Security Now 1063 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. He's going to talk about an antivirus that infects its own users. That's not good. Curl discontinues bug bounties. That's not good either. They say they have to do it. And MongoDB has lowered the hacking skill level bar to the floor.
Leo Laporte [00:00:21]:
It's too easy to hack. All of that and more coming up next. That's Security Now.
TWiT.tv [00:00:29]:
Podcasts you love from people you trust.
Leo Laporte [00:00:33]:
This is TWiT. This is Security Now with Steve Gibson. Episode 1063, recorded Tuesday, February 3, 2026. Mongo's too easy. It's time for Security Now. Oh, goody, goody Goodyear. I don't think all those CISOs and CIOs and security professionals listening are going, oh, goody, goody, goody. But in their heart of hearts, they're thinking, yay, it's Tuesday, Steve's here.
Steve Gibson [00:01:04]:
Yay. What are they gonna talk about today?
Leo Laporte [00:01:06]:
Steve Gibson, our hero, the man of the hour. Every Tuesday we get together, talk about the latest security news. And you know, interestingly enough, there's never been a lack of security news to talk about.
Steve Gibson [00:01:18]:
Oh, boy. And in fact, I, I, Lori's been pushing me to start working on the podcast earlier in the week. Well, and it makes sense because she knows how stressed I get. You know, I'm, when I commit to doing something and doing a good job, that's gonna happen. So I was reminiscing with her that there was a time maybe a couple years ago when I would come, I would, you know, because I'm, I, I'm working in my separate location during the day. And then, so I would come home at 4, and I would say on a Monday, and I would say I have all my topics. Like, I've gone through the news and I've got a list of topics. And then Monday night and all day Tuesday morning up until we started recording, I'd be fleshing everything out, doing the research, pursuing the leads, you know, basically creating the show notes that we now see.
Steve Gibson [00:02:18]:
And she'd been pushing me to, like, start sooner, start earlier. And, and so then the other thing that's happening is we're in the process of, of working on this, finishing up this remodel, which is now 18 months in. I mean, it's, it's, we bought the house.
Leo Laporte [00:02:35]:
Oh, I know all about that.
Steve Gibson [00:02:36]:
A year and a half ago. And so, so then there's the problem that I'm needed on site for, like, decision making, right? And there for example, this morning. This. Wait, no, no, yes, this morning it was supposed to be. I told them, I'm available until 1. Well, then it was going to be noon. Then they switched it to 9:30. And these were people coming out to measure the stairs for the hand.
Steve Gibson [00:03:05]:
The main staircase railing. And. And I needed to be there. Well, I couldn't be there if I was up against a podcast deadline. So I started this week on Saturday morning. Normally I tried to. I tried to do coding and GRC stuff all day Saturday. And then she had me starting.
Steve Gibson [00:03:27]:
She. I mean, you know, well, I am married, so the little woman.
Leo Laporte [00:03:31]:
Or as Richard Campbell calls her, she who must be obeyed.
Steve Gibson [00:03:36]:
Anyway, yes. And I've heard that actually that that's a common phrase now. And the. The other one is happy wife, happy life. So. Yeah. Anyway, so the point is that as a consequence of the fact that I'm starting earlier and I have to say it's. It is nice to like, have it done.
Leo Laporte [00:03:56]:
Yeah.
Steve Gibson [00:03:56]:
Know that I've got my commitment met and then I'm free to write code. Otherwise, I'm sort of preoccupied by, oh, you know, I got to get to. I got to get to it. So as a consequence, the show notes this week went out like, Sunday, early afternoon, and someone wrote back and said, I love this. This is the earliest I've ever received them. Unfortunately, a super important piece of news dropped.
Leo Laporte [00:04:23]:
That's what came to my mind. Yes, yes, yes.
Steve Gibson [00:04:27]:
And I have been flooded with our listeners because I actually warned about this event for several years. I was saying, this is going to be a problem, or it could be not. I didn't say it was going to be, but this is a danger. And as a consequence of the fact that I've been. I won't say predicting it, but recognizing that this is a problem. Oh, my God. That, you know, all of our listeners said, Steve, it happened like. Yeah, anyway, so that was about Notepad plus.
Steve Gibson [00:05:04]:
Plus that we'll be talking about.
Leo Laporte [00:05:05]:
What a story.
Steve Gibson [00:05:06]:
Yeah. Yes. And. But. Oh, Leo, there's been a breakthrough. Our picture of the week. There is a breakthrough in age verification that does not require its. It's verifier.
Steve Gibson [00:05:26]:
You. The person being asked to verify their age, you can't look. Don't look. It's not. You can't look at.
Leo Laporte [00:05:32]:
I save it. I save it. I. I just see the. I see your headline.
Steve Gibson [00:05:38]:
Finally, an age verification solution that does not require its user to provide any additional information. It's. It's the kind of thing where it's like, once you see it. It's like, oh, how did we, like, everybody, like, get all tangled up in crypto? And everything is like, no, no, it's much simpler than that, folks. Anyway, I think maybe this is going to be a good podcast.
Leo Laporte [00:06:05]:
Okay. Yeah. I'm going to tell you, Steve, we're going to get you vibe coding here. You really got to get. I know you. You're a coder, and you probably think, oh, no, code has to be written by humans. But there are certain things. Like, for instance, I've, over the last couple of weeks, vibe coded a series of tools that I use to prepare the shows now that they go out.
Leo Laporte [00:06:27]:
I have a newsreader that's custom built just for the kind of news reading that I want to do. You know, you would point it to all the security sources, and. And it. Not only does it let me bookmark them, but it summarizes them. It pulls quotes and stuff you could have. And I have a workflow, so I do that. And then I have a. That's called Beat Check.
Leo Laporte [00:06:47]:
And then there's a tool after Beat Check that I run every day called Collect Stories. It goes out, collects stories for each of the shows, puts them in a format that you can read on the web and that I can open with Emacs so I can organize it. And then there's a final stage called Prepare Briefing that prepares a webpage for it. You could easily vibe. And all of this is vibe. I didn't write a line of code. All of it's just said, well, could you do this? Could you do that? Could you upload it? Could you do this? And by the time it's done now, it's not only saved me a lot of time, but it's given me a.
Steve Gibson [00:07:20]:
Whole.
Leo Laporte [00:07:22]:
You know, way of doing this that takes a lot of the stress out of it. I think we should talk because I. I would like for you to try these tools. You will be blown away.
Steve Gibson [00:07:32]:
The difference that I see is that. And I've heard you talking about this on your other podcast, that you've got, like, too many topics, you've got too many things to talk about, what our listeners have told me they value and.
Leo Laporte [00:07:47]:
Right.
Steve Gibson [00:07:47]:
Is. Is my analysis.
Leo Laporte [00:07:49]:
Yes. Well, that step is not gone. This isn't so automated that I'm out of the loop, but it just gets the stuff ready for me, and then I go, not going to do that. Oh, that one's good. That one's good. That one's good. And the AI summaries help with assessing.
Steve Gibson [00:08:03]:
That I don't have any dearth of topics, as you said, security.
Leo Laporte [00:08:09]:
Nor do I. Right. Yeah. Yeah. No, a lot of what we do is boil it down. That's our job, right. Is to take this flood of information and make it usable for our listeners. You do a great job of that.
Leo Laporte [00:08:21]:
I'm just thinking it's a. Well, I'm not going to talk you into it. It's. If you want. But I think you. I would be very interested in your reaction just to see as this thing writes its code, how competent it's gotten over the last two weeks. Three weeks. Matt, November 24th was the breakthrough day of last year.
Leo Laporte [00:08:41]:
Wow. It's. It's. If we're not at AGI, then I think we need to define AGI better. And this, it's very human, very competent, very responsive.
Steve Gibson [00:08:53]:
One of our topic, we have, we have two main topics for today. I titled this Mongo's Too Easy Coming.
Leo Laporte [00:09:00]:
Back, which made me think of Blazing Saddles. But I don't think that's that Mongo.
Steve Gibson [00:09:04]:
You're talking about because it was the first podcast of the year was talking about the Mongo Reach, or MongoBleed, rather, MongoDB. There's more information about that. But there's another piece of information that was vying actually it was the topic, it was my working topic until there were two things that I wanted to talk about. The other is the, the breakthrough in bug finding. It's another thing that we thought was going to happen, but what we're. One of the trends. I would say it's safe to make and it's, it's. It, it echoes what you're saying is this is happening faster than anyone expected.
Steve Gibson [00:09:49]:
Right. I mean it, it was mind boggling fast. We knew it would mean. We knew it would happen. You know, I, I had said AI should be able to code because code has a rigor that, you know, it's their native language. Psychotherapy doesn't. It's like, well, I'm not feeling well today, honey.
Leo Laporte [00:10:09]:
But you know, it's funny though. It's one of the things that's come up and I, I don't know if you cover it today, but a lot of the people. Things people are doing now with things like OpenClaw is completely violating all of everything we know about security. You know, it's gotten to the point now where curl into bash, no big deal, not gonna, I'm not gonna. And in order to use these personal assistants, you basically have to say, well, I'm just gonna throw caution to the wind. In fact, the new phrase is YOLO everything. You only live once, just YOLO it all. And it's very tempting because when you do it, you know that balance between security and privacy, or security and convenience.
Steve Gibson [00:10:50]:
Functionality. Functionality or ease of use.
Leo Laporte [00:10:54]:
The scale is very vastly tipped, if you're willing.
Steve Gibson [00:10:58]:
A perfect example is what the shuttle's computer programming cost. Because it could not have a single bug, you can't fix it. So it was insanely expensive to program that pokey little computer right in the shuttle.
Leo Laporte [00:11:13]:
At this point, the temptation to give this AI agent, this clawbot. It's called OpenClaw. Now, they keep changing the name of OpenClaw. Your credit card number, your phone number, access to your Google Docs, your Gmail, everything. The benefit you get out of that is so great that it's very tempting. I'm sitting here, it's half installed, my fingers, it's like I just can't bring myself to do it. What I'm going to do is give it a credit card with a hard limit of like $5 a day. But you want to give it all these tools because it's amazing.
Leo Laporte [00:11:53]:
There was a guy I was watching looking at a guy on Twitter who said, this is weird, but I told my clawbot to surprise me, work on something overnight and surprise me. It called him. It made a phone call. It had overnight gotten a phone number, created a computer generated voice and called him in the morning and said, hey, surprise. I figured out how to make phone calls. Steve. It's getting weird out there. Anyway, we're going to talk about security and our picture of the week and we've solved the age verification problem.
Steve Gibson [00:12:32]:
Leo. It is the most brilliant solution.
Leo Laporte [00:12:35]:
Fantastic. We will talk about that in just a moment with Steve Gibson. I'm going to shut up now because this is Steve's show and it's all about Steve. This portion of the show brought to you by ThreatLocker. Steve and I are actually headed out to Orlando for Zero Trust World and we're very excited. It's coming up in March. Sponsored by ThreatLocker. ThreatLocker is the solution you've been looking for.
Leo Laporte [00:12:56]:
You know that ransomware is harming business worldwide. But now ThreatLocker can stop it before it starts. Recent analysis from ThreatLocker shows how one single ransomware operation, one of many, Qilin, surged from 45 incidents in 2022, just 45, fewer than one a week, to 800 last year. ThreatLocker's Zero Trust platform takes a proactive, and this is the key here, Zero Trust deny-by-default approach. It blocks every unauthorized action. If you don't say it can happen, it can't happen. That protects you not just from known threats, but from zero days, from unknown threats, threats nobody even thought of before. ThreatLocker's innovative ring fencing constrains tools and remote management utilities so attackers cannot weaponize them for lateral movement or, you know, mass encryption or mass exfiltration of your information.
Leo Laporte [00:13:55]:
ThreatLocker works in every industry it supports. The support is fantastic. 24/7. It's US based. It will work on Windows, it will work on Mac environments. It works everywhere and gives you comprehensive visibility and control, which is great for compliance. Ask Emirates Flight Catering, global leader in the food industry, 13,000 employees. ThreatLocker gave Emirates Flight Catering full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support.
Leo Laporte [00:14:24]:
The CISO of Emirates Flight Catering said this, a direct quote. The capabilities, the support and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. End quote. ThreatLocker's trusted by some of the best and biggest in the world. Companies that can't afford to be down, that can't afford ransomware.
Leo Laporte [00:14:52]:
Companies like JetBlue, they use ThreatLocker. Heathrow Airport uses ThreatLocker. The Indianapolis Colts, the Port of Vancouver, they all use ThreatLocker. ThreatLocker consistently receives high honors and industry recognition. It's a G2 high performer and best support for enterprise, Summer 2025. PeerSpot ranked it number one in application control. GetApp's best functionality and feature award in 2025 and on and on. Visit threatlocker.com/twit. You can get a free 30 day trial.
Leo Laporte [00:15:20]:
Learn more about how ThreatLocker can help you mitigate known and unknown threats and ensure compliance. That's threatlocker.com/twit. Now if you want to come out and see me and Steve, for a limited time, we've got a code for you: ZTWTWIT26. Zero Trust World is ZTW, TWIT, 26, all one word. That's 200 bucks off registration for Zero Trust World 2026. You get access to all sessions. You get hands-on hacking labs, meals. There's an incredible after party. Lisa and I have some sweet costumes for that.
Leo Laporte [00:15:57]:
I know Steve, you can't make it to that, but I will be there, the most interactive hands-on cybersecurity learning event of the year. It's March 4th through the 6th in Orlando, Florida. Steve and I are going to do a presentation at the end of the day on March 4th. We'd love to see you at that. And don't forget the offer code. 200 bucks off, ZTWTWIT26. All right. Are you being facetious when you say this solves everything?
Steve Gibson [00:16:23]:
Oh, I have to interrupt. I have to preempt. We don't normally do breaking news here.
Leo Laporte [00:16:28]:
Oh, but, but while you were good.
Steve Gibson [00:16:30]:
While you were talking, I got a little blurb on my phone, a little piece of news.
Leo Laporte [00:16:35]:
Yes.
Steve Gibson [00:16:36]:
The Wall Street Journal just posted AI Disruption Fears Roil Software Industry and the Stock Market. And it says from LegalZoom.com and Expedia to Ares and Apollo, shares of companies that sell or invest in software fell sharply on Tuesday. Investors' fears that new developments in artificial intelligence will supplant software reverberated through the stock market Tuesday, dragging down the shares of companies that develop, license and invest in code and systems. Traders. Oh, boy. Traders have questions.
Leo Laporte [00:17:15]:
I just lost a house worth of money.
Steve Gibson [00:17:19]:
Traders have questioned whether AI will chip away at the competitive moat built by software makers like Adobe and Salesforce ever since generative AI models hit the market several years ago. Recent advancements in tools, such as those from AI developer Anthropic, are now prompting more scrutiny. On Tuesday morning, investors honed in on Anthropic's announcement that it was adding new legal tools to its Cowork assistant, meant to help automate a number of legal drafting and research tasks. Shares of Thomson Reuters, LegalZoom.com and London Stock Exchange, which all provide some form of legal tools or various databases, fell more than 10%.
