Security Now 1070 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. Lots to talk about this week. We need a caption for our photo of the week. Maybe you can help. A social media company, another one, says no to strong encryption. That's not a good sign. There is a problem with proxies serving malware, and it might even be coming from your router.
Leo Laporte [00:00:20]:
We'll tell you how to find out. And then he's going to talk about his experience using CISA's internet scanner. All that coming up next. On Security Now. This episode is brought to you by OutSystems, a leading AI development platform for the enterprise. Organizations all over the world are creating custom apps and AI agents on the OutSystems platform, and with good reason. Build, run, and govern apps and agents on one unified platform. Innovate at the speed of AI without compromising quality or control.
Leo Laporte [00:00:51]:
OutSystems is trusted by thousands of enterprises worldwide for mission-critical apps. Teams of any size and technical depth can use OutSystems to build, deploy, and manage AI apps and agents quickly and effectively without compromising reliability and security. With OutSystems, you can accelerate ideas from concept to completion. It's the leading AI development platform that is unified, agile, and enterprise-proven, allowing you to build your agentic future with AI solutions deeply integrated into your architecture. OutSystems, build your agentic future. Learn more at outsystems.com/twit. That's outsystems.com/twit. Podcasts you love from people you trust.
Leo Laporte [00:01:41]:
This is TWiT. This is Security Now with Steve Gibson, episode 1070, recorded Tuesday, March 17th, 2026. CISA's free internet scanning. It's time for Security Now! Every Tuesday. I know you're looking forward to this, and I am too. We get together with this guy right here, Mr. Steve Gibson, our security guru, talk about the latest news, and there is always a lot of security news.
Steve Gibson [00:02:13]:
It is true, Leo. A small, very small subset of the world looks forward to, uh, sometimes this Monday morning, or I mean Wednesday morning typically, you know.
Leo Laporte [00:02:23]:
Well, it's— let's put it this way, we had about what, when we were last, a couple weeks ago at Zero Trust World, I think there were 1,800 people in our audience. We have, you know, I don't know, maybe 8 times that for every show. So it's a lot more people who are listening today than were there in the, although a live audience, you're very aware of them. A podcast audience, we don't know.
Steve Gibson [00:02:51]:
Yeah. Although I, as you'll see, this week's Picture of the Week issued a caption photo contest. So what, you know, I invited our listeners to caption this photo early on. Boy, did I get replies. Well, 20,191 pieces of email went out Sunday saying, we got any ideas? Oh boy, did I know. Yeah, I, I, uh, I got ideas back.
Leo Laporte [00:03:25]:
So, all right, well, we'll see that in just a second.
Steve Gibson [00:03:27]:
Episode 1070 for— we're crossing over the middle of March. It's the 17th. Um, I decided that I wanted to share the results from my first successful interaction with CISA's free internet scanning because I'm now in a position to be able to know it, like what it is, and to be able to recommend it without reservation to anybody who's got more than one IP that is, you know, DHCP issued by their ISP. Small, medium, large enterprise, I qualified. And as we know, I'm not running anyone's water filtering for the municipality or anything. I'm just GRC. But so it turns out that that barrier, which they talk about as this is for, you know, government agencies and local, state, and federal, you know, no, it's commercial enterprises are considered infrastructure in a very broad definition. So anyway, I'm going to tell everybody everything that I came away with from that.
Steve Gibson [00:04:41]:
And also, what it found in GRC's network that, uh, okay, I knew about it, but still it was interesting. And it was a little bit of a cry wolf, but, uh, we're gonna talk about the Picture of the Week, of course. Uh, also, a mega social media company has decided to say no to their own strong encryption on their own messaging, which is interesting. Uh, yeah, uh, and what does that mean? WhatsApp is going to give parents more control, which we'll, we'll discuss that. I think that's also good. Consumer bandwidth proxying that we were just talking about in the context of that Bright Data sort of semi-slimy, so smart TV API, turns out it's becoming a big deal. And I guess in retrospect, not that big a surprise. That is consumer bandwidth proxying.
Steve Gibson [00:05:36]:
Also Meta has purchased the Maltbook founder duo. Try to say that 3 times. We'll talk about that. The EU has given up and is settling upon a compromise with that controversial chat control. Oh, there it turns out that ransomware negotiation may not be always what it seems. Which should come as a surprise. CISA is compelling federal agencies to submit their logs to them. What? Also, is that a VPN in your pocket, or maybe is that something more malicious? We're going to answer that question.
Steve Gibson [00:06:24]:
Also, be very careful about what you download thinking that it might be AI. Once again, bad guys jump on anything that is popular, taking advantage of the enthusiasm of the moment. We've got a super clever and also worryingly simple means of bypassing AV scanners that a security researcher came up with. I'm going to answer the question that I keep getting from our listeners, which is whether AI will be writing code for me. And I've got an interesting couple of, uh, well-informed postings to share about that, uh, followed on the heels of another listener of ours discovering the joy of AI, uh, and then I'm going to share my experience with CISA's free internet scanning and unreservedly promote it to our listeners' enterprises. I just can't think of a reason why, why no, why anyone who was able to and was qualified wouldn't want to enlist, uh, another piece of, you know, another set of eyes looking at and confidentially reporting what they see from the outside. So I think, Leo, maybe it's worth tuning in this week.
Leo Laporte [00:07:45]:
Well, you've done so already, so it's too late. Uh, and I should mention it is St. Patrick's Day, so I shall be disappearing from time to time to check my corned beef to make sure it is doing its thing.
Steve Gibson [00:08:01]:
And are four-leaf clovers a result of Chernobyl radiation?
Leo Laporte [00:08:05]:
Ah, that's a good question.
Steve Gibson [00:08:06]:
Or do they occur in nature?
Leo Laporte [00:08:07]:
I wonder. Well, they do occur in nature. I know that because we had them before Chernobyl, but I wonder if there are more of them than there used to be.
Steve Gibson [00:08:14]:
Aren't they normally three and they get a mutation?
Leo Laporte [00:08:16]:
Normally the three. They are a mutation, I believe, yes.
Steve Gibson [00:08:20]:
You know, Mark Thompson, went to Chernobyl with a group, like he thought that would be a cool place to go walk around. And he did report that there seemed to be an abundance of four-leaf clovers.
Leo Laporte [00:08:32]:
Aha. So that's a very interesting experiment.
Steve Gibson [00:08:35]:
What made me think of it?
Leo Laporte [00:08:37]:
Yeah. We will get to our picture of the week and your caption contest in just a moment. But first, a word from our sponsor, DeleteMe. Let me tell you, folks, if you've ever searched for your name online, if you've ever wondered how much of your personal data is out there on the internet, don't do it. It is a lot more than you can possibly imagine. Your name, your contact info. Steve and I did this, I don't know, about a year ago after a big breach, a big data broker breach, found our Social Security numbers, home addresses. You know, it's not illegal to sell somebody's Social Security number.
Leo Laporte [00:09:15]:
That seems like that should be illegal. It's not. We, we, on last week we had Cindy Cohn, who's the executive director of EFF, on. She's written a new book about Privacy's Defender, and we talked about why we do not have comprehensive privacy legislation in this country. We do not have that protection. Well, fortunately, we have DeleteMe. Okay, I mean, the bad news, it's completely legal for data brokers to collect all this information about you, your family members, your employees and then sell it online to anybody, anybody who wants it, including foreign nationals, law enforcement. It's not just marketers anymore, hackers.
Leo Laporte [00:09:56]:
And of course, this can lead to terrible consequences— identity theft, phishing attempts, doxxing, harassment. But now you can protect your privacy with DeleteMe. I think everybody should be doing this. We first became aware of Delete Me when Lisa was phished. There were text messages sent out on her behalf. So she— they used her name and phone number and her— she— they knew about her direct reports and what their phone numbers were, and they were able to text them saying, oh, I'm stuck in a meeting right now, can you buy some gift cards and send them out?
Steve Gibson [00:10:28]:
So impersonation attack.
Leo Laporte [00:10:29]:
Impersonation, that's the word. Uh, that was an eye-opener because immediately I saw they know way too much about our corporate structure. So I think every business should have DeleteMe for their middle management, their upper management to avoid this. This certainly helps a lot. And it's something we've been subscribing to for a long time. In fact, every couple of weeks we'll get a DeleteMe email, which is great, telling you what they found, what they've removed. DeleteMe is a subscription service, so it doesn't just— it's not a one and done. It will remove the personal information you specify from hundreds of data brokers— there are more than 500 at last count, new ones every day, so it might even be more than that.
Leo Laporte [00:11:09]:
You sign up, you provide DeleteMe with just what you tell them, what you want removed, so they don't remove too much, right? Just, just, I don't want my social out there, that kind of thing. I don't want my phone number out there. Their experts will take it from there. They will go one by one and get your stuff gone. And then, as I said, they'll send you regular personalized privacy reports telling you what info they found, where they found it, what they removed. And they will do this again and again because data brokers are like cockroaches. You, you can't just exterminate them once. They come back and there's new ones all the time.
Leo Laporte [00:11:46]:
You need DeleteMe to constantly work for you. They always are monitoring. They're always removing the personal information you don't want on the internet. To put it simply, DeleteMe does the hard work of wiping you, your family, your employees, your management's personal information from data broker websites. So take control of your data, keep your private life private, sign up for DeleteMe. We've got a special discount for our listeners. This is on the individual plans. You'll get 20% off your DeleteMe plan.
Leo Laporte [00:12:12]:
joindeleteme.com/twit. So that URL is very important. joindeleteme.com/twit. Use the promo code TWIT at checkout. The only way to get 20% off is to go to joindeleteme.com/twit and enter the code TWIT at checkout. That's joindeleteme.com/twit, offer code TWIT. We thank them so much not only for supporting Security Now and the good work Steve does here, but for helping keeping, uh, keep us private and safe on the internet.
Steve Gibson [00:12:46]:
So Leo, before you look at the photo I will just tell you that all I wrote across the top of it was SecurityNow's Caption That Photo Contest.
Leo Laporte [00:12:58]:
Okay.
Steve Gibson [00:12:59]:
And when you scroll up, you'll see why. Oh boy.
Leo Laporte [00:13:08]:
Oh boy. Now we were talking about this. I don't know where this is, but Paul Thurrott and I were talking about this in Mexico. He lives in Mexico City. This is what the phone poles look like because if something doesn't work, they don't figure out what's not working. They just put a new one in. So many of these wires are probably nonfunctional. Tell us what we're looking at here.
Steve Gibson [00:13:29]:
So, well, when I was growing up, we would have called this a rat's nest.
Leo Laporte [00:13:36]:
Yes.
Steve Gibson [00:13:37]:
And it is someone atop, a, uh, it's hard to describe this as a telephone pole, although these look like phone lines coming in.
Leo Laporte [00:13:49]:
There's one in there somewhere, I think.
Steve Gibson [00:13:51]:
And look, there's like boxes hanging from wires and, and various size junction containers. And, and I do notice that a lot— there's a lot of loopage, you know, like, like, like rolls of wire that are hanging. It would be really interesting to actually know where now. And as you noted, when something goes wrong, they just string another one. It's difficult to imagine that this actually functions. And one wonders how long ago this began that, and to allow this to occur to it. It's just anyway, so, uh, in response, that's all I said was— I didn't even— I know it— I, I didn't have a chance to talk about it on the email that I sent out, but our 20,191 recipients said, oh, I got an— I got a name for that. And so the responses have been pouring in, uh, in response to something that came in early that gave me an idea for what I think is going to probably— I'm going to suggest as the winning caption, uh, but we will see next week.
Steve Gibson [00:15:08]:
In the meantime, uh, those who are just listening to this, I, I, I don't think I could adequately prepare you for what you would actually see if you saw the photo in this week's show notes. It is beyond insane. And, and, and Leo, how did he get up there? Like, he must have like had a crane plant him on the top of this because you can't climb the— well, I guess you could climb the side, but then who knows how many wires you'd pull loose.
Leo Laporte [00:15:42]:
So wow, that's amazing.
Steve Gibson [00:15:45]:
Yeah, and I've had this photo in my, in my, uh, uh, pictures of the week candidate pile for quite a while, and finally I thought, okay, let's just see what our listeners think about this. Okay, so, um, last week the news— and we talked about this, of course— was that TikTok had decided and formally announced that it would not be adding end-to-end encryption to its already controversial enough short format video sharing platform, right? They said that, that is, TikTok said that we want to enhance our users' security, and doing that means being able to screen the content that our users are sharing and prevent illegal content from being shared. So they said that. Then, somewhat surprisingly, last Friday, The Hacker News reported that Meta, of all people, or all groups, all companies, had announced their somewhat similar plan to back encryption out of Instagram. Uh, what? So The Hacker News wrote, Meta has announced plans to discontinue support for end-to-end encryption for chats on Instagram after May 8th, 2026. So I guess this was like a 60-day notice, right? Uh, uh, uh, March, April, May. Uh, they said the social media giant said in a help document, quote, if you have chats that are impacted by this change, you'll see instructions on how you can download any media or messages you may want to keep, which I thought was interesting. How is keeping messages relevant to ending end-to-end encryption?
Steve Gibson [00:17:45]:
Maybe they're just going to start over. I don't know, uh, like get rid of everything that has been in the dark that they haven't been able to see, so that from now on any new messaging will be without end-to-end encryption. Anyway, they said if you have an older version of Instagram, you may also need to update the app before you can download your affected chats, unquote. The Hacker News said when reached for comment, this is what Meta had to say, quote, very few people were opting in to end-to-end encrypted messaging in DMs, so we're removing this option from Instagram in the coming months. Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp. Okay, uh, The Hacker News said the American company first began testing end-to-end encryption for Instagram direct messages in 2021 as part of CEO Mark Zuckerberg's, quote, privacy-focused vision for social networking, which we all remember at the time. They said the feature is currently only available in some areas and is not enabled by default. Then they said weeks into the Russian-Ukrainian war in February 2022, the company made encrypted direct messaging available to all, all adult users in both of those countries.
