And of course your data is safe, it's compliant, it's secure with Melissa. Melissa's solutions and services, of course, are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and HIPAA HITRUST standards for information security management. All of these things are so important in every business now, right? Get started today with 1000 records cleaned for free at melissa.com/twit. That's melissa.com/twit. Thank you, Melissa, for your support for Security Now. And now, okay, you got to cool off a little bit, have a little tea. I'm not talking. You're gonna love the way our audience...

Steve Gibson [02:26:48]:
These four-bit tags work, Leo. All right, so Apple's MIE can best be seen as an evolution of EMTE, the enhanced MTE, where MIE adds various final touches to EMTE's already very useful protections. So at first glance, for example, these four-bit tags might not appear to be very useful because, you know, four bits, having just 16 possible states, cannot contain much security entropy. But the way they're employed is very clever. Allocations are made with the same granularity as memory pages, which on ARM are 16K bytes each. One of the guarantees made by the system's memory allocator, now under MIE, is that adjacent allocations of memory will always have differing tags. This cleverly nips buffer overflows in the bud. If some adversary were able to arrange to compromise an application to obtain access to both its memory and its associated memory access tag, it would be unable to read or write outside of the application's allocated memory region because those adjacent buffer overflow regions would be guaranteed to be using a differing tag, with neither the benign application nor its malicious compromiser having any way of knowing or predicting any adjoining allocation tag's differing 4-bit value. Thus the infamous buffer overwrites are stopped cold.

Steve Gibson [02:28:42]:
The equally pernicious and ubiquitous use-after-free vulnerabilities are similarly prevented. And this actually addresses the question that the listener had a second ago, Leo. Use-after-free vulnerabilities are prevented by having the updated EMTE memory allocator, now Apple's MIE memory allocator, change the access tags after any memory is freed. Thus, in the same way, if an application had been compromised so that malware obtains access to the memory pointer and the tag of its memory after it has been released back to the system, any subsequent attempt by the malware to use that memory after it's been freed will be trapped and blocked immediately. No more use of memory after being freed. So, if you pardon the pun, armed with this bit of background, Apple's further explanations will make some more sense.

Steve Gibson [02:29:57]:
Apple wrote: A key weakness of the original MTE specification is that access to non-tagged memory, such as global variables, is not checked by the hardware. This means attackers don't have to face as many defensive constraints when attempting to control core application configuration and state. With Enhanced MTE, we instead specify that accessing non-tagged memory, like these global variables, from a tagged memory region, meaning one under control, requires knowing that region's tag, making it significantly harder for attackers to turn out-of-bounds bugs in dynamic tagged memory into a way to sidestep EMTE by directly modifying non-tagged allocations. And they said: Finally, we developed tag confidentiality enforcement to protect the implementation of our secure allocators from technical threats and to guard the confidentiality of EMTE tags, including against side-channel and speculative execution attacks. Our typed allocators and EMTE both rely on confidentiality of kernel data structures from user applications and of the tags chosen by the allocator. Attackers might attempt to defeat EMTE, and in turn Memory Integrity Enforcement, Apple's newest technology, by revealing these secrets. To protect the kernel allocator backing store and tag storage, we use the Secure Page Table Monitor, which provides strong guarantees even in the presence of a kernel compromise. We also ensure that when the kernel accesses memory on behalf of an application, it's subject to the same tag checking rules as user space.

Steve Gibson [02:32:00]:
So ARM began with MTE, which Apple utilized once it was available, but its limitations caused Apple to work with ARM to create EMTE. But Apple was able to obtain sufficient real-world experience with EMTE, examining the many ways that it could be, and still was being, bypassed in the field, that they then further enhanced that already enhanced memory tagging extension to create MIE. I guess they didn't want to go with EEMTE, enhanced enhanced MTE. So anyway, Apple has clearly, essentially, taken the second generation of MTE, known as EMTE, and moved it to always-on, synchronous and as strong as possible. If we were to summarize, just sort of in a bullet-pointed fashion, the things they did: they made EMTE synchronous so that tag verification occurs immediately before memory accesses and any tag mismatch crashes the process to prevent its exploitation. So this eliminates opportunities where malicious behavior might slip by due to delayed or asynchronous checking, which, due to the overhead, was the way MTE would be used. They also enforce always-on, system-wide deployment. MIE is enabled by default across Apple's entire kernel and for more than 70 userland processes.