Leo Laporte [00:18:06]:
Yep, and I think that's true, but it's disruptive. There will be opportunities. For instance, I think a huge opportunity is enterprise grade security around these AI tools. The stuff I want to do with OpenClaw is so risky. You would never let somebody do that in a company, ever. But there will be companies that will come up with ways to do this in a secure and safe fashion. Those guys are going to make a lot of money.
Steve Gibson [00:18:31]:
So it's what it means is expanding the security boundary, expanding the moat to encompass much more than it did before.
Leo Laporte [00:18:41]:
Absolutely.
Steve Gibson [00:18:42]:
We had lots of small security boundaries that were all individualized. What we want to do then is to expand that so that there's much more content within a much larger boundary. In that case, then all of that is able to interact within its own enclave.
Leo Laporte [00:19:00]:
And there has to be. There have to be AI firewalls. There have to be ways of letting AI go out and look at the world without exfiltrating your private company documents or your credit card numbers. Well, there's going to be ways to do this. I'm convinced.
Steve Gibson [00:19:17]:
I would argue that that's probably the challenge. We've talked a lot about how adding an equal sign to the end of a prompt breaks through like all of the. All of the protections. It's like, what? So you know, this doesn't work in any normal way that we've known before, but it's also not surprising that that's where the answer was and no one thought to look there before.
Leo Laporte [00:19:41]:
Yeah.
Steve Gibson [00:19:42]:
Anyway, I never. I'd never mentioned that. We're going to talk about an antivirus system which is infecting its own users. Yeah. Nice. Not what. Not what you look for.
Leo Laporte [00:19:53]:
Eliminate the middleman.
Steve Gibson [00:19:55]:
Or in AV, Apple's next iOS release, a point release will be fuzzing cellular locations.
Leo Laporte [00:20:03]:
We talked about that. Yeah.
Steve Gibson [00:20:05]:
Curl has discontinued its bug bounty program due to a flood of bogus AI generated bug reports. They just said, okay, we can't. We. No, no more payout anymore. We have the. The other main topic I'm going to talk about is AI discovering and fixing is. Get this, 18 CVE-worthy zero-days in OpenSSL.
Leo Laporte [00:20:33]:
Holy.
Steve Gibson [00:20:34]:
This is the breakthrough on that side that we need to talk about. It turns out that Ireland, contrary to what I said last week, did not already pass their spying legislation. We have a listener in Ireland who is involved in performing Irish English translations and explain to me why this was confusing. I will share that an AI irreversibly deleted someone's project files and apologized. Yeah. At least it was very polite.
Leo Laporte [00:21:07]:
Apologize. It felt bad.
Steve Gibson [00:21:09]:
AI is very polite, Leo. Oh, I'm sorry. You're dead. That's too bad.
Leo Laporte [00:21:17]:
My bad. I am so sorry.
Steve Gibson [00:21:20]:
We're going to look at Windows' serious global clipboard security problem. Another listener came up with something I hadn't thought of before, about a way for ISPs to monetize their subscribers' identities. And then we're going to look at MongoDB, having lowered the hacking skill level bar to the floor. So lots of good stuff to talk about. But now, Leo, it is time to share with our listeners a stunning breakthrough in age verification.
Leo Laporte [00:21:51]:
I'm very nervous about this.
Steve Gibson [00:21:53]:
Let's see, I'll let you read it and react and then I will explain it.
Leo Laporte [00:21:57]:
I'm going to scroll up. We need to verify your age. Please choose a verification method below. You only need to do one method. Take a selfie. OK, search for my ID in existing breaches. Is this real?
Steve Gibson [00:22:14]:
So you have a multiple choice here. This is for age verification. The headline says we need to verify your age. Please choose a verification method below. You got two choices here and it does give you a little padlock and shows your details are used for verification purposes only and is not stored. And so the first choice is take a selfie, confirm your age with a quick selfie which is processed directly on your device for privacy. Or you could choose the second option, which is search for my ID in existing breaches. And it explains.
Steve Gibson [00:22:53]:
We'll search for your ID in our database of breached personal information. If your ID is found, we can verify your age automatically. It's quick and easy and odds are you're already in there.
Leo Laporte [00:23:10]:
Oh Lord, that's true. Now, is this a joke or is this serious?
Steve Gibson [00:23:15]:
No, it was, it was, it could be serious.
Leo Laporte [00:23:17]:
I mean, that's true, right?
Steve Gibson [00:23:19]:
It's one of those things where you have to do a double take because you're thinking, wait a minute, and, and it's powered by Kid id. That's the logo at the bottom. And one of our listeners who, who received this Sunday afternoon wrote and said, wait a minute, kid ID.com is a real thing.
Leo Laporte [00:23:36]:
It's real.
Steve Gibson [00:23:37]:
Yeah. It's like, yes, they are in fact the service that. God, I'm now, I don't, One of the people that we've talked about, one of, one of the age-clamped services was using Kid ID in order to perform this verification. And I think maybe they're the ones that were not deleting people's selfie pictures and got caught doing that. But I, I, I could be wrong about that.
Leo Laporte [00:24:01]:
But now they have my ID in their. I'm, I'm set.
Steve Gibson [00:24:05]:
Yeah. So basically, wow, security breaches. So I'm sure this was a, a fake.
Leo Laporte [00:24:12]:
It's got to be tongue in cheek.
Steve Gibson [00:24:13]:
It's, you know, great humor and it just suggests that like, well, you know, breaches are so rampant that why are we even being asked to identify ourselves.
Leo Laporte [00:24:22]:
How old you are?
Steve Gibson [00:24:23]:
That's right.
Leo Laporte [00:24:24]:
Wow.
Steve Gibson [00:24:25]:
That's exactly right. Okay, so I, I'm going to do this out of order because I want to address this, this big piece of news that, that really lit up our listeners. Don Ho, the author of the immensely popular Windows Notepad replacement, which is Notepad++, which I, along with many of our listeners, have chosen to use as, you know, our primary simple text editor, and I mean plus plus is no exaggeration. This thing, it recognizes the language of what it is you're dropping into it based on file extension. It's got every bell and whistle you can imagine. So I mean, and I've, over time I've really come to like it. Well, Don notified the world Sunday after the podcast notes went out that for around six months or so, like the second half of last year, June through the start of December 2025, unbeknownst to him of course, highly sophisticated state level actors believed to be Chinese had arranged to compromise and did compromise his Notepad++ software update mechanism. They used it to launch targeted malware attacks against specific Notepad++ users.
Steve Gibson [00:26:05]:
So a, you know, a serious supply chain attack. Now our listeners know that I have complained on multiple times about the high rate of Notepad updates. Bless his heart. Don seems unable to just leave this thing alone. It's like it's never done. So, you know, I specifically cited the possibility of exactly this sort of supply chain attack being facilitated due to the, you know, to Notepad's seemingly endless code changes every time, you know, it downloads another copy into your computer. That's another opportunity. I'm not saying that it's gonna happen, but it could, you know, and the more frequently it's done, of course what happened is these Chinese state level bad guys, they're not dumb, they see that Notepad++ is updating itself like not hourly but like all the time, and they're thinking, hey, that's a target.
Steve Gibson [00:27:16]:
But you know, we want to get that because it's abused all of its users into accepting constant updates. And every update is another opportunity for us to get our, our malicious code into someone's computer. And that's what happened. So anyway, I wanted to acknowledge to everybody that I got everyone's email. Thank you. I, I'm glad, you know, everyone says, I'm sure you already know about this, but. And the first time I get one of those that's not true. But all subsequent ones, of course it is true.
Steve Gibson [00:27:50]:
Still, I do appreciate them and I appreciate letting having everyone make sure that I knew about this. And also Don acknowledges and if I, if it was important and it, you know, and it's not because the problem's been solved already. But, but he also had a, a lack of security in his own update mechanism which a, which his compromised hosting provider. This is, this was not a, a compromise at his end, it was the system which was hosting his updates is what got compromised. But they targeted him and his Notepad. So it's now at 8.9.1. He recommends that you go to the site, download it yourself and perform a manual installation just to be absolutely sure. And I would say then turn off this whole automatic update nonsense.
Steve Gibson [00:28:54]:
We have one listener who is proudly strutting around saying, I'm at 8.2 or something from three years ago and I'm sure glad I turned it off back then. So, again, I mean, these, these things are like, oh, the accent on the Swedish umlaut is backwards. It's like, oh, so let's update the world with a new copy. It's like, no, I just. Come on. Yes, you know, it works. And you know, Leo, one of the things I've always appreciated about firmware updates is the manufacturer recognizes that a firmware update is, you know, it's a little bit fraught, right. If you trip over the power cord in the middle of a motherboard firmware update, right.
Steve Gibson [00:29:38]:
You don't have a motherboard anymore. So their advice is always, if everything is working, don't update your firmware, because guess what? Everything is working. It's only if you've got some known problem that a firmware update is known to fix that it makes sense for you to make sure the plug is tightly in the socket in the wall and keep the dog in the other room and then start your update. So, again, Notepad has been fine for like the last decade.
Leo Laporte [00:30:15]:
They think it's Chinese, as you said. The Chinese hackers, what do you think they were after? It's just a get on as many machines as they possibly can.
Steve Gibson [00:30:22]:
No, no, no. These. It. I want to believe everything that we're being told. So it's a huge relief that these were apparently very targeted. They were, they. They were looking to get into specific machines and they did, using Notepad as their Trojan to get them onto the machine. But no.
Steve Gibson [00:30:48]:
So none of us, none of our.
Leo Laporte [00:30:50]:
I mean, it wasn't a crypto stealer or something like that. It was really aimed at probably Chinese dissidents or overseas Chinese.
Steve Gibson [00:30:58]:
Yes, and, yes. And I did see that the attacks that were known were over. They were targeted at other Asians over there, not. Not aimed at the West. And I'll just note, though, I mean, I've downloaded Notepad updates sometime between last June and the beginning of December. Although had this been a widespread attack, it would have come to light much quicker. So. So certainly the.
Steve Gibson [00:31:29]:
The reason we believe these were high level Chinese state actors is they didn't want this to get found. They wanted to keep this facility of being able to, to selectively infect specific Notepad++ users alive and working for them, available to them as long as they could. So, so you know, it's a good thing that it wasn't a widespread attack because anybody updating during that window of the time the attack starts and, and then it has found and ended would have had malware installed in their computer. And you know, many of us are updating Notepad++ a lot. I, I also stopped back when I said I'm sick and tired of this and I turned that off. So but I don't know that, that, that I haven't done it since last June. So anyway, I really, if it's, you know, we're like all addicted to this update, update, update. We got to have the latest and greatest because maybe it's going to fix some problem that we don't know we have.
Steve Gibson [00:32:36]:
Well, if you don't know you have it, you're probably okay. So last week two security companies, Morphisec and Kaspersky, both detected and reported that the eScan antivirus product published by a company based in India had attacked its own users after one of its, get this, update servers was breached and infected with malware. So this perfectly reflects what we were just talking about with Notepad. You know, we are seeing an increasing incidence of supply chain attacks and attacking people's insecure update servers because as I said, the world's become addicted to updates. Everything we got is updating itself all the time. So here again is another instance of that. The event was covered by Bleeping Computer, which shared eScan's defensive annoyance over the bad press this generated. And I'm here to give them some more bad press because oopsie.
Steve Gibson [00:33:54]:
Bleeping Computer also reminded us that back in April of 2024. So coming up on two years ago, eScan's update facility was breached by North Korean hackers and used to spread malware into corporate networks. So, you know, I've often said that anyone can make a mistake. You know, it's true. And sometimes mistakes make us stronger. But an antivirus solution has a very, a highly privileged position in our machines. It's got to be running in the kernel. And a second similar incident occurring fewer than two years after the first one, I think that should be a concern to any eScan customer.
Steve Gibson [00:34:45]:
That's a reason to look elsewhere for an antiviral solution. If you want to look anywhere at all.
Leo Laporte [00:34:52]:
So of all the coverage, really no one you don't? I mean, I guess a business might.
Steve Gibson [00:34:56]:
But I, I'm, I'm going to get there. I, I'm, I'm going to get us there here in a second because I completely agree with you. Yeah. Of all the coverage this received, I thought that Kaspersky summarized the technical details best. They explained on January 20, so. Right. A couple weeks ago, a supply chain attack has occurred with the infected software being the eScan antivirus developed by an Indian company, MicroWorld Technologies. The previously unknown malware was distributed through the eScan update server.
Steve Gibson [00:35:32]:
The same day our security solutions detected and prevented cyber attacks involving this malware. On January 21, meaning the day later, having been informed by Morphisec, the developers of eScan contained the security incident related to the attack. Users of the eScan security product received a malicious reload.exe file which initiated a multi-stage infection chain. According to colleagues at Morphisec, who were the first to investigate the attack, reload.exe prevented further antivirus product updates. Of course it would, by modifying the hosts file, thereby blocking the ability of security solution developers to automatically fix the problem, which among other things led to an update service error. Okay, now I want to take a moment here just to remind everyone how very powerful the hosts file remains and to share a little bit of Internet historical trivia. The presence of a HOSTS file predates the Internet.
Steve Gibson [00:36:47]:
As we know, ARPA stands for the Advanced Research Projects Agency. And the Internet grew out of the earlier work on something that was known as ARPANET. I recall that when I was working at SAIL, you know, Stanford, Stanford University's artificial intelligence lab in 1992, a big refrigerator-like thing was white and looked like it, like it came from a battleship. I mean it was, it was really overbuilt. It was just then while I was there being installed. It was an IMP, an Interface Message Processor, which was a node on the still very young ARPANET. Back before the creation of DNS, there was a need to map familiar host names to ARPANET addresses or nodes. And as we know, that's the role that DNS serves us today.
Steve Gibson [00:37:48]:
But ARPANET had no DNS. It barely even had ARPANET. So every machine on the ARPANET had a copy of the ARPANET's master hosts file. That file was maintained on a single machine at SRI, Stanford Research Institute. And all hosts on ARPANET would periodically pull that file from SRI's one designated master copy to maintain an updated and synchronized listing, you know, a view of all other available machines on ARPANET.
Leo Laporte [00:38:30]:
We have in our Discord right now a guy who worked at Barrett, Bolt, Beranek and Newman. BBN.
Steve Gibson [00:38:36]:
BBN, yep.
Leo Laporte [00:38:38]:
Who says I actually drew the ARPANET maps when I worked at BBN before there was anything called DNS.
Steve Gibson [00:38:45]:
And before we had CAD. So he was drawing them with.
Leo Laporte [00:38:48]:
By hand?
Steve Gibson [00:38:49]:
Yeah, with a protractor, a. A stencil, and then, you know, lot and a straight edge. Yeah, yeah.
Leo Laporte [00:38:58]:
Pretty amazing, Craig. Wow.
Steve Gibson [00:39:01]:
So, in a classic example of old computer stuff sticking around from generation to generation, the original hosts file never went away. Today it sits somewhere inside every Internet connected machine. Windows users can find it at C Windows System 32, backslash, drivers backslash, etc. So I mean, it's like really an afterthought, right? Drivers, backslash, etc.
Leo Laporte [00:39:36]:
Etc.
Steve Gibson [00:39:37]:
I just looked at mine on my Windows 10 machine. Its first line of that file contains a Microsoft copyright notice dated 1993. So, like when the TCP/IP stack was first added to Windows 95 because the file's dated 93. Right. Or maybe Windows 3.1. I don't remember what the first Windows was that got on the Internet. Anyway, the thing that makes the hosts file so powerful is that by convention, it is the first place any Internet connected machine will look for a host name to IP address mapping.