Steve Gibson [00:19:09]:
The development comes days after TikTok said it does not plan to introduce end-to-end encryption to secure direct messages on the platform, telling BBC News that the technology makes users less safe and it wants to protect users, especially young people, from harm. Last month, Reuters also reported that Meta proceeded with plans to adopt encryption to secure messages in Facebook and Instagram despite internal warnings in 2019 that doing so would hinder the company's ability to detect illegal activities such as child sexual abuse material, you know, CSAM, or terrorist propaganda. Um, uh, and then flag those, uh, illegal activities to law enforcement. They said end-to-end encryption has been hailed as a win for privacy as it ensures that only communicating users— only communicating users— can decrypt and read messages, thereby locking out service providers, bad actors, and other third parties from accessing or intercepting the data. However, law enforcement and child safety advocates have argued that the technology creates a safe space for criminals as it prevents companies from complying with warrants to turn over message content, a problem referred to as the going dark phenomenon. This year, the European Commission is expected to present a technology roadmap on encryption. We'll have a little more to say about that in a minute. To identify and evaluate solutions that enable lawful access to encrypted data.
Steve Gibson [00:20:54]:
Good luck with that. By law enforcement while safeguarding cybersecurity and fundamental rights. Okay, so I think this is interesting, and I wonder whether this signals the start of a gradual backing away from providing strong encryption to consumers on the mega popular generic platforms. I doubt whether most lawful users of TikTok, lawful users of TikTok, Instagram, or even WhatsApp really care all that much about encryption. Sure, if they can have it for free and if it's built in and if it doesn't cause them any trouble or headaches, sure, okay, fine, they'll take it. Um, but is even a single person gonna walk away if it's removed? I doubt it. While there was an initial rush on the part of publishers to provide it, you know, like in 2019 with, with, with Zuck's big privacy-first business, um, I don't think it's ever been shown that there was any actual consumer demand. Anyone who really wanted secure messaging, after all, could switch to Signal, which is also free and where Meredith maintains unflagging vigilance at the gate.
Steve Gibson [00:22:22]:
So the way we're seeing things shake out, I suspect that the right solution to all the mess and pushback to this messaging, you know, to all— to the increasing prevalence of fully encrypting everyone's random messages on consumer platforms by default, is simply not to bother with it, and no one will much care. I know this will make the privacy-at-all-costs people's heads explode, but again, Signal is always available, as is Telegram, and is free. For anyone who actually wants it. For those who worry about grooming and CSAM, you know, removing always-on encryption by default from the major platforms will tend to eliminate that opportunistic abuse. It won't be on, and so the bad guys can't safely do that. And in fact, eventually I think it won't even be an option. So, um, I'd be interested, Leo, to know what that gal— you had an EFF person on, uh, recently— wonder, you know, what she had to say about all this. Um, WhatsApp, however, uh, is also moving in a parent-forward fashion.
Steve Gibson [00:23:42]:
Uh, Meta also announced the addition of parent-managed accounts for WhatsApp. The accounts are designed for preteen children where access to account settings will be controlled by a PIN set by the parent. Essentially, parents can control settings, lock those settings on their children's devices, their underage teen, you know, preteen children's devices, um, and, and, and obtain some control over it. Um, the message content on the preteen accounts will remain private. So this is not a privacy invasion. It's a, you know, setting controls lock. Parents will be able to approve to whom their children may speak, what groups they can join, and review message requests from unknown contacts. So do a little bit of sort of at-distance management of what their kids are doing, keep their kids from changing that stuff, uh, basically parental controls for WhatsApp.
Steve Gibson [00:24:52]:
And I think, you know, that, that seems to make a lot of sense to me and seems like a good thing. Um, last week we looked in some depth at the company Bright Data, whose unfortunate business model involves arranging to offer end users the, like, not directly from them, but by virtue of streaming partnerships and smart TV partnerships, to, uh, offer end users the ability to lower their costs, uh, either for streaming and or see fewer advertisements in return for, for the privilege of routing third-party internet traffic through their ISP-purchased or subscribed bandwidth and thus using their residential consumer IP address. And as we noted last week, there's only one conceivable reason for doing this, which is to allow those third parties to mask their identities and hide whatever their purchase may be among the world's broadly distributed consumers. The issue of consumer proxies was again in the news after we talked about it last week for another reason. The, the Risky Business News late last week opened by writing, American and European law enforcement agencies have seized the infrastructure of a residential proxy provider named SocksEscort, the latest such crackdown against proxy providers over the past years. And again, this is like a growth interest on the internet, this idea of proxies, because the internet is getting much better about filtering and proxies are a way to bypass filtering. Risky Business News wrote the service, this SocksEscort service, had been running since 2021 and rented access to more than 369,000— so more than a third of a million— 369,000 different IP addresses, not all at once but across its entire lifetime. So that, you know, they came and went over time.
Steve Gibson [00:27:26]:
Generally there were several tens of thousands at any given time. According to the FBI, they write, Europol and Dutch police, uh, SocksEscort was a front for a malware operation that infected modems and home routers. In other words, unlike Bright Data, which is, is hopefully an above-board, only with user permission, and hopefully with user understanding, asking to reuse consumer bandwidth. This is malware. These are, you know, leveraging router vulnerabilities in order to get these proxies installed and then obtain persistence. So in other words, malware proxies, not benign bandwidth bouncing proxies. They were maliciously installed without their host's knowledge or permission. To form a proxy botnet.
Steve Gibson [00:28:27]:
Of course, we've talked about proxy botnets through the years, uh, because this IP-based blocking, as I said, has been growing and the bad guys are needing to obscure their bandwidth. Uh, the, the article continues writing, Lumen's Black Lotus Labs linked this group to a botnet it discovered in 2023 named AVrecon. The botnet never grew to an extremely large size but managed to maintain, they write, a healthy pool of IP addresses it could rent out to its customers, most of which were other cybercrime operations needing ways to hide their attacks inside the infrastructure of residential internet providers. Europol linked the service to ransomware deployments, DDoS attacks, and the distribution of child sexual abuse material. It also estimated that SocksEscort operators made more than €5 million from renting their infected IPs, which they noted is quite the sum for a service as simple as, you know, proxying. On the day of the takedown, they write, the FBI published an advisory with tips on how telcos and consumers can protect their devices and prevent them from ending up as nodes in proxy networks. It also published advice on spotting and removing specifically this AVrecon from residential devices. Over the past few years, they said, the U.S.
Steve Gibson [00:30:08]:
has mounted a war against residential proxy networks after several reports concluded that foreign adversaries were using infected American routers to hide their tracks. Law enforcement takedowns have targeted both private proxy networks like ORBs, or operational relay box networks, but also residential proxy providers. The difference between the two is that ORBs are typically built and managed by the threat actors for their sole use. So those are essentially proxies installed somewhere, while a residential proxy provider is a service built for an operator's financial gain, typically rented out to whoever has the money. And they finish saying past proxy-using botnets that were taken down include 911S5, Anyproxy, 5socks, RSOCKS, Flax Typhoon's Raptor Train, Volt Typhoon's KV Botnet, APT28's Moobot, VPNFilter, and others. So in other words, the idea of proxying is a hot commodity on the internet today. Our takeaway is that while bad guys again probably have very little interest in the contents of any random person's internal network, and for that we can be thankful, and let's hope that doesn't change soon. There is substantial interest in using and abusing any distributed bandwidth they are able to obtain, being able to hide and emit their junk, whatever it is, attacks, probes, uh, whatever, from residential IPs, from, you know, the IPs of users who have no idea that's what's going on.
Steve Gibson [00:32:05]:
That's of huge value to them. In fact, way back in time when I tracked down that, uh, that kid that had been DDoSing GRC, um, it was a— I got the FBI to work with me. I had the IP address of a source of the attacks because the source IPs were not spoofed. We located a family a few miles from me, and I made a house call and looked at their computer. It was infected. They had no idea this was going on behind their back. They were horrified. And of course, I was interested because I wanted to get a sample of this thing in order to reverse engineer it, which I did.
Steve Gibson [00:32:53]:
And in return for that, I disinfected their computer for them. But that's an example of, you know, this happening behind people's backs and nobody had any idea. So, um, we've also learned that substantial interest in, you know, I said there is, there is substantial interest in using and abusing any distributed bandwidth the bad guys can obtain. And what we know is that substantial interest in equates to substantial pressure to get in. That is, you know, bad guys want in to people's NAT routers. So keeping the bad guys out means resisting any temptation to rely on a border router's authentication mechanisms. We see time and time again, you just can't. Any NAT router without any deliberately exposed WAN-side services is going to be inherently bulletproof.
Steve Gibson [00:34:02]:
If traffic is only originated from inside and is only allowed to come back in from outside when it matches what first went from inside out. So it's a firewall unless you poke holes in it. Poking holes in it means unsolicited connections from the outside in because, for example, you just couldn't resist turning on remote web access to your router's management interface.
Leo Laporte [00:34:31]:
I can't resist that.
Steve Gibson [00:34:33]:
Please, please resist.
Leo Laporte [00:34:37]:
So I use Tailscale to open up.
Steve Gibson [00:34:40]:
100%.
Leo Laporte [00:34:41]:
That's okay, right?
Steve Gibson [00:34:42]:
Yes. Because Tailscale is outbound NAT penetration and you are not opening, you know, you are not able to from Starbucks, you know, put, you know, go https:// and then your home IP and be looking at your routers. Oh, log into your ASUS. No, no, no, no, no, no. It's only when consumers decide to deliberately expose external management, you know, access to their router-hosted services that authentication bugs in the router's firmware can be leveraged to install and maintain proxies. So, and again, it's like everyone's false thought is, well, who would want to get into my router? Who would want to get into my network? I don't have anything. The fact that you have a router is valuable. That creates pressure to get in because they want to set up shop and use your bandwidth and use your IP.
Steve Gibson [00:35:49]:
And also, you don't want your IP associated with all kinds of dastardly deeds on the internet. That's— not good for you either.
Leo Laporte [00:35:56]:
And there's some, uh, interest in how— when, uh, what does it take to get a house call from Steve Gibson? Asking for a friend. That's special treatment, let me tell you, folks. So if I, uh— so does the proxy server run on a PC or does it run on the router?
Steve Gibson [00:36:15]:
It's on the router. So, so it is, yeah. So it's a little— it's, it's a little, uh, daemon that is set up in the router. Uh, it, it, it's added to the router's boot code so that it comes back alive, and it, it, it reaches out to a remote command and control server to establish a contact. So even, even with it there, it doesn't open a port. It maintains its own stealth because it reaches out to the external command and control, and then, so basically it phones home to establish a connection and then to await orders.
Leo Laporte [00:36:54]:
How, how is, how do you detect it?
Steve Gibson [00:36:59]:
Uh, you've got to look at the actual, you got to, you know, like a traffic map or something. Well, traffic, or I mean, it unfortunately, and this is the problem, is most the re— the reason I paused there is that all the ways I could think of required you to know Linux. You know, I mean, you need to look at the shell script startup stuff and go, what the heck is that?
Leo Laporte [00:37:25]:
That's not supposed to be there. In other words, you need Steve to come over.
Steve Gibson [00:37:28]:
Don't attack me.
Leo Laporte [00:37:30]:
So if you reboot the router, is that sufficient?
Steve Gibson [00:37:34]:
Oftentimes rebooting, because a lot of these things are unable to establish. Yes, they only live in RAM. So, so rebooting is the first thing. Reflashing is— that will also do it. So like, you know, if, if you're able to just update your firmware or re-update your firmware, that will also clear things out.
Leo Laporte [00:37:55]:
Good to know.
Steve Gibson [00:37:57]:
You know, the other thing that's good to know, Leo—
Leo Laporte [00:37:59]:
what's good to know?
Steve Gibson [00:38:00]:
I know you know. I know, I know this next sponsor is good to know about.
Leo Laporte [00:38:05]:
Everyone should know about our next sponsor. I completely agree with you, and I would tell you about them if I just had put the right copy in there. So hold on just a, just a, just a, just a moment while I get mesmerized. Our viewers, everybody, look, look at Steve's coffee cup. Steve's coffee cup. It's so good. Our show today brought to you by Material, the cloud workspace security platform built for lean security teams. I love Material because it's not there to replace you, security teams.
Leo Laporte [00:38:43]:
It's there to augment you, to make your life better. Managing security in the cloud is tough, especially in those cloud workspaces we all use now. We're a Google Workspace customer. Maybe you're a Microsoft 365 customer. It's not just phishing anymore either. It's not the only way in today's email security. You know, tends to stop at the perimeter, and new attacks are hard to detect with siloed email and data and identity security tools. So Material goes that extra step.
Leo Laporte [00:39:12]:
They protect the email, the files, the accounts that live in your Google Workspace or your Microsoft 365, because effective email security today needs to do more than just, you know, block phishing and other inbound attacks. It needs to provide visibility and defense across the entire workspace threat surface. Material ingests your settings, ingests your contents, your logs. It, it's smart. It looks at it and it gives you a holistic— those of visibility into the threats and the risks, not just email but across the workspace. And then of course it gives you the tools to actually remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. You get phishing protection, and email security, combining advanced AI detections with threat research and user report automation.
Leo Laporte [00:40:07]:
So you've got all these signals coming in and you can coordinate those. You also have detection and protection of sensitive data, not just in your inbox but shared files too, because it understands the whole workspace. You also get account threat detection and response. Somebody's trying to get Lisa's Google Workspace account pretty much every day. This would give you comprehensive control over access and authentication of people and third-party apps. Material empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for that really sensitive content, blast radius visualization for accounts, and the ability to detect and respond to threats and risk across the entire cloud workspace. Material. Enables organizations to scale their security without scaling their team.
Leo Laporte [00:40:59]:
It's not there to replace you, it's there to make your life better. Material drives operational efficiency with its simple API-based implementation and flexible automated one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. Makes your life easier. Material protects the entire workspace for the cost of just email security alone with a simple and transparent pricing model. You'll be very impressed. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more or book a demo. Easy to remember: material.security.
Leo Laporte [00:41:44]:
We thank them so much for supporting Steve and the work he does at Security Now. That's material.security. And now back to a fully caffeinated Steve.