Steve Gibson [02:33:53]:
Previous and other systems were forced to rely on optional or per-app memory tagging, which unfortunately reduced the performance significantly. They have secure typed allocators, where Apple's memory allocators have been updated to use type information to isolate objects by type, to reduce any type-confusion-style overlaps and help with the placement of allocations in memory so that different types get different tags and are less likely to misuse their targets. They also handle re-tagging and memory reuse safely. As I noted, when memory is freed and reused, Apple's system ensures that the freed memory tag is changed so that stale pointers with old tags will no longer match. They also have protection for overflow across adjacent allocations by assuring that adjoining allocations have differing tags. They also no longer allow for access of non-tagged memory from non-tagged memory. It has to be tagged execution memory accessing non-tagged memory. So they foreclose that too. And their hardware enforces the confidentiality of these tags, which was never done before because MTE was not really focused on protecting against malicious abuse.

Steve Gibson [02:35:29]:
It was always focused on helping debuggers to catch bugs. All of this is being done now in the hardware and silicon because doing any of this in software would be prohibitive in performance overhead. They moved everything that was necessary for MIE down into hardware for the A19 and A19 Pro chips. So I'm just very, very impressed with the scale of Apple's commitment. It is not difficult to imagine what the team behind MIE, who had just spent the last five years of their lives perfecting all of this new super-hardening technology, were probably feeling when, you think about it, just two weeks ago another successful exploit was made against the hardware that they had already moved well past and were poised to replace, as they did last week, with an entirely new system that would almost certainly no longer fall victim to exactly that exploit and probably nearly any other attack. As I said, it is the case that not every type of security problem is a use-after-free or a buffer overflow or some sort of memory exploit, but I don't know what the percentage is. 95% of them probably are. I think no one is ever going to suggest that there will never be another successful system-level exploitation against Apple's latest or future iOS and iPadOS platforms, but there is this distinct possibility that that could be the case.

Steve Gibson [02:37:26]:
Now we heard, as I mentioned before, a while ago, from a past early Apple hobbyist and exploit developer who was lamenting that he had long ago hung up his spurs and was no longer attempting to find iPhone exploits because they had become insanely difficult to locate and engineer. There will come a time, and we might now be there today, when the cost to develop any new exploit, if it's even possible, has become so high that even the highest and most capable exploit developers, you know, join that earlier hacker in giving up on Apple and switching to more attackable platforms. Because, you know, Apple has just gone all the way and said no, even though a tiny percentage of our users are ever being targeted, that's not okay.

Leo Laporte [02:38:29]:
Of course, that means the people who will attack Apple are the most strongly motivated actors, actors from nation states who are going after.

Steve Gibson [02:38:38]:
But I'm saying even at this point, I mean, that's the only people who have. Those are the only people who have been attacking Apple.

Leo Laporte [02:38:47]:
Right.

Steve Gibson [02:38:48]:
And this.

Leo Laporte [02:38:49]:
Is this enough to deter them, you think?

Steve Gibson [02:38:51]:
Yes.

Leo Laporte [02:38:52]:
Yeah. Interesting.

Steve Gibson [02:38:54]:
I think what it means is we're going to be rebooting our phones for software security updates much less often.

Leo Laporte [02:39:02]:
Great. Because that would be great.

Steve Gibson [02:39:05]:
Apple won't be in a panic needing to protect us against the latest zero day. We're just going to have many, many fewer zero days.