Steve Gibson [00:40:23]:
In other words, it takes priority over everything else and you don't even have to restart or reboot. I've used this sometimes myself when I've needed to locally test some client server code that will eventually run at www.grc.com. If I add the line 127.0.0.1, space or tab, you know, some, some form of white space, then www.grc.com, then immediately and without waiting, restarting, rebooting, or anything, any attempt to access www.grc.com will be intercepted and be handled by a server on my own local machine. And that allows me to use a TLS www.grc.com certificate on my local machine. I mean, it's exactly as if it were at grc.com because the browser thinks that's the domain that it's accessing and so the certificate works. So anyway, modification to the hosts file can also obviously have malicious consequences. If, as in this case, somebody wished to prevent future updates to eScan's antivirus system after they'd infected the machine, placing the domain names of those update services into the user's local hosts file would immediately and completely prevent the compromised antivirus from being updated again to eliminate the malware.
Steve Gibson [00:42:12]:
Kaspersky continues writing. The malware also ensured its persistence in the system, communicated with control servers, and downloaded additional malicious payloads. In other words, you do not want this thing getting into your system. reload.exe. Reload the gun. Persistence was achieved, they wrote, by creating scheduled tasks. One example of such a malicious task is named Corel Defrag. Oh, sounds simple, you know, harmless Corel Defrag.
Steve Gibson [00:42:46]:
Doesn't make any sense really, but okay. Additionally, the con sctlxexe malicious file was written to the disk during the infection. Okay. At the request of the Bleeping Computer information portal, eScan developers explained that the attackers managed. Oh, so, so this is Kaspersky. It's why they referred to Bleeping Computer. So oddly, Kaspersky is writing this, saying at the request of the Bleeping Computer information portal, eScan developers explained that the attackers managed to gain access to one of the regional update servers and deploy a malicious file which was automatically delivered to customers.
Steve Gibson [00:43:30]:
They emphasize that this is not a vulnerability. The incident is classified as unauthorized access to infrastructure. Right? We're not going to call it a vulnerability. Right? Even though all of our customers got infected, the malicious file was distributed with a fake invalid digital signature. Oh, that's interesting. Somebody was asleep at the switch and didn't notice that the signature, the digital signature was invalid, or didn't stop this thing from executing. According to the developers, the infrastructure affected by the incident was quickly isolated, thanks to other people finding it and telling them, and all access credentials were reset. Having checked our telemetry, writes Kaspersky, we identified, get this, hundreds of machines belonging to both individuals and organizations which encountered infection attempts with payloads related to the eScan supply chain attack.
Steve Gibson [00:44:36]:
These machines have been mostly located in South Asia, primarily in India, Bangladesh, Sri Lanka and the Philippines. Okay, now I'll take a moment here to note that these are only the hundreds of machines that also happen to be under the observation of Kaspersky's telemetry. This must reflect only a tiny microcosm of the entire Internet. One of the things that annoyed me was seeing the MicroWorld Technologies people, because there were, you know, there were other things that I pursued in, in getting to the bottom of this. They were dramatically pushing back and downplaying the severity of this problem for their customers, which was pretty severe. The one thing that, you know, that we don't want to see is an irresponsible provider of highly privileged antivirus software. You need to trust your AV company. Kaspersky says, having examined them, we identified that to orchestrate the infection, attackers have been able to replace a legitimate component of the eScan antivirus located under the path C:\Program Files (x86)\eScan\reload.exe with a malicious executable. So that reload.exe in the eScan subdirectory is the problem, they said. This reload.exe file is launched at runtime by components of the eScan antivirus.
Steve Gibson [00:46:13]:
It has a fake invalid digital signature. We found this implant to be heavily obfuscated with constant unfolding and indirect branching, which made its analysis quite tedious. What Kaspersky means when they refer to constant unfolding and indirect branching is that typical straightforward code simply contains jump instructions, which cause the program's execution to jump to another location, so someone examining a disassembly of the code can see for themselves where the CPU's execution will jump to. By comparison, an indirect jump refers to another location in the program or to the contents of a CPU register, and it will be the current contents of that location or register that specifies the location to which the CPU's execution will jump. Since there's no way to know what that location or register might contain at the moment the indirect jump is executed, a static disassembly and an examination of the deliberately obfuscated malicious code will not reveal its execution paths. You won't be able to tell by looking at the code itself where anything is going to jump to, because you don't know until you actually run the program that those addresses get resolved. So as Kaspersky noted, this makes an analysis of the code far more tedious, and that's of course exactly what its malicious creators intended. Kaspersky continues, saying when started, this reload.exe file checks whether it's launched from the Program Files folder and exits.
Steve Gibson [00:48:15]:
If not, it further initializes the Common Language Runtime environment inside its process, which it uses to load a small .NET executable in memory. This executable is based on the unmanaged PowerShell tool, which allows it to execute PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it and used it to execute a malicious PowerShell script inside the reload.exe process. Okay, now AMSI is Microsoft's Antimalware Scan Interface, so this malware has arranged to bypass that. I wish my own code did that, and maybe I wouldn't have so much problem with Microsoft's annoying Antimalware Scan, which is, you know, false-positiving on me. Anyway, Kaspersky's teardown goes on to take the malware apart and describe its operation in great detail. But we all have a good sense now for what happened and the point you were going to make.
Steve Gibson [00:49:27]:
Leo. I have in the show notes, I wrote: Neither Leo nor I use any third party anti-malware add-on, and whenever I'm asked, I recommend against it. It's true. There was once a time when I strongly recommended the addition of a third party firewall to Windows. Then Microsoft added one into XP and finally set it running by default with XP's Service Pack 3. The same thing happened with add-on antivirus. The various third party AV solutions had their day, but that day has passed.
Steve Gibson [00:50:08]:
Windows now brings its own along. I see no benefit and only downside risk associated with gratuitously adding another to Windows. This recent misadventure with E Scan shows how much trust any third party must be given to obtain such an honored place in our PCs. As I said, AV is in the kernel, which means if it goes bad, you're in deep trouble.
Leo Laporte [00:50:38]:
It goes bad?
Steve Gibson [00:50:39]:
Yeah. It's just not worth it. Yeah. What is worth it? Leo is hearing from our next sponsor.
Leo Laporte [00:50:45]:
Oh, I always like that. One of my favorite things. Yeah, actually this is a good one too. I'm happy to talk about them. We'll continue with security now in a moment, but first a word from Meter, the company building better networks. Meter was founded by two network engineers who thought there's gotta be a better way. And if you're a network engineer, I bet you've thought that too. Once.
Leo Laporte [00:51:11]:
Once or twice. You know the headaches. Legacy providers with inflexible pricing, it, resource constraints, we all have that, right? Stretching you thin, complex deployments, fragmented tools. You know, you're mission critical to the business, right? But you're working with infrastructure that just wasn't built for today's demands. I mean, it's not quite as bad as an imp, but it could, it could be. That's why businesses are switching to Meter. Oh, look at their website. This is the sweetest stuff.
Leo Laporte [00:51:42]:
Meter delivers full stack. I'm. And I mean full stack networking infrastructure for wired, for wireless, even for cellular. And they build it for performance, they build it for scalability, they build it for security. Meter knows that in order to make that work, you've got to do it all. You've got to the whole stack. They design the hardware, they write the firmware, they build the software, they manage the deployments and then they provide Aftermarket support. Meter offers everything.
Leo Laporte [00:52:12]:
I mean, even down to ISP procurement. They can help you get the right ISP with the capabilities you need. The security. They'll help you with routing, switching, wireless firewall, cellular power, DNS security, VPNs, SD-WANs, multisite workflows. It's all in one solution from a single vendor. You know why that's great? Because if you have multiple vendors, you know that one vendor is going to blame the other one, the other one's going to blame them, and you get the vendor run around. Well, it's not our problem. Ask your ISP.
Leo Laporte [00:52:44]:
Meter handles it all. Meter's single integrated networking stack scales. I mean, they're in major hospitals. If you've ever been to the hospital, you know what, how challenging that wireless environment can be. They help with branch offices. It's not unusual that a company will acquire a branch office or worse, a warehouse in another area. You know, you're expanding, business is going great. Now you got to get their whatever wonky stuff they add into your system.
Leo Laporte [00:53:13]:
Well, Meter can come in and fix the whole thing. They do large campuses, they do data centers, they do Reddit's data center. Okay, so that's a pretty good testimonial. The assistant director of technology for Webb School of Knoxville had a great quote. They were in an interesting situation. He said, quote, we had more than 20 games on campus going on between our two facilities. Each game was being streamed via wired and wireless connections simultaneously. The event went off without a hitch.
Leo Laporte [00:53:46]:
We could never have done this before. Meter redesigned our network. That's pretty good. With Meter, you get a single partner for all your connectivity needs from that first site survey to ongoing support without the complexity of managing multiple providers or multiple tools. Meter's integrated networking stack is designed to, you know, work together and to take the burden off you and your IT team, to give you deep control and visibility, reimagining what it means for businesses to get and stay online. Meter is built by network engineers for network engineers for the bandwidth demands of today and tomorrow. People who know exactly what's going on in your life right now and are here to help. We thank Meter so much for sponsoring.
Leo Laporte [00:54:36]:
I had a great conversation with them a couple of weeks ago, so impressed with what they're doing. Go to meter.com/securitynow to book a demo. Okay, that's meter, M E T E R, .com/securitynow. Book a demo, look around, take a look at the equipment, what they can do. I think you'll be really impressed. I certainly was. meter.com/securitynow. Now more Security Now with Steve Gibson.
Steve Gibson [00:55:05]:
So the Apple iOS world has been moving through a number of point and point point releases. Seems like we've had a lot of updates.
Leo Laporte [00:55:16]:
Yeah.
Steve Gibson [00:55:16]:
26. Yeah. And of course some of that has been good. They've. They've toned down liquid glass, making a little less liquidy.
Leo Laporte [00:55:26]:
Yes.
Steve Gibson [00:55:26]:
Yeah. Every so often, even with all my settings set to mute it and suppress it, like I'll get a little weird liquidy squiggle under something.
Leo Laporte [00:55:38]:
It's just terrible. Why do these companies do this? I don't.
Steve Gibson [00:55:41]:
Yeah. Yeah. Okay. So we're currently hovering at 26, but there's some welcome news about 26.3 for cellular connected devices. Last week Apple announced that it would be adding optional deliberate imprecision to cellular services' ability to geolocate cellular devices. So here's what we learned from Apple under their headline Limit Precise Location from Cellular Networks. They said with the Limit Precise Location setting you can limit some information that cellular networks may use to determine your location. Available on compatible iPhone and iPad models with supported carriers, obviously cellular models.
Steve Gibson [00:56:33]:
Cellular networks can determine your location based on which cell towers your device connects to. And of course we know also relative signal strength factors in.
Leo Laporte [00:56:42]:
And I learned just recently they can also request GPS coordinates. Did you know that?
Steve Gibson [00:56:50]:
Wow. Yeah.
Leo Laporte [00:56:51]:
I had no idea.
Steve Gibson [00:56:52]:
Over the cell network.
Leo Laporte [00:56:54]:
Yes.
Steve Gibson [00:56:55]:
Does make sense. I have a. Our, our signal. Lori and I are both Verizon subscribers and in our location, in our area, it's like this, this well known Verizon dead zone.
Leo Laporte [00:57:10]:
Yeah.
Steve Gibson [00:57:11]:
So one of the first things we did when we, we set up shop there was we got a, a femtocell, as they used to be called.
Leo Laporte [00:57:18]:
Smart.
Steve Gibson [00:57:19]:
Yeah. And, and you know, you just connect it in into your, your LAN. And now we have five bars where we used to like not even have one.
Leo Laporte [00:57:28]:
Some irks me a little bit because you're using your Internet for their connectivity.
Steve Gibson [00:57:34]:
What's.
Leo Laporte [00:57:34]:
But it's the only way you can get on.
Steve Gibson [00:57:36]:
What's worse, there's no way to lock it to your phones. You're providing cell service to your neighbors.
Leo Laporte [00:57:42]:
I didn't know that. Yeah, we used to have to have a femtocell at the old TWiT studios because there was, it was a dead zone for T-Mobile anyway.
Steve Gibson [00:57:50]:
So, so the point of this is that one of the things in this is a GPS. You, you have to put a little antenna out and it, it like, like it takes a long time for this thing to boot up because it, it deter. It needs to determine, for whatever reason, its exact location.
Leo Laporte [00:58:10]:
Building the almanac.
Steve Gibson [00:58:10]:
Yeah, in, in 3-space. So it knows, you know, where it is. So I guess I'm not surprised that they're able to, to ping your phone and say, give me your current GPS location.
Leo Laporte [00:58:22]:
And it is a privacy concern because they sell that. Yeah, they don't even sell it. They sell it for cheap. If they sell it to law enforcement, it's exact too. Yeah, it's exact. Yeah.
Steve Gibson [00:58:33]:
So Apple said cellular networks can determine your location based on which cell towers your device connects to. The Limit Precise Location setting enhances your location privacy by reducing the precision of location data available to cellular networks. With the setting turned on, some information made available to cellular networks is limited. As a result, they might be able to determine only a less precise location, for example, the neighborhood where your device is located, rather than a more precise location. Oh, look, he's in the bathroom right now. You know, such as a street address. The setting doesn't impact signal quality or user experience, they said.
Steve Gibson [00:59:16]:
And they finished saying the Limit Precise Location setting does not impact the, and this is important, the precision of the location data that is shared with emergency responders during an emergency call. So again, they also took the time to think this through. This setting affects only the location data available to cellular networks. It does not impact the location data you share with apps through Location Services. So you know, within the family and within your community of devices and where you've said, yes, I'm, you know, let, let Google Maps know where I am when I'm using them, that still remains high precision. So they said, for example, it has no impact on sharing location with friends and, and family with Find My and so forth. So, okay, at the moment, iOS 26.3 is in its third beta pre-release, so it's expected shortly.
Steve Gibson [01:00:18]:
Once it's available, the setting can be found under the phone's cellular data options, which I thought was not where I would have looked, but okay, cellular data options. And they said that a device, a device reboot may be required in order to change that setting. So it's probably, you know, down in the baseband system that that's part of the, the core infrastructure of their cellular technology. And you know, I'm, as I've said before, and I know you are too, Leo, we're annoyed by Apple's constant commercial upselling of their services. It's, it just feels to me like they, they don't need to do that. But the flip side is there is no company that I trust more to have my back. Apple has demonstrated their steadfast commitment to their users' privacy over and over through the years.
Steve Gibson [01:01:10]:
Now I fully realize that it might really amount to not that much. Right, because tracking and privacy invasions are happening well outside of Apple's sphere of control. There's but you know, so there's not a lot they can do overall. But knowing that my handset is arguably doing everything it can to have my back is better than nothing, you know, and it's what I would choose. You know, even while like Leo, you know, neither of us spend that much time worrying about privacy in the abstract, it feels like, you know, good luck.