Steve Gibson [00:41:59]:
Re-caffeinated.
Leo Laporte [00:41:59]:
Re-caffeinated.
Steve Gibson [00:42:01]:
Okay, so in case anyone was wondering, Moltbook, which was that weird facility that was affiliated with OpenClaw, where OpenClaw autonomous AI agents were able to talk amongst themselves, and we lowly humans were only able to look on, gawking in wonder at the interagent AI dialogue. That was just purchased by Meta. I assume actually the guys started work there yesterday. I assume Meta's entire interest is in obtaining those two creators of Moltbook, uh, Matt—
Leo Laporte [00:42:43]:
one of whom is a good friend, by the way, Steve— Ben Parr, who's been on TWiT many times. And Ben Parr, yeah, I didn't know Ben was Moltbook or I would have had him on the show to talk about it all this time. He was kind of more stealthy than the other guy. The other guy got all the attention.
Steve Gibson [00:42:58]:
Yeah.
Leo Laporte [00:42:58]:
Anyway, congratulations.
Steve Gibson [00:43:00]:
Yes, they both— and I'm sure they're being well compensated. They both started working at Meta yesterday on March 16th, uh, in Meta's MSL, which, uh, modestly stands for— no, M is not for modest, M is for Meta. Like, literally, this is what they call themselves, Meta Superintelligence Labs, MSL. Yeah, anyway, uh, Matt has been working on autonomous AI agents since, uh, 2023. And he launched Moltbook in late January as an experimental third space, as they put it, for AI agents. And Moltbook was built largely with the help of his own personal AI assistant, which he named Claude Clutterberg. Okay. And of course, his partner in Moltbook, and now also at Meta, as you said, is Ben Parr, who was formerly an editor and columnist at Mashable and CNET, and a good friend, uh, and a good friend of the show.
Steve Gibson [00:44:06]:
Yeah, of, of TWiT. So apparently Moltbook continues to be available through Meta, although they indicated that they weren't certain what its future might be. So it's not clear whether they're going to bother to keep it going, but for now it is. Uh, the typical corporate-speak statement from Meta, as reported by Axios, was that, quote, the Moltbook team joining MSL opens up new ways for AI agents to work for people and businesses, unquote, which of course says nothing. And I doubt that even they know what they mean by that. But that's how these sorts of, you know, acquisitions go, where it's the people that are actually being acquired. Meta doesn't care about Moltbook at all. They just want those guys.
Leo Laporte [00:44:59]:
Although I imagine that they want to somehow capitalize on this agentic future. And yes, and extend Facebook to agents.
Steve Gibson [00:45:10]:
Why not? God help us, Leo.
Leo Laporte [00:45:14]:
I know. I mean, the real problem with Moltbook, besides the fact that it has had a terrible security model, was that humans could get into it. So we never really knew if it was only AI-generated dialogue, right? Right, right.
Steve Gibson [00:45:29]:
Okay, so the good news is that the EU was unable to secure the votes needed to pass its most recent attempt to force all communication services to monitor their users' communications. I mean, we, you know, we were balancing on a on a razor's edge there for quite a while. It's like this could almost happen. And finally, Germany reversed their previous, yeah, we think that we probably should vote. And they said, okay, no, we're not gonna. And that, that killed the whole thing. So what we have instead is an extension of the previous, what's been called voluntary chat control, which You know, as I said, that's what's already been in place. Last Wednesday, the 11th of March, Heise Online covered this news, writing, the EU Parliament approved a renewed extension of voluntary chat control, which is in quotes because that's not really the official name, but that's what we all call it, to combat child sexual abuse in Strasbourg on Wednesday.
Steve Gibson [00:46:39]:
After the initiative surprisingly failed in the responsible committee a week ago, MEPs are now attaching clear restrictions to the extension. The regulation creates a temporary exception. This is, again, this is, remember we were just talking about how COPPA would need to be amended, Leo, in order to allow like kids to disclose that they're children, but that would be a breach of COPPA because you're not supposed to know that, right? Well, here we have the same thing.
Leo Laporte [00:47:12]:
That would kind of be a hint that something's wrong here.
Steve Gibson [00:47:15]:
Yeah, we got, we got, we got the same thing happening here because you can't, you can't even voluntarily look at people's data under EU regulations. So what we have is an amendment to the regulation creating a temporary exception to the European data protection rules, allowing messaging services to scan chats for depictions of child sexual abuse. There is currently no agreement on a long-term solution, which is, you know, which is what the EU Commission and member states were hoping to get. Providers of messaging services, Heise wrote, may automatically scan their platforms for digital traces of child pornography. The search for adults who prey on minors, known as grooming, is also under debate because this violates the EU directive on the protection of privacy. The EU hastily created an exception regulation in 2021. This exception regulation, which has already been extended once, now again, is valid until the beginning of April and was supposed to be renewed until April 2028 at the request of the EU Commission. Last week, however, the commission's proposal surprisingly failed in Parliament's Committee on Civil Liberties, Justice, and Home Affairs.
Steve Gibson [00:48:41]:
In a— they're just having all this trouble with this. In a new compromise, Parliament has now agreed to an extension until August 2027. At the same time, MEPs voted for a clear limitation of powers to search for already known material and only for users or groups suspected of concrete wrongdoing, thus not just a blanket search everybody. Furthermore, encrypted chats should not be affected. Well, they actually— practically, they can't be because they're encrypted. A spokesperson for the Committee on Civil Liberties, Justice, and Home Affairs said, quote, This exception is a temporary, strictly limited instrument that allows providers to continue their voluntary detection measures under certain conditions. The extension must also maintain end-to-end encryption. These restrictions correspond to Parliament's draft for a long-term solution.
Steve Gibson [00:49:47]:
These will be the subject of upcoming negotiations with the Commission and member states. Only when an agreement is reached here can the renewed extension come into force. There's currently no majority in Parliament for far-reaching surveillance powers such as arbitrary chat control. That's what we were talking about before that Germany vacillated on and then said no. The Council of Member States has also moved away from this after a long struggle, right? However, this does not make a permanent voluntary solution any easier, especially since it also affects the fundamental rights of EU citizens, which are protected from this. While the Commission and member states want to make the controversial exception regulation permanent, the EU Parliament insists on significant restrictions. For example, error-prone technologies such as AI should not be used in the church, in the search for child pornographic depictions. Scanning text messages for grooming attempts should also remain prohibited.
Steve Gibson [00:50:52]:
So if anybody thinks this sounds like a huge mess, then you have been paying attention. Because yes, this is the EU just, they're in a big scramble and pickle fusion.
Leo Laporte [00:51:09]:
They're in a pickle.
Steve Gibson [00:51:11]:
Boy, yes. The good news is that saner heads prevailed. And since they weren't able to push anything forward, they at least didn't move anything backward. And companies that have been doing some of their own platform-based CSAM screening, as we know some major providers have, this gives them the cover to continue to do so without requiring them to do it, nor requiring them not to offer their own internal encryption for their users to whatever degree they wish to. So, you know, for now, that's what we have, and it's probably the best that we could hope for. Um, they, you know, they, they're unwilling to drop it, but they are unable also to push it forward. So they're just extending the, the voluntary chat control, and maybe that'll calm down over time.
Leo Laporte [00:52:11]:
It's so telling that in both the US and the EU, any attempts, uh, to do this have to require exceptions to existing privacy laws. It's like the age verification stuff in the US. They have The, the, the, whoever it is, the Department of Commerce had to give an exception to the COPPA rules, the Child Online Privacy Protection Act rules, because, well, if you're gonna ask people's ages, that's a violation. Isn't it telling that the thing you want to do is a privacy violation? That should tell you something. Oh well, I'm asking too much.
Steve Gibson [00:52:50]:
Yeah, I, I, uh, there, there was a piece that one of our listeners sent me that I looked at, which I can't remember now where the— what the publication was in, but, uh, the, the people were just going crazy calling any indication of— oh, I know what it was. It, it was that Meta had secretly been supporting nonprofits to the tune of $2 billion. I think that was the number, um, across the country for them to be pushing on behalf of, of, um, uh, the need for age determination.
Leo Laporte [00:53:32]:
Oh yeah.
Steve Gibson [00:53:33]:
And pushing Google and Apple to push this onto their platform.
Leo Laporte [00:53:37]:
And they were doing this secretly because they didn't want anybody to know. Yes, they were behind this. Yeah.
Steve Gibson [00:53:42]:
Yes. And my take is that this is where that should happen, that it should be—
Leo Laporte [00:53:50]:
I agree—
Steve Gibson [00:53:51]:
Apple who simply allows an API to be— I mean, the user still has control. Uh, if, if, uh, if you want to go to an age-restricted site, before that happens, a dialog pops up and says the site or the app or whatever it is wants to know if you are an adult. Do you want to give them any indication? You can say no, in which case, if, if you may not be able to go there. Or you can say yes, I, I'm an adult, and I, I, you know, tell them that to me. I mean, the, this, I get it that there are people who want to give nothing, but it's just not— we also have laws throughout the world where age matters. Yeah, you know, children can't drink alcohol. Children, we've decided, cannot be exposed to aspects of human sexuality. You know, children— you know, I mean, there is behavior that's regulated based on age that needs to get extended out to the internet because the internet is here to stay.
Steve Gibson [00:55:03]:
I think that's fair.
Leo Laporte [00:55:03]:
I really do. I've come around a little bit on that. Yeah, I have to find a way to make it work. And I think you're right, there is a choke point. It's, it's Android and iOS. Yeah. And that's where this should happen.
Steve Gibson [00:55:14]:
Yeah. And, and the beauty then is that— and this is Meta's point, and they're right— then every individual provider doesn't have to keep, you know, coming up with their own solution, because every independent solution is another opportunity for a privacy breach. And so, you know, you know, doing things like looking at the camera and saying, oh, don't worry, we're not going to keep your photo. Well, we've already seen examples where, where third parties did keep people's photos and then they got breached. So yeah, I, I, I trust Apple and I would trust and Google to engineer something for Android that's as good as we can get. And, and yes, that, you know, you could still have absolute privacy, but then you're going to lose some access to content which your government has decided only adults should have. So you get to choose.
Leo Laporte [00:56:11]:
Yeah. Yeah, I think that's fair. And it's privacy forward.
Steve Gibson [00:56:16]:
Yes. Yeah. And it's as good as we can get. I mean, yes, you're going to lose some if you want access to adult-restricted content that your government has said, the government that you are subjected to has said no. Children can't have that. You just need to tell us that you're an adult, and, and you— the platform you're using needs to— you have to have shown that to the platform one time, let them check it, and then the platform remembers and can make that assertion on your behalf. Uh, okay, Leo, get this. This next bit of news just made me shake my head.
Steve Gibson [00:56:52]:
I'm not going to spend too much time on it, but I didn't want to let it pass without comment. Cyberscoop informs us that ransomware negotiators, right, working for the ransomware negotiation firm DigitalMint— that is like, that, that, that companies that have been breached and have been, that are under ransom, they bring DigitalMint in to negotiate on their behalf. They were also the ransomware attackers that they were negotiating with. Oh, oh. So CyberScoop wrote, a 41-year-old South Florida man is accused of conducting at least 10 ransomware attacks and helping accomplices extort a combined $75.25 million in ransom payments while he was working as a ransomware negotiator for DigitalMint.
Leo Laporte [00:58:02]:
Oh, this has to be a movie. Somebody has to option this. This is too good.
Steve Gibson [00:58:07]:
According to federal court records unsealed last Wednesday, 5 of Angelo John Martino III's alleged victims hired DigitalMint, which assigned Martino to conduct ransomware negotiations on their client's behalf, putting him in a position to play both sides as the criminal responsible for the attack and the lead negotiator for his alleged victims. Really, you can't make this up.
Leo Laporte [00:58:42]:
I don't know. You know, these ransomware guys, they're really hanging in there tough. I think you're going to need to give them some more money. I don't know.
Steve Gibson [00:58:50]:
Yeah, they're just not— they really sound like they're not going to give.
Leo Laporte [00:58:54]:
They're really hanging in there.
Steve Gibson [00:58:57]:
Martino allegedly, they wrote, Martino allegedly obtained an affiliate account on ALPHV, also known as BlackCat, a criminal ransomware-as-a-service group, and conspired with other— get this— other former cybersecurity professionals.
Leo Laporte [00:59:18]:
So, oops, oops—
Steve Gibson [00:59:20]:
to break into victims' networks, steal and encrypt their data, and extort companies for ransoms over a 6-month period. Prosecutors accuse Martino of providing confidential information regarding ransomware negotiations to ALPHV co-conspirators to maximize the ransom payment. The 5 U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail, and medical industries. All 5 of those victims paid ransoms.
Leo Laporte [01:00:16]:
Wow.
Steve Gibson [01:00:17]:
So anyway, CyberScoop's coverage of this continues at some length, but everyone gets the idea here. Uh, uh, on the one hand, this obviously puts The guy who's negotiating both sides of the deal, as you noted, Leo, in the position to know exactly how much ransom his victim will actually pay.
Leo Laporte [01:00:40]:
Now, just between us guys, what's the maximum you'd be willing to pay? I want, you know, we just want to find out.
Steve Gibson [01:00:47]:
Yeah, exactly. We're not, we probably don't, you know, we don't want to go there. No, just so you, just so we know what, you know, What do we have to work with? Now, on the flip side, the upside, such as there is, is that the negotiator is also in the unique position to know for sure whether the attackers, since that's also him, will actually honor their promise to restore the victim's data and delete any copies they might have.
Leo Laporte [01:01:19]:
I'm pretty sure if you give these guys a million dollars, they're gonna give you the key. I'm pretty sure.
Steve Gibson [01:01:25]:
That's right.
Leo Laporte [01:01:26]:
I can't promise, but I have a good feeling about it.
Steve Gibson [01:01:29]:
Seems like, yeah, the way they're talking, I, I, they, they, they seem like, you know, they're obviously they're bad guys, but they seem like good bad guys.
Leo Laporte [01:01:37]:
This is a gutsy fella. That's, uh, wow.