Leo Laporte [02:39:16]:
As you know, Apple has locked things down so much it's hard for security researchers to actually work on iPhones. But they have opened up a program. In fact, they just opened up applications for the new phones for security researchers to get specially modified iPhones that are less protected so that they can at least work on these things. So I really admire the way Apple has gone.

Steve Gibson [02:39:43]:
I am so impressed. I mean, this is a. No. No other company has made this sort of commitment.

Leo Laporte [02:39:51]:
Yeah, fantastic. Well, that's what happens when you make your own silicon. You can do more. And thank goodness that their decision has been to do more and not save more and charge more.

Steve Gibson [02:40:05]:
But they called it. An unprecedented percentage of their silicon real estate is now devoted just to this. Not to making it faster, not to more cores and more, you know, neural nonsense. It's no, if you. If we're saying this is where. How we're tagging the memory and we're going to stop you cold if you don't have the magic token for doing so. And bad guys can't get that.

Leo Laporte [02:40:35]:
One thing I did notice that worried me was that they have enhanced the branch prediction capabilities. They are not abandoning branch prediction, which, as we know, is one of the sources for these timing attacks like Rowhammer. Would this help in that kind of event? No, this is a different kind of problem.

Steve Gibson [02:40:55]:
I think we're going to have to see whether the. Those. So those are side channel. And they are saying that this is also proof against side channel attacks.

Leo Laporte [02:41:05]:
Ah.

Steve Gibson [02:41:05]:
They have hardened this against that.

Leo Laporte [02:41:08]:
So the memory leaks, that's what's happening is they leak in these branches.

Steve Gibson [02:41:12]:
Yes. It's the side channel attack that gets the malware the pointer that it can then abuse.

Leo Laporte [02:41:18]:
So if it can't abuse it. Ah, yes, brilliant.

Steve Gibson [02:41:21]:
It doesn't matter if the bad guys get the pointer.

Leo Laporte [02:41:27]:
Wow. Thank you for explaining this. I'm venturing that there are very few places you could get this kind of information. You could read the white paper for yourself. But it's going to take somebody like Steve to explain its implications. Somebody who's been doing this for time, a long, long time and knows exactly where the bodies are buried. Good on Apple. Good on Apple.

Leo Laporte [02:41:46]:
And thank you for explaining this.

Steve Gibson [02:41:48]:
I'm.

Leo Laporte [02:41:48]:
I'm very impressed. You know what I love is you don't shy away from the, the really technical stuff. And you know what? I think our audience appreciates that they fun is. Yeah, yeah, yeah. Fantastic. Are you going to buy the new iPhone? No.

Steve Gibson [02:42:04]:
Yeah. I. Oh well. And the reason is, as I mentioned, I did get a 16 last spring when I. China's tariffs might cause a problem. Now it's like, what that means is that my trade-in value would be high and so it wouldn't cost me that much to go from a 16 to a 17.

Leo Laporte [02:42:26]:
I got offered $700 for my iPhone 16 Pro Max, which brought that price down for a new iPhone to more like 600 bucks which. Or 700 bucks. And I thought, you know, because I got it with. No, actually with 600 because I got it with 512 gigs. That means, it's, you know, at 600 bucks maybe not such a bad idea. I like the fact that they'll take those trade-ins.

Steve Gibson [02:42:47]:
Yeah. And apparently and I'm. I still have. This is my on by my desktop and there's my pretty wife.

Leo Laporte [02:42:56]:
Yes.

Steve Gibson [02:42:57]:
On my desktop. I use my iPhone 12 still.

Leo Laporte [02:43:00]:
Oh, you have an extra.

Steve Gibson [02:43:02]:
And I up. Well, yeah, because this is the one that I had been using and I was fine with it until I worried that prices of iPhones might go through the roof during those early China tariff scares at the start of the Trump administration. So I bought the 16 for that reason. I just updated this to iOS 26 and, based on all of the negative feedback or, you know, reviews I've been hearing about the glass.