Leo Laporte [01:01:47]:
There are a couple of footnotes to this. One is, at least according to some sources, this is because Apple now designs its own modem. So they have that C1X. They can do that. The other thing though is, and you read it, but maybe you kind of skimmed over it says participating cellular carriers. Yes, the carrier has to agree to it. And currently in the United States, the only carrier that it's agreed to it in the United States so far is Boost Mobile. And there's even some speculation that carriers might actually sue Apple over this.
Leo Laporte [01:02:20]:
Just as, you know, some companies have sued over app tracking transparency because they make money on selling your location and they're going to say, you know, their excuse will be oh no, no, it's how we improve our service. We need to know, we need to.
Steve Gibson [01:02:35]:
Know exactly where the phone is in order to map the signal strength, reception and blah, blah, blah.
Leo Laporte [01:02:41]:
Exactly. It's not, it's for your benefit.
Steve Gibson [01:02:44]:
Wow.
Leo Laporte [01:02:46]:
So it remains to be seen how many companies will allow this. I'd be very curious. On the other hand, it may be consumer demand just says, you know, tells T-Mobile and Verizon and AT&T, you know, you better do this. Yeah, yeah, okay.
Steve Gibson [01:02:59]:
I, I hate to do another break except this is going to be a long piece. This is the other, this is the other big. The big story is okay. Of what is another breakthrough in AI. So let, so we're at, we're at the top of the hour. Let's take a break and then, and then we won't have to break in the middle of this.
Leo Laporte [01:03:17]:
I don't hate when you take a break. I just want you to know I like it. I like it that you have to take breaks. To be honest, our show today brought to you and you know this company so I don't think your mind so much. Bitwarden we love Bit Warden, the trusted leader in passwords, pass keys and Secrets Management. You know, this is another company where their commitment to the customer is genuine. They're an open source company, so they kind of have to, right? Bitwarden is consistently ranked number one in user satisfaction by G2 and software reviews. With over 10 million users in over 180 countries, more than 50,000 businesses, Bitwarden is the one to use.
Leo Laporte [01:04:01]:
Whether you're protecting a single account, your own, or thousands at a business, Bit Warden keeps you secure all year long and consistent updates. They're always adding new features. I think that part of that is because it's open source. They've just added something for enterprise called Bitwarden Access Intelligence. With this, organizations can actually detect weak, reused or exposed credentials and then immediately guide remediation with the user, replacing risky passwords with strong unique ones. And as we all know, that's a major security gap. Credentials are one of the top causes of breaches. Access Intelligence helps you get ahead of that.
Leo Laporte [01:04:41]:
Those weak passwords become visible, prioritized and most importantly corrected before exploitation can occur. They've also added something for us small users. Bit Warden Lite. It's light, actually it is a lightweight and I love this self hosted password manager. See when you're open source you can do stuff like that. It's built for home labs, for personal projects, environments that want quick setup with minimal overhead. Bitwarden understands that there's no one size fits all when it comes to a password manager and they want to make sure that every single person uses a password manager. It's the only way you've got to do it.
Leo Laporte [01:05:20]:
Bit Warden's now enhanced with real time vault health alerts for everyone. Incidentally, it's not just enterprises. They have those password coaching features that'll help users identify weak, reused or exposed credentials and to take immediate action to strengthen their security. Maybe. I know, you know, you listen to this show, you know how important a password manager is, but there are people you know, maybe your family members who, or maybe your employees who are not so aware. So this is a nice feature because it explains, you know, hey, this password's been seen in a breach, let me help you fix it. Bit Warden now supports direct import. Oh, this is great too.
Leo Laporte [01:05:57]:
So many people's first experience with a password manager is in the browser, right? The browser says I'll save those passwords but we know that's not the ideal way to do it for convenience, for security. So Bit Warden now supports direct import right from the browser's password manager into. Bit Warden currently works on Chrome, Edge, Brave, Opera, and Vivaldi. So those are all Chromium based and I'm sure Bitwarden is going to enhance it with more browsers soon. This eliminates that step Steve and I went through when we moved to Bitwarden of exporting your passwords from the old password manager. Now they're on your hard drive in the clear, right? Unencrypted import them and you got to remember to thoroughly delete that clear text version. Well, you don't have to do that because this direct import copies credentials right from the browser into the encrypted vault without requiring that separate plain text export. So that's easier, simplifies migration, helps reduce exposure associated with manual export and deletion steps, and makes it really easier for people to do the right thing to stop using the browser password manager and use something better.
Leo Laporte [01:06:58]:
G2 Winter 2025 reports Bitwarden continues to hold strong as number one in every enterprise category. This is in G2 for six straight quarters. Bit warden setup is easy. It supports importing from most password management solutions and it is GPL licensed open source. You can see it on GitHub Plus. It's regularly audited by third party experts and they publish the results of those audits. So everybody can see Bitwarden meets SoC2 type 2 GDPR HIPAA CCPA compliance. It's ISO 270012002 certified.
Leo Laporte [01:07:32]:
I mean they do it right. So here's my pitch. Get started in your business. Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or as an individual, get started for free. Free forever across all devices. That includes unlimited passwords, unlimited passkeys, hardware key support. bitwarden.com/twit, that's bitwarden.com/twit. We thank them so much for their support of Security Now.
Leo Laporte [01:08:01]:
And I thank them personally for making a password manager I don't mind using. Okay, back to you Steve.
Steve Gibson [01:08:09]:
So I first encountered this next piece of news thanks to a listener, Elardis Erasmus. He wrote: Hi Steve, you may have seen this already. I work for a company that makes use of OpenSSL for cryptographic primitives. I evaluate the vulnerabilities as and when they're disclosed to determine the impact, if any, on our products. Just this Tuesday, meaning last Tuesday, OpenSSL released new versions fixing 12 previously unknown security vulnerabilities. This is way more than the usual one or two fixes found in a typical OpenSSL security release. Okay, now I want to pause to note that the idea that Elardis works for a company that uses and relies upon OpenSSL's cryptographic primitives and therefore carefully follows, tracks and examines the consequences of any newly disclosed vulnerabilities which might have, you know, an effect upon their use. That just does my heart good.
Steve Gibson [01:09:22]:
It is so smart and it's a perfect demonstration of the responsible way to use any sort of third party library. You know, most organizations would and do simply link to the library and never give it another thought. We don't know who he works for, but whoever it is, they understand what I call non-finger-pointing security. You know, deflecting responsibility after a breach occurs due to the use of somebody else's vulnerable library might feel good. You know, you get to say, well, it's not our fault, you know, but the breach still occurred and it occurred on your systems as a consequence of using a library that, you know, you weren't being responsible for its use of. You know what I mean? So anyway, I just wanted to take a moment and say that that is just the right way to do this. In any event, he explains his reason for writing, saying to my astonishment, all 12 of the newly discovered OpenSSL zero-day vulnerabilities were found by an AI based cybersecurity company called Aisle. And I don't know if it's an acronym, but it's A I S L E, right? So that's where their name came from.
Steve Gibson [01:10:43]:
Aisle, A I S L E. He says here's a link to a blog post from one of their researchers in case you're interested. What was also interesting from that blog was to learn that AI slop led to the cancellation of the Curl bug bounty program. He finishes, thanks for all you do, best, Elardis Erasmus. Okay, so the AI driven security company we learn of here, as I said, is called Aisle. Aisle and the contents of this blog posting that he linked to by one of their AI security researchers. As I said at the top of the show, it was runner up for today's topic and you'll quickly see why. The researcher begins his posting with a TL;DR which reads: OpenSSL is among the most scrutinized and audited cryptographic libraries on the planet. It underpins the encryption for most of the Internet.
Steve Gibson [01:11:44]:
They just announced 12 new zero-day vulnerabilities, meaning previously unknown to the maintainers at time of disclosure. We at Aisle discovered all 12 using our AI system. This is a historically unusual count and the first real world demonstration of AI based cybersecurity at this scale. Meanwhile, Curl just canceled its bug bounty program due to a flood of AI generated spam, even as we reported five new genuine CVEs to them. AI is simultaneously collapsing the median, and he has in double quotes, slop, and raising the ceiling, meaning real zero-days in critical infrastructure. Okay, so let's pause here and first take a look at the problem that the Curl project has had.
Steve Gibson [01:12:51]:
The project's bug bounty page, which is at curl.se/docs/bugbounty.html, was updated with a very short notice, which just says, up until the end of January 2026. Which, okay, here we're on February 3rd today, right? So three days ago. Up until the end of January 2026, there was a Curl bug bounty. It is no more. The Curl project does not offer any rewards for reported bugs or vulnerabilities. Period. They said.
Steve Gibson [01:13:32]:
We also do not aid security researchers to get such rewards for Curl problems from other sources either. Meaning, you know, you can't go to HackerOne or one of the other bug bounty programs and say, hey, I found a bug. They're out of that game now. A bug bounty gives people, they wrote, too strong incentives, as in incentives which are too strong, T-O-O strong, incentives to find and make up problems in bad faith that cause overload and abuse. We still appreciate and value valid vulnerability reports. Okay, so now to give this page, that's all they said on the new bug bounty page, is basically, ain't none.
Steve Gibson [01:14:18]:
We're done. Because we were, you know, offering to pay people, incentivizes them to just make stuff up. And apparently AI is the cause. Okay, so to give it a little more context, I used the Wayback Machine to capture the same page six weeks ago on December 18, before the closure of all Curl bug bounties. The same page said: The Curl Project runs a bug bounty program in association with HackerOne and the Internet Bug Bounty. How does it work? Start out by posting your suspected security vulnerability directly to Curl's HackerOne program. After you've reported a security issue, it has been deemed credible, and a patch and advisory has been made public, you may be eligible for a bounty from this program.
Steve Gibson [01:15:13]:
See the security process document for how we work with security issues. What are the reward amounts? The Curl Project offers monetary compensation for reported and published security vulnerabilities. The amount of money that is rewarded depends on how serious the flaw is determined to be. Since 2021, the bug bounty is managed in association with the Internet Bug Bounty, who set the reward amounts. If they set amounts that are way lower than we can accept, the Curl project intends to top up awards. In 2025, typical medium rated vulnerabilities are being rewarded $2,500 US each.
Steve Gibson [01:16:02]:
So finally, they finish. Who is eligible for a reward? Everyone and anyone who reports a security problem in a released Curl version that has not already been reported can ask for a bounty. And those days are over. So you know, when crimes are being investigated, the classic three requirements are means, motive and opportunity. You know, could they do it? Why would they do it? And were they in a position to do it? One of this podcast's foundational observations, which followed the explosion and endurance in high end advanced intrusions, you know, with ransomware and extortion, has been that the thing the bad guys want, the only thing the bad guys want, is our money. I mean, much as our personal details are important to us, they could not possibly care any less about the health records, the dating habits, the sexual proclivities or Social Security numbers of anyone else. They just don't care. The only value any of that has is for extorting those who somehow allowed that data to escape or to become encrypted and thus unavailable to them under an unknown encryption key.
Steve Gibson [01:17:29]:
I'm reminding everyone of this fundamental observation because the presence of a vital and vibrant bug bounty system, which rewards with money those who discover and responsibly report security vulnerabilities, represents another source of revenue which can be readily abused. We know how crucial Curl's security is. You know, Leo is just making a joke about, you know, using Curl to bash, well, who cares? Hope for the best. That's right. We've covered the discovery and remediation of previous critical vulnerabilities in Curl. We also know the importance, the necessity of motivating security researchers to go looking for problems. Independent researchers need to eat too, so they're far more likely to look for, discover and report security vulnerabilities in open source projects that will reward their time and trouble than those that do not. Curl's announced withdrawal from their historical and important bug bounty programs means that independent research into Curl's security has effectively ended.
Steve Gibson [01:18:49]:
You know, sure, you could find one by mistake and report it to them, but sorry, you're just gonna, you know, you're a good citizen. They're not paying anymore. So I dug around a bit for some additional background and I found some. Over at the It's FOSS site, the posting titled Curl gets rid of its Bug Bounty program over AI Slop Overrun provides some additional background. The guy there wrote, last year in May, the Curl project's bug bounty program was inundated with AI slop, where many bogus reports were opened on HackerOne, leaving the Curl maintainers to go through garbage. The problem didn't stop even after Daniel Stenberg, the creator of Curl, threatened to ban anyone whose bug report was found to be AI slop. He said, we're now in 2026 and the situation has reached a tipping point. For context, Curl is an open source command line tool used by billions of devices worldwide.
Steve Gibson [01:20:00]:
Daniel has submitted a pull request on GitHub that removes all mentions of a bug bounty program from Curl's documentation and website. Coinciding with that, the project's security.txt file has been updated with some blunt language that makes the new policy crystal clear. Okay, now we've talked about these types of files previously. They're a semi formal collection of files that can be found under the /.well-known/ directory in the root of websites that have them. So I checked out the Curl project's security.txt file, which reads: Project Curl. The Curl open source project accepts security reports for problems found in products made by the Curl project. We offer NO, that's in caps, (0), in parens, rewards or other kinds of compensation for reported problems, but we offer gratitude and acknowledgments, clearly stated in documentation around confirmed issues.
Steve Gibson [01:21:19]:
We will ban you and ridicule you in public if you waste our time on crap reports. So it does appear that the Curl project is pretty fed up with the nonsense they've been subjected to for the past eight months or so. The posting over on It's FOSS continues, saying the Curl team intends to make a proper announcement in the coming days, though many outlets have already covered the news of this happening, so I would say they ought to get on it ASAP. The program officially ends in a few days on January 31, 2026. After that, security researchers can still report issues through GitHub or the project's mailing list, but there won't be any cash involved. What pushed them over the edge, you ask? Well, just weeks into 2026, seven HackerOne reports came in within a 16 hour period in just one week. Some were actual bugs, but none of them were security vulnerabilities. By the time Daniel posted his recent weekly report, they'd already dealt with 20 submissions in 2026.
Steve Gibson [01:22:36]:
The main goal here is said to be stopping the flood of garbage reports. By eliminating the monetary incentive, they are hoping people or bots will stop wasting the security team's time with half baked, unresearched submissions. He also gives a stern warning to wannabe AI sloppers, saying that, quote, this is a balance, of course. But I also continue to believe that exposing, discussing and ridiculing the ones who waste our time is one of the better ways to get the message through. You should NEVER, all caps, report a bug or a vulnerability unless you actually understand it and can reproduce it. If you report anyway, I believe I am in the right to make fun of and be angry at the person doing it, unquote. So yeah, he says that's that. If people still don't understand that AI slop is harmful to such sensitive pieces of software, then sure, they can go ahead and make a fool of themselves. Okay, so that's the bad news.
Steve Gibson [01:23:54]:
It appears to be a new problem created by AI, that will be the automation of the generation of low quality, often bogus security bug reports on the hope that they may score one and get some money. This has the potential to significantly spam the industry's critical bug bounty system. We know that the bounty programs, whose importance has been well established, won't go down without a fight. So what's likely to happen will be much more focus upon the establishment of any would-be bug bounty recipient's reputation. The result would be that reports coming in from unknown, presumably AI bots hoping to score a bounty would somehow be treated differently. The problem is then it's unclear how an unknown human researcher would go about establishing a reputation as a nonbot. Maybe just submit one high quality report and wait for it to be seen to be such and, you know, get a gold star, and you've got to get a couple until your reports are less filtered. So anyway, this will be something for us to all keep an eye on.