Steve Gibson [01:01:40]:
Well, he's a gutsy fella in chains right now. Uh, yeah. And, and boy, the, the The article had pictures of aerial photos of his estate in South Florida, you know, and a 224-foot yacht that was docked on his pier. So yeah, he wasn't hurting. And he was married. You got to wonder what his wife thought. Like, honey, he doesn't really work that much.
Leo Laporte [01:02:07]:
What do you do for a living?
Steve Gibson [01:02:08]:
He closes his office door and mumbles into the— yeah. I don't know.
Leo Laporte [01:02:15]:
I got a very important meeting with myself.
Steve Gibson [01:02:17]:
Just, uh, I'll be back later. Yeah, I'll let you know how it goes. So 3 weeks ago during episode 1067, we covered the news of yet another horrific CVSS 10.0 in Cisco's— courtesy of Cisco— Cisco's SD-WAN product. This is that bug behind CVE-2026-20127, another critical authentication bypass in Cisco's Catalyst SD-WAN. And the reason I say another is it had, it had an additional one back in 2020. It's hard to get those right, especially for Cisco. Uh, it, it in this case, this allows unauthenticated remote attackers to gain admin-level access to SD-WAN controllers to compromise entire WAN infrastructures. Last Wednesday, CISA revised their previous orders, which we covered 3 weeks ago.
Steve Gibson [01:03:25]:
3 weeks ago, CISA was saying you needed to update by such and such a time. They had a whole calendar laid out. CISA has now ordered all federal agencies to upload their logs from Cisco's SD-WAN devices to CISA's own cloud platform by next Monday, March 23rd. These Catalyst SD-WAN devices had been under attack, as we know, using a zero-day since, as we said at the time, still true, 2023. Wow. And a great many of Cisco's customers have done nothing about it in the past 3 years. While CISA has no jurisdiction over private enterprises, it does over federal agencies. It has been given that jurisdiction.
Steve Gibson [01:04:23]:
This uploading and aggregating of the logs on CISA's platform will allow CISA's people to investigate which agencies have been compromised. So Leo, you were wondering, you asked the question like, how would a consumer know if their router— well, not easily. But in the case of SD-WAN logs, look, you morons, just send— we'll have you configure your device to send your logs to our cloud platform. We will look at them for you and let you know if you've got a problem. So, and I imagine the first thing they'll do is like, why have you not updated your firmware on your SD-WAN? So agencies will have to configure their Cisco SD-WAN to send future logs to the same cloud logging aggregation warehouse, which is known as CISA CLAW, C-L-A-W, the Cloud Logging Aggregation Warehouse.
Leo Laporte [01:05:22]:
Hmm, interesting.
Steve Gibson [01:05:25]:
Clawing back the data. Um, now, uh, the past year, as we've talked about, has seen a huge upward trend in the use of VPN services for geo-relocation. Why? Well, right, this increase in VPN use has been driven by new regional legislation which forces providers of age-restricted content to block access based on the geolocation of their would-be visitors, thus appear to be somewhere else. Unfortunately, a new demand and a rush to something, whatever, anything, AI, geo-relocation, you name it, what is the current enthusiasm, creates, you know, that rush creates new opportunities for bad guys to take advantage of the inexperience of newbies who are entering a market that's new to them. We've previously noted that this has been happening with VPN add-ons for Chrome. Microsoft Security has been tracking a group they identify as Storm-2561, which has been using search engine optimization, SEO, poisoning to provide malicious links to unwitting Windows users who are looking for VPN client software. Microsoft writes, in mid-January 2026, Microsoft Defender experts identified a credential theft campaign that uses fake virtual private network clients distributed through search engine optimization poisoning. The campaign redirects users searching for legitimate software to malicious zip files on attacker-controlled websites to deploy digitally— and here's the interesting— digitally signed— wait, what? Digitally signed? Digitally signed Trojans that masquerade as trusted VPN clients while harvesting VPN credentials.
Steve Gibson [01:07:42]:
Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561. Active since May of 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious zip files that contain fake installer files are hosted on GitHub repositories. Which have since been taken down. But of course, GitHub, you know, engenders trust. Additionally, they said the Trojans are digitally signed by a legitimate certificate that has since been revoked.
Steve Gibson [01:08:53]:
This blog shares— writes Microsoft— shares our in-depth analysis of the tactics, techniques, and procedures, the TTPs, and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion, and evade detection. We also share protection and mitigation recommendations as well as Microsoft Defender detection and hunting guidance. In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products, but instead deploy malware designed to harvest credentials and VPN data. When users click to download the software, they're redirected to a malicious GitHub repository. They say, again, no longer available, that hosts the fake VPN client for direct download. Okay, so I'll note that while Microsoft keeps reinforcing that the malware has been taken down, they know as well as we do that no sooner will one set of malware be taken down than its replacement will appear. In fact, it's more often the case that multiple sets of redundant malware have already been staged in place on GitHub and are just waiting to be linked to when the, the current malware in use is removed. This allows that malware to age a bit on the platform to increase its appearance of authenticity.
Steve Gibson [01:10:40]:
So a takedown of one set, while certainly useful and necessary, should by no means suggest to anyone that the threat has been you know, in any way diminished. This is a classic case of whack-a-mole, and while it's true that the game must be played, it can never be won by playing catch-up. You know, another mole will always be ready to pop up somewhere else. Microsoft continues to explain the GitHub repo hosts a zip file containing a Microsoft Windows installer in a Microsoft Windows installer, you know, an MSI installer file that mimics a legitimate VPN software and sideloads malicious DLL files during installation. The fake VPN software enables credential collection and exfiltration while appearing like a benign VPN client application. So for example, an unwitting user believes they're getting a VPN. They download the VPN, install the client, activate the client. It says it's connected to the remote VPN server, and they then go to wherever they are wanting to VPN to and log in.
Steve Gibson [01:12:04]:
None of that is true. So the bad guys obtain the credentials they use to log into wherever they were trying to VPN to. So it is very crafty. And I mean, this is the way enterprises end up getting penetrated and being ransomed by somebody from DigitalMint who's working for the bad guys or themselves. So, uh, Microsoft said this campaign exhibits characteristics consistent with the financially motivated cybercrime operations employed by Storm-2561. In other words, ransomware. The malicious components are digitally signed— this was interesting— by, uh, Taiwan, uh, Lua Near Information Technology Company Limited. Okay.
Steve Gibson [01:12:56]:
The initial access vector, they said, relies on abusing SEO to push malicious websites to the top of search results for queries such as Pulse VPN download or Pulse Secure client. That's so you put that into Google and the first link is this bad one. They said, but Microsoft has observed spoofing of various VPN software brands, not just Pulse, and has observed the GitHub link at the following two domains: vpn-fortinet.com and ivanti-vpn.org. Once the user lands on the malicious website and clicks to download the software— and again, when you go to this malicious website, you know, if you're not paying attention, if you don't know what the domain should be, it looks legit. I mean, it looks 100% like, oh good, I just got to the home of Pulse VPN Secure. I'm going to download this secure client. Why wouldn't you? They said once the user lands on the malicious website and clicks to download the software, the malware is delivered through a zip download hosted at github.com/latestver/vpn/releases/download/vpn-client2/vpn-client.zip.
Steve Gibson [01:14:33]:
Looking at that URL is like, okay, what's bad about that? Looks fine. So they said when the user launches the malicious MSI, Masquerading as a legitimate Pulse Secure VPN installer embedded within the downloaded zip, the MSI file installs Pulse.exe along with malicious DLL files to a directory structure that closely resembles a real Pulse Secure installation path. It's, you know, it's Common Files backslash Pulse space Secure. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion. Alongside the primary application, the installer drops malicious DLLs dwmapi.dll and inspector.dll into the Pulse Secure directory. The dwmapi.dll file is an in-memory loader that drops and launches an embedded shellcode payload that loads and launches the inspector.dll file, a variant of the InfoStealer HiRax. The HiRax InfoStealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command and control infrastructure which is how the bad guys learn how to log into, like, your enterprise that you're intending to VPN to securely. In other words, no one wants this software, any of this software, anywhere near any of their computers.
Steve Gibson [01:16:23]:
It's all bad. Microsoft noted that the files were all signed. As I've been saying, no code these days can get off the ground any longer without being signed by someone. In this case, Microsoft also explains, writing, the MSI file and the malicious DLLs are signed with a valid digital certificate which is now revoked. The Taiwan Lua, near information technology company limited. This abuse of code signing, they wrote, serves multiple purposes. It bypasses default Windows security warnings for untrusted code, might bypass application whitelisting policies that trust signed binaries, reduces security tool alerts focused on unsigned malware, and provides false legitimacy to the installation process. They said Microsoft identified several other files signed with the same certificates.
Steve Gibson [01:17:32]:
These files also masqueraded as VPN software. Okay, so Microsoft described this as an abuse of code signing. Okay, I suppose it's an abuse of the intent of code signing, but I'd be inclined to call it a failure of the code signing requirement to prevent the use of malicious software. Because, right, the bad guys didn't abuse code signing. They used code signing to abuse the process code signing was designed to prevent. Maybe I'm splitting hairs, but what we don't know and what Microsoft chose not to reveal here is whether this Taiwan Lua Near Information Technology Company Limited is an authentic firm whose valid signing certificate somehow got loose. But that's difficult to understand because, as we know, code signing certificates now must reside in hardware.
Steve Gibson [01:18:40]:
Or whether the company was always a facade which bad guys used to obtain a valid code signing certificate. Microsoft also chose not to reveal who signed their certificate. It would be interesting to know which certificate authority allowed themselves to be spoofed and how and where exactly the required chain of enterprise existence proof failed. How'd this happen? Hopefully somebody at Microsoft is pursuing this because this is exactly what's not supposed to happen. It's because of all these hoops that I had to, you know, go through everything I did in order to update my code signing certificate, because you're not supposed to be able to do this. But here's a clear instance of very, very malicious software having a valid code signing certificate, and Microsoft mentions it a number of times in their write-up. The only actionable takeaway we can have from this is the annoyingly diffuse imperative to remain ever vigilant. There are bad guys scattered all around the world focused upon taking advantage of our trust or in any momentary lapse of our attention.
Steve Gibson [01:20:05]:
All we really can be is as well-informed and careful as possible. Um, while we're on the subject of bad guys taking advantage of the passion of the day, uh, I wanted to note that Bitdefender, Kaspersky, and ThreatBook all recently posted independent examinations of the dramatic rise they all noted in malicious web pages offering instructions for installing AI agents like Claude and OpenClaw. I have a picture here in the show notes of what somebody would receive if they put into Google, download Claude Code. The first response that comes up is, it looks, it's from developers.squarespace.com.
Leo Laporte [01:21:04]:
Oh my God. And it's a sponsored result.
Steve Gibson [01:21:08]:
Uh-huh. Exactly, Leo. And it says, install Claude Code, Claude Code docs, use the AI-powered sidebar, generate snippets, refactor logic, and explore ideas in a clean interface. So you put download Claude Code into Google, the first sponsored result that comes up is malicious. Because, and because Google, yes, it, who would not trust this? Now we know that we should not be getting Claude Code from developers.squarespace.com. But your typical user doesn't know that.
Leo Laporte [01:21:51]:
I wonder how many people have been bit by this. That's awful.
Steve Gibson [01:21:54]:
Google labels it as a sponsored result and the branding looks authentic. Users tend to trust it. You know, so, you know, no more needs to be said other than to be careful and to always go to the original source of anything you obtain from the internet. And again, Perfect instance. Why do— why is this being done? Because right now AI is the rage, and the bad guys are going to take advantage of what everybody wants.
Leo Laporte [01:22:22]:
Oh, and when you install this stuff, you really give it full access to everything.
Steve Gibson [01:22:25]:
Yeah, it's like a great way to get malware in a system.
Leo Laporte [01:22:29]:
Yeah, yeah, you should never Google support numbers either for the same reason, right?
Steve Gibson [01:22:34]:
Yep.
Leo Laporte [01:22:34]:
But everybody does. What you should Google, Leo, Oh, our next sponsor.
Steve Gibson [01:22:39]:
Yeah. How did you know?
Leo Laporte [01:22:41]:
You're getting good at the segues, Steve Gibson. You better watch out. You're going to be a DJ soon. This episode brought to you by Thinkst Canary. I love this little guy. I do love this little guy. This, it looks like, I don't know, it looks like a little USB hard drive, like external hard drive. It's not.
Leo Laporte [01:23:01]:
Sure, it has a USB cable, but it also has an Ethernet port. And that should tell you something. This here is the best darn honeypot anywhere in the world. Honeypots are phenomenally useful, but as we learned, uh, when we start— talked to Bill Cheswick, who wrote Stalking the Wily Hacker and wrote the very first, as far as I know, honeypot, they are also devilishly difficult to create because you want your honeypot to be secure. You don't want it to look like a honeypot. You want it to look like something you know, a bad guy would want to get into. And so it takes a lot of skill to write a honeypot. Fortunately, the people at Thinkst Canary have that skill.
Leo Laporte [01:23:43]:
They've got decades teaching companies and governments how to break into systems. That's their expertise. They know how hackers think, and they have developed the best honeypot ever, the Thinkst Canary. This is a honeypot you can deploy in minutes. It's absolutely secure. It's written bulletproof, and it looks like the real deal. You can go into the configuration utility. It's so easy to set it up.
Leo Laporte [01:24:10]:
As this one's a Synology NAS, that's mine, but it could be a Windows server, a SharePoint server, it could be a Linux server. You could turn on all the services, a handful of services. It could be a SCADA device. It could be anything you want. And when it impersonates those devices. It really looks real. For instance, this has a Synology MAC address, so that's probably the first thing to look at. Well, let's see, is what's the MAC address? Oh yeah, this has the exact login screen.
Leo Laporte [01:24:39]:
It looks exactly like the real deal. The folks at Thinkst Canary take great pride in making very effective honeypots. You could make it an SSH server. You— oh, and the other thing you do with it, which is really cool, is you can create files with it. So that look like the real deal, like Excel spreadsheets or PowerPoint documents, or even things like WireGuard configurations, uh, you know, Cisco SD-WAN configurations, anything, anything that a bad guy might want to get into. And then you could sprinkle those, as many as you want, unlimited, all over your network. Even on your— I have on my cloud, like my Google Drive has a few, you know, they look like spreadsheets labeled employee information, that kind of thing, the kind of thing that a hacker cannot resist. Now, this is why this is great.
