Security Now 999 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here with lots to talk about: Google's record-breaking fine from Russia (I don't think they plan to pay it); Firefox 132, some nice new features; a really bad exploit involving Windows RDP files; and then Steve's going to talk about his new product plans for his next paid product, for the first time announced right here. Next on Security Now. Podcasts you love from people you trust.
0:00:41 - Steve Gibson
This is Twitter.
0:01:07 - Leo Laporte
This is TWiT. Time for Security Now, the Election Day edition, with Steve Gibson, where we cover, uh, all of this. Oh, I got the wrong, uh, album art up there. I'll fix that, Steve. I'll cover all the latest security news, privacy news and AI news.
0:01:16 - Steve Gibson
Look at these two stickers. You voted, yeah, you voted twice. I got Lori's also.
0:01:21 - Leo Laporte
You know, vote early, vote often, that's right. I only have the one sticker, but, uh, yeah, there's something really satisfying about participating in our democracy, I have to say, and I always enjoy it, and, uh, this time was no different. Even though I did vote by mail, I didn't go in. Uh, it's just satisfying to put that in the mailbox and say I'm participating.
0:01:46 - Steve Gibson
I do appreciate California making it so easy. Whether you ask for it or not, you get the ballot in the mail. Thank you very much. And you get to do it three or four weeks ahead of time and drop it in the box and hope it doesn't catch fire.
0:02:03 - Leo Laporte
And then you're done. See, it's Security Now, everybody.
0:02:07 - Steve Gibson
Ah, very nice.
0:02:09 - Leo Laporte
I have fixed the album art, which means it's time for you to tell us what's ahead in the show.
0:02:13 - Steve Gibson
Okay. So, before I forget, I've been receiving some emails from people who say, hey, you're mentioning that you sent out the announcement about the podcast the day before. Yesterday it was the evening before, to 12,154 people, I believe, or the week before, it was the afternoon before. But people are writing, saying, I didn't get it, and I got them before, but I didn't get it. Anyway, what's happening is, I tracked this down. Some people's email services are, in an attempt to protect them from malicious links, link-following their email, like the links in their email, and unfortunately, my one-click instant unsubscribe really does work and there's no confirmation on it. You click the link and you're out, bye-bye, bye-bye, no warning. And so, apparently, people who are using Outlook, some people using Outlook: Outlook will protect them by fetching the links in their email. Well, when they fetch the instant unsubscribe, that's it. They're not going to get any more email from me.
So, everyone who's hearing this, who did not get yesterday or last week's or yesterday evening's email, I'm sorry, you were inadvertently unsubscribed by your overprotective email system. So please go back, resubscribe, and by this time next week, I'm sure this will be resolved. Um, I will have to take you to a page that asks, oh, you're sure you want to unsubscribe? And then you click yes. And now I understand why that's what everybody else does. You know, I wasn't doing that, and that was not good. It turns out you need to say, are you sure? Because that Outlook goes, oh look, isn't that nice. He's asking if they're really sure. So we're not going to...
0:04:25 - Leo Laporte
He's not giving them malware or anything. So the only Outlook that does is, I feel like Gmail has some unsubscribing. Well, Gmail makes it very easy.
0:04:34 - Steve Gibson
So the idea is, there is a standard where the one-click unsubscribe goes in the headers. I was also putting it in the body of the mail, and so that's what Outlook is going and finding: things that users could click on that might get them into trouble. Oh boy, do I have a really amazing piece of news about that here today. But in the headers, that's where Google will say, if you mark something, if you flag something as spam, you get a little dialogue that says, oh, would you like to? Or maybe it's if you just delete them anyway. Do you get an offer?
You get an offer from Gmail to unsubscribe from this list. Yeah, the reason it knows it's a list is that in the headers, unseen by recipient servers, would see, oh, that account hasn't been around for a decade and so the server itself would unsubscribe them. So it was great, it's sort of, you know, it's like automatically cleaned the email list for me. So anyway, we are at Security Now Episode 999, as you mentioned, Leo, and I should mention to our listeners, last week I noted I had not yet updated GRC's site to handle four-digit podcasts. I did that. Yay, we are prepared to wrap you. You had to do that.
0:06:26 - Leo Laporte
I had to do it. This was the last week For the longest time.
0:06:28 - Steve Gibson
This was why it was going to be all over. And boy, I didn't even realize it was going to be on Election Day when lots of things might be over.
0:06:36 - Leo Laporte
I think you had some prescience there saying you know, I think my last show should be Election Day 2024.
0:06:41 - Steve Gibson
That's right. Wow, did you pick that one? Okay, so we're going to talk about the interesting topic of AI being used for vulnerability discovery, which I think is going to be a big deal, and I don't want to step on my own story here, so I'm just going to leave it at that until we get there. We're going to talk about Google's record-breaking fine by Russia and wonder how many zeros does that number have? Also, uh, Russian television's, RT's, editor-in-chief admits that their hosts are AI generated. Oh yeah, probably because they sent all the actual hosts off to war.
Windows 10 security updates are set to end. That's for 22H2, set to end next October, or are they? When a good Chrome extension goes bad: we're going to look at a real-world event that occurred. Also, Windows, it turns out, will launch RDP sessions, Remote Desktop Protocol sessions, with an RDP launch file which can also configure your RDP client for full zero security. And we ask, what could possibly go wrong with that? Actually, something has. Firefox 132 just received some new features.
Chinese security cameras have been removed, well, more than half of them, from the UK. We'll check in there. And I know our listeners would not fall for this social engineering attack we're going to look at, but I bet you that lots of people would. Also, I'm going to announce GRC's next commercial software product, or at least semi-commercial software product. Talk about that a little bit. And then we're going to look at the prospect of AI, as I said, being used to analyze code to eliminate security vulnerabilities. Much as I recently suggested that AI running on the local smartphone may be the solution to allow us to preserve full end-to-end encryption by preventing bad stuff from being sent or received, I bet you that AI may be the solution to the security problem. And oh, Leo, have we got a picture of the week? Oh, it's a goodie.
0:09:20 - Leo Laporte
I love it. All ahead. Security Now 999 is underway, which would have been, if you're just joining us, the last Security Now until Steve changed his mind a year ago.
0:09:35 - Steve Gibson
You were many years, people were fretting and I was planning, but no, I'm not ready to go yet Congratulations.
0:09:44 - Leo Laporte
That's great. Our show today, we have a great sponsor, brought to you by DeleteMe, and if you listen to this show, you know how problematic data brokers have become. That national public database that was breached and hundreds of millions of people's social security numbers and emails and home addresses were, you know, basically given out to the bad guys. I think that's one of the reasons we're getting this spate of sextortion emails, Steve, with your name and address and phone number in it. I think it came from the NPD release.
You know who doesn't get those? Lisa. You know why? She uses DeleteMe, our sponsor for this segment. If you've ever searched for your name online and you don't like how much of that personal information is available, you may want to consider doing something about it. And maintaining privacy is not just a personal concern. It's a family affair. That's why DeleteMe has family plans, so you can ensure that everyone in the family feels safe online.
How does DeleteMe work? It reduces the risk of identity theft, of cybersecurity threats, harassment and more, and it works by removing your private information from these data brokers, from these sites on the internet that are collecting all these, like NPD. Lisa is not getting those exact same emails that I'm getting because her information wasn't in the NPD database. This is why... actually, it's not why we started using it. We started using it because of phishing scams, spear phishing scams, bad guys were using to target Lisa's direct reports. She's the CEO of TWiT and all of the people she manages were getting text messages saying this is Lisa, urgent. You know, I'm in a meeting, but I need some Amazon gift cards right now. Order them for me and send them to this address. Fortunately, our employees are smarter than that, but it did give us a little cause for concern, like how do they know what Lisa's number is, because it was Lisa's number, who she, what her company is, who works for her, who reports to her, what their phone numbers are? That's when we said, you know what, we need DeleteMe. How do you feel about compromised info and hacking and identity theft and spam? Uh, I mean, this is a nightmare, and we are very pleased that it's working for Lisa. I'm not so happy about myself. Maybe I need to sign up to DeleteMe.
Experts go out on the net and find and remove your information from hundreds of data brokers. They make it their specialty. They know all the data brokers, and this is a really tough job because there's new ones every day, but they make sure they get them all. And if you want to use it for your family, you can assign a unique data sheet to each family member that's tailored to them, with easy-to-use controls, so you can manage privacy settings for the whole family. You know, some people say no, no, I want to be on this site. I want to be on this site, but not this site. Here's the thing that I think is most important, the reason we went with DeleteMe. They don't just remove it the first time. They continue to scan and remove your information regularly, because these data brokers, there's new ones popping up, they repopulate their databases all the time. I'm talking addresses, photos, emails, relatives, phone numbers, social media information, property values and on and on and on. If you want to protect yourself and reclaim your privacy, do what we did: go to joindeleteme.com/twit.