Leo Laporte [01:25:17]:
I have kind of a good, a little different take on it.
Steve Gibson [01:25:21]:
Good.
Leo Laporte [01:25:22]:
First of all, I don't know this guy, but open source maintainers, for very good reasons, are crazy as hell, and he's probably been doing Curl without compensation, without much credit, one of the most used programs in the world, for years, and is, you know, a little sensitive. I get at least two or three bug reports on our website every day. Not AI generated, just by people who are hoping to get some money out of us. We don't have a bug bounty even. This is a problem, a people problem, not an AI problem. There are lots of people out there who are hoping to get some money from somebody by saying I found. You don't get any of these because we get them all the time, trust and safety or TWiT TV or that kind of thing, saying you got a bug and I'll reveal it if you give me some money. That's just a people problem.
Leo Laporte [01:26:23]:
Maybe AI has enabled some of these people, but I think that that's not exactly really the target. And I think there's a huge risk at stopping his bug bounty because there's a lot of people who do make money at this who legitimately report bugs who will not be incented to do so. And I think Curl's a pretty important thing. I think the solution to this is not to turn the bug bounty off, but to get some help to get some more people working on this project and maybe some more eyes on the reports.
Steve Gibson [01:26:53]:
Yeah.
Leo Laporte [01:26:54]:
The final thing is I don't think ridicule is going to do anything because the people who do this are not susceptible to ridicule.
Steve Gibson [01:27:01]:
I, I, I, you'll never hear me ridicule anybody ever. It's just not.
Leo Laporte [01:27:07]:
Well, they're anonymous for the most part. You know, these aren't real security researchers. I think it'd be fairly easy to filter out these bad reports, and I certainly pay no attention to the emails I get every day saying there's a bug on your website.
Steve Gibson [01:27:22]:
Yeah, I think that I, for me establishing a reputation system, we know we need a bug bounty program. We know that bounty, that's the thing.
Leo Laporte [01:27:33]:
We shouldn't throw the baby out with the bath water here. We need that bug bounty and, and.
Steve Gibson [01:27:38]:
Sadly Curl, as you said, I mean it's, it is on the front lines. We've had, we, we've covered some, some serious, there have been a lot of bugs.
Leo Laporte [01:27:46]:
That's maybe the other reason he's a little prickly is if you look at his CVEs, it's not the most secure software ever.
Steve Gibson [01:27:55]:
I think it's not quiet.
Leo Laporte [01:27:57]:
He might be a little sensitive at this point to people, you know, finding bugs. I don't know, I love, I'm grateful to it. I would contribute to curl. Absolutely.
Steve Gibson [01:28:09]:
Stepping back further too, we know that there is a fundamental problem with the open source model.
Leo Laporte [01:28:15]:
That's, I mean that's really the problem.
Steve Gibson [01:28:17]:
Major corporations are taking advantage of open source and, you know, that fantastic cartoon of the whole Internet, you know, resting on a little peg that's supported by someone in Nebraska. Yeah, I mean, there it is, a weird system that we've evolved where one unpaid volunteer is expected to maintain a command line tool used by billions of systems.
Leo Laporte [01:28:48]:
Right, right. So I'm very sympathetic. More people should support him. The Work is very important. Get some help. But I don't think turning off the bug bounty is really. And ridicule is absolutely useless.
Steve Gibson [01:29:03]:
Yeah, okay, so that's. It's not time for good news, Leo.
Leo Laporte [01:29:08]:
Yeah. Because there's another side to this story, isn't there?
Steve Gibson [01:29:10]:
Yes, that was the bad news. It also appears to be the case that code digesting and understanding AI, when in the hands of actual security researchers, can create newfound leverage enabling the high fidelity discovery of true security vulnerabilities. The first line of the posting by Aisle's security researcher said, OpenSSL is among the most scrutinized and audited cryptographic libraries on the planet. We know that is not hyperbole. It's absolutely true. I mean, it is really rare to find a bad problem in OpenSSL because the entire industry is.
Steve Gibson [01:30:02]:
Is being so careful with it. Unlike Daniel with Curl. So here's what this guy went on to explain. He said, we at Aisle have been building an automated AI system for deep cybersecurity discovery and remediation, sometimes operating in bug bounties under the pseudonym Giant Anteater. Our goal was to turn what used to be an elite artisanal hacker craft into a repeatable industrial process. We do this to secure the software infrastructure of human civilization before strong AI systems become ubiquitous. Prosaically, we want to make sure we don't get hacked into oblivion the moment they come online.
Steve Gibson [01:30:54]:
No reliable cybersecurity benchmark reaching the desired performance level exists yet. We therefore decided to test the performance of our AI system against live targets. The clear benefit of this is that for a new zero day security vulnerability to be accepted as meriting a CVE, it has to pass an extremely stringent judgment by the long term maintainers and security team of the project, who are working under many incentives not to do so. Beyond just finding bugs, the issue must fit within the project's security posture, that is, what they consider important enough to warrant a CVE. OpenSSL is famously conservative here. Many reported issues are fixed quietly or rejected entirely.
Steve Gibson [01:31:58]:
Therefore, our benchmark was completely external to us and in some cases intellectually adversarial. We chose to focus on some of the most well audited, secure and heavily tested pillars of the world's software ecosystem. Among them, OpenSSL stands out. Industry estimates suggest that at least 2/3 of the world's Internet traffic is encrypted using OpenSSL, and a single zero day vulnerability discovered in it can define a security researcher's career. It is a very hard target in which to find real, valuable security issues. In late summer 2025, six months into starting our research, we tested our AI system against OpenSSL and found a number of real, previously unknown security issues. The fall 2025 OpenSSL security release contained a total of four CVEs. Three of those four were discovered, responsibly disclosed, and in some cases even fixed by us, or more precisely by our AI system, and two were rated as moderate severity issues and the third as low severity. For context on our approach, our system handles the full loop: scanning, analysis, triage, exploit construction if needed, if possible patch generation, and patch verification.
Steve Gibson [01:33:50]:
I hope you're listening to this, Leo, because this is astonishing. I mean, it has happened. Humans choose targets and act as high level pilots overseeing and improving the system, but don't perform the vulnerability discovery on high profile targets. We additionally review the resulting fixes and disclosures manually to ensure quality, although this only rarely changes anything. Today, January 27, 2026, meaning just last week, OpenSSL announced a new security patch release publishing 12 new zero day vulnerabilities, including a very rare high severity one. Of the 12 announced, we at Aisle discovered every single one of them using our AI system. Adding these new 12 to the 3 out of 4 CVEs we already had in 2025 previously, this means that Aisle, and by extension AI in general, is responsible for discovering 13 out of the 14 zero day vulnerabilities in OpenSSL in 2025. Both the count and the relative proportion have been increasing as a function of time and are overall historically very atypical, with the most recent 12 vulnerabilities spanning a significant breadth of OpenSSL's code base. Even a low severity CVE is a higher bar than might be obvious.
Steve Gibson [01:35:35]:
The vast majority of reported issues don't qualify as security vulnerabilities at all. Most are bugs that get fixed without CVEs as standard patch releases. To receive a CVE from OpenSSL, an issue must pass their conservative security posture and be deemed important enough to track formally. Low severity in OpenSSL still means a real, externally validated security vulnerability in well audited critical infrastructure. In five cases, Aisle's AI system directly proposed the patches that were accepted into the official release following a human review from both Aisle and OpenSSL. Matt Caswell, Executive Director of the OpenSSL Foundation, said this about the findings, quote, keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate Aisle's responsible disclosures and the quality of their engagement across these issues. Tomas Mraz, the CTO of OpenSSL, said about the newest security release.
Steve Gibson [01:36:58]:
The following, quote, One of the most important sources of the security of the OpenSSL library and Open Source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by Aisle. We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation. Unquote. The researcher at Aisle continues, the assigned CVEs still don't represent the full picture here. Some of the most valuable security work happens when vulnerabilities are caught before they ever ship, which is, writes the researcher, my ultimate goal. Throughout 2025, Aisle's system identified several issues in OpenSSL's development branches and pull requests that were fixed before reaching any release. Our AI discovered a double free in the OCSP implementation. It was caught and fixed before the vulnerable code ever appeared in a release.
Steve Gibson [01:38:10]:
Our AI also found a use after free and a double free in RSA's OAEP label handling. It found a crash in BIO_sendmmsg / BIO_recvmmsg with legacy callbacks, and our AI discovered a location where important private key file permissions were not being set by the OpenSSL req command. This is the outcome we're eventually working towards. Vulnerabilities prevented proactively, not only patched after deployment, retroactively. The concentration of findings from a single research team spanning this breadth of subsystems and vulnerability types is historically unusual for OpenSSL and is, in my view, in large part due to our heavy use of AI. So okay, I wanted to put Aisle onto everyone's radar. They are at aisle.com and they're going to be worth keeping an eye on. What became clear to me in looking around their site is that their work on OpenSSL.
Steve Gibson [01:39:25]:
You know, they also found a handful of true vulnerabilities, five of them that resulted in CVEs, in Curl, was just for the sake of working to perfect their process. Their actual business is not the improvement of open source software. That was just a happy proof of concept development side effect. For them, OpenSSL served as a perfect test bed, allowing them to further test their AI assisted code analysis system and capability. They're going to be offering this capability for hire to the likes of Apple, Google, Microsoft and others until they're acquired by some big fish, as a means of enabling their customers to similarly find and fix previously undiscovered bugs. Their about page says of them: we're not chasing trends, we're solving the toughest problem in cybersecurity. Aisle was built by security leaders and AI scientists who've seen both the scale of the threat and the limits of today's tools firsthand. Our goal is not to improve vulnerability management, it's to end the backlog, to close the loop.
Steve Gibson [01:40:47]:
We believe in something bold but measurable. Zero exploitable vulnerabilities. Not as a slogan, but as an achievable outcome. And explaining their mission, they wrote, we started Aisle after seeing the same pattern again and again. Attackers move faster and defenders are forced to catch up with too many tools, too much manual work and a backlog that never disappears. You know, think Microsoft. We built Aisle to break that pattern, not by adding another dashboard, but by creating something fundamentally different. An end to end autonomous cyber reasoning system that finds, fixes and verifies vulnerabilities.
Steve Gibson [01:41:37]:
At machine, superhuman speed and scale, it cuts remediation time from months or weeks to minutes and seconds, bringing us closer to a future where software defends itself, built by engineers, accelerated by AI and designed for reality. So among Aisle's angel investors is a chief scientist at Google, the CPO for AI experiences at Microsoft, the co founder and chief scientist at Hugging Face, and a research scientist at DeepMind. So they have the backing of industry professionals who have understood that this had to happen, that it was going to happen. You know, our listeners have heard me assert over and over that code should be totally understandable by a sufficiently capable AI. It really means something that AI managed to find 15 out of a total of 16 CVEs in a system of code as carefully composed, maintained and scrutinized as OpenSSL. It's truly a big deal. And as they said, the OpenSSL project does not hand out CVEs readily. They don't want to.
Steve Gibson [01:43:04]:
It's also found five new CVEs, as I mentioned, in Curl, you know, and they don't care. They didn't get a bounty. They didn't do it for that. They did it to test their AI against open source software. We've recently seen that AI has made surprising strides in the generation of code. And now it appears we're on the brink of being able to leverage the same power, the power of AI, to dramatically improve the quality of both the world's existing and its newly written code. My final observation is that every step along the way of this AI revolution, what we've seen has occurred much faster than certainly I and many observers expected. And each new hurdle is easily being surmounted.
Steve Gibson [01:44:02]:
You know, oh, one AI is insufficient because the problem requires a context window that's too large, causing the AI to start becoming confused. No problem, just divide the too large a task into separate, individual, smaller tasks and deploy a team of AIs, giving them, you know, each of them, a specific subset of the puzzle. What's happening is truly incredible. Having seen and understood the significance of what Aisle has already accomplished, coupled with the speed at which all of this AI is evolving, I now believe that there's a very real possibility that many or most of us will live to see the day when software bugs are eliminated. That no longer seems like a far fetched, faraway goal. I think that's the thing that AI is going to do and it's going to change the world.
Leo Laporte [01:45:10]:
I completely couldn't agree more. And every day I see the evidence of that. One of the things that makes this really interesting with Aisle, they mention it, but I want to underscore it, is this stuff is incredibly fast and it works all day, all night, tirelessly. So it, I mean, yeah, okay, maybe it's slower to find a bug than a human would be. I don't think it is, but let's say it is. Doesn't matter. You can assign 20 of them to do it and they'll work all night for you and solve this problem. Tomorrow we're going to interview a guy who's written some really interesting software called Gastown that's designed to be used with these AI coders like Claude Code.
Leo Laporte [01:45:57]:
And what Gastown does is it creates for every project, it creates roles. So you've got a refinery, you've got a crew, you've got something called polecats, you've got a witness, you have a mayor who runs the whole thing, you have a deacon.
Steve Gibson [01:46:14]:
And so we're talking a collection, right? It's a collection that seems to be the next step.
Leo Laporte [01:46:20]:
And they work in concert and they check each other. So if, you know, if somebody kind of goes off the rails, the mayor steps in and says, wait a minute. Until you see it at work, it's hard to believe. You know, I have a switch in my Claude Code that I turn on called test driven development. I said, no, no, write a test for everything. And I don't want to hear from you until every test passes, right? And it writes much more complete tests than I do because it doesn't have the biases that I do. It just says, well, I gotta test everything. There's also an overseer, that's the human, and it's just really, it's happening so fast and so much creativity is being put into it, and there's a lot of risk.
Steve Gibson [01:47:13]:
I acknowledge and I just shared with everybody that story in the Wall Street Journal saying that the, the software heavy tech companies had just crashed. There's a good reason people are realizing that, you know, hey, I don't need to pay Adobe. I just need to ask my AI to give me one.
Leo Laporte [01:47:34]:
Right. And honestly I've talked about this before. We're in the age of hyper personalized software. People can say instead of saying, and I have a photo editing program and I'm going to kind of interact with it to get to do what I want. You just say what you want and the computer writes a photo editing program to do that for you. And it does it so fast. The other thing Harper Reed taught us very early on, I love Harper, he kind of lives in the future is this stuff is so cheap in terms of not dollars, but just generation. If something doesn't work, you throw it out and you start over.
Leo Laporte [01:48:08]:
You just go, eh, that's fine. It's disposable software. I wrote a tool that I only ran once that converted my Obsidian posts to the day one journal posts. And it, it, I wrote it, I will never use it again. But it did it once and it worked and it, it did a beautiful job.
Steve Gibson [01:48:25]:
And that's, you know, and I'm sort of thinking about the brilliance of the way the UNIX developers created UNIX to be a whole. Yes.
Leo Laporte [01:48:37]:
And so for instance, my, my workflow with story processing is three different agents doing different things that pipe one to the other. It's. That's exactly right. This is why you were asking a few weeks ago if it's helpful to be a programmer or not. I think it is helpful to be able to think in that way in terms of processes and, and, and flow and.
Steve Gibson [01:48:58]:
But the job is changing.
Leo Laporte [01:49:00]:
But the way you do it, you don't write the code anymore, you write the prompt. But you still have to think in that kind of fashion. I think, yeah, it's changing dramatically. I really want you to try it just for fun. Get it to write assembly. I'm not kidding. It'll write assembly perfectly well. In fact.