Leo Laporte [01:25:25]:
If someone is accessing one of those lure files or brute forcing your fake internal SSH server, your Thinkst Canary will immediately tell you you have a problem. You don't get false alerts. If you get that alert via text, Slack, webhooks, syslog, there's an API that you can get any way you want, email, when you get that alert, you know there's somebody in my network. Just choose a profile for your Thinkst Canary device, register it with the hosted console for monitoring and notifications. Then you sit back and you wait. You relax, because the minute an attacker breaches your network or a malicious insider starts looking around your network, they will— they can't help but make themselves known by accessing your Thinkst Canary. Now you should have one for every network segment. You know, a big bank might have hundreds of these scattered all over the place. Small operation like ours, just a handful.
Leo Laporte [01:26:17]:
But let me give you an example. Go to canary.tools/twit. For $7,500 a year, you'd get 5. You get your own hosted console, you get upgrades, you get support, you get maintenance, of course. Oh, and if you use the code TWIT in the 'How did you hear about us?' box, you'll also get 10% off the price for life. Now, you can always return your Thinkst Canary with their 2-month money-back guarantee and you get a full refund. That's 60 days. And I should tell you, next month it'll be the 10th year that we've been talking about these Thinkst Canaries, a whole decade.
Leo Laporte [01:26:54]:
I should say that during all of those years, nobody has ever asked for that refund ever, because once you get one of these, you know, how did I live without it? Visit canary.tools/twit. Enter the code TWIT in the How Did You Hear About Us box, 10% off, and not just for the first year but for as long as you have your Thinkst Canaries. This— every network needs at least one of these, many of these really, one for every segment, I would say at least. How else will you know if there's an intruder? This is your intruder alert. Intruder alert. Thinkst Canary at canary.tools/twit. Don't forget the offer code. Twit.
Leo Laporte [01:27:34]:
Thank them so much for their support. Yeah, Steve, we're going to the RSA conference, uh, next Tuesday. I'm very excited, very— gonna have a lot of fun. Sometime you have to come up for that. Have you ever been?
Steve Gibson [01:27:45]:
That's where I met Steena.
Leo Laporte [01:27:46]:
Oh, you met Steena coming down the escalator? That's right, that's right. Yep, Steena from, uh, YubiKey. Yeah, on we go with the show, sir.
Steve Gibson [01:27:56]:
Okay, so this is so I don't know what this is.
Leo Laporte [01:28:00]:
It's so weird.
Steve Gibson [01:28:02]:
Is it frightening? Is it clever? Is it genius?
Leo Laporte [01:28:06]:
Is it a movie of the week?
Steve Gibson [01:28:08]:
Okay, so a security researcher by the name of Christopher Aziz of Bombadil Systems discovered a very, very clever— I say new technique. I mean, it's always been there, but nobody thought to do this. That allows for the creation of malware-containing zip files that slide right past endpoint security tools, you know, Windows Defender and so forth, uh, all the various AVs. In his testing, Christopher found that his simple— I mean, horrifyingly simple— zip format hack would evade 98% of antivirus engines. I think 1 out of 55 caught it. The other 54 didn't. When Chris packaged something, a piece of known, very well-known malware in a regular zip file, it was almost universally detected by the AV engines at VirusTotal. But when he simply then tweaked the zip file's header to claim that its file contents had been directly stored rather than compressed.
Steve Gibson [01:29:33]:
Nearly all existing AV tools were fooled into believing that the contents were just gibberish. In other words, they didn't attempt to decompress the contents because the header said it wasn't compressed. It's almost too easy. Christopher put up a page on his GitHub account to draw attention to this obvious-in-retrospect vulnerability. Uh, it's at github.com/bombadil, B-O-M-B-A-D-I-L, hyphen systems forward slash zombie hyphen zip. He wrote under how it works. He said AV engines trust the zip method field. When method equals 0, meaning that the file was stored not compressed, they scan the data as raw uncompressed— as if it was raw uncompressed bytes, but the data is actually deflate compressed, which is ZIP's standard compression format.
Steve Gibson [01:30:41]:
Deflate compressed. So the scanner, instead believing it's not compressed, just sees it as compressed noise, he writes, and finds no viral signatures. The CRC, the cyclic redundancy check, the CRC is set to the uncompressed payload's checksum, creating an additional mismatch that causes standard extraction tools— 7-Zip, Unzip, and WinRAR— to report errors or extract corrupted output. He said, however, a purpose-built loader, meaning a loader that knows what has been done, that ignores the declared method and decompresses as deflate, recovers the payload perfectly. He said the scanner, the vulnerability is scanner evasion. Security controls assert no malware present here while malware is present and trivially recoverable by attacker tooling. As for the attack vector, this is not an end-user extraction vulnerability. This is a staged delivery smuggling technique, meaning that you would, you know, malware, some script or something running that's already running would download this because of this simple hack.
Steve Gibson [01:32:10]:
It would get into the system by passing all AV screening, and then it would know how to decompress this back into its full, fully malicious uncompressed state. So he said the staged delivery smuggling technique. First, a malicious payload packaged in what he calls a zombie zip with a modified header. The zip transits security boundaries, email gateways, network scanners, endpoint AV. Scanners read method equals zero, scan compressed noise, and report, yep, all clean. A purpose-built loader or dropper decompresses the payload programmatically. The payload materializes and executes. He says this is consistent with established malware delivery patterns known, having previously been seen in ISO smuggling, HTML smuggling, cab abuse, and so forth, where attackers use custom loaders rather than consumer extraction tools.
Steve Gibson [01:33:21]:
So what was affected? He said 50 out of 51 AV engines on VirusTotal were fooled. Also fooled: Microsoft Defender, Avast, Bitdefender, ESET, Kaspersky, McAfee, Sophos, Trend Micro, and so forth. He said only something known as Kingsoft detected it. So anyway, this just goes to show how some of the simplest hacks, even after all of this time, can still be among the most effective. You know, sometimes there's just no need for something to get overly fancy. There's, you know, some assumptions were made, and those assumptions can be abused to the benefit of the attackers. Okay, so will AI write code for me? Our listeners, understandably curious because I've been so impressed with things like what Claude Code is doing for people, continue to express their curiosity over my own plans for AI coding. I mean, this is like, until this week when, where I asked what the caption for that photo should be, it was probably the most often asked thing.
Steve Gibson [01:34:47]:
Like, well, Steve, when are you going to start using AI? And I'm sure that this is partly due to my having previously made t-shirts for myself which would, which say in white block letters on a black, born to code. you know, and also due to my having been completely open-minded about a topic that has perhaps been more near and dear to me than anything else in my life. I have many times, as we know, Leo, celebrated your successes and experiences embracing Claude Code, and I've shared many of our listeners' similar stunned, mouth-left-hanging-open experiences. When AI produced code for them that made their computer do things they never imagined they'd be able to obtain for themselves. And in fact, I'll be sharing another instance of that here after this. Obviously, something huge has happened. The question remains what that is exactly. As I settled down last Saturday morning to begin assembling today's podcast, I decided to log into X to see whether any of our listeners might have posted a candidate picture of the week.
Steve Gibson [01:36:05]:
That's where I used to get them. The good news is everyone has largely switched over to using email, as I have, but you never know. So it was serendipitous that when I happened to check, my feed contained several posts that were completely on topic for the question of AI and coding. I don't know, presumably Elon's X system knows of my interest in the topic and therefore dropped those into my feed. So the first post I want to share was written by a guy named Akash Gupta who posts frequently on Medium. Uh, of akashgupta.medium.com if anyone's curious. I've got a link in the show notes with the spelling. His short bio says that he helps product managers, product leaders, and product aspirants to succeed, and that clearly is his focus.
Steve Gibson [01:37:07]:
His posting quotes, uh, somebody who posted on the 13th, an Arvid Kahl, who just wrote, devs are acting like they didn't write slop code before AI. So sounds like this guy is defending, uh, you know, AI-produced code against people who are saying, you know, it's sloppy. So Akash Gupta, who has a lot of experience with AI and product managers, he says in his posting, he writes, 41% of all code shipped in 2025 meaning last year, was AI-generated or AI-assisted. The defect rate on that code is 1.7 times higher than human-written code. And a randomized controlled trial found that experienced developers using AI tools were actually 19% slower than developers working without them. Devs, he says, have always written slop. The entire software industry is built on infrastructure designed to catch slop before it ships. Code review, linting, type checking, CI/CD pipelines, staging environments— all of it assumes one thing: The person who wrote the code can walk you through what it does when the reviewer asks.
Steve Gibson [01:38:47]:
That assumption, that is, that the person who wrote the code understands it, he says that assumption held for 50 years. It broke in about 18 months. He said when 41% of your code base was generated by a machine, and approved by a human who skimmed it because the tests passed, the review process becomes theater. The reviewer is checking code neither of them wrote. The linter catches syntax, not intent. The tests verify behavior, not understanding. The old slop had an owner. Someone could explain why temp_fix_v3_final existed, what edge case it handled, and what would break if you removed it. The new slop instead has an approver.
Steve Gibson [01:39:51]:
Different relationship entirely. He says Arvid's right— the guy he was originally quoting— Arvid's right that devs wrote bad code before AI. The part he's missing: the entire quality infrastructure of software engineering was designed around a world where the author and the debugger were the same person. That world ended last year, and nothing has replaced it yet. So I just, I like that just as a statement, you know. And his post captures aspects of my own discomfort with using AI to create code that I'm going to put my name on. So the answer to the question of whether AI will write code for me would be not the AI we have today. Even before this— consider this.
Steve Gibson [01:40:52]:
Even before this AI coding revolution arose, I should objectively have at least been using C, right? But I'm so comfortable— right, go on. I'm so comfortable with assembly language, and I now have so much solid boilerplate written by me in assembly language through the years that moment to moment the path of least resistance is just to keep using assembly. When I face the possibility of using something to write code for me, I'm immediately brought up short wondering how can I possibly know the code it creates is correct. The code I'm writing is never for a lark. You know, I'm not writing it as a hobby. I'm always writing production code that I and others will depend upon. Either it's server-side code running on GRC's servers, or code that will form a product that bears my name. In either case, the code needs— I need the code to be as correct as I'm able to make it.
Steve Gibson [01:42:14]:
It's true that I have, we know, strong perfectionist tendencies. I know that's one of the reasons people listen to this podcast. I don't ever judge my work by whether it's good enough. I don't have a good enough. I know, you know, that I judge it by whether it's as good as I am capable of making it. That is my standard. Can it be better? So if I don't actually write the code I'm using, you know, and offering for sale, how can I ever definitively make that judgment if no one or nothing sentient and personally responsible creates it? If the code just magically appears and if there are large swaths of code that is never carefully inspected by anyone, how can I ever have confidence in what the code does? Sure, I know, test, test, test. I get that, you know, that is after all, you know, the, the model that many of our development testers know quite well.
Steve Gibson [01:43:26]:
That's the development model that has evolved with the code that I currently offer by hand is, is validated. But is the appearance of the code working, or the code no longer being seen to fail, an adequate replacement for someone actually writing the code for a purpose? I don't know. But I do know that the entire world is objectively going nuts over AI-written code. Perhaps the reason for this is that there is tremendous pressure within the larger code-creating universe to create more code with fewer human coders. So perhaps it's the fact that I truly love writing code myself and that I feel very little pressure to produce more code faster. Maybe that's, you know, why there— why the balance for me, the scale hasn't tipped. I've talked about days past when my little company employed many more people, many of whom I was actually jealous of since they were getting to do the work I wanted to be doing instead of just managing them. Doing that work.
Steve Gibson [01:44:51]:
If that's the case, why would I want to have an AI producing code that I would then not have the joy of writing for myself? You know, all of the foregoing suggests that the answer to that question, when will Steve be using AI to author his code, the answer is at least not yet.
Leo Laporte [01:45:14]:
But we should point out, Steve, you're kind of a unicorn. You're kind of a—
Steve Gibson [01:45:19]:
I'm just talking. Yes, the question is me.
Leo Laporte [01:45:23]:
Me.
Steve Gibson [01:45:23]:
I mean, our listeners have been asking, Steve, you're all— you're, you know, you're, you're talking about Claude Code and how great it is. When are you going to use it? And I'm explaining why maybe never.
Leo Laporte [01:45:36]:
Yeah. And I— but nobody— the— how many people work like you? I mean, you're really an anomaly. You weren't in the past. There were a lot of people like Peter Norton and stuff who wrote their own stuff and shipped it and so forth. But most code these days is written by large teams with all sorts of layers of review and architecting. And I think for a lot of what is written today, AI makes perfect sense.
Steve Gibson [01:46:08]:
Not for you, Because you're, you know, and Leo, you'll notice I didn't, I didn't say otherwise.
Leo Laporte [01:46:14]:
No, and no, I know. Yeah. And you're right. I agree with you 100%.
Steve Gibson [01:46:17]:
Yeah. And I, but I do.
Leo Laporte [01:46:18]:
Anybody who loves to write code should write code. If you love it, you should write it. Why not? That's not, but I have to say, I'm not sure I fully agree with this tweet because one of the things you're not going to see, frankly, if you have AI-written code, is temp— what was it? Oh, temp fix underscore— because it won't get patched.
Steve Gibson [01:46:45]:
It'll be created whole.
Leo Laporte [01:46:47]:
Code is so cheap that you refactor, you redo it. You don't do that kind of— that's what humans do. They apply a little spackle, a little Bondo to the code. That's not what happens, or it shouldn't with AI. If it's being done right. I think really the experience people have with AI coding depends a lot on their own mindset and how they've gone about it and how it really, you become, instead of the coder, you become the kind of more like the manager. Yeah.
Steve Gibson [01:47:16]:
Yes.
Leo Laporte [01:47:16]:
And a good product manager really thinks deeply about specs, is willing to throw out code and start over.