Use the offer code TWIT, you'll get 20% off. That's joindeleteme.com/twit. Use the offer code TWIT, you'll get 20% off. That's joindeleteme.com/twit, 20% off with our offer code TWIT. And we thank DeleteMe so much for supporting the show, and we thank you for supporting the show by using that address, joindeleteme.com/twit. All right, Steve, I have prepared myself, steeled myself, if you will, for the picture of the week. Just hold on to your desk.
0:13:55 - Steve Gibson
It looks like something out of Alfred Hitchcock's Psycho. Wow. So I gave this one the caption "When handrails are not optional," and I truly wonder whether you could walk down these stairs without... You'd have to close your eyes. The stairs are normal, right? I mean, they're not abnormal, but they sure look that way.
The stairs are completely normal. Correct, the stairs are completely normal. Someone put the worst imaginable pattern of carpeting on these stairs. It's all full of like off axis. Crosswise it's horizontal stripes, but they're all kitty wampus is the technical term. Yes and oh, I mean you have to really focus in order to get down these things. So anyway, I've had this one for a while and I thought it was great. You could see the aisle that it goes down to is the same pattern and that's going to be okay. But, boy, when it turns around and goes 90 degrees and goes up the stairs, this looks like it's on a ship too.
0:15:09 - Leo Laporte
I don't want to make it worse, but imagine you're rocking on this thing. Wow, yeah, wow, not good, not good, okay.
0:15:18 - Steve Gibson
So it's a shame that our favorite Russian Internet watchdog, Roskomnadzor, is not the Russian entity that's been levying these fines against Google over its management of YouTube, since it would have been fun to say that name many more times during this reporting. We only get that once, but nevertheless this bit of news was too fun and bizarre to pass up. It seems that, by Russia's accounting, Google currently owes some large Russian media outlets a rather significant sum in fines. We noted last week that the few millions of dollars that the US's SEC had levied in fines against four publicly traded US companies would be unlikely to change those companies' behavior, because the fines fell far short of being significant for them. However, that's not the case here with Google and these Russian media companies. Quite the reverse, in fact. Here's the story as it was recently reported in the Moscow Times under the headline "Russia Fines Google 2.5 Decillion US Dollars Over YouTube Bans." They wrote:
The RBC News website reported Tuesday that Google has racked up some two undecillion rubles, which is the equivalent of 2.5 decillion US dollars, worth of fines in Russia, after years of refusing to restore the accounts of pro-Kremlin and state-run media outlets. You know, like Google just said no, we're going to kick this off of YouTube. RBC cited an anonymous source familiar with court rulings against Google. According to RBC sources, Google began accumulating daily penalties of 100,000 rubles in 2020 after the pro-government media outlets Tsargrad and RIA FAN won lawsuits, you know, Russian lawsuits, against the company for blocking their YouTube channels. Those daily penalties, get this, have doubled each week, and you know, when we're young, we learn about the power of compound interest, right? So these penalties are doubling each week, leading to the current overall, or one trillion trillion trillion rubles. $307 billion in 2023 is unlikely, you think, to ever pay the incredibly high fine, as it far exceeds the total amount of money on Earth. A total of 17 Russian TV channels have filed legal claims against Google, according to one of RBC's sources. Among them are the state-run Channel One, the military-affiliated Zvezda broadcaster and a company representing RT editor-in-chief Margarita Simonyan. YouTube, they write, which is owned by Google, blocked several Russian state-run media outlets over their support of the full-scale invasion of Ukraine. Authorities in Moscow retaliated with these fines, but stopped short of blocking YouTube outright.
On Thursday, the Kremlin called the fine against Google symbolic. I'd be inclined to call it embarrassing, but okay. Kremlin spokesman Dmitry Peskov told reporters at a daily briefing, quote, although it is a concretely formulated sum, I cannot even pronounce this number. Rather, it is filled with symbolism. In fact, it's also filled with zeros. In fact, this should be a reason for Google's management to pay attention to this and fix the situation. Google's management doesn't care, anyway. Finally, they said, this seems unlikely, given that Google's Russian subsidiary filed for bankruptcy in the summer of 2022 and was officially declared bankrupt last fall, and Google had earlier halted all advertising in Russia in order to comply with Russian sanctions over the war in Ukraine.
So yeah, fine them all you want. Double it every week. You're going to run out of zeros at some point. And, as I also noted at the top of the show, this editor-in-chief's name, Margarita Simonyan, was mentioned as one of the other 17 companies that have also recently admitted that many of RT's, you know, Russian television's, hosts do not exist and are entirely AI generated, along with their fake social media accounts, because I guess you got to, you know, if you want to respond to them interactively, get all engaged. They need to have a social media account to allow you to engage with them, with their fake AI hosts. Anyway, she predicted that journalism would disappear in the near future. You know, it already has in Russia, so maybe she thinks that's going to spread. Unfortunately, she may be right. We'll see.
A recent posting to the, and this is important for all of our listeners. Unlike that first one, that was just a little bit of junk food, yeah. A recent posting to the 0patch blog regarding next year's end of Windows 10 security updates contained a bunch of interesting related news. This included what Microsoft plans to charge end users who would rather remain on Windows 10 come next October, or may not be a matter of rather remain. They may have no choice due to what we know are Microsoft's arbitrary minimal system requirement policies for moving to Windows 11. So here's what the folks at 0patch recently wrote. Their blog post headline was "Long Live Windows 10 With 0patch," and their subhead was "End of Windows 10 Support Looming. Don't worry, 0patch will keep you secure for years to come." So they wrote:
October 2025 will be a bad month for many Windows users. That's when Windows 10 will receive will be to upgrade to Windows 11. Many of us don't want to or simply can't upgrade to Windows 11. We don't want to because we got used to the Windows 10 user interface and we have no desire to search for some button where it's been moved and why the app posting in shitification, including bloatware, start menu ads and serious privacy issues. We don't want to have an automated, integrated screenshot and key logging feature constantly recording our activity on the computer. We may have applications that don't work on Windows 11. We may have medical devices, manufacturing devices, point-of-sale terminals, special-purpose devices, ATMs that run on Windows 10 and cannot be easily upgraded. And, finally, our hardware may not qualify for an upgrade to Windows 11. Canalys estimates that 240 million computers worldwide are incompatible with Windows 11 hardware requirements, lacking Trusted Platform Module, you know, TPM version 2, supported CPU, 4 gig of RAM, UEFI firmware with Secure Boot capability or supported GPU.
So what's going to happen in October 2025? Nothing spectacular, really, they say. Windows 10 computers will receive their last free updates and will, without some additional activity, start a slow decline into an increasingly vulnerable state. As new vulnerabilities are discovered, published and exploited that remain indefinitely present on these computers, the risk of compromise will slowly grow over time and the amount of luck required to remain unharmed will grow accordingly. The same thing happened, they said, to Windows 7 in January of 2020. Today, a Windows 7 machine, last updated in 2020 with no additional security patches, would be really easy to compromise, as over 70 publicly known critical vulnerabilities affecting Windows 7 have been discovered since. Leaving a Windows 10 computer unpatched after October 25 will likely open it up to the first critical vulnerability within the first month and to more and more in the following months. If you plan to do this, at least make sure to make the computer difficult to access physically and via the network.
For everyone else, there are two options to keep Windows 10 running securely.
Option one: Microsoft's Extended Security Updates, which means another year, or two or even three, of security fixes for Windows 10, just like they've done before with Windows 7, Server 2008 and Server 2012.
Extended Security Updates will be available to consumers for one year only, until October 2026, for the price of $30. Educational organizations will have it cheap, just $7 for three years, while commercial organizations are looking at spending some serious money: $61 for the first year, $122, that is to say, twice that, for the second year, and $244, doubling again, for the third year of security updates, totaling $427 for every Windows 10 computer across three years. That's, you know, for the enterprise. In other words, to interject here for just a moment, the cost to have Microsoft repair the mistakes that it has previously made in the design and operation of their own Windows software will double for their enterprise users every year, but not for end users, who could apparently, maybe, it's not clear to me, maybe just pay for one year for $30, and then that's supposed to be enough of a bitter pill that you're pushed off to Windows 10.