Leo Laporte [01:49:17]:
Okay, here's it. Here would be fun. Tell it, hey, this Spinrite program, it's an assembler. Here's the code. Can you make a Mac version and just let it go, see what happens? I know it's kind of, it's. I know it's a little weird and scary, isn't it for somebody who spent his life hand coding software, very much hand.
Steve Gibson [01:49:41]:
Who loves. Who loves. It's not like labor, you know, Like, I've always felt guilty when I said I'm gonna go to work. It's like, it's not work.
Leo Laporte [01:49:49]:
It's like talking to a guy who carefully chisels a piece of furniture and then saying, see this thing called a lathe?
Steve Gibson [01:49:57]:
Yeah. Here's a laser printer that can cut that wood. Yeah.
Leo Laporte [01:50:03]:
And, and I, and, and you know what? Here's the good news. I love to code too. And I will always code. I know you will always code, but now it's something we do for fun, because we love it. Not for any other reason. Not because we have to.
Steve Gibson [01:50:17]:
Okay, break time. And then a piece of errata and then some feedback.
Leo Laporte [01:50:21]:
Yes, indeed. Yes, indeed. You're watching Security Now. We're glad you're here. Our show today brought to you by Material, the cloud workspace security platform built for lean security teams. You can be a lean security team with Material, and it solves a problem that, if you're in security, if you're an IT guy, you understand this is a problem. Managing security in a cloud workspace like Google Cloud, Microsoft 365, that's challenging. It's hard.
Leo Laporte [01:50:50]:
Phishing, of course, is a problem, but it's far from the only way in. Unfortunately, today's email security stops, you know, at the perimeter, and new attacks are hard to detect. You've got siloed email data and identity security tools, and they don't talk to one another. Material protects the email, but it also protects the files and it protects the accounts that live in Google Workspace or Microsoft 365. Because effective email security today needs to do much more than, than just block phishing and other inbound attacks.
Steve Gibson [01:51:21]:
It.
Leo Laporte [01:51:22]:
It needs to provide visibility and defense across the workspace. Threat surface. This is, you know, as I think about it, this is exactly the kind of thing I was talking about. We were talking about, you know, this kind of fuzzy security perimeter. Now that we're doing these AI tools, you need something that, that can see across the whole workspace, that can see into everything. And that's what Material does. It ingests your settings, your contents, and your logs. It gives you holistic visibility into threats and risk across the workspace, because what you don't know can really hurt you, right? Along with the tools to automatically remediate them, Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment.
Leo Laporte [01:52:12]:
This is the new world phishing protection. Email security. Yes. Combining advanced AI detections with threat research and user report automation. Detection and protection of sensitive data across inboxes and shared files. Account threat detection and response with comprehensive control over access and authentication of people and third-party apps. You probably don't want to think about it, but if your company's living in the cloud, do you have that kind of visibility, or you're just kind of hoping everything comes out all right? Material empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for sensitive content, so you can say, yeah, this stuff, really protect this; blast radius visualization for accounts, so you know what the risks are and how far they can spread; and the ability to detect and respond to threats and risk across the entire cloud workspace.
Leo Laporte [01:53:07]:
Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API-based implementation and flexible automated and one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. It takes your small team and turns it into superheroes. Right? With all the power, Material protects the entire workspace for the cost of simple email security, with a simple and transparent pricing model to secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more and to book a demo. Check this out. This is, this is the new way of doing things, material.security. And we thank them so much for supporting Steve Gibson, who likes doing things the old fashioned way.
Leo Laporte [01:54:08]:
No, that's what I love about you, Steve, because you're very wide open to this. There's a lot of people who are saying, oh no, you know, it's slop, it's slop, it's not. And you're very, you understand, this is transformational stuff that's happening.
Steve Gibson [01:54:20]:
I, I think we, we're going to see the end. We're going to be alive. You and I are, are, you know, I'm 70, you're almost, I'll be there. We're gonna, I, I don't think, I think five years from now we're gonna, I mean, I think that, I think this Aisle company is going to get snapped up by one of the big fish in a heartbeat. That's, I'm sure that's the way they profiled themselves. And, and we're gonna, this is gonna change software, that the bugs are going to be over. Which doesn't mean the podcast is over because we still have the humans in the loop.
Leo Laporte [01:54:52]:
Yes.
Steve Gibson [01:54:52]:
And you know that our. Our. The title of our talk, our presentation next month at ThreatLocker is The Call Is Coming from Inside the House.
Leo Laporte [01:55:04]:
I can't wait. This is gonna be so much fun.
Steve Gibson [01:55:07]:
Okay, so I have an important correction to share. Thanks to one of our Irish listeners who took the time to explain an important nuance of Ireland's law passing process. Our listener is James Pelosi, who said, hi, Steve and Leo, longtime listener and happy Club TWiT member. He said, I wanted to flag something from episode 1062 regarding Ireland's Communications Interception and Lawful Access Bill. He said, by way of background, I work as an Irish translator specializing in, amongst other things, Irish and EU legislation, translating to and from Irish, our national and first official language. I encounter these government press releases regularly and I've translated a fair few of them myself down through the years, so I have some familiarity with how it all works. In this case, the bill has not actually been passed. In fact, it hasn't even been drafted yet.
Steve Gibson [01:56:08]:
What the press release announces is that the Cabinet has approved the Minister's proposal to begin developing the legislation. Officials are now tasked with preparing a general scheme, which explains that term that we, you know, saw when I talked about this. Essentially a detailed policy outline which the Minister says he hopes to publish sometime in 2026. Only after that would the actual legal text be drafted, subjected to public consultation, scrutinized by parliamentary committee, introduced to the, whatever that word is, O I R E A C H T A S. I'm sure if you said that with an Irish accent, it would sound good.
Leo Laporte [01:57:00]:
Yeah. Which makes more sense if you were.
Steve Gibson [01:57:03]:
Anyway, he says, parens, our Parliament, debated in both the Dáil, whatever that is, lower house, and Seanad. Sorry, James, the upper house. And signed into law by the President, assuming she has no concerns about it being unconstitutional. In other words, boy, is it not a law. Yeah, it has a long way.
Leo Laporte [01:57:30]:
It's a general scheme is what it is.
Steve Gibson [01:57:32]:
Yeah, it's an ambition, probably better than anything else. So he said to clarify the terminology in Irish law, a bill is proposed legislation still going through Parliament, while an act is legislation that has been passed and is in force. So the 1993 act is current law. This proposed bill isn't even a bill yet. It's an announcement of intent to draft. One is that I'm personally of the view that this proposed legislation would actually be a significant improvement on the current regime. Under the 1993 act, interception warrants are authorized by the Minister for Justice alone. No court order is required.
Steve Gibson [01:58:26]:
Oversight is purely retrospective. A designated High Court judge reviews the operation of the act and reports annually to the, whatever that word is, Prime Minister, but doesn't approve individual. James, if you can translate Irish into English, more power to you, because this doesn't look like anything. T. Tai.
Leo Laporte [01:58:54]:
I could play the pronunciation for you if you want. I think I have it here. Let me see.
Steve Gibson [01:58:59]:
T, A, O, T, A, O, I. So we got three vowels in a row. And then I, I, that. That. S, E, A, C, H. You know what?
Leo Laporte [01:59:10]:
None of the dictionaries which normally have pronoun, you know, recorded pronunciations next to these words. Oh, here we go.
Steve Gibson [01:59:16]:
Here we go.
Leo Laporte [01:59:17]:
Here's one. None of them are playing it.
Steve Gibson [01:59:22]:
I don't blame them.
Leo Laporte [01:59:23]:
You'll have to imagine. Anyway, the proposed T. Sh. T.
Steve Gibson [01:59:29]:
Yeah, that's the Prime Minister.
Leo Laporte [01:59:31]:
Yeah.
Steve Gibson [01:59:31]:
Anyway, T. SH.
Leo Laporte [01:59:32]:
Yeah. You know.
Steve Gibson [01:59:35]:
The proposed bill would introduce a requirement for proper judicial authorization for the first time, along with an independent examiner and a formal complaints process covering all the powers, he says. But to get a proper read on it, we'll have to wait for the actual text. And then he said something that I'm sure is thank you or goodbye or good luck or something. James?
Leo Laporte [02:00:01]:
Yeah, I love Irish. I mean, I love it when they speak it. I couldn't pronounce it for the life of me. Yeah, wild. Okay, so we don't have to worry about it yet.
Steve Gibson [02:00:11]:
No, we do not have anything to worry about. You know, they're. It sounds like from what James explained, they're going to be. Whatever they do will have way more formal controls on it than were in place in 1993. But it's. They're still. I mean, it did say what we shared. It's not a law, but it's an intent.
Steve Gibson [02:00:33]:
Like, it's a wish for one where they get to have access to anything. That's what they're saying. And remember, that was the one where they're saying, we're going to give ourselves the right to install spyware on people's phones if we think that's what we need to do. So I can't say coming soon to. But, you know, it's the intent.
Leo Laporte [02:00:56]:
Yeah.
Steve Gibson [02:00:56]:
And we know that Germany expressed the same intent, which is what we. We also talked about last time.
Leo Laporte [02:01:01]:
Okay.
Steve Gibson [02:01:02]:
Ronnie Morgan said, I thought you'd be interested to know that Gemini recommended using your DNS Benchmark. I've been working on changing DNS resolvers at work and was using Gemini to complete the task, mostly for fun. Before I flipped the switch, I asked Gemini what would be a good way to test the performance of the old resolvers versus the new ones, and its number one suggestion was your tool, which I honestly didn't even think about until it suggested it. And the result? New servers are performing very well. He signed off saying, thanks for a great tool. I'm looking forward to the surprise you have in store for the paid version of it, he says, parens, which I've already purchased, and I'm looking forward to SpinRite 7.0. So thanks, Ronnie, for sharing that. I'm at work implementing some rather deep changes to GRC's e-commerce system, which I originally created and wrote in assembly language with no help from AI in 2003, and I haven't touched it since, in 23 years.
Steve Gibson [02:02:08]:
And I'm excited about the system's forthcoming new features, but I'm going to continue to keep quiet about them until they're implemented, tested and ready, because people are going to immediately rush to it and want them and I won't be ready. So speaking of Gemini, I recently heard from Panos, the author and publisher of nuevoMailer, that marvelous emailing system I chose as the back end database and mail management platform for GRC's email list system, which all of our listeners are using. nuevoMailer is what mails nearly, I think, I think it was 19,906 pieces of email on Sunday afternoon. None of them bounced back this time. This time Outlook and Hotmail had no complaints. Whereas last week they bounced 1500 plus, which I then later remailed with no complaints. So again, as you said, Leo, you know, anti-spam false positive.
Steve Gibson [02:03:08]:
Anyway, Panos has become a listener of this podcast and he dropped me a note to share a chilling Gemini AI related event that he suffered last week. He wrote, hi Steve, listening to the latest podcast and speaking of AI, here's what happened to me last week. The Gemini extension in Visual Studio Code, while in Agent mode, wiped out all files and folders from my project, he said. I noticed it got into a loop doing, undoing the same changes in two files, so I stopped it. I switched to the File Explorer to pick something else and it was empty. Not even in the Recycle Bin. The response from Gemini, I just love this, Leo: That sounds incredibly frustrating.
Steve Gibson [02:04:03]:
Oh, I'm sorry Dave.
Leo Laporte [02:04:05]:
I'm sorry Dave. I didn't mean to do that.
Steve Gibson [02:04:08]:
We're gonna leave the airlocks closed and you're gonna. You're gonna suffocate. So Gemini says, that sounds incredibly frustrating and definitely not the kind of assistance, as in quotes, God, not the kind of assistance anyone wants from an AI. I'm sorry you're dealing with data loss. Recent reports, including documented issues in late 2025 and early 2026, have highlighted a bug where the Gemini CLI and VS Code extension can occasionally misinterpret conversational context as destructive terminal commands like rm space hyphen rf, meaning, you know, recursively delete, you know, remove, or fail during file moving operations, causing files to vanish. Since these deletions often happen via the extension host, they might bypass your OS recycle bin. But VS Code has a hidden safety net that can often save you. So then Panos continues, the safety net did not help much.
Steve Gibson [02:05:21]:
It's only backups of recently edited files. Files that you've never opened with VS Code are not there. Fortunately, I had another IDE which kept backups. Now I have a task running a bat file twice a day making backups of important projects to a different drive. Yeah, so, you know, we've been exploring and promoting the idea of AI driven software development and we've seen instances where AI is aimed at an existing GitHub project and then takes over, you know, so I just wanted to share Panos' hair raising adventure and suggest that anyone who might be similarly vulnerable, you know, maybe run a separate, entirely disconnected project backup system. You know, something that the AI is not involved with in any way because, you know, belt and suspenders.
Leo Laporte [02:06:21]:
The way I handle this and Panos, you should consider it too, is everything's on GitHub and you commit after every change. So there's always a way to pedal back.
Steve Gibson [02:06:32]:
To rewind.
Leo Laporte [02:06:33]:
Yeah, that's the beauty of a source repository like Git is you can always rewind. In fact, you frequently do want to rewind. Like, oh, that really screwed things up. Let's go back to the previous version.
Steve Gibson [02:06:44]:
I often, I will make what I call a checkpoint and then I'll go do something. And if I end up really tangled up, you know, like the first, the first, the, the orig, the DNS Benchmark from 2008, because IP addresses fit in a 32-bit register. I mean, it was so difficult to switch it to 128-bit IPv6 and then strings, URLs. And so I kept going forward, I go, oh. And I rewind, I go back, I start again, and each time I learned something that I hadn't anticipated until finally I got it to work.
Leo Laporte [02:07:24]:
It's like a Video game, you save regularly so that if you, when you.
Steve Gibson [02:07:30]:
Die, you get resurrected. You get resurrected.
Leo Laporte [02:07:33]:
Yeah, it's actually really handy. Almost all these tools use GitHub and it's trivial to say, you know, to your agent, you know, every time we finish something, commit. You know, I always say, in fact it does it automatically now. Commit, push and build. That's the other thing I never used to use, GitHub's CI/CD process where it would build software. Right. It builds it now, so every time. And it builds it for multiple platforms, it builds it for three different platforms.
Leo Laporte [02:08:04]:
So it's cross platform. So I just say, you know, commit. Okay, good, good job. Commit and build. And then I go do something we live in. I just so it.
Steve Gibson [02:08:15]:
So it changes us from coders to project managers, or bosses.
Leo Laporte [02:08:19]:
Yeah, yeah, or the mayor in this, in the case.
Steve Gibson [02:08:23]:
So also being a listener, Panos also shared. He said, P.S. I attached something that happened to me today. Of course I did not press Win+R. So he attached an example of one of the most terrifying social engineering hacks floating around today.
Leo Laporte [02:08:44]:
This would get a lot of people.