Steve Gibson [01:47:22]:
I mean, and Leo, I remember I always say, what we have today is not what we're gonna have tomorrow.
Leo Laporte [01:47:31]:
It's gonna very much change. That's the other thing. He says 41% of code written in 2025. Well, the thing that changed everything was November 24th, 2025.
Steve Gibson [01:47:40]:
Right, right.
Leo Laporte [01:47:41]:
So when Opus 4.6 came out, so, or 4.5, so.
Steve Gibson [01:47:45]:
I have one more thing I wanna share, but let's take a break.
Leo Laporte [01:47:48]:
Okay.
Steve Gibson [01:47:48]:
I'm looking at the clock and now it would be a good time.
Leo Laporte [01:47:51]:
I'm sorry to slow you down. I apologize.
Steve Gibson [01:47:53]:
And then I've got Uncle Bob Martin's post. Oh.
Leo Laporte [01:47:56]:
Uncle Bob, good old Uncle Bob. He's quite the character, but a legend in the business for sure. Yeah. Oh, I'm looking forward to that. That's coming up. You're watching Security Now with the great Steve Gibson. You know, I'm really glad that there are people like you, Steve, that cherish, that are artists. You know, you wouldn't expect a machine to paint the Sistine ceiling.
Leo Laporte [01:48:18]:
You're an artist. That's absolutely great. But I, but I am not. So I appreciate having an AI to do some of that coding.
Steve Gibson [01:48:28]:
And there's a whole different side of just getting the job done.
Leo Laporte [01:48:31]:
Sure.
Steve Gibson [01:48:31]:
You know, like, you know, and that's what most people are doing, frankly. And I'm going to share a post from a listener after this that takes the exact reverse. This has changed his life.
Leo Laporte [01:48:42]:
Yeah, yeah. And then, uh, you know, and I will say, you know, when I, when I do coding puzzles like Advent of Code, I'm not I have no interest in having AI do it. No, because the whole point of it is me having the fun of writing a story.
Steve Gibson [01:48:55]:
In fact, AI ruined that whole challenge.
Leo Laporte [01:48:58]:
It really did. It actually hasn't been a very good influence on it. He had to change everything. Let me talk about our ad for this segment of Security Now. This episode brought to you by Adaptive. Yes, it's a security platform. It's the first security awareness platform built to stop the thing that is perhaps pestering you the most, AI-powered social engineering. Here's the shift.
Leo Laporte [01:49:26]:
Attackers don't need malware anymore. They just need trust. They need a cloned voice, a convincing deepfake on Zoom, or maybe just buy an ad in Google Search or an AI-written phish that looks exactly like it came from your IT team. And as you— as we were saying when we were at Zero Trust World, as you said, the threat's coming from inside the house. That's why you need Adaptive. Adaptive prepares your organization with simulations, not just an email, but across email, SMS, and voice.
Steve Gibson [01:50:01]:
You—
Leo Laporte [01:50:02]:
yes, deepfakes, vishing, voice phishing, and AI-generated phishing, including scenarios that can mirror your own brand and executives. Imagine if your CEO is on the phone saying, Simpson, I need you now, you know, this, this is how the bad guys work nowadays. And when employees report something suspicious, is that the boss? Adaptive can help you triage it fast. Hey, I think I might have done something wrong, something bad. So security teams aren't buried in false alarms, but actually can fix the problem before it propagates. If you need training fast with Adaptive's AI content creator, you can turn a breaking threat— something just happened yesterday in the news, right? Something Steve just talked about today— an incident report, a compliance doc, instantly into interactive multilingual modules. I mean, I'm talking minutes. No design team required.
Leo Laporte [01:50:58]:
Adaptive does it. Adaptive will let you build, customize, and monitor every part of your training with complete personalization. The result is a more resilient security culture, which is essential. Take a company like Plaid, right? Uh, I use Plaid every day to log into my finance platforms. Plaid's platform powers thousands of digital finance apps, links consumers, developers, institutions together with sensitive data at its very core. Plaid security and compliance are non-negotiable. What do they use? Yeah, they use Adaptive Security. Plaid's head of security, GRC, says Adaptive has equipped our teams with cutting-edge tools and built a smarter, more resilient security culture across the company.
Leo Laporte [01:51:44]:
Actually, that makes me feel good because I use Plaid. I'm glad to know they're on it. They're on it. Trusted by Fortune 500s, backed by NVIDIA and OpenAI, Adaptive is building the defenses we need for the AI era.
Steve Gibson [01:51:57]:
Learn more.
Leo Laporte [01:51:58]:
At adaptivesecurity.com. That's adaptivesecurity.com. You want your customers to feel like I do as a customer of Plaid. Oh good, they're, they're doing what it takes. adaptivesecurity.com. We thank them so much for supporting Security Now. Steve?
Steve Gibson [01:52:17]:
Okay, so before we leave this topic, actually we have another note from a listener too, but I wanted to share another X post that appeared in my feed directly underneath the previous one. Uh, it was written by someone who we obviously know. Leo, uh, you are aware of Uncle Bob. Uh, he's got a Wikipedia page, uh, which, you know, was created to capture and describe his life's work. Uh, his given name is Robert Martin, uh, although he goes by Uncle Bob Martin. Uh, Wikipedia informs us that he's an American software engineer, instructor, and author who is most recognized for promoting many software design principles. And by the way, he's a lover of Lisp, uh, and for being an author and signatory of the influential Agile Manifesto. He's authored many books, uh, and magazine articles and was the editor-in-chief of the C++ Report magazine and served as the first chairman of the Agile Alliance.
Steve Gibson [01:53:18]:
Yeah, Wikipedia says he joined the software industry at age 17, so like many of us, it's been his life. Uh, he's credited with introducing the collection of object-oriented design principles that came to be known as SOLID. And Wikipedia mentions that he's authored many books. That's right, 13 books. Uh, since I'm going to share his what I think is an interesting observation which really made sense about the current state of AI-generated code, I want to first clearly establish his bona fides. So here are the titles of the 13 books he's authored across the past 30 years, and these are, you know, real books published by Prentice Hall, Cambridge University Press, Addison-Wesley Professional, and Pearson, with titles Designing Object-Oriented C++ Applications Using the Booch Method, More C++ Gems, Extreme Programming in Practice, Agile Software Development: Principles, Patterns, and Practices, UML for Java Programmers, Agile Principles, Patterns, and Practices in C#, Clean Code: A Handbook of Agile Software Craftsmanship, The Clean Coder: A Code of Conduct for Professional Programmers. He's all into clean.
Steve Gibson [01:54:40]:
Clean Architecture: A Craftsman's Guide to Software Structure and Design. Clean Agile: Back to Basics. Clean Craftsmanship: Disciplines, Standards, and Ethics. Functional Design: Principles, Patterns, and Practices. We Programmers: A Chronicle of Coders from Ada to AI. Okay, so here's what Uncle Bob Martin posted last Saturday morning. He wrote, 2 months ago, while working on my empire game with AI, I had that quicksilver experience. When you push on a blob of mercury, it slips out in some random direction.
Steve Gibson [01:55:24]:
Every time I added a new feature, some older feature would shift behavior. This was true even after I added unit tests and acceptance tests. The AI always took the path of least resistance on the current feature and was willing to sacrifice older features. It would change tests, including acceptance tests, in order to get the latest feature done. Telling the AI not to do that was ineffective. AIs are stochastic, and so are any rules you feed them. Rules bias their behavior but do not absolutely constrain it. When I called them out on breaking rules, they apologize and swear they won't do it again, but they can't really make that promise.
Steve Gibson [01:56:23]:
They are, in the end, liars and cheats. The solution is to massively over-constrain them, force them to write so many tests that changing a test feature breaks many tests. They feel that force and retract the change. It's like peer pressure with a lot of peers. At the same time, I reduced the chances for collateral damage by continuously forcing the AI to partition everything into small decoupled units. That way, it's not easy to break one feature while implementing another. It also keeps the AI from getting confused by its own messes. The final goal is semantic stability in the face of continuous development.
Steve Gibson [01:57:19]:
The things that worked before keep working as they were while newer things get added. This is a continuous effort. Acceptance tests, unit tests, TDD, CRAP analysis, and mutation tests are run after a reasonable batch of changes and are tasked with reducing CRAP below 8, covering any untested behavior, and killing all surviving mutants. The size of the batch of changes is a judgment call. Too big and the analysis and repairs take a long time. Too small and the verification effort overwhelms the development effort. And then he finishes with, side note, the mutation tests consume massive amounts of computer power.
Steve Gibson [01:58:12]:
My cores are running full bore all the time. And that's even with differential mutation. There's something poetically just about all this. The AIs require a massive amount of computer power to create. What they create for us takes a massive amount of computer power to keep stable. So, okay, um, I think this has to do with the size of what he's trying to accomplish, right? Like, you know, he's building something big and it's tending to get slippery, like liquid mercury where you push on it and it slips away. But from the start of our discussion of AI, I've been saying that I firmly believe AI will have a very bright future in coding. I still believe that's true, 100%, but not today's AI.
Steve Gibson [01:59:14]:
Today's AI is still general-purpose AI. It's like asking AI for that list of very high-quality random numbers. Doing that perfectly, which we know how to do, requires specialization, not generalization. This is every bit as true when it comes to writing code correctly. The laughable catastrophic mess Bob describes in his posting, you know, commonly referred to as attempting to herd cats, is not the way to write code. But these 4 sentences from Bob's posting say it all. He wrote, AIs are stochastic, and so are any rules you feed them. Rules bias their behavior but do not absolutely constrain it.
Steve Gibson [02:00:08]:
He says, when I call them out on breaking rules, they apologize and swear they won't do it again, but they can't really make that promise. They are, in the end, liars and cheats. I believe that in those four statements, Uncle Bob exactly and perfectly captures the state of play today. But that's only today. I'm always, as I keep saying and noting, very careful to state that nothing we have or believe we have today regarding AI will hold tomorrow. And Leo, your November 28th date is a perfect example. On November 27th, we had one thing. On the 29th, we had the world changed.
Steve Gibson [02:00:51]:
It's not at all done changing. You know, we're like in that first round of home computers that were interesting and a lot of us got them, but they never got off the ground. It took another, you know, a bunch of more evolution and time for it to finally reach critical mass. And so the way I think this will shake out is that someday we will have many differing forms of application-specific AI. I suspect that's where the answer lies, at least the most practically economic answer. As I understand today's AI operation, having a single super-genius AI that contains all knowledge and does everything perfectly may be possible, but is incredibly wasteful, as in way too expensive to contain and operate if all you want is high-quality code. Instead, employ the far more cost-effective services of a specialist code-generating AI whose model can be far smaller while also containing far more concentrated knowledge about code and only about code. It knows nothing about the works of Shakespeare.
Steve Gibson [02:02:21]:
It just knows about code.
Leo Laporte [02:02:22]:
That's why our old model prior to November 24th, 2025 was asking a question of a chatbot. And then taking its code and pasting it in. We've gone way beyond that in a very, very brief period of time. I think AI, especially AI coding, is kind of like the blind men and the elephant. You know that adage? Everybody is seeing a different part of it. And I think especially we can't use our notions of coding from prior times in modern times. It's just so different now. And everybody has a different take because everybody has a different experience.
Leo Laporte [02:03:07]:
I think you're in a very—
Steve Gibson [02:03:08]:
I think we're in a very—
Leo Laporte [02:03:10]:
a huge period of flux. And I think that's the only true thing. And really the best advice I think anybody, for anybody, is just try it, play with it, get to know it, Give it a tough problem. Read and learn. Everybody's talking about it. Not everybody's right. There's a lot of points of view about this.
Steve Gibson [02:03:32]:
And not everyone can be right when the target keeps moving. I mean, it's very fluid. I cannot say enough. The world will be different again next year as regarding AI and code. There's just, there's no question about it.
Leo Laporte [02:03:46]:
Yeah, we're in an interesting time. I mean, I guess the bottom line, and we've talked about this before and I think we both agree on it, is that what the job is, is taking human thoughts and ideas and translating them into computer. And what we're trying to make is a computer program that's very adept at that. The easy part is translating it into computer. The hard part is translating us. But somehow something happened that it got really good very rapidly at understanding what we're saying and putting it into action. But there's still miscommunications and gaps. It's very— well, we live in interesting times.
Leo Laporte [02:04:29]:
Uncle Bob's very prolific, talks a lot about this. I actually saw this tweet. He's very active on X and talks a lot about this. Very interesting.
Steve Gibson [02:04:37]:
Yeah. So here is an example of AI on the flip side. Our listener Craig, the subject of his email was hard to describe. He wrote, first, I'd like to say thanks for mentoring me throughout nearly my entire career. Now retired, I ran the IT department for a 50-employee DOD/DOE subcontractor. What I learned from you and implemented over the years made NIST 800-171 compliance easy, and I can proudly say that my company was never hacked. Oh wait, aside from that warez kiddie who created a hidden FTP site on my public FTP server? Remember those days? LOL.
Steve Gibson [02:05:32]:
But aside from that, never once was my network taken down. I had weekly security awareness training for my users, almost always from your show. I was tight a decade before anyone was even thinking about security. Thank you. My entire career was hobbled by my poor coding skills. I never attended college for computers, just drinking and failing out. I learned everything.
Leo Laporte [02:06:02]:
I majored in that too.
Steve Gibson [02:06:06]:
I learned everything building PCs in those box shops in the late '90s. Network light FTW, LOL. Computer Shopper for the win. I used to tell people I can code, but I can't develop. I could write a simple script after hours of scouring Stack Exchange or Spiceworks to figure it out. The places I could have gone if I had properly trained as a developer. Now all those tools I wish I had over my 30 years of career are at my fingertips. The best analogy I can give is that I spent my career in 2D black and white, and all of a sudden I can see 3D in color.
Steve Gibson [02:06:56]:
And infrared and ultraviolet and X-ray. And he's talking about AI. He said, I now have an entire agent infrastructure team, a CISO, architect, audit, monitoring, hardening, infrastructure, et cetera, managing my entire home lab. My kitchen module has an AI chef running from local Ollama to help with the current recipe. I just got done having the CISO build a 3D desktop for my platform inside of my Quest 2. It made downloading 20 years of Google account and then organizing it into my own system easy. It's working on building out a complete voice system around my house.