So they continue. 0patch says: Opting for Extended Security Updates will keep you on the familiar monthly update and reboot cycle, and if you have 10,000 computers in your enterprise network, it will only cost $4 million, they said. If only there was a way to get more for less. Oh wait, there is. Option two: 0patch.
With October 2025, 0patch will "security adopt" (their phrase) Windows 10 version 22H2, the final release of Windows, and provide critical security patches for it for at least five more years, longer if there's a demand in the market. They wrote: We're the only provider of unofficial security patches for Windows and we've done this many times before. After security adopting Windows 7 and Windows Server 2008 in January 2020, we successfully took care of six versions of Windows 10 as their official support ended, security adopted Windows 11 21H2 to keep users who got stuck there secure, took care of Windows Server 2012 in October 2023, and adopted two popular Office versions, 2010 and 2013, when they were abandoned by Microsoft. We're still providing security patches for all of these.
With 0patch, you will be receiving security micropatches for critical, likely to be exploited vulnerabilities that get discovered after October 14th 2025. These patches will be really small, typically just a couple of CPU instructions, hence the name, and will be applied to running processes in memory without modifying a single byte of original Microsoft binary files. There will be no rebooting the computer after a patch is downloaded, because applying the patch in memory is done by briefly pausing the application, patching it and then allowing it to resume. Users won't even notice that their computer was patched while they were writing a document, in the same way that servers protected by 0patch get patched without any downtime at all. And just as quickly and easily, our micropatches can be unapplied if they're suspected of causing a problem. Again, no rebooting or application relaunching.
0patch brings zero-day, won't-fix and non-Microsoft security patches. With 0patch, you won't only get patches for known vulnerabilities that are getting patched on still supported Windows versions. You will also get zero-day patches, which are, they explain, patches for vulnerabilities that have become known and are possibly already exploited, but for which no official vendor, that is to say Microsoft, patches are available yet. We've fixed many such zero days in the past, for example, Follina, 13 days before Microsoft; DogWalk, 63 days before Microsoft; Microsoft Access Forced Authentication, 66 days before Microsoft; and EventLogCrasher, more than 100 days before Microsoft. On average, our zero-day patches become available 49 days before official vendor patches for the same vulnerability become available.
Then there's won't-fix patches: patches for vulnerabilities that the vendor, again Microsoft, has decided not to fix for some reason. The majority of these patches currently fall into the NTLM, you know, NT LAN Manager, coerced authentication category. NT LAN Manager protocol is more prone to abuse than Kerberos, and Microsoft has decided that any security issues related to NTLM should be fixed by organizations abandoning their use of NTLM. Microsoft therefore doesn't patch these types of vulnerabilities. But many Windows networks can't just give up on NTLM for various reasons, and our won't-fix patches are there to prevent known attacks in this category.
At this time, our won't-fix patches are available for the following known NTLM coerced authentication vulnerabilities: DFSCoerce, PrinterBug/SpoolSample, and PetitPotam. And finally, non-Microsoft patches. They wrote: While most of our patches are for Microsoft's code, occasionally a vulnerability in a non-Microsoft product also needs to be patched when some vulnerable version is widely used or the vendor doesn't produce a patch in a timely manner. Patched products include the Java runtime, Adobe Reader, Foxit Reader, 7-Zip, WinRAR, Zoom for Windows, Dropbox app and Nitro PDF. Though you're probably reading this article because you're interested in keeping Windows 10 secure, you should know that these patches are also available for supported versions of Windows, such as 11 and Windows Server 2022, and we keep updating them as needed. Currently, about 40% of our customers are using 0patch on supported Windows versions as an additional layer of defense or for preventing known NT LAN Manager attacks that Microsoft doesn't have patches for.
So what about the cost? Our Windows 10 patches will be included in two paid plans. 0patch Pro: suitable for small businesses and individuals, management on the computer only, single admin account, currently priced at €24.95 plus tax per computer for a yearly subscription. 0patch Enterprise: suitable for medium and large organizations, includes central management, multiple users and roles, computer groups and group-based patching policies, single sign-on, etc., currently priced at €34.95 plus tax per computer for a yearly subscription. And they conclude: The prices may be adjusted in the future, but if/when that happens, anyone having an active subscription on current prices will be able to keep these prices on existing subscriptions for two more years. Okay, so this was obviously a sales pitch, but that doesn't make this any less true or relevant. We know from our many years of covering 0patch these guys are the real deal and that they really do present a viable alternative to Microsoft's doubling-every-year extortion for the enterprise. So, in this instance, I don't mind this sales pitch, because it's easy to endorse what they're selling.
Microsoft has clearly made a strategic gamble to deliberately abandon its users to its buggy and vulnerability-ridden software as a clear means of sc.
New vulnerabilities always being introduced to this new operating system while older problems are still being resolved.
And let's not even get started on the fact that Microsoft's replay is an issue for Windows 11 users. So, considering that remaining on a platform that works and that you love, into which Microsoft will no longer be continually introducing new vulnerabilities and which will nevertheless continue receiving updates for any newly discovered critical security vulnerabilities, this is the niche 0patch has decided to fill, and I think that, for just 25 euros per year, which at the moment is around 27 US dollars per year, extending the security coverage of that beloved platform for a minimum of another five years, starting in October 2025, makes a great deal of sense. And, to top it all off, their on-the-fly RAM-based code patching system is significantly more user-friendly than Microsoft's nagging reboot-and-wait system. Windows 10 users still have a year to go before that final Windows 10 version 22H2 will need either third-party or extended Microsoft update help. This podcast will be somewhere around episode 1045 at that point, and, among other things, we should know a lot more about Recall by then.
0:38:43 - Leo Laporte
So anyway, I just wanted to let everybody know. Yes, I have some questions. So, first of all, 0patch, it sounds like, is patching in memory, not on the drive.
0:38:57 - Steve Gibson
Yes, you can't patch on the drive because that would break the signature of the files.
0:39:02 - Leo Laporte
Ah right, and so they would never load, so you have something running all the time. That's the 0patch tool that just loads in patches as needed.
0:39:14 - Steve Gibson
Yes, there's a 0patch agent which is small and runs, and when we've talked about this in the past, the patches are literally 23 bytes. I mean, they're a few instructions where they just fix the problem.
0:39:31 - Leo Laporte
Yeah, they just, you know. So all of the patches are their own. They are. How do they get... So Microsoft's releasing security patches, uh, and 0patch is duplicating those patches. Do they reverse engineer them? How do they know?
0:39:44 - Steve Gibson
Just like the bad guys do, in the same way that the bad guys do a delta on the pre and post patch code.
0:39:51 - Leo Laporte
That's all you have to do, I guess, huh.
0:39:53 - Steve Gibson
Yeah, you just find the thing that Microsoft changed, and so they say fine.
0:39:59 - Leo Laporte
Just what it is. Yeah, okay, it's an interesting business actually.
0:40:05 - Steve Gibson
I think it's a great business, and I mean, they've been around for a long time. If you search GRC's transcripts for… Oh, we've been talking about them for years. Yes, for 0patch, because they often jump in before Microsoft has an update and they don't charge you anything for need that Microsoft has not filled for something being exploited in the wild. You can get that from them for free. I mean, they're like Cloudflare in just having this feeling of being really good people.
0:40:53 - Leo Laporte
Well, they are going to sell it down the road, which is good, that's fine. Yeah, 24 bucks for a year of protection.
0:40:59 - Steve Gibson
Many people would rather do that than be forced to use Windows 11. Are you running it? Have you run it? No, no, because I don't believe any of this nonsense about you can't run old versions of Windows. I'm running Windows 7, I'm just fine. Those 70 vulnerabilities don't bother you? No, I just don't go to bad places.
You know my site doesn't have any, and you know, and, and I've got up-to-date browsers. Browsers are the big vector, the way stuff gets in. And, oh boy Leo, wait till you see one of the ways, a new way that people are being tricked. Let's take a break and then we're going to talk about what happens. A case in point of good extensions going bad in Chrome.
0:41:40 - Leo Laporte
Okay.
0:41:41 - Steve Gibson
Deal, but I recommend 0patch. I think everybody who's listening should take a look at it if the idea appeals to them. I don't see a downside.
0:41:52 - Leo Laporte
And I mean it keeps you running for as long as your apps continue to be secure. I mean, ultimately, that's what breaks it is, you know, the browser is no longer supporting Windows 10 or something like that, right? Yeah, very interesting.