Steve Gibson [02:08:45]:
I think it would, and that's my concern. You know, we've all encountered CAPTCHAs that we're asked to solve. That's a thing now. And more recently, when we're attempting to visit a site that's hosted by Cloudflare, we'll encounter an intercept screen that asks us to wait a moment while it verifies that we're human. Sometimes that intercept will self resolve, and other times we're asked to click on a checkbox to affirm our humanity. Presumably, some fancy JavaScript has been profiling our connection in some way, but it also wants to watch us as we servo the mouse over to the checkbox and click it. So, in a deviously brilliant social engineering hack that's obvious only in retrospect, bad guys realized that they could spoof the increasingly familiar Cloudflare intercept event and get people to follow additional innocuous looking instructions. I know that a great many of us serve as the computer experts for our friends and neighbors and family members and fellow employees.
Steve Gibson [02:09:57]:
So we've developed an appreciation for how little anyone really and truly understands the computers they're sitting in front of and using. You know, that's what makes this particular social engineering attack so devastating. It will obviously have a high success rate. A week or two ago, we shared the experience of another listener of ours who, while visiting at his mom's house, began receiving money transfer acknowledgments on his phone. He ran home to discover that something called ScreenConnect had activated and somebody was controlling his machine remotely and using it to transfer his money elsewhere without his knowledge or permission. Naturally, he wondered how such malware might have landed inside his machine. In this case, being a savvy Security Now listener, it's unlikely that he would have fallen for this particular hack, just as Panos did not. But unless somebody really understood what they were doing, this would look like an entirely reasonable request. The solution is for Microsoft to get proactive here, just as Cisco has needed to with their own networking gear.
Steve Gibson [02:11:20]:
Microsoft needs to soberly recognize that Windows users are not expert users anymore. Less so every day. Over time, you know, they're becoming less expert, you know. Clipboard. What's a clipboard? We see this recognition in many other areas of annoying, you know, preemptive handholding by Microsoft. In Windows, I have two Windows machines that I don't care much about which are logged in with a Microsoft account. What a mistake and lesson that has turned out to be. Microsoft is pushing everyone to log in with a Microsoft account.
Steve Gibson [02:12:01]:
When they repeatedly brutalize, you know, anyone who does not, it's, you know, becoming annoying listening to Microsoft over and over and over again, you know, telling me that I need to turn on backups on my PC. It's like, no, I don't, leave me alone. But I do a major update and it's back to the, like, setting up Windows screen, you know, making me tell them like four times in a row, no, I am really sure I do not want you to do backups for me. But in this case of what amounts to system clipboard abuse, which seems like a very serious problem that promises to wreak havoc, it would be trivial for Microsoft to track the source of any data that's placed onto the clipboard and take special measures when any clipboard data attempts to cross a security boundary. We know that today's web browsers are inherently high risk containers and that a huge amount of effort has gone into browser containment. A shared clipboard completely breaches browser containment, right, because it allows you to copy something from in the browser and paste it outside the browser. A shared clipboard is a fundamental weakness which just kind of crept up on us without anyone thinking about it. So the idea that it's possible for some malicious browser JavaScript, which originated from Lord only knows where, to place malicious content onto the shared system clipboard and then instruct its user to execute that content by copying it into the Windows Run dialog without having Windows raise a huge fuss with, you know, flashing lights and sirens and Are you sure? I mean, I'm sure I don't want backup. I am sure that I would like to have Windows warn me if something that I didn't manually put on the clipboard somehow got there and is about to be pasted into a Run dialog.
Steve Gibson [02:14:22]:
It seems to me it is the height of non-proactive irresponsibility on Microsoft's part. So Microsoft, if anyone there is listening, get this fixed. Because this problem is not going away. Burying your head in the sand is not going to fix this. You know this is a problem. Nick Mapsey said, hi Steve, I just got to the part in last week's podcast where you break down how your ISP can snoop on you. You point out that once we're all using TLS 1.3, the most they can do is track what IP addresses you visit. But I want to point out that even then there's a much bigger privacy threat they can pose.
Steve Gibson [02:15:11]:
As you said, ISPs know who you are and where you live. Third-party cookies can track where you've been on the Internet, but they don't inherently know who you are. ISPs can solve that problem for tracking companies. They could set up a marketplace where a company can ask who currently is at this IP address, and the ISP would, for a price, tell them who you are, where you live, what's your email address, what's your phone number, etc. We already know that cell carriers have been selling real time location data, so this is not a big leap at all. I haven't seen confirmation yet that this is being done, but I'm paranoid enough that this led me to finally start using a 24/7 VPN. I thought it might be worth pointing out on the podcast, and yikes. I have to agree with Nick's horrifying observation.
Steve Gibson [02:16:14]:
Again, no one has any evidence or proof or belief that this is happening. But every ISP is aware of their subscribers' current public IP address, and it must be that law enforcement has been able to ask an ISP exactly who was using which of the ISP's block of public IPs at any given time. That would seem logical. So I agree with Nick that imagining ISPs might monetize that knowledge in real time is not a big leap. I suppose it would be beneficial, or it would be one benefit of an ISP using carrier-grade NAT, which we've talked about before, where users don't get public IPs, they get a block of private IPs, because the ISP themselves, just as users are behind a NAT router at home, the ISP is behind a carrier-grade NAT router and is issuing private IPs to its subscribers, in which case they're anonymized by that. So that would be one benefit of that. But you know, ISPs do know who we are and they're, you know, who knows what the fine print says, whether they are actually able to disclose our real time IP to anybody who asks, even not law enforcement, but for commercial purposes, I don't know. And Leo, what I do know is that we have one final sponsor to introduce.
Leo Laporte [02:17:56]:
Steve, you can count. That's so impressive.
Steve Gibson [02:17:59]:
We are good. I miscounted one week. I know I don't always count.
Leo Laporte [02:18:05]:
Yeah. Let's take a break, final break and then we will finish up with our story of the week.
Steve Gibson [02:18:13]:
Mongo is too easy again.
Leo Laporte [02:18:16]:
It has nothing to do with Blazing Saddles. You remember Mongo from Blazing Saddles? Do you remember that he was played by the ex football player, what was his name? Alex Karras. He's a big guy. Mongo, anyway. And you know, I wonder though if MongoDB could have been named after Mongo from, what, Blazing Saddles. I could see that. I mean Python's named after Monty Python, right? Our show today, brought to you by Guardsquare. This is a brand new sponsor we want to welcome to Security Now.
Leo Laporte [02:18:45]:
And something you need to know about if you do mobile app development. Mobile apps today are obviously an inescapable part of life. If you've got anything, a mattress to a camera, you need to have a mobile app, right? Financial services, healthcare, retail, entertainment. Users are trusting mobile apps, really trusting them with all their sensitive personal data. A recent survey showed that 72% of organizations had experienced a mobile app security incident last year. Almost three quarters. 92% of respondents reported threat levels rising over the last two years. And attackers know this. Attackers who want your personal data, who want your users', your customers' personal data, are constantly finding new ways to attack your mobile app.
Leo Laporte [02:19:39]:
Just like they attacked Don Ho. They reverse engineer it, repackage it and distribute the modified app via phishing campaigns. It looks like the real thing. Side loading, third-party app stores. There's all sorts of ways to get users to install that bogus app. But who gets the blame? You. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. That's where Guardsquare comes in. I did not know this existed until I talked to them.
Leo Laporte [02:20:10]:
This is super cool. Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps, combined with automated mobile application security testing that helps find vulnerabilities, and real time threat monitoring to gain insights into attacks. So you know what's going on. Discover more about how Guardsquare provides industry leading security for your mobile apps. You'll find them at guardsquare.com. That's guardsquare.com, G-U-A-R-D-S-Q-U-A-R-E, guardsquare.com. Don't, don't be another Don Ho. Bet he wishes he'd had this for Notepad++. guardsquare.com for your mobile app. Okay, okay, Steve.
Steve Gibson [02:20:59]:
So even though we kicked off this year with a podcast titled MongoBleed and I resisted talking about it again so soon, the security research I just found was just too much fun and too interesting to pass up. The competition for today's main topic, as I said, was that one that I already shared about AI finding flaws in OpenSSL, which I agree with you, Leo. I mean this is a game changer for, for the, for the software industry. And you know, on this, on the creation side, we just saw the stock market, you know, punish companies that produce software because, oh, I can make my own now. Okay, so get a load of this one. The following posting was made by the Darknet Army, posted to the dark web at 2am last year on October 1st. So this is, you know, a dark web posting by the Darknet Army. What's up hustlers? I've been using this secret method since 2019.
Leo Laporte [02:22:08]:
What's up hustlers?
Steve Gibson [02:22:09]:
What's up hustlers? What's up? To pull in steady cash every day. But it's starting to get crowded now. Before this method gets completely burned out, I'm sharing it here so you can jump on it and make some serious money for yourself. This isn't some complicated tech heavy process. You don't need to know coding, hacking or anything technical. If you can copy, paste and click, you're good to go. I'll guide you through every single step. So what are we actually doing? Here's the deal.
Steve Gibson [02:22:45]:
There are websites out there where businesses store their important information. Think customer records, orders, employee details, etc. In a digital storage system. The storage system is called a database. But here's the crazy part. Some businesses leave their databases completely unprotected, wide open on the Internet. They don't set up passwords or any security, which means anyone, all caps like you can access them with just a browser. Once you're in, you can delete their data, wipe it all clean, then leave a ransom note telling them to pay Bitcoin if they want their data back.
Steve Gibson [02:23:30]:
Sounds wild, right? Stick with me and I'll show you how easy it is to do this. Why are these databases exposed? Most businesses use a type of database called MongoDB because it's fast and easy to set up. They use a tool called Mongo Express to manage it, basically a control panel for their database. The problem? Many businesses are careless and leave their Mongo Express control panels exposed online with no passwords. This makes them perfect targets. You don't even need hacking tools to get in. Need help? If you're stuck or have questions, hit me up, DM me on the forum, message me on Telegram. He provides addresses for all that, and final words.
Steve Gibson [02:24:17]:
He says this method is stupidly easy and works like magic, but it won't last forever. Businesses are slowly waking up and fixing their Express setups, so use this while you still can. Follow the steps outlined below to take action and you can start earning $600 a day. So that was actually posted to the dark web for the hustlers. I titled today's podcast Mongo's Too Easy because MongoDB's continuing exploitation is now in the hands of the script kiddies. It turns out there's another market out there, such as it is, where there are no sophisticated intrusions with multi-terabyte exfiltrations of data, fancy command and control servers with dynamically rotating and changing time based DNS domain lookups, encryptions and keys and all that. Nope, all of the data contained within exposed MongoDB instances is simply being deleted. In its place is a ransom note explaining that the data can be returned once payment of $500 or $600 in Bitcoin has been received.
Steve Gibson [02:25:48]:
Just to be clear, that's not true. They don't know how to do any of that. They're script kiddies. Instead, all of the database's data was permanently deleted and a bogus ransom note is being left behind. It's a bogus ransom note because payment of the ransom has no effect. None. No data is ever returned because it was irreversibly deleted from the database. These are not the traditional serious attackers who hack, exfiltrate, encrypt and extort.
Steve Gibson [02:26:27]:
No, this is the bottom of the market. These attackers are trading on the reputation, such as it is, that the high end attackers carefully established long ago for honoring the payment of their extortion demands. Those guys are serious. These guys are not. The high end attackers realize that if they want their demands, which often run into the many millions of dollars, to be taken seriously and paid, they need their victims to really believe that payment will result in the return of the stolen data and its subsequent deletion so that it never leaks publicly. If the high end attackers do not honor their agreement upon the payment of ransoms, the high end of this market will fail. A Canadian cybersecurity firm known as Flare Systems posted a great piece from which I excerpted that earlier posting. The title of their posting last Monday was MongoDB Ransom Isn't Back, It Never Left. They wrote:
Steve Gibson [02:27:42]:
Between 2017 and 2021 there was a series of research publications about MongoDB ransomware exploitation campaigns. These blogs described the same pattern. Someone in an organization made a mistake which left MongoDB exposed to the world. The problem was that this MongoDB didn't require any special authorization or password, so anyone over the Internet could have accessed and controlled that database. Here's the sequence of events for attackers who abuse these exposures. Threat actor finds a MongoDB database. They copy everything to their own device. They delete everything on the victim's computer.
Steve Gibson [02:28:28]:
In place of the database, they leave a ransom note. The ransom note claims pay hundreds of dollars in the next 48 hours or the database would be permanently deleted. That was five years ago, but since then there have only been a few stories about ransom against MongoDB. However, a couple of months ago we conducted a pen testing exercise for a small to medium sized business. The organization had 12 MongoDB instances and two of them were exposed to the Internet with a ransom note inside, reminding us of the MongoDB ransom campaigns. We decided to create and run a honeypot exposing MongoDB secrets. And Leo, if the Thinkst Canary can support a MongoDB, that might be a fun thing for people to play with.
Leo Laporte [02:29:24]:
Oh, that's a good idea. Let me. I have to check and see if I can do that. I bet it can.
Steve Gibson [02:29:29]:
Yeah, so they said. A short Google search indicated that under the surface there are many similar stories. One story reflects the threat from a victim's perspective, talking about a rising star tech startup that heavily relied on MongoDB as a database being hacked and extorted for $25,000. In this blog we analyze the current MongoDB ransomware threat. MongoDB ransom attacks are not driven by advanced exploits or novel malware. They are the predictable outcome of Internet-exposed, unauthenticated databases. As long as insecure deployment patterns continue to propagate through tutorials, container images and copy paste infrastructure, these attacks will remain cheap, scalable and profitable for threat actors and costly for organizations without proper controls.
Steve Gibson [02:30:32]:
The MongoDB ransom ecosystem demonstrates that real risk often emerges from the intersection of deployment patterns, configuration shortcuts and attacker monetization models rather than from advanced exploits alone. The attacks exploit MongoDB databases that are exposed to the Internet with default unsecured configurations, no password, open ports, and so on. Automated scripts.
Leo Laporte [02:31:03]:
Oh yeah, here I can turn on MongoDB very. Let me just tell you, it's on port 27017 in case anybody wants to.
Steve Gibson [02:31:10]:
That is the default MongoDB port.
Leo Laporte [02:31:13]:
Yeah, no problem. So I got a Windows server running with a MongoDB on it. Just come on in, hack away. You're more than welcome. I'll know immediately though. Isn't that great that I can make that Thinkst Canary be that. That's fantastic. Sorry, go ahead.
Steve Gibson [02:31:31]:
So they said automated scripts. Bots scan for vulnerable instances. Once an open database is found, the data is typically exported or simply deleted. The collections are dropped and a new collection containing a ransom note is inserted. Threat actors demand payment in Bitcoin, often around 0.005 BTC, equivalent today to between $500 and $600. Actually, that depends upon when you look. Bitcoin's been having a little rough time of it lately. They said, to a specified wallet address, promising to restore the data. However, there's no guarantee the attackers have the data or will provide a working decryption key if paid.
Steve Gibson [02:32:22]:
These incidents, sometimes referred to as the MongoDB apocalypse, affected tens of thousands of servers. Victims who have paid the ransom often reported receiving nothing in return or finding the provided data and data keys were useless, leading to permanent data loss. Thus, security experts strongly advise against paying the ransoms. On the other hand, five or six hundred bucks. Part of the key to this working at all is that the bad guys put no effort into this. A bot found it, a bot dealt with it. And they're not asking for millions of dollars, they're asking for, you know, five or six hundred bucks. They said we set up a MongoDB honeypot, and so has Leo, on a container infrastructure connected to the world without authentication.