Leo Laporte [02:43:29]:
You didn't get liquid glass.

Steve Gibson [02:43:31]:
I didn't get liquid glass because the phone is too old.

Leo Laporte [02:43:33]:
Yeah, there's a secret blessing hidden in there. Well, Steve, thank you so much for this. This is the kind of coverage we really appreciate. If you like this, I hope you will support Steve. There's a couple of ways to do that. Of course we love you if you join Club TWiT, because that supports everything we do. 25% of our operating costs now come from club members like you. If you're not a member: twit.tv/clubtwit.

Leo Laporte [02:43:59]:
You get ad-free versions of this show, all the shows, specials, access to the Club TWiT Discord and more. twit.tv/clubtwit. You can also support Steve by going to his site GRC.com and picking up a copy of Spinrite. That's his actual bread and butter. This is how he makes a living. 6.1 is the current version. He's very generous. If you own any prior copy of Spinrite, you get a free upgrade.

Leo Laporte [02:44:27]:
So get that upgrade. But if you don't, now's the time to get on the Spinrite bandwagon. It's the world's best mass storage maintenance, recovery and performance enhancing utility. GRC.com, Spinrite. But there are other things you can do there. In fact, once you get to the site, buy your copy of Spinrite and browse around. There's a lot of cool stuff. For instance, ShieldsUP!, his tool so useful for making sure that your router is properly configured. Lots of things like Never10, which keep your Windows machine from upgrading against your will.

Leo Laporte [02:45:03]:
A lot of freebies, lots of extra information. And if you have a comment, a suggestion or, even more importantly, you want to submit a picture of the week for the show, you can get on his email good graces list. That's what I'm going to call it, the good graces list, by going to GRC.com email. Give him the email address. He'll validate it, making sure that you are not a spammer. I don't think spammers are going to jump through that hoop. So that way you can email him. He won't put you in the spam bucket.

Leo Laporte [02:45:35]:
You'll notice when you're there, though, there are two unchecked checkboxes for two newsletters. By default, unsubscribed, but do check them. One is, of course, the weekly Security Now newsletter, which is very complete with links and pictures and all. Somebody in the YouTube chat says, I wish Steve would do these with a whiteboard, which we could set you up with if you wanted to. Telestrator. We could set you up.

Steve Gibson [02:45:57]:
We used to in the TechTV days. That's what I did, was I had Steve's whiteboard.

Leo Laporte [02:46:01]:
You put a chalkboard up? Yeah. If you want, I'll work on getting a telestrator for you. Alex Lindsay has a very good setup that you could illustrate with. I think it would be distracting. But if you want that kind of extra oomph, two things you should do. One is go there to the email list. You know, subscribe to the Security Now newsletter because that's got a lot of stuff, including images in there. You could also check the other box, which is a very infrequent newsletter.

Leo Laporte [02:46:29]:
He's only sent out one email this whole time, but that will announce new products. And we're waiting with great anticipation for his DNS Benchmark Pro any day now. And you'll get an email when that is available for download. He also has the show. I mean, I shouldn't give that short shrift. He's got unique versions. A crazy small 16 kilobit version.

Leo Laporte [02:46:52]:
It's a little scratchy, but it's small. He's got the full bandwidth 64 kilobit version. He's got the show notes, he's got the incredible transcripts written by Elaine Farris, an actual human being who transcribes all these shows. Those take a few days, but once those are up there, you can read along as you listen. You can use it for searching. All of that at GRC.com. If you want video of the show or the 128 kilobit audio. Come. Oops. Apple's doing a little thumbs up.

Leo Laporte [02:47:23]:
It's rocking, it's rolling. Do a little. Go to the TWiT website, twit.tv/sn, and you can subscribe. There we go. Laser light show. You can subscribe. Actually, you could just download it directly. Audio and video are there.