All right, let's talk about our sponsor for the hour, a name you, I'm sure, are very familiar with: 1Password. You remember, uh, we used to do an ad for a company called Kolide, with a K, a company I really liked. 1Password acquired them, and they've Kolide, in conjunction with their own technology to create something they call 1Password Extended Access Management, and it is a very clever idea. Let me ask you a question I think I know the answer to.
If you're an IT department or in your business, you're in security. Do your end users always work on company-owned devices and IT-approved apps? Of course they do, right? They never bring their own phone or laptop in. They never run an out-of-date operating system, browser or, I don't know, Plex server on your company's network, right? Of course they do. So in that world of BYOD, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has figured out a very clever solution: Extended Access Management. It's more than a password manager. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM, too, cannot touch.
Imagine your company's security like the quad of a college campus. You've got nice brick paths leading between the perfect green lawn from ivy-covered building to ivy-covered building. Those are the company-owned devices, the IT-approved apps, the managed employee identities. It's all perfect. But, as with every college quadrangle, there are then the paths people actually use, the muddy little shortcuts worn through the grass that are actually the straightest line from building A to building B. You've got that on your network. Those unmanaged devices, right. The shadow IT apps, the non-employee identities. Like contractors, people bring in their own tools because they work better, right, they're the shortcuts.
But the problem is most of the security tools only work on the happy brick paths and most of the security problems take place in the little muddy shortcuts. That's why you need 1Password Extended Access Management. It's the first security solution that takes all those unmanaged devices and apps and identities and puts them under your control. It assures that every user credential is strong and protected. But then it goes an extra step, making sure that every device is known and healthy and every app is visible. It's security for the way we really work today, not the fancified, perhaps for everything we're perfect way that some security companies want it to be. It gets down there on those muddy paths. Now it's generally available to companies that use Okta or Microsoft Entra for authentication. They are in beta for Google Workspace customers and it's a great way to up your security. Check it out at 1password.com/securitynow. That's the number one, P-A-S-S-W-O-R-D dot com slash securitynow.
I know everybody knows and trusts 1Password. I think you'd be very interested in what they've done with this really cool product, 1Password Extended Access Management. Find out more at 1password.com/securitynow. We thank them for their support and you support Steve and his good work too by using that address, so they know you saw it here: 1password.com/securitynow. Steve, back to you.
0:45:37 - Steve Gibson
Okay, so we have another example of a popular Google Chrome extension, with more than 100,000 daily users, suddenly becoming malicious. The extension known as Hide YouTube Shorts has been found to be performing affiliate fraud and collecting and transmitting the browsing history of every one of its users. Find YouTube shorts.
0:46:08 - Leo Laporte
Hide YouTube shorts, hide your shorts, that's right, okay, and apparently that's a thing.
0:46:13 - Steve Gibson
Anyway, I'll get to that in a second. Okay, so security researchers say that the extension appears to have turned malicious, not surprisingly. We've talked about this a lot after it was clearly a thing, since there were many other similar extensions listed as alternatives whose names similarly suggest that they do that also. But in any event, in response to questions, the extension's new owner defends the overreach of the extension's privileges by saying that in the future there might be the need for more latitude. The brief write-up from the researcher, who took the time to dig into this, was interesting. He wrote: What initially piqued my suspicions were the strange search suggestions on YouTube, completely unrelated and disconnected from the context of my searches, sometimes in foreign languages. However, after analyzing the traffic in the browser tab and developer console, I didn't notice any suspicious activity. It was only after I started debugging the extension that I noted suspicious network activity and requests being sent to an unknown external service containing the addresses of all visited sites and unique identifiers. Does what it says it will do, but in the background it collects and sends information about all visited pages to an external server hosted on AWS. The information that the extension collects and sends includes a unique user identification number, installation number, authentication token, language, timestamp and full URL with path and arguments and parameters, which allows reading the information in the address bar, including, for example, search history and search terms. Some users in the reviews on the extension page in the Chrome Web Store also indicated the possibility of redirecting, that is, being redirected, to phishing pages. Due to the malicious nature of this extension, I do not know what other information it could have collected before, but due to the wide permissions of the browser extension, it should be assumed that it could also read information transmitted in forms, including credentials, logins, passwords, personal and sensitive data. Such data can be used for a wide range of attacks. Yeah, so anyone who has used such an extension should assume that all data viewed and transmitted, and again, 100,000 users per day.
The extension was originally developed, he wrote, by a single developer who maintained the source code on GitHub. However, the GitHub repository was archived on September 12th, 2022. I'm sorry, 2023. And the plugin was acquired or maybe sold to another developer, he said. I have not analyzed everything to the extent I would like, especially earlier versions, to find out when the malicious change was made, although it seems that the first developer, for some reason, decided to use the all pages reading model. When the extension was just entered, I'm sorry, when the extension was just entering the Google Web Store, he wrote, I analyzed its behavior and did not see similar problems with it. So indeed this did happen downstream at some point. He finishes: I have no doubt about the intentional nature of the current developer's actions, and as his responses to comments about the extension's permissions being too broad clearly demonstrate his intent.
So once again, the caution would be, you know, our takeaway from this would be to attempt to minimize the use of browser extensions. We know that by, you know, by far, for the most part, extension developers are well-meaning and acting above board, but we also have incontrovertible evidence that there are also malicious actors swimming in these waters. It becomes a numbers game where, statistically, the greater number of extensions being used, the greater the chance that one of them might be malicious. And I still, I just haven't had any time to dig into uBlock Origin further. For example, if you wanted to block YouTube Shorts, uBlock Origin would just do that by using the dropper and clicking on something in YouTube Shorts and they would just go away. I've had anecdotal reports of that in feedback from our listeners. So you probably don't even need more special purpose extensions. You probably just need to better utilize uBlock Origin. At some point, I'm going to make time to do that for us.
0:52:10 - Leo Laporte
It's just a CSS div, probably that you could you know. If you knew the name of it, you could just block it automatically. Exactly that, yeah.
0:52:18 - Steve Gibson
Yeah, and in fact that little, the, the little dropper thing, finds that for you, it's the div yeah just yes, exactly, and just does that and creates a rule. Yeah, so anyway, the fewer the better when it comes to extensions. Okay, this is one. Oh boy, oh boy. We all know the trouble Windows has had over and over and over, over something as simple as .lnk link files. I mean, Leo, you were covering these before the Security Now podcast on your weekend show.
0:52:59 - Leo Laporte
Anything you double-click, that does something is always risky right uh-huh.
0:53:04 - Steve Gibson
so the exploits of those have been epic, you know, and we've lost count of the number of times they've been fixed in air quotes, only to rear up again. You know, some design, some, some design concepts, are just bad and are notoriously prone to abuse. And Leo, you just summed it up Anything you can double-click that's a Windows RDP file to pre-configure and launch a remote desktop session. It's like Microsoft never learned anything from the past and, as we know, those who do not learn from the past are destined to repeat it. Ok, so the generic tech press reporting on this just said Microsoft says that a notorious Russian cyber espionage group is using a clever OK, clever new technique to compromise victims and deploy malware on their systems. The technique involves sending malicious RDP configuration files to victims.
0:54:49 - Leo Laporte
But it's convenient and this is the real reason we do it. It's so simple. Yeah, it's so simple.
0:54:54 - Steve Gibson
Microsoft has attributed the operation to Midnight Blizzard. Remember, they're the people who got into their email. Also, they don't like the Midnight Blizzard people. No, they don't. A cyber unit inside Russia's SVR foreign intelligence service used the new technique since October 22nd and has targeted individuals in government, academia, defense and NGOs across the US and Europe. This is the same campaign that was spotted by AWS and CERT-UA. Okay, now, since the inherent insecurity of this entire design was just too much to believe, I went to the source, where Microsoft themselves explain. They said: On October 22nd, 2024, Microsoft identified a spear phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. These emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services and the concept of zero trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate, because you can get those for free.
0:56:25 - Leo Laporte
Yeah.
0:56:26 - Steve Gibson
RDP configuration, you know, .RDP files, they wrote, summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. Imagine that. Let's make that easy. Let's make it one click of the local system to a remote server controlled by the actor where we insert what could possibly go wrong.
0:57:01 - Leo Laporte
I'm sorry I missed my cue.