Steve Gibson [02:33:16]:
We deployed the container in various geolocations. It didn't take long. A few days after we set up the containers, we saw the ransom note in all the servers. They then show the MongoDB shell radio running and the command show dbs. You know, dbs, databases, which results in the listing of a file titled read underscore me underscore to recover your data. After using the MongoDB shell to switch to that file, it is dumped to the console and it reads: all your data is backed up. You must pay 0.0054 BTC to, and then a Bitcoin address. In 48 hours your data will be publicly disclosed and deleted.
Steve Gibson [02:34:11]:
For more information go to, and then they have a website address, the numeral 2 info win forward slash MDB. They said after paying, send mail to us, and then they have an email address, rambler and then a plus sign and then a six character token1y08bunionmail.org, they said, and we will provide a link for you to download your data. Your DB code is, and then the same token 1y08 bullet. So they said we observed this attack. We started collecting threat intelligence to better assess this threat and associated risks. We found hundreds of relevant results, including this MongoDB ransom tutorial, the one that I showed you guys above. That's the note that, you know, I showed before. Then under the heading why and how does the MongoDB attack actually happen? They said: MongoDB is a widely used NoSQL document database designed for flexibility, scalability and speed. Instead of rigid tables and schemas, MongoDB stores data as JSON-like documents, making it a natural fit for modern applications that evolve quickly and handle diverse data types. It is commonly used in web and mobile applications, SaaS platforms, IoT backends, real-time analytics, content management systems and microservices architectures.
Steve Gibson [02:35:58]:
Its ability to scale horizontally, replicate data across nodes and support high throughput workloads has made MongoDB a popular choice among startups and enterprises alike, and particularly in cloud native environments where agility and rapid deployment are key. With this understanding, we leveraged Flare, which is their own in-house tool, to identify publicly shared code snippets that explicitly configure MongoDB servers to be exposed to the Internet without authentication. This approach is based on the assumption, validated repeatedly in real world incidents, that organizations and individuals often rely on ready-made Docker images and copy-paste configurations from Docker Hub and GitHub when deploying infrastructure. Using Flare, we searched for code artifacts containing the command pattern that would bind MongoDB to all network interfaces and enable unauthenticated access by default, and they give a sample of such a string in their posting. They said this configuration results in a MongoDB instance running inside a container that accepts connections from any IP address. When the container port is bound to the host and exposed externally, any Internet-originating traffic can connect directly to the database. In their default configuration, these MongoDB deployments do not enforce authentication. Again, in their default configuration, these MongoDB deployments do not enforce authentication or require credentials, allowing unrestricted access to any party that can reach the service. As a result, this code pattern leads to publicly exposed MongoDB instances. Over a three month analysis period.
Steve Gibson [02:38:07]:
In our query, we identified 763. Okay, so 90 days, three months analysis, they said. We identified 763 container images uploaded to Docker Hub containing exactly this insecure configuration. These 763 container images spanned 30 distinct namespaces. Most of these images appear to be intended for personal or experimental use and have only a few hundred pulls. However, we also identified two widely used projects with more than 15,000 pulls each that included the same insecure setup. Okay, so Docker Hub is hosting two specific images for which 30,000 deployments have been made insecurely. They said, while these numbers alone do not appear significant, this represents only one of the many common ways MongoDB is inadvertently exposed. We highlight this pattern to illustrate how easily insecure configurations propagate and how widespread such exposure can become.
Steve Gibson [02:39:33]:
Out of curiosity, they said, we also searched for some exposed credentials. We found 17,909 potential results for a specific user password exposure, one of many potential search terms. Out of those, we found at least half of them as valid credentials that could be abused by attackers. The diversity of sources illustrates the low level of password hygiene in the wild and how easy it is for attackers to obtain credentials in the wild. We found exposed credentials in coding repositories and registries such as GitHub and Docker Hub, dark web forums, paste sites, and Shai-Hulud victims. We used Shodan to identify Internet-connected MongoDB services. Our analysis revealed more than 200,000 servers running MongoDB that were publicly discoverable. Again, remember, there are very few instances where you actually need public exposure from a MongoDB database.
Steve Gibson [02:40:48]:
It is meant for internal infrastructure, not remote access. 200,000 servers they found running MongoDB that were publicly discoverable. Of these, they said, slightly over 100,000 instances disclosed operational information, and 3,100 were fully exposed to the Internet without access restrictions. Among the 3,100 fully exposed servers, 1,416 instances had already been compromised with their databases wiped and replaced with a ransom note. In nearly all cases, the ransom demand was approximately $500 U.S. in Bitcoin. Notably, only five distinct Bitcoin wallets were observed across all incidents, with the wallet associated with the ransom notes left on our servers appearing in over 98% of cases. In other words, one attacker is out there.
Steve Gibson [02:42:00]:
Basically, their business model is just scanning the Internet for morons who put data on a MongoDB and, you know, they delete it and put a ransom note up and hope to get paid. 98% of all of the ransom notes they've seen pointed to the same Bitcoin wallet. They said this strongly suggests the activity is attributable to a single dominant actor, likely the same attacker documented in our previous dark web research. The data reveals an interesting discrepancy, they said. While Shodan identified 3,100 servers as fully exposed to the Internet, our analysis shows that only slightly less than half of these instances were actually found to be compromised and wiped. Based on the Shodan data, we found a little more than 95,000 of the more than 200,000 exposed servers had at least one vulnerability. So there are, you know, also these servers are vulnerable in addition. So under their prevention and mitigation section, they enumerate, you know, all the expected steps and measures.
Steve Gibson [02:43:14]:
You know, avoid exposing MongoDB directly to the Internet, enable authentication and authorization, restrict network access. You know, I'm a big fan of IP address filtering. Why let the world have it? Why expose it to Asia, for example? If you have to have it exposed in the U.S., then, you know, do some geolocating; that's no longer difficult to do. They say, harden container and cloud deployments, implement continuous exposure monitoring, isolate the database, audit access logs, assess data integrity, and patch and upgrade. Right? So, you know, all of that amounts to standard and expected best practices. Don't expose the darn thing to the Internet, period.
Steve Gibson [02:44:03]:
Why, you know, exercise any sort of security hygiene. So anyway, my two final points are. The first is one of my primary. We wake up and smell the coffee. It's not that it's impossible for authentication to work. It's that it absolutely must not be relied upon to work. It should never be the only thing standing between attackers and disaster. It should only ever be one of multiple lines of defense.
Steve Gibson [02:44:44]:
One of my favorite things that I hit upon last year, thanks to this podcast, is the observation that the only servers that should ever be exposed to the Internet are those that are meant to be accessed anonymously by everyone. In other words, no authentication on purpose, no authentication by design. Things like web servers and email servers and DNS servers that everyone is expected to access. Their job is to provide anyone who comes knocking a connection and access. This means that nothing that requires a logon before its services can be used from the public Internet should ever be widely exposed. I know it sounds nutty and impractical, but almost all systems and services could be set up that way if their IT people cared to do so. Pointing fingers at Microsoft, Cisco or whomever after the fact and blaming them for their authentication failures may shift the blame, but a more robust overall network design could have prevented their failure from also highlighting yours. And I said I had two points to make.
Steve Gibson [02:46:10]:
The second point flows from this line of Flare's systems conclusion. They write: attackers did not rely on sophisticated exploits or zero days. Instead they abused insecure defaults. This further supports the pessimistic contention I ended with last week. AI may help us find flaws in our software. Now we know that's almost certain to happen. Yay team. That's great. But unfortunately, while AI may be getting smarter, it also shows no signs nor hope of being able to make us humans any less dumb.
Steve Gibson [02:46:56]:
AI won't fix what amounts to laziness and lack of attention to critically important details, configuration mistakes and default setups. That's on us. There's just no excuse for MongoDB for example, to still, as we enter 2026, be in the sad state it is. It's truly unconscionable.
Leo Laporte [02:47:21]:
Well, maybe they'll listen to this show and figure it all out. Steve. Certainly I have. Now I have to go open all the ports on my router so that my AI assistant can that's.
Steve Gibson [02:47:35]:
That's good.
Leo Laporte [02:47:35]:
Do everything.
Steve Gibson [02:47:38]:
Give it your credit card number, give it your family history.
Leo Laporte [02:47:42]:
You only live once Steve.
Steve Gibson [02:47:45]:
Yolo baby, baby.
Leo Laporte [02:47:48]:
It's so tempting. You know, I'm sitting here looking at I'm giving it oauth credentials to my Gmail and my Google Drive and well, how else is it supposed to triage my email and upload files and know.
Steve Gibson [02:48:02]:
What you're thinking from no and know what I'm thinking?
Leo Laporte [02:48:05]:
Yeah, I already kind of gave it a brain dump. I'm going to also give it my Obsidian and Day one journals and it can. It can know everything deep down in my inner secrets. But I'm not giving it my GitHub keys.
Steve Gibson [02:48:19]:
No way.
Leo Laporte [02:48:20]:
Steve Gibson is at GRC.com, the Gibson Research Corporation. That is where? Well, there's so many reasons to go there, of course. SpinRite, the world's best mass storage maintenance, performance enhancing and recovery utility. If you have mass storage, you need SpinRite. He's also got the incredible brand new, just for you, DNS Benchmark Pro for a mere $9.99, so lifetime license. So go on in there and get it. While you're at GRC.com, you can also give him your email address. No, he's not going to send you anything unless you ask for it, but the idea is that you can send him stuff because he whitelists.
Leo Laporte [02:49:01]:
He's a clever system. He's got a whitelisting system. So once you put the address in, he does some voodoo and then all of a sudden you can send him emails with pictures of the week or questions or suggestions. GRC.com Email There are two little checkboxes below the email address. One for the weekly newsletter. Now, it goes out on Sunday. Soon it'll be Saturday. If Laurie has anything to do with it, it'll be by Wednesday.
Leo Laporte [02:49:27]:
And I take it she does that so she has more time with you. And I think that's a good thing.
Steve Gibson [02:49:33]:
She just knows that I get stressed out because I take this responsibility so seriously and so the sooner it's over, then I'm not worrying about getting it done.
Leo Laporte [02:49:41]:
So doesn't she understand it's never over? It's like painting the Golden Gate Bridge. Soon as you finish one, you gotta start the next. Anyway, check that box. You get that news. The weekly mailing of the show notes. Really, really great stuff. 22 pages this week of fantastic stuff. Links, images, all the text.
Leo Laporte [02:50:00]:
Now you can actually see the real text, the transcript he's got. When you go to the podcast site, not only does he have some unique versions of the show, but he has really nice transcripts written by a human, not AI. Elaine Farris does a great job. So the transcripts for every show are there. It takes a few days. 1063 will be there, you know, maybe by Friday. You also can get, of course, the show. He's got the 16 kilobit audio version.
Leo Laporte [02:50:28]:
Does anybody download that ever?
Steve Gibson [02:50:32]:
I haven't seen the counts.
Leo Laporte [02:50:35]:
Somebody must.
Steve Gibson [02:50:36]:
There are people who absolutely rely on it and they tell me when, you know, it's like I forgot to post or because I have to manually select the. The bit rate, sometimes I forget and leave it at set to 64. And they'll say, hey, this thing's too big. I know it's.
Leo Laporte [02:50:55]:
It's probably people on dial-up in, you know, Western Australia, stuff like that. You know, really, you know, people really out in the boonies, but they love the show, if you know who you are. The 16 kilobit versions at GRC.com. He also makes a 64 kilobit version which is still smaller than what we offer. So that's good. And that sounds fantastic. That one's fine. And let's see, show notes, the two different versions, the transcript. I think that's everything, right, that you offer for that.
Leo Laporte [02:51:26]:
Go there. There's lots of other stuff. It's one of those websites you fall into and three hours later you go, what? What happened to the time? Lots of great information there. We have copies of the show at our website too, of course, twit.tv/sn. But ours are heftier. We have 128 kilobit audio for people with four ears. We also have a video version of it, if you like to see Steve's mustache.
Leo Laporte [02:51:52]:
It's very animated.
Steve Gibson [02:51:54]:
It's getting wider.
Leo Laporte [02:51:55]:
It's a life of its own. If you keep drinking coffee, it might not get wider. That's twit.tv/sn. There's a YouTube channel dedicated to this. Actually, that's really useful because I know all the time, you know, you say, God, I got to send this to my boss or whatever. Easy to clip. Everybody can watch it, even your boss.
Leo Laporte [02:52:15]:
So that's the Dedicated to Security Now YouTube channel. I can't remember the exact address. Something like YouTube.com Security Now. Something like that. Yes. Search for security now. You'll find it. And the easiest way to get it, subscribe in your favorite podcast client because it's everywhere.
Leo Laporte [02:52:32]:
Leave us a nice review if you do that. We'd appreciate it. And of course, it's free. There's audio and video. We do do the show live. We stream it live. If you want to watch while we're doing it. It's funny, we've been doing that for years, since like 2009 or something.
Leo Laporte [02:52:47]:
But now all the cool kids say, hey, you know, you really ought to stream video of your podcast. It's like, oh, really? I should think about that. Oh, there's a new podcast company just started up, Kaleidoscope, they said, and we're going to do video. Oh, good for you. So if you want to watch us do it live, we stream the video as we're doing it every Tuesday right after MacBreak Weekly. It's about 13:30 Pacific time, 16:30 Eastern. That would be 21:30 UTC.
Leo Laporte [02:53:18]:
The live streams are on the Discord for club members, but there's also YouTube, Twitch, X.com, LinkedIn, Facebook, and Kick. So lots of ways to watch us live. And if you're watching live, I watch the chat and I see all the chats, so you can also chat with us as well. Appreciate it. I think that's all the business I need to take care of. Except to say Steve, you did it again. Thank you so much. And we'll see you next week on Security Now.
Steve Gibson [02:53:44]:
Thanks buddy. Till then. And who knows when the show notes will come, but I'll be working on them next weekend.
Leo Laporte [02:53:51]:
It's always a surprise. Hey there, it's Leo Laporte, host of so many shows on the TWiT Network. Thinking about advertising in 2026? We host a network of the most trusted shows in tech, each featuring authentic host-read ads delivered by Mikah Sargent, my co-host, and of course me. Our listeners don't just hear our ads, they really believe in them. Because we've established a relationship with them. They trust us. According to TWiT fans, they've purchased several items advertised on the TWiT Network because they trust our team's expertise in the latest technology. If TWiT supports it, they know they can trust it. In fact, 88% of our audience has made a purchase because of a TWiT ad.
Leo Laporte [02:54:35]:
Over 90% help make IT and tech buying decisions at their companies. These are the people you want to talk to. Ask David Coover. He's the senior strategist at Threatlock. David said TWiT hosts are some of the most respected voices in technology and cybersecurity and their audience reflects that same level of expertise and engagement. It's the engagement that really makes a difference to us. With every campaign, you're going to get measurable results. You get presence on our show episode pages. In fact, we even have links right there in the RSS feed descriptions.
Leo Laporte [02:55:06]:
Plus, our team will support you every step of the way. So if you're ready to reach the most influential audience in tech, email us, partner at twit.tv, or head to twit.tv/advertise. I'm looking forward to telling our qualified audience about your great product. Security
Steve Gibson [02:55:27]:
Now.