Leo Laporte [02:47:39]:
If you want to subscribe, get a podcast client. Then you can subscribe and get it automatically, again, audio or video. There's also, and this is important, if you hear something and you think, you know, I got to pass this along to our IT department or the boss or whatever, go to. There's a YouTube channel dedicated to Security Now. And that's a great way to send clips of the show to somebody else. YouTube makes that easy. And everybody, but everybody, can watch a YouTube video. I think that's all the busy work I need.

Leo Laporte [02:48:06]:
We do the show and you can watch it live every Tuesday right after MacBreak Weekly. That should end up being around 1:30 Pacific, 4:30 Eastern, 20:30 UTC. The live streams, there are eight of them, including the Club TWiT Discord for the members, but there's also, open to all, YouTube, Twitch, TikTok, Facebook, LinkedIn, X.com and Kick. You can go anywhere, any of those. Watch, chat with us. I'm watching the chat. We love having you in the chat room. But you don't have to.

Leo Laporte [02:48:37]:
Like I said, you can download it later or even subscribe and, you know, you can listen at your leisure. Steve, have a great week. I just saw a list. Remember Michael Swaine? Yeah, he used to write for Dr. Dobb's, I think, or maybe. Anyway, one of the computer magazines, Swaine's Flames.

Steve Gibson [02:48:53]:
Was that his article?

Leo Laporte [02:48:53]:
Yeah, that's it. Yeah. He just published a list from a 1984 hackers conference that you were at. Do you remember this? And now 40 years ago, and man, the names of the people on this list. You know, here we are.

Steve Gibson [02:49:14]:
Ms. Dyson invited me to speak at one of her. Is that the one?

Leo Laporte [02:49:17]:
It might be. I don't know. Let me see if I can find his post because 1.0.

Steve Gibson [02:49:24]:
Can't remember the name of.

Leo Laporte [02:49:25]:
It was when the. Yeah, I remember, of course, the wonderful Esther Dyson. But it was when one of the. It was right about when the Mac came out. So there were a lot of people there from Apple. Atkinson.

Steve Gibson [02:49:42]:
There was.

Leo Laporte [02:49:43]:
That was there. Jobs wasn't. But I just was looking at the names on this list and I thought.

Steve Gibson [02:49:49]:
Roger von Oech had a conference called Success in Software and I also spoke at that one. Software as an Art Form.

Leo Laporte [02:49:59]:
Might have been that. He said this was like. He said it was like a hacker conference. I can't find the post now, but man, the names of the people. Bob Frankston was there. I mean, just all the legendary names.

Steve Gibson [02:50:14]:
Frankston also was a speaker at Esther's conference. So that might.

Leo Laporte [02:50:17]:
Maybe it was Esther's. Yeah, yeah. I can't.

Steve Gibson [02:50:21]:
Frankston came out in a. Dressed like a. In like animal skins with a musket because he was a pioneer. I was like, okay. And Esther loved that kind of crap.

Leo Laporte [02:50:32]:
In 1984 he was considered a pioneer because 10 years earlier, he had created. What was it? VisiCalc. Yeah, I think it was. Was it VisiCalc or was it. Yeah, it wasn't Lotus 1-2-3. It was VisiCalc. Yeah, well, I can't find it.

Leo Laporte [02:50:47]:
I wanted to read you the list because it was a who's who of computer history.

Steve Gibson [02:50:52]:
Yeah.

Leo Laporte [02:50:52]:
And, man, you were right there, right in the middle of it. Just wild, just amazing. All right, enough of that. You get going. Go have fun with your wife. We'll see you back next Tuesday.

Steve Gibson [02:51:06]:
Same to you.

Leo Laporte [02:51:07]:
Thank you, everybody.

Steve Gibson [02:51:09]:
Bye.

Leo Laporte [02:51:13]:
Security Now.