0:57:02 - Steve Gibson
It's okay, we'll have a few more by the time we're done here. Oh good. In this campaign, the malicious .RDP attachment contained several sensitive settings that would lead to significant information exposure. Once the target system was compromised, it connected to the actor-controlled server. Oh, and, by the way, where they say was compromised, they're being quite kind. By that they mean when the user received the email containing the .rdp extension and clicked it, that now that qualifies as you have just compromised your computer, baby. Jeez, because you clicked on a file that your email wasn't trained to block. Notice that you can't send EXEs anymore. Those die an immediate death. If you try to email someone an EXE, there's just no hope. But RDP, yeah, have at it.
0:58:09 - Leo Laporte
I would submit that your computer was compromised the minute you enabled RDP.
0:58:14 - Steve Gibson
Well, it's enabled by default and that's another one of those should be. Here we go. What could?
0:58:21 - Leo Laporte
possibly go wrong. I didn't miss that one okay.
0:58:25 - Steve Gibson
So, as they say, once the target system was compromised, meaning the user clicked on something in email, which is all it takes to compromise Windows these days, it connected to the actor-controlled server and bidirectionally mapped, this is Microsoft, and bidirectionally mapped the targeted user's local device's resources, meaning hard drives, to the server. Bidirectionally mapped means not only can you know, you can read it and write it. That's right. Resources sent to the server may include, but are not limited to, this is Microsoft saying this, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio and authentication features and facilities of the Windows operating system, including smart cards. Basically, you've just given them your everything, access to your entire system. Yeah, they, and Microsoft wrote this.
Access could enable the threat actor. Okay, the only way it wouldn't is if they were literally asleep when this mapping occurred. Otherwise, oh, could enable the threat actor to install malware on the target's local drives. Actually, it's probably automated, and so they can be asleep and it'll happen in their sleep. And mapped network shares, particularly in auto start folders. Oh, so they have those too. Or install additional tools, such as remote access Trojans, to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the signed-in user to the target system. This is again Microsoft writing. When the target user opened the RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including files and directories, connected network drives, connected peripherals, including smart cards, printers and microphones, web authentication using Windows Hello. Right, protected by Recall, don't worry, you're safe. Oh right, Windows Hello, not safe. Passkeys or security keys, clipboard data, point of service, also known as point of sale, or POS devices, and they go on and on and on.
In their blog posting, Microsoft goes into detail about the attacks and provides pages and pages of IOCs, indications of compromise. Under their mitigation section, they have pages of things that can be done to keep this from happening. I have an idea: how about never building this inherently incredibly dangerous and abuse-prone facility into Windows in the first place, which is, I think, Leo, the first thing you suggested upon hearing this? If it's not there, there's nothing to abuse. Seriously. Is it necessary?
1:02:12 - Leo Laporte
to have an RDP file type that causes a machine to configure to a maximally insecure state and connect to a previously unknown remote server.
1:02:19 - Steve Gibson
It's there for remote support, right? Well, I use RDP extensively and, yes, RDP saves its connection profile settings into individual .RDP files, and that can be useful. But when those files are given the capability to initiate a connection on their own, this becomes an extremely dangerous design pattern. If they're going to exist at all, such files should be tightly bound to the machine that created them, not something that can be received in the mail and then clicked on by an unwitting user. Microsoft loves storing things in the registry. So RDP settings for the local machine could be retained there instead of in individual RDP files, and then this problem would not exist.
Handy as it inarguably is, there's just no safe way to send somebody, anybody, a file that, when executed, causes their machine to connect to any foreign, unknown machine with all of its local resources shared. There just isn't. There's no safe way to do that, you know. At the very least, this facility should be firmly disabled by default for everyone, and then only those few people who actually need to do this should then be forced to jump through some hoops to enable it on their machine only, and even then possibly only for some self-limited time, and if that were the case, Russia would have never bothered to create this, because it would be off for 99.999999% of the people in the world. You know, I hope everyone knows to never click on anything received in an email, even if it appears to have been sent from someone you know and trust. We can now add another to the long and growing list of email-based exploits. Emailed attachments are too useful to ban outright and unfortunately, clever bad guys keep finding new ways to abuse this useful capability.
1:04:44 - Leo Laporte
But, man, an RDP link is so powerful. Now I don't allow port 139 on my router.
1:04:52 - Steve Gibson
Most people probably don't, but I guess because it's an outbound request, your firewall is not going to stop and it runs on 6800 or it runs on a high port number, as I recall also.
1:05:07 - Leo Laporte
But it doesn't matter, because you're outgoing saying hey, Russian server, come on in.
1:05:12 - Steve Gibson
And you can bet that Russia has their port wide open listening for anybody to connect. And, Leo, this started on October 22nd, meaning that thousands of emails went out to hundreds of companies, highly targeted, looking legitimate. People clicked on them and they got themselves immediately compromised. That's how bad guys then get a foothold inside an enterprise and talk about a foothold. I mean, this is a body hold. Yeah, you own it. Yes, wow. And speaking of owning it, Leo, let's give our listeners a chance to own something and then we will continue.
1:05:58 - Leo Laporte
You're not anxious to get to some other. I have the TV on here, Steve. You're not missing anything. That's not fair. There's nothing going on.
1:06:09 - Steve Gibson
No polls are closing on the East Coast.
1:06:11 - Leo Laporte
You've got at least an hour before Georgia closes, so you're good. This is the fastest-paced show we've ever done. I can't keep up. Okay, we'll have some more great stuff coming from Steve. As always, Steve's amazing with the quality of the information you get here, and we thank our sponsors for making it possible.
Like BigID. You know about BigID, I've talked about them before. They are the leading data security posture management solution, DSPM. Have you ever heard of that? It's the only DSPM solution that can uncover dark data, that can identify and manage risk, can remediate the way you want and scale your data security strategy through unmatched data source coverage. BigID seamlessly integrates with your existing tech stack, which is nice because you can then use it to coordinate security and remediation workflows, take action on data risks. All the actions, you know, annotate, delete, quarantine and more based on the data, and, of course, it maintains an audit trail so every action is recorded. The partners that it works with are every, just say everybody, but I'll mention a few: ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, and on and on and on. With BigID's advanced AI models, you can reduce risk, accelerate time to insight and gain visibility and control over all your data. BigID is so good at finding this dark data that they equipped an organization that probably has more data and more little hidey holes than any other: the United States Army.
The US Army used BigID to find that dark data, to accelerate cloud migration, to minimize redundancy and to automate data retention. Listen to the quote. This is from US Army Training and Doctrine Command. This is an amazing quote. The first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings. Now, remember, this is the Army. Think of what kinds of data I mean. They said, including structured and unstructured data across emails, zip files, SharePoint, databases and more. To see that mass and to be able to correlate across those is completely novel. Again, quoting the US Army Training and Doctrine, I've never seen a capability that brings us together like BigID does. That's a pretty nice endorsement. When they told me that, I said can I please read that, because if the Army says it and is willing for you to hear it, that's a pretty big endorsement.
CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc 5000 and Deloitte 500. Two years in a row, they are the leading modern data security vendor in the market today. All right, I got to give you one more. This is from the publisher of Cyber Defense Magazine. Quote: BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.
1:09:40 - Steve Gibson
That's.
1:09:40 - Leo Laporte
BigID, start protecting your sensitive data wherever your data lives at bigid.com/securitynow. And, by the way, the Army and CNBC and all the rest just scratch the surface. Go to the website. You will see all of the accolades, all of the people who give BigID thumbs up, all the references. It's pretty darn impressive. bigid.com/securitynow. You can also, while you're there, get a free demo to see how BigID can help your organization reduce data risk.
And, by the way, finding all that data, knowing what that data is and where it is, is part of the process of accelerating the adoption of generative AI. Right, because you don't, I mean, think about the Army, there's stuff there that's top secret, right? You're not going to put that in the AI. So being able to see it all, know where it all is and control it is so important. bigid.com, B-I-G-I-D dot com slash securitynow. And speaking of AI, there's a new free. They have lots of reports, lots of white papers, but I noticed there's one that will give you insights and key trends on AI adoption challenges and the overall impact of Gen AI across organizations. Of course, they know all about that. bigid.com/securitynow. Thank you, BigID. Thank you very much for the job you do. I guess I should say thank you for your service and thank you for supporting Security Now. We really appreciate that. bigid.com/securitynow, Steve.
1:11:13 - Steve Gibson
Okay, we got a new Firefox. We're now at 132. It adds some new features and security fixes. The biggest new feature in 132 is support for a post-quantum key exchange mechanism under TLS 1.3. And they also block favicons if they're loaded via HTTP.