Steve Gibson [02:07:45]:
It can talk to my 3D printers. All of this is possible, and I just have to ask for it in natural language. My jaw is still on the ground. I hate to say it, Steve, but commercial software is dead. I don't need to buy what I can have my agents write. All I need are GPUs. So anyway, I just thought that was a great, uh, snippet from one of our customers whose life has been changed, uh, thanks to AI.
Leo Laporte [02:08:23]:
That's nice. Really nice.
Steve Gibson [02:08:25]:
Yeah. Okay, our last break, and then I'm gonna share my 100%, uh, positive experience with CISA's free internet scanning and pose the question, why are we not all doing it too?
Leo Laporte [02:08:41]:
Yeah, well, I'm gonna try. I mean, I, I guess you're, you're— I don't have multiple IP. Well, I guess I do have two IP addresses. I guess, I don't know, I have one static and one, uh, theoretically changeable that never changes.
Steve Gibson [02:08:55]:
You have resources for Twit, right? Or are they just—
Leo Laporte [02:08:58]:
oh no, it's all, it's all cloud.
Steve Gibson [02:09:00]:
Yeah, all distributed stuff.
Leo Laporte [02:09:02]:
Yeah, it's all over the place.
Steve Gibson [02:09:03]:
So it would be a small enterprise that has, you know, a, a a block of network space.
Leo Laporte [02:09:09]:
Russell can do it. I'll have Russell. He's in Florida? Okay. He can do it from Florida. What do you mean he doesn't work when he's in Florida? Let's do the final commercial and then we'll get to the topic of the day. CISA.
Steve Gibson [02:09:29]:
Free internet scanning.
Leo Laporte [02:09:30]:
CISA has been decimated in the recent budget cuts, and I'm very nervous. I'm glad they still have their bots running because, yeah. Well, yeah. I mean, we are the true target of cyber warfare, if not now, soon.
Steve Gibson [02:09:46]:
They've lost a huge bunch of staff.
Leo Laporte [02:09:49]:
And they had what I consider to be a terrible administrator for a year. He's gone now, but that doesn't mean everything's better. It means there's no administrator. We're in an interesting time. Let's just say to that. This episode of Security Now brought to you by Meter. I'm gonna go see these guys at RSA. I'm very excited about seeing these guys at RSA next week.
Leo Laporte [02:10:13]:
Meter is the company building better networks. I want to talk to the founders because, I mean, I talked to them on— I talked to them on the phone a couple of months ago, and I was so impressed because they were network engineers, right, who felt your pain. If you're a network engineer, you know, they know the headaches. You know the headaches. Legacy providers with inflexible pricing. Everybody's got IT resource constraints stretching you thin. Complex deployments across fragmented tools. You, you, Mr.
Leo Laporte [02:10:45]:
Network and Ms. Network Engineer, are critical, mission-critical to the business, but you're working, you know, with infrastructure that wasn't built for today's demands and insufficient resources. That's why so many businesses are switching to Meter, and this is so cool. Meter delivers full-stack networking infrastructure— wired, wireless, and cellular— that's built for performance and scalability. These guys realized there's only one way to build a reliable network, and that's to own the whole stack. So Meter designs hardware. That's why I can't wait to see them at RSAC. I want to see this stuff in person.
Leo Laporte [02:11:22]:
Meter designs the hardware. They write the firmware, they build the software, they manage the deployments, they provide support after the fact. Meter even does ISP procurement. They will help you every step of the way with covering security, routing, switching. Uh, they do wireless, they do cellular, they do firewall, they do power. Power is important, right? DNS security. Uh, they'll help you with VPNs, with SD-WANs, with multi-site workflows, all in a single solution. One of the things they said we— they commonly see is a company acquires another company, uh, or acquires their warehouse.
Leo Laporte [02:12:05]:
Now suddenly you have another site with completely incompatible software and hardware solutions. You got to get it on your network, you got to get it reliable. Some of these warehouses are 100,000 square feet, so there's all sorts of challenges with wireless, and they go in and they get it all working. They get it, they fix it all with their own hardware and software. Meter's single integrated networking stack scales. They are in major hospitals. There's— that's another challenging environment because of all the equipment, right? They're in branch offices, warehouses, large campuses. They're in data centers.
Leo Laporte [02:12:40]:
You know who uses Meter in their data center? Reddit. There's a network that must perform, right? The assistant director of technology for Webb School of Knoxville loves Meter. They said, we had, this is a direct quote, quote, "We had more than 20 games going on on campus between our two facilities. Each game was streamed via wired and wireless connections. The event went off without a hitch. We could never have done this before Meter redesigned our network." With Meter, you get a single partner for all your connectivity needs, from first site survey to ongoing support, without the complexity of managing multiple providers or tools. Meter's integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. And isn't that the job, right? Meter is built for the bandwidth demands of today and tomorrow by people who know your pain.
Leo Laporte [02:13:38]:
They've been there and they're here to help. We love Meter. Thank you so much for sponsoring. I can't wait to meet you, Meter, next Tuesday at RSAC. Go to meter.com/securitynow to book a demo today, or if you're going to RSAC, go on over to the booth, meter.com/securitynow to book a demo. And that reminds me, Steve, I will not be here next week. Mike will be doing the show. Yeah, yep, uh, I'm gonna miss Tuesday's shows so that I can go to the RSA conference, which I have never been to, so I'm really excited.
Leo Laporte [02:14:13]:
I get to go to this. It's gonna be so much fun. We're gonna see a lot of sponsors, so that'll be neat too. All right, let's talk about CISA.
Steve Gibson [02:14:20]:
Okay, so last week I shared feedback from a listener who shared with us that his organization uses, uh, CISA's free internet network scanner to keep an eye on his organization's network security exposure. He explained that when he first had CISA scan their network, what they found was quite bracing and brought their other IT people up short. And as I also noted, his sharing that with me raised my own curiosity about just who might qualify for CISA's periodic scanning. Uh, it's formerly known as CISA's Cyber Hygiene Service, and its page says, reduce the risk of successful cyber attack. Cyber threats are not just possibilities but harsh realities, making proactive and comprehensive cybersecurity imperative for all critical infrastructure. Adversaries use known vulnerabilities and weaknesses to compromise the security of critical infrastructure and other organizations. CISA offers no-cost cybersecurity services to help organizations reduce their exposure to threats by taking a proactive approach to monitoring and mitigating attack vectors. By taking advantage of CISA's cyber hygiene services, you can— and we have some bullet points here— significantly reduce risk. Organizations typically reduce their risk and exposure by 40% within the first 12 months.
Steve Gibson [02:15:59]:
Most see improvements in the first 90 days. Avoid surprises. Because the services look for assets exposed to the internet, they identify vulnerabilities that could otherwise go unmanaged. Sharpen your response by combining the vulnerability insights gained with existing threat detection and risk management efforts. Enrolled organizations can increase the accuracy and effectiveness of response activities. This means fewer false alarms and less chance of real danger slipping through the net. Broaden your security horizon. CISA scanning is about more than pinpointing vulnerabilities. It's about expanding your organization's security boundaries from basic asset awareness to daily alerts on urgent findings.
Steve Gibson [02:16:49]:
You'll be in a better place to make risk-informed decisions. They said CISA's cyber hygiene services include vulnerability scanning. This service continuously monitors and assesses internet-accessible network assets, public static IPv4 addresses, to evaluate their host and vulnerability status. In addition to weekly reports of all findings, you'll receive ad hoc alerts about urgent findings like potentially risky services and known exploited vulnerabilities. And web application scanning. This service deep dives into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit. This comprehensive evaluation includes, but is not limited to, the vulnerabilities listed in the OWASP Top 10, which represent the most critical web application security risks. This service provides detailed reports monthly as well as on-demand reports to help keep your application secure.
Steve Gibson [02:17:59]:
Okay, so I've brought all this up again because of my experiment to see whether GRC's little, decidedly non-governmental, non-tribal 16-IP network block might qualify to receive CISA's automatic periodic background security scans and reporting. And it was a resounding and surprising success. Based upon my experience, I would hazard to imagine that a great many of our US-based listeners who are in charge of their own small, medium, and even large enterprise networks, like the listener that put me on this, would be able to similarly qualify to receive this free service much as I have. And if so, why wouldn't everyone wish to avail themselves of this entirely sane, zero-cost service offered by an agency of our federal government? Now, I suppose I can imagine that it might make some listeners a bit queasy to invite Uncle Sam to scan and report on the state of their networks. But stop to consider that anything that might be discovered and reported is already public information. It's not as if, you know, we're making an exception for CISA, allowing them through our firewalls to rummage around inside our networks. That's not happening. They're on the outside attempting to look in, just like would-be attackers and hackers in Russia, North Korea, and China.
Steve Gibson [02:19:49]:
The difference is that CISA is on our side, with the goal of strengthening North American networks against attackers in Russia, North Korea, China and elsewhere. They email password-protected PDF reports that only the intended recipient is able to decrypt, open, and view. I don't see any possible downside, whereas I see potentially huge upside. Okay, so what happened with GRC? Um, that CISA, um, uh, Cyber Hygiene Services page— it's at cisa.gov/cyber-hygiene-services, I've got a link in the show notes— invites candidates to indicate their interest and open a dialogue by sending an email to vulnerability@cisa.dhs.gov with the subject, with just the subject, requesting cyber hygiene services. So I addressed an email and I wrote simply, to whom it may concern, I own a small commercial network which I would like to have scanned. Thank you. Steve.
Steve Gibson [02:21:14]:
That was on the morning of Saturday, March 7th.
Leo Laporte [02:21:18]:
Did you just say, do you know who I am?
Steve Gibson [02:21:21]:
No, just, just, just to whom it may concern, I want to have my network scanned. Thanks. That was Saturday, March 7th. So nobody was working at CISA. I received a reply to that email first thing Monday morning. So immediately after the weekend at 5:32 AM Pacific, so 8:32 in the East where CISA is, that email response said, Steve, thank you for your interest in our cyber hygiene. And then they, of course, abbreviated CyHy vulnerability scanning, abbreviated VS, because they like abbreviations. They said, so thank you for your interest in our Cyber Hygiene Vulnerability Scanning service, period.
Steve Gibson [02:22:11]:
Enrollment in our CyHy VS service must be done by a person in your organization who has ownership or authority over the IP addresses to be enrolled. This individual should hold a position such as Chief Information Officer, Chief Information Security Officer, or a similar official capacity. If you are in this role, please proceed to navigate CISA's Cyber Services Cyber Hygiene Services, the beta version of our web-based enrollment system, to complete the following steps. First, create a Login.gov account. Login.gov is our trusted partner for secure and private access to CISA's online services, including cyber hygiene. The Login.gov account must use the same organization business email that will be used to complete the remaining enrollment steps. And actually, I don't think it does, but it didn't seem to matter.
Steve Gibson [02:23:14]:
Second, return to CISA's Cyber Services Cyber Hygiene Services page after logging in. You will now be redirected to the CISA Services portal for Ready, Set, Cyber. Use the navigation ribbon to go to Cyber Services, Enroll in Cyber Hygiene to return to the enrollment process. Third, complete account registration and organization's profile. Complete your organization's profile, enabling your organization to receive Cyber Hygiene and access other CISA services. And then finally, once you've completed the organization information page, you'll be redirected to a thank you page. Select the Enroll Now option to continue the CyHy VS enrollment process. This step includes collection of the necessary information to enroll in the CyHy VS service and serves as the authorizing document allowing CISA to perform the CyHy VS service for your organization.
Steve Gibson [02:24:15]:
For the IP address validation process, you will need to input and successfully verify the formatting of your IP addresses before continuing to the next page. Multiple IP addresses must be separated by comma or line break. If there are errors with the formatting, the system will display a modal noting— or modal meaning dialog error, I guess— noting how many errors. You will have the option to either go back and correct the errors or download a CSV file for editing if you have input numerous errors. If you have questions regarding your enrollment, please reach out to us at this email address. Best regards, Matt Leon, CISA Vulnerability Management Intake Team, blah, blah, blah. So I went back to CISA and logged in at login.gov, where I already had an account, you know, since I'm 70, soon to be 71, and I use login.gov for managing Social Security, renewing my Global Entry certification, and driver's license.
Steve Gibson [02:25:27]:
So I was then bounced back over to CISA where I filled out a modest and not very intrusive questionnaire. Just, I mean, it wasn't a lot to tell them. Around 10 minutes after completing that process, I received another email with the subject CISA Organizational Account Confirmation and an invitation button to complete the signup process. I may have done something there. I don't recall. But either way, you know, the email trail shows that 13 minutes later after that one, I received a final email with the subject Cyber Hygiene vulnerability scanning acceptance letter. I thought, huh, that was easy.
Leo Laporte [02:26:10]:
Congratulations, you got in.
Steve Gibson [02:26:13]:
The letter said, welcome to CISA's Cyber Hygiene, you know, CyHy vulnerability scanning, VS. Um, so, uh, they— these people really do love their abbreviations. The letter says, your CyHy VS acceptance letter has been processed and a copy of the letter has been attached for your convenience. Your organization has been placed in queue for inclusion into the CISA CyHy VS service. Scanning will begin as soon as your request file is processed in alignment with your requested scan start date. And that's so— and if not otherwise specified, scanning begins immediately. The letter continues, please keep an eye out for traffic. And actually, I did.
Steve Gibson [02:26:58]:
My log showed the scanning. Keep an eye out for traffic from CyHy VS scanning IPs, which will signal to you that scanning has begun. You will receive your first CyHy VS report via email on the Tuesday following the initial scan, which is based on your requested scan start date. The CyHy VS report will come from reports@cyber.dhs.gov. And then here's what was interesting. They said, overview of CISA's CyHy VS methodology. Cyber hygiene defines a host as having at least one open port and service. Scanning of hosts occurs continuously between each weekly report.