Back when we were looking at Firefox's third-party cookie handling, there was a great deal of confusion since Firefox's UI, we talked about it at the time on the podcast, Firefox's UI and its behavior, its actual, demonstrated, demonstrable behavior, appear to be at odds with one another. So among the improvements that we got in 132, I was pleased to see the sentence, quote, Firefox now blocks third-party cookie access when Enhanced Tracking Protection's strict mode is enabled. So that's what everyone thought it was doing, but we saw that it wasn't. It is now. So, as we suspected, you know, GRC's cookie forensic system showed what was happening and that's been fixed in Firefox 132, which everybody probably has. As I mentioned at the top of the show, under the sad but understandable category of we don't trust camera-equipped black boxes made in China, we have the news, really.
1:12:51 - Leo Laporte
Yeah, okay.
1:12:57 - Steve Gibson
We have the news that the, we talked about DJI drones as one example of a camera-equipped black box.
We have the news that the UK government now says that over 50% of all Chinese-made security cameras have been removed from sensitive sites such as government buildings and military bases. The government says it expects removal to be completed by April of next year, 2025, despite the fact that the removal was initially ordered well back in November of 2022, as we covered at the time. And I was thinking, wow, you know, it took them until now to get rid of half of them. But then I thought, okay, there's probably a long procurement cycle for such things, so it took some time to get the replacement cameras in the pipeline and, as we know, UK officials ordered all sensitive sites in the UK to remove all Chinese-made cameras, citing national security concerns, because anything is possible and basically, that's it, right, no evidence, but anything's possible. So, yeah, I think certainly first for sensitive installations.
1:14:07 - Leo Laporte
That makes sense I'm not sure I would announce that. Oh, we've removed half of them.
1:14:11 - Steve Gibson
Yeah, yeah, yeah, let's start using the other half before they. Yeah, exactly.
1:14:19 - Leo Laporte
Hey, good news Half of them are gone.
1:14:21 - Steve Gibson
That's right, okay. Now Leo, yes, okay, and I know that our listeners are savvy. Yeah, I was first tempted to call this the there's a sucker born every minute attack in honor of P.T. Barnum, but upon further reflection I think that would be too harsh, because this is actually a rather clever and horrific form I think I would far fall for this.
1:14:52 - Leo Laporte
I hate to say it it again.
1:14:54 - Steve Gibson
I I can see people like I know lots of people who would definitely A very clever form of social engineering attack and I think it might ensnare many non-suckers. So it's not the sucker born every minute, it's that, you know. Maybe it's a little more than do you have a pulse, but still not much been, and probably never will be, completely certain or confident about how any of this magical hocus pocus stuff works. Mostly right, they just follow the instructions and do what's asked of them and hope for the best. And that's why I can understand why this new and rather blatantly obvious to techies exploit is actually succeeding out in the wild and it's horrifying to contemplate. Okay, it begins with a faked CAPTCHA pop-up, which, of course, we're all seeing now. So it starts.
You get something you expect to see right, like okay, I'm going to have to prove that I'm not a robot.
1:16:21 - Leo Laporte
It even says reCAPTCHA, which is legit.
1:16:24 - Steve Gibson
Right, right. So in this case it was used where somebody wishes to watch a video. They need to click on the CAPTCHA button to start authenticating that they are human. Okay, but this click that the user makes actually runs. It's created by JavaScript and it runs a bit of JavaScript which places a dangerous PowerShell executable string onto their Windows clipboard. Oh my God, JavaScript is able to read and write the clipboard. So when you click on this, it puts this PowerShell script onto your clipboard and it uses an encrypted command tail that PowerShell will decrypt. So it just looks like gobbledygook, like, okay, whatever. Okay, after pasting this Trojan-invoking PowerShell script onto their clipboard, it then displays the remaining instructions they must follow to ostensibly prove their humanity. Okay, well, they are definitely about to prove their humanity, but not in the way that they intend. Get this. The pop-up reads: Verification steps. Press Windows button, and then it shows you that little Windows, you know, four window pane icon, plus R. Oh, I wouldn't fall for this part. I know again. Okay, but but we know what people who would right?
1:18:03 - Leo Laporte
sure, because most people don't know what windows are and control don't have any clue what any of this is about right now?
1:18:10 - Steve Gibson
step number two press control V. Step number three press enter Step number four what could possibly Wow so?
Windows plus R brings up the Windows run dialogue with its, you know, what would you like me to run field highlighted. Right. Control V pastes this horrendous PowerShell EXE command into the system's clipboard. Well, from the system's clipboard into that run field, so that the run field now contains the executable PowerShell script to download and install and run Trojan malware on their computer. And then this all culminates when they follow the final instruction of pressing enter to, as Picard would say, make it so. Again, as I observed, none of us would do this. But again, most people don't know what any of this is, so they're just following the steps because they want to see the video, they want the carrot, and so wow.
1:19:28 - Leo Laporte
Fortunately, windows key R does nothing on a Macintosh, so I'm safe, You're safe.
1:19:37 - Steve Gibson
Oh, you in the minority.
1:19:39 - Leo Laporte
The minority is growing and it's because of things like this. I'm convinced, but okay, go on. Wow, yeah, yeah.
1:19:46 - Steve Gibson
So, anyway, I don't know what to tell our listeners. I know none of our listeners would fall for this, but I know they know people who would. Oh yeah, oh yeah, oh yeah. So you know, wow, it's bad enough to be forced to click things, like forced to click things in your browser when it could be a spoofed window. Our browsers are designed to try to minimize the damage, but it's possible for JavaScript to put something on our clipboard and then these instructions basically say oh, thank you, here's what we want you to do now, and it involves getting that thing to run, which those keystrokes will do. Wow, okay, I said last week that I wanted to announce the next big thing I'm working on, oh boy, is doing link following to protect people from malicious links and, in the process, unsubscribing people from their mailing list. So I'll fix that in the next day and then it's on to what comes next.
Also, oh, and I forgot to mention last week, one of the email system's originally missing features was the capability to allow its users to easily update and migrate their email addresses at any time they may want to. My original thought was that, since an email account didn't have anything other than zero, one or two subscriptions associated with it, anyone could simply delete their old account under their old email and then create another one under their new email, so not really a need to explicitly rename their existing account. I saw very high spam complaint rates when initially mailing to SpinRite's owners from 20 years ago who were like what the heck is this? I migrated SpinRite's purchase data into the email system which allowed me to send email which opened with the line: Back in 2005, someone named Joe Schmo at this email address purchased SpinRite. And, as I mentioned at the time, that had a profound effect upon the spam complaint rates. Suddenly everyone was like oh yeah, I remember that. Anyway, now the email system is able to handle updates. The email system knows about SpinRite owners, so there is more actual data contained in an account and I'd like to keep it there. To the email management page, which any of our listeners will see next time they go there, like to resubscribe to the Security Now podcast, which they were just mistakenly unsubscribed from. So I want to let everyone know that since they last visited the email management page, editing has been added. Once that was done, I was then able to address the final remaining loose end of the SpinRite 6.1 documentation offering, which was to create a video walkthrough demonstration of showing SpinRite in action.
Since booting DOS and using a textual user interface is becoming increasingly foreign, I wanted a way to allow someone who might be considering whether to purchase Spinrite to get a quick and clear sense for what it looks like when it's running. So that now exists. I posted it on my YouTube channel, I posted it over on GRC, so it's hard not to find it. And if anyone is curious, there you go. And that brings me to the announcement that I teased last week.
As I've mentioned a number of times, grc's number one by far I mean far, 9.3 million downloads so far most popular software of all time is the DNS Benchmark. I have been astounded by its popularity. When I was putting the show notes together, I guess it was Sunday it had been downloaded 9,313,642 times and around 1,600 downloads per day. 642 times and around 1600 downloads per day.
The benchmark pages have a page that solicits feedback, and I am constantly receiving requests for new features of encrypted and privacy-protecting DNS using encryption. DoH, DoT or DNSCrypt compares with regular plaintext DNS. Is it slower, is it faster, what? And despite the glacial progress of IPv6, as we talked about last week, many people are requesting that I add support for IPv6 to the benchmark, and actually I think that makes sense, because when IPv6 is available, our systems use it preferentially. So you may be using an IPv6 DNS server which the benchmark won't benchmark. So other great ideas have been to allow the benchmark to verify the domain filtering being done by services like NextDNS, and others have been wishing to avoid local domain name blackouts where the DNS services they're using don't let them access sites they want to, so the benchmark could be used to help them locate servers that would allow them to get access to those sites.
So, anyway, the other thing I hear more generically is that people would like to have a way of supporting my continuing work here, you know, on all things GRC, you know, newsgroups, forums, ShieldsUP, DNS spoofability tests, all the freeware that I write and I'm able to offer, and everything else. So I've decided that my next project before I create Beyond Recall for, you know, super fast, super secure data deletion, which will precede the development of SpinRite 7 for Windows, will be to revisit the DNS benchmark and to give it a major version 2.0 update. There will still and always be a free release available, like it is now, but I would like it to be able to support itself if it can, and I think it should be able to, based upon its observed popularity. So I plan to offer all those new features for $9.95 in a plus edition and also, for the real DNS pro guys, a pro edition for $19.95, which will do a whole bunch more: run as a service, background logging, lots of long-term charting and a bunch of other stuff.
1:27:29 - Leo Laporte
So anyway, that's the plan. Count me in when is it available.
1:27:33 - Steve Gibson
Well and that's my hope, is that I'm going to, because it's an update to an existing product. It's not going to be a long time coming. World appears to be going that way. The agreement I'll be making with the purchasers of the benchmark is that they only ever pay once and they own it and its future of that edition forever, without ever any additional cost. So, if it succeeds as it might, it would create a revenue stream that would justify its ongoing improvement over time and continuing development as new DNS-related technologies arise. So, anyway, I will have a substantial new, a pair of an upgrade to the freeware that will still be available. And then, for people who want more, you know, for less than 10 bucks, well, not much less, $9.95, you can get that and own it forever and its entire future. So that's my story.
1:28:46 - Leo Laporte
It's smart to have the $9.95 and then the next one up, because I know that everybody looking at that's going to go well, for 10 bucks I can get Pro, but I want the super duper edition for $20. Because that's $20.
1:29:00 - Steve Gibson
And actually I got that thought from John Dvorak, who he and I talked like just sort of. He wrote to me. Well, he wrote to me and then we ended up having a couple-hour conversation because he wanted to know what email system I was using because he was leaving monkey mail whatever that thing is called Chimp mail.
1:29:38 - Leo Laporte
Anyway and the point he made was he said you know, don't put a cap on what people can pay you, because they might want to pay more. He's done very well with that, I might add, good.
1:29:42 - Steve Gibson
All right, okay, so let's take our last break. Yes, and then we're going to talk about AI's application in security vulnerability discovery, and I have an episode 999 sort of editorial to lead in on that with. Oh good, so good stuff.
1:30:07 - Leo Laporte
The good news is 999 is not the last Indeed not.
1:30:14 - Steve Gibson
Next week for episode 1000.
1:30:15 - Leo Laporte
Or are you going to do it in hex? I don't know what he's going to do. What would that be? I don't know, I don't know. Uh, our show today brought to you by Melissa. This much I know, they have been the trusted data quality expert since 1985, longer than we've been doing this show, that's for sure. With Melissa's debut in the Stripe App Marketplace, this is really cool, Stripe customers now have access to the same data quality services leveraged by large global enterprises every day.
Key features, and this is just one of many Melissa integrations, but let's talk about the Stripe integration. Key features include address validation. The app validates global addresses at both the customer and invoice levels, and that's all within Stripe, without leaving Stripe. Auto-completion capabilities reduce the number of keystrokes required and, of course, eliminate fumbled-fingered errors. Only valid addresses enter the database, your database. User-friendly? You bet. Of course it is. Users can easily configure the app with a few steps, with support for both customer accounts and invoice level validation. The app offers smooth management of API keys and subscriptions, facilitating transitions from free to paid services. And of course, it's Melissa, so you get comprehensive support and quality assurance. Users have direct access to Melissa's experts, ensuring high quality service and support. Melissa's amazing. Enhancing operational efficiency, boosting customer satisfaction and maintaining overall financial health, those should be strategic goals for any forward-thinking business, and if you're a business that relies on Stripe, you're no exception. And now you have an ever-expanding tool set at the ready with Melissa.
Melissa's amazing. Melissa's services, by the way, understand compliance like no other. That's important, right? You want to make sure that your data is safe. With Melissa, you get secure encryption for all file transfers and an information security ecosystem built on the ISO 27001 framework. Adherence to GDPR policies, SOC 2 compliance. Of course, they do it right. Get started today with 1,000 records cleaned for free at melissa.com/twit. We love Melissa. They've been with us for a long time. We're glad to see they'll be coming along in 2025 as well. melissa.com/twit. Thank you, Melissa, for supporting Security Now and thank you, dear Security Now listener and viewers, for supporting us by going to that address and that address alone. So they know you saw it here. melissa.com/twit. Okay, Steve. Vulnerabilities.
1:33:00 - Steve Gibson
On the occasion of episode 999 of this Security Now podcast, I want to take a minute before we talk about something Google recently announced, where AI was used to discover an important vulnerability in a widely used piece of software, to put AI into a broader context. By now I'm sure our listeners have correctly determined that we are indeed on the verge of something truly transformative and I'm very glad I'm still, frankly, alive to watch this happen.
1:33:47 - Leo Laporte
Seriously, no, my parents Very science fiction futurism, isn't it? I mean it is and it's happening, yeah.
1:33:53 - Steve Gibson
I mean it is and it's happening, yeah, you know, and my parents and a bunch of my close friends who would have been fascinated by this are no longer here to see this happen. And that's a shame, I think, because I believe this is going to be that big. I believe AI is going to be something that changes the entire world. Like most of those in the baby boomer generation, during my lifetime and my awareness, I've watched vacuum tubes give way to transistors and transistors give way to many generations of integrated circuits. Digital memory moved from relays and then to magnetic cores to insanely dense electromagnetic and electrostatic storage. Computers evolved from what was essentially an automated calculator, many times more expensive than people's homes at the time, to incredibly powerful devices that we now discard without a second thought. And the Internet happened during the second half of baby boomers' lifetimes. We've had the privilege of watching this incredible global network interlink the computers we all now casually carry around in our pockets. We are truly living through what was science fiction near the start of our lives, and now those of us who are still here are going to have the privilege of watching AI happen. Given everything I've already watched unfold during my nearly 70 years on this planet and given what I've seen of it so far, I believe that AI's impact upon our lives is destined to be bigger than anything that has preceded it, more significant than everything that has come before.
For the longest time, the technologies that appeared to have the most impact were those that facilitated communication. The printing press changed the world, and that was followed by the telegraph, which was followed by radio and the telephone, which were similarly transformative. The reason the Internet has changed everything again is that it too is about communication. It could be argued that automotive transportation is also a form of communication. Communication has been so universally transformative because it's been about linking the thoughts and intentions of people. By comparison, I believe that AI is going to utterly eclipse the transformative power of communication, because it is the thoughts and intentions of people. AI is the currency of people.
And sure, it's easy for cynics and skeptics to find fault. There's always fault to find in the beginning of anything new, where big claims about the future are being made. That's just the nature of new. New is the start of the journey, not the end.
Personal computers were initially a joke, as were the first luggable laptops, but no one's laughing now. Back at the start of Bitcoin and the invention of cryptocurrency, there were many skeptics, but I sure wish I had not installed Windows over my 50 Bitcoin. My point is what AI is today is not what it's going to be tomorrow. It never is, and I believe we're only at the start of what is going to be more significant than the invention of anything that has come before, because AI is, as I said, potentially the currency of people and there's never been anything like that before. I'm glad we're all going to be here to witness it together.
Okay, so what happened with AI and Google? Google has a long posting in their Project Zero blog, but The Hacker News assembled a very nice summary. That's what I want to share. Here's what they wrote: zero-day vulnerability in the SQLite open-source database engine using its large language model assisted framework called Big Sleep, formerly Project Naptime. The tech giant described the development as the, quote, first real-world vulnerability uncovered using the artificial intelligence agent, the Big Sleep team said in a blog post. Quote The Hacker News said the vulnerability in question is a stack buffer overflow in SQLite, which occurs when a piece of software references a memory location prior to the beginning of the memory buffer, thereby resulting in a crash or arbitrary code execution. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of a valid memory location, or when a negative index is used. Following responsible disclosure, the shortcoming was addressed in early October 2024. It's worth noting that the flaw was discovered in a development branch of the library, meaning it was flagged before it made it into an official release, and I'll also note that that made it. You know, it was a newly introduced bug that this thing immediately found, they said. Project Naptime was first detailed by Google in June of 2024 as a technical framework to improve automated vulnerability discovery approaches. It has since developed into Big Sleep as part of a broader collaboration between Google Project Zero, yay, and Google DeepMind.