Steve Gibson [02:27:47]:
Cyber hygiene scan prioritization is as follows. Okay, so we have addresses, IP address, IPv4 addresses with no running services detected, and they say, parens, dark space, are rescanned after at least 90 days. So if there's an IP that seems dead, nothing responds that they could find, it only checks every 3 months. Hosts with no vulnerabilities detected are rescanned every 7 days. Hosts with low severity vulnerabilities are rescanned every 6 days. Hosts with medium severity vulnerabilities are rescanned every 4 days. Hosts with high severity vulnerabilities are rescanned every 24 hours. Hosts with critical severity vulnerabilities are rescanned every 12 hours. A single host may have multiple vulnerabilities of varying severity, which informs the frequency that a given host is scanned.
Steve Gibson [02:28:54]:
Presumably, the highest severity vulnerability found defines how often it is rechecked. And it finishes, need assistance? If you need to make changes to the information submitted in the acceptance letter to include updated IPs to be scanned, or you have any other questions pertaining to your CyHy VS service, please email us at vulnerability@cisa.dhs.gov. Then last Wednesday, the day after last week's podcast, when I didn't know if any of this was going to work, I received my first CyHy VS report. Now I'll admit I was actually somewhat surprised to see that CISA had not found anything critical to complain about. You know, like I thought maybe, but that's not to say that CISA did not find anything. They did complain that GRC's web servers would still negotiate and accept SSL/TLS connections using old and deprecated 64-bit block ciphers, things like Triple DES. And Blowfish.
Steve Gibson [02:30:10]:
Although not Blowfish, that was OpenSSL, but not in my case. That's just what people generally have: really old copies of OpenSSL, I'm sorry, OpenSSH, can use Blowfish and should no longer. So what caused my heart to initially skip a beat or two was that their report's headline was Urgent vulnerabilities detected. And I thought, what? So obviously that commanded my attention. Their report enumerates their findings by vulnerability description, uh, also whether it is known to be exploited, because as we know, CISA's KEV, right, K-E-V, known exploited vulnerabilities, that's one of their big deals. So they've got a column in the report for that, whether it's known to be exploited. Also whether ransomware is known to be exploiting it, uh, because obviously that drives an interest in that vulnerability and in being compromised by ransomware.
Steve Gibson [02:31:17]:
There's a column for its severity, uh, the host IP address and port where they found the vulnerability, uh, and the date and time of its initial discovery. In this case, all of GRC's web server IPs at the HTTPS port 443 share the vulnerability that CISA identifies as, quote, SSL medium strength cipher suites supported. And then in parens, they said Sweet32. That's the vulnerability's name. It is not, however, known to have ever been exploited. So in the column of known to be exploited, it's no all the way down. The reason is that the Sweet32 vulnerability and attack is theoretical. It's called Sweet32 because the theoretical attack has a complexity of 2 to the 32.
Steve Gibson [02:32:20]:
Meaning 1 in 4 billion or 4.3 billion. The "sweet" part of the name comes from the pun on "sweet sixteen" because it's a birthday attack. You need to do a whole bunch of things, recording all of them, and then looking for any collision between any two, thus the birthday attack. The vulnerability has its own website at sweet32.info, which explains the nature of the attack, writing, an important requirement for the attack is to send a large number of requests in the same TLS connection. Therefore, we need to find clients and servers that not only negotiate the use of Triple DES but also exchange a large number of HTTP requests during a single TLS connection without ever rekeying. This is possible using a persistent HTTP connection as defined in HTTP/1.1 with keep-alive. On the client side, all browsers that we tested—Firefox, Chrome, Opera—will reuse a TLS connection as long as the server keeps it open.
Steve Gibson [02:33:41]:
Okay, so it says a large number of requests during a single TLS connection, but exactly how large? In their own testing, to recover a 16-byte authentication token, you know, which might be an HTTP cookie, for example, a 16-character cookie, um, which would be two 64-bit encrypted blocks, because this is an attack on 16-bit block encryption. They needed to keep a single TLS connection established for 18.6 hours, during which their client pounded on the server with a storm of continuous small HTTP requests, finally transferring 705 gigabytes of data in the process. In short, at least for GRC, this is not a real problem. But that does not mean there's any way for me to defend GRC's now totally unnecessary support for this old and admittedly weaker than it needs to be Triple DES cipher today. So I very much appreciate the reminder nudge from CISA, and I've already tweaked the cipher suite configurations of GRC's various web servers so that the next time they're rebooted, their support for that long ago deprecated Triple DES cipher suite will disappear. You know, it hasn't been useful for a long time. It's only there because of inertia, but we know about inertia and security. So that's the story of GRC's establishment of an ongoing, very valuable, free vulnerability scanning service courtesy of CISA.
Steve Gibson [02:35:43]:
As I said, I cannot imagine why anyone listening to this podcast who's responsible for anything more than a single IP home network, or any sort of truly fixed, pre-assigned IPs which are pointed to by DNS, would not wish to immediately avail themselves of CISA's free scanning service. You won't know what might surprise you until you do. And even if you find nothing, that would be super useful to know too. If you do find something, it might be very important. And, you know, the more that's going on within a complex networking environment involving multiple departments and overlapping responsibilities and people who've been terminated and blah blah, we don't know what equipment they left running and different configurations, you know, the more of that there is, the more chance that something unsuspected may be there. So win, win, win, win, win.
Leo Laporte [02:36:46]:
That's my motto for the day. You won't know what might surprise you until you do. I love it. That's why it's a surprise. Surprise. SciFace found the GitHub repo for all this stuff. So I don't know if that means it's open source. I don't know if you could take the GitHub repo and compile it and make it be—
Steve Gibson [02:37:09]:
Well, why not have it done for you? For you.
Leo Laporte [02:37:11]:
Yeah. Well, why not? Exactly. But it's kind of cool that they've put this all online. Yep. 41 repositories on GitHub under CYHY. Nice. So you can at least see what they're doing. That's pretty cool.
Leo Laporte [02:37:27]:
There's a lot of shell scripts. There's shell and Python. Yeah.
Steve Gibson [02:37:32]:
It's running on their infrastructure. And, you know, I did get— so I got that one report that had that one vulnerability. Then a couple of days later, I got, like, a 34-page beautiful PDF that had charts and graphs and it was tracking vulnerabilities and, like, bar graphs and how long has this been around? I mean, it is really valuable. And the listener who put me onto this noted that this replaced for their insurance provider a service that they'd been paying $6,000 a year for. Right. And that was an annual scan. So something could be bad for a year before it would get seen.
Leo Laporte [02:38:18]:
So this is some, some enterprising person taking all this code, getting it running and making their own commercial version of this. It's open source, though. Yeah. CISA has its own. I love this. GitHub repository, CISA.gov. Commit today, secure tomorrow. Oh, I like it.
Leo Laporte [02:38:38]:
Oh, that's what they said. It's their motto. Yeah. Commit today, secure tomorrow. I've got another motto now. I've got two mottos from the last section of this show. That's pretty impressive. Uh, Steve, you are pretty impressive.
Leo Laporte [02:38:50]:
We appreciate it.
Steve Gibson [02:38:51]:
You won't know what might surprise you until you do.
Leo Laporte [02:38:55]:
Surprise. Steve Gibson's at grc.com. If you go there right now, you will find Spinrite, the world's best mass storage performance enhancing, uh, uh, repair and, uh, maintaining maintenance, uh, utility. I mean, just a really— everybody should have it if you've got mass storage. You need Spinrite. You'll find 6.1 there. That's Steve's bread and butter. You'll also find another new program he just wrote for a mere $10, you can get the DNS Benchmark Pro.
Leo Laporte [02:39:28]:
All of that at GRC.com. That's also where you'll find copies of the show. We, we have copies too, but Steve's got some unique versions, a 16 kilobyte audio version, which makes it a 60 kilobit, I should say, audio version, which makes it a very compact and a 64 kilobyte audio version, which sounds perfectly fine. He also has the show notes. Which he composes in a mass fit of energy every Saturday and Sunday. Caffeinated energy. Caffeinated energy, working very hard to get it out. And it's worth getting that 20 pages thereabouts every week.
Leo Laporte [02:40:07]:
You can, of course, download it from the site, but Steve also has a mailing list. I'll tell you how to get on that in just a second if you want to have it mailed to you automatically, get your little kick on Monday, see the Picture of the Week before everybody else does.
Steve Gibson [02:40:19]:
Or also, if you want to, in this case, submit your suggestion for the caption contest. That's right, baby.
Leo Laporte [02:40:27]:
Yeah. Uh, transcripts, uh, created by a nice human being named Elaine Ferris, available a few days after the show, also at grc.com. Now, if you go to grc.com/email, you can get your email address whitelisted so you can send Steve Pictures of the Week or questions or suggestions or comments. Many people do that. You'll also see right below the place where you put in your email address, two checkboxes, unchecked by default, but one is for the show notes, which he mails out automatically every Sunday or Monday before the show. And then below that, a very infrequent email that he sends out when he's got a new product. Have you used it yet? Not for this product, not for, for DNS Benchmark Pro.
Steve Gibson [02:41:09]:
No, I'm, I'm, I'm wrapping up some changes, uh, to get rid of that old ridiculous buy 4 copies and, and you're entitled to be a consultant. I'm replacing that with an explicit consultant license. Nice. Uh, and so I'm in the process, in assembly language, of updating our e-commerce system, uh, and then I will let everybody know because this final release of the benchmark, which everybody gets, uh, who's purchased it before... There's a very excited puppy here.
Leo Laporte [02:41:40]:
Yeah. Who can't wait to get a copy of that. He says, quick, give me a credit card, Dad.
Steve Gibson [02:41:45]:
Perfect timing.
Leo Laporte [02:41:49]:
We also have copies of the show at our website, twit.tv/sn. That's Burke's beautiful little Lily, who's just a sweet poodle, miniature poodle. She's very sweet. But Lisa came home and she started barking at Lisa. You can get it at twit.tv/sn. You can— there's a YouTube channel with a video. We have audio and video on our site. And there's also, of course, best thing to do, subscribe in your favorite podcast client.
Leo Laporte [02:42:14]:
You'll get it automatically, audio or video or both. And give us 5 stars. Give us a good review. Tell the world about Security Now. Everybody needs to be listening to this show every week.
Steve Gibson [02:42:26]:
It's really vital, especially on this week before the release of Hail Mary.
Leo Laporte [02:42:33]:
I have tickets to see it Thursday night, and I'm a little worried because our local theater— I'm, you know, I have mixed feelings about IMAX.
Steve Gibson [02:42:43]:
I don't actually like IMAX because it takes me out of the movie. I had a bad experience with it. I was like way— it was like just hard to see everything.
Leo Laporte [02:42:51]:
Well, even if you're sitting in the right spot, it's still big, and it becomes more about the movie theater than about the movie. So I'm going to see it in something called ScreenZ with a Z, where it's on the regular screen. I've done that too.
Steve Gibson [02:43:10]:
It's bad, Leo.
Leo Laporte [02:43:11]:
I have a feeling it's going to be. It was really easy to get tickets.
Steve Gibson [02:43:14]:
SpaceX or SpaceZ or something where it's on the side of the theater. It's on the side. It's not good.
Leo Laporte [02:43:20]:
They have special walls. I think you can ignore it. Well, if I can ignore it, then it's just like seeing the movie, right? You just go like this. Yeah, there's no real—
Steve Gibson [02:43:28]:
there's no necessary content there. Uh, Laura and I are gonna go on Monday in the, in the early afternoon so that I will have seen it before Tuesday's podcast. Yes, that was my thinking too.
Leo Laporte [02:43:39]:
I have to see it before Twit. Yeah, we both love the book. We love, uh, Andy Weir. Read it twice. Should probably get Andy on the, on the show to talk about the movie. We'll try to get Andy because He's been— I've interviewed him for every single book he's put out. So, um, I love Andy.
Steve Gibson [02:43:55]:
And so anyway, for our listeners, Project Hail Mary opens on Friday or Thursday night if you're—
Leo Laporte [02:44:01]:
oh, it is? Oh, the reviews are fantastic. Oh good, I didn't know that. Oh, I've been looking at them, super positive. I've been reading them because I don't want any spoilers, even though I read the book. I know what's gonna happen. I've read that twice.
Steve Gibson [02:44:13]:
Yeah, I had to have a refresher.
Leo Laporte [02:44:15]:
Yeah. Oh yeah, no, the reviews are very positive. Oh, people are saying this is, this is the best movie. You're gonna love it. I'm so excited.
Steve Gibson [02:44:25]:
So excited.
Leo Laporte [02:44:27]:
All right, Steve, we'll talk about it next Tuesday on, uh, well, no, uh, I won't.
Steve Gibson [02:44:32]:
You and Michael will. Yeah, but are you gonna talk about it on Sunday?
Leo Laporte [02:44:36]:
Yeah, probably. Sure. Okay, you know, as much as I can without spoiling it for anybody. Yeah. I'll give you my review. Okay. On Twitter. Yeah.
Leo Laporte [02:44:45]:
Steve, we'll see you next Tuesday. We do the show every Tuesday right after MacBreak Weekly, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. YouTube, Twitch, X, Facebook. I gotta hurry because he can't hold his hand like that. YouTube, Twitch, X, Facebook, LinkedIn, and Kick, or of course for our club members in the Discord. Thank you, Steve Gibson. And have a wonderful week.
Steve Gibson [02:45:08]:
We'll see you in 2 weeks, my friend, and Micah next Tuesday.
Leo Laporte [02:45:13]:
Security. Bye. Hey everybody, uh, Leo Laporte here, and I'm gonna bug you one more time to join Club Twit. If you're not already a member, I want to encourage you to support what we do here at Twit. You know, 25% of our operating costs comes from membership in the club. That's a huge portion, and it's growing all the time. That means we can do more, we can have more fun. You get a lot of benefits— ad-free versions of all the shows, you get access to the Club Twit Discord and special programming like the keynotes from Apple and Google and Microsoft and others that we don't stream otherwise in public.
Leo Laporte [02:45:53]:
Please join the club if you haven't done it yet. We'd love to have you. Find out more at twit.tv/club. Bit.ly/clubtwit. And thank you so much. Security now.