With Big Sleep, the idea is to leverage an AI agent to simulate human behavior when identifying and demonstrating security vulnerabilities by taking advantage of a large language model's code comprehension and reasoning abilities. This entails using a suite of specialized tools that allow the agent to navigate through the target code base, run Python scripts in a sandbox environment to generate inputs for fuzzing, debug the program and observe results. Google said, quote, we think that this work has tremendous defensive potential. Finding vulnerabilities in software before it's released means that there's no scope for attackers to compete. The vulnerabilities are fixed before attackers have a chance to use them. Unquote, and The Hacker News finishes: The company, however, also emphasized that these are still experimental results, adding that, quote, the position of the Big Sleep team is that at present, it's likely that a target-specific fuzzer would be at least as effective at finding vulnerabilities, unquote.
Okay, so while this may be just the first time AI has been deployed for this, my own intuition is screaming that AI-driven code verification and vulnerability detection is going to be huge. To me, it feels as though this is dead center in AI's bailiwick and that it may be that AI is what finally comes to our rescue in the seemingly never ending and apparently intractable fight against both the continuous introduction of new vulnerabilities and the discovery and eradication of old ones. Microsoft must be hard at work figuring out how to use AI in this way. Imagine a day when Patch Tuesday is: Sorry, nothing to fix here. No new known vulnerabilities have been found, reported or known to be under exploitation. Now, you're just fantasizing. That would be something.
1:43:02 - Leo Laporte
Wouldn't that be something?
1:43:03 - Steve Gibson
Yeah, and it really, to me, it's impossible for us to reach if we don't do something like this. Yes, with AI it does not seem that far-fetched. You know, it may be that today's large language model training style doesn't really apply for this. That's my feeling. I don't think that's the way to attack this, but I'm not nearly close enough to AI to know. But I'm sure there are people who are. Of course, you know, this won't solve all of our problems, since there will always be people who are opening dangerous service ports to the internet or following instructions in a believable-looking captcha telling them to just bend over. You know, just copy this, yes, paste it. And even when their UI's AI cautions them not to do that. So I'm not worried that AI is going to put this podcast out of business anytime soon.
As always, there are users, and users can always be counted on to do dumb things. But I think that was Pournelle, something like that. Right, he was famous for citing that. But code, code is pure. It's why I love it. So it's just combinatorial math and it's fully deterministic. So it really seems to me as though code verification would be a natural habitat for AI and Lord knows, we need it. If I were a younger man, that might be where I might aim my own focus, and I'm serious about this.
We often get listeners who are just starting out and who are looking for and asking for some direction.
So here's some your verification and software vulnerability discovery, and these days it's possible to borrow big compute resources from cloud providers, which makes basement or garage development not only possible but practical, and if such technology were created, it feels like the sort of thing that would be snapped up by any of the big tech giants in a heartbeat. So think about that. If you're young and full of future and you're looking for something to sink your teeth into. I have no idea how you would do it, but I guarantee you that in a decade, and I'll still be here watching this stuff happening, I will guarantee you this is going to change be what solves our end-to-end encryption problem, as I said last week, because it's going to give governments the warm and fuzzies that, no, that, you know, abuse of children can no longer get past the AI monitoring their device locally, and I think AI is going to be the thing that solves our endless software vulnerability problems. It's a big problem, but what fun.
1:46:44 - Leo Laporte
Hey, if it can do that, there's probably a lot of other things that AI will be up to as well.
1:46:50 - Steve Gibson
It's going to revolutionize medicine, leo. It's going to revolutionize drug discovery. I mean it is going to change the world.
1:47:01 - Leo Laporte
And, by the way, I loved how you started, because I think this is exactly what you and I, who have watched many changes in our lifetime, are hoping for one last big one, and this could be the big one. This could be the one that changes humanity and launches us into an entirely new realm. I kind of agree with you, so I'm excited too. That's Steve Gibson, GRC.com. He's got a new product coming. Now, timeframe? You don't like to do that.
1:47:33 - Steve Gibson
I can't guess. A couple months probably.
1:47:36 - Leo Laporte
I'm hoping a couple months put me down for, for one of those twenty dollar subs thank you, subscription. I will purchases, because I'll be the first in line to get it. I can see I I'm.
1:47:47 - Steve Gibson
I can't wait to find out how encrypted DNS compares to un.
1:47:52 - Leo Laporte
I have no idea. Yeah, you'll have fun with this, or IPv6, or what open DN, what NextDNS is doing, things like that. This will be.
1:47:59 - Steve Gibson
This will be really useful. Yeah, and the, because the pro version, so there's Plus at $9.95 and it has all the features except the.
1:48:10 - Leo Laporte
The pro can run as a service in the background, because it's in, because it's all written in assembler.
1:48:16 - Steve Gibson
It's a couple of hundred K.
1:48:17 - Leo Laporte
It's not these ridiculous hundreds of megs sitting in your machine.
1:48:22 - Steve Gibson
But to be able to look at graphs and charts of long-term DNS server performance that's going to be very cool.
1:48:31 - Leo Laporte
It's going to be very, very interesting, and that's what we hope for.
1:48:35 - Steve Gibson
Oh, I forgot Built-in spoofability testing too, so you can check the spoofability of the servers without having to do it generically over at GRC. Nice yeah, lots of stuff.
1:48:46 - Leo Laporte
Yeah, I run a network analysis program in the background almost all the time to keep an eye on our bandwidth and so forth, and I think this will be, uh, equally useful running in the background. I definitely look forward to it. Mr. G, you did it again. 999. Now one last chance. This could be the last episode, uh, for all time. It's up to you, the counter.
1:49:12 - Steve Gibson
We, remember, when we were young, the digital clocks people had where they were tumblers, yes, and I would just sit there and wait for it to get to be, you know, well, the real payoff was 9:59, right, because you'd get to see all three going at once, or in your car, when the odometer hit 100,000 miles.
1:49:36 - Leo Laporte
99,999 to 100. That was exciting, but this is even more exciting. Here we are, ladies and gentlemen, switching from 999 to 1,000. And again, steve, I need you to think of yourself as in the exit row. You could jump out that window or you could continue on with the flight. You want to continue on with the flight? Yeah, all right. Yeah, look forward to next week, episode 1000. Same bad time, same bad channel.
We are every Tuesday, right after MacBreak Weekly. We're trying to make it 1:30, but no later than 2 pm Pacific, that's 5 pm Eastern, 2200 UTC. Streamed live on eight platforms. Now, count them, eight. Of course, our club members get Discord, which is wonderful. But our YouTube? Now I gotta be careful with my fingers here, because I did the wrong finger on Sunday. YouTube, YouTube, Twitch, Facebook, LinkedIn, X.com, TikTok and Kick. Those are all the places you can watch us live, but you don't have to watch live. You can watch after the fact. Uh, on the website, twit.tv/sn, you can. We have audio and video.
Steve has several unique versions of the show. He's got, of course, the audio at GRC.com, but he also has 16 kilobit audio, which is a small file size. You give up a little quality, but it's a quick download. He also has transcripts written by Elaine Farris. So they're not an AI, so they're great, real, genuine transcripts that capture the flavor of the show. And, of course, his show notes, which really are fantastic. He does better show notes than anybody, any podcast out there. All of that's at GRC.com. While you're there, you've got to remember right now there's one way Steve makes money and that's with SpinRite, the world's best mass storage performance, maintenance and recovery utility. If you've got mass storage, you need SpinRite. Go get it at GRC.com, currently version 6.1. There's lots of free stuff. There's two. Steve gives away lots of great valuable information, even software like, as an example, ValiDrive, which helps you test the USB key you got on Amazon to make sure it really does hold all that data. By itself, that would be worth the price of admission.
We are at twit.tv/sn. We also have a YouTube channel dedicated to Security Now. Great way to share clips. This is one show I know a lot of people listen to and they go, ah, that QR code, I know my dad's going to click that. Send that clip to him from the YouTube channel, because everybody can watch a YouTube video and that'll bring it home to him. Okay, things like that. And, of course, the best way to get it, subscribe in your favorite podcast player, audio or video. You'll get it automatically as soon as we're done. In that way, you have a complete collection of all 999 episodes of Security Now. Steve, have a great week. Don't get too, uh, too aggravated. We'll be. I know, texting back and forth, it'll be a late night Progresses.
I have a gummy. I'm waiting. If I need, I am, I'm ready. I might have to go to bed. Thank you, Steve, we'll see you next time on Security Now.
1:52:51 - Steve Gibson
Thanks, buddy. See you for episode 1,000. Woo-hoo.
1:52:58 - Leo Laporte
Security Now.