This Week in Tech Episode 1003 Transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
00:00 - Leo Laporte (Host)
It's time for TWIT, this Week in Tech. Great panel for you. Owen Thomas is here, managing editor of the San Francisco Business Times, and former director of the Stanford Internet Observatory and current CISO at SentinelOne, Alex Stamos, will talk about Delta's half billion dollar lawsuit against CrowdStrike, surge pricing coming to a Walmart near you and why Elon Musk has been talking to Vladimir Putin all the time. It's all coming up next on TWIT.
00:32 - Owen Thomas (Guest)
Podcasts you love.
00:34 - Alex Stamos (Guest)
From people you trust.
00:36 - Owen Thomas (Guest)
This is.
00:37 - Leo Laporte (Host)
TWIT. This is TWIT, this Week in Tech, episode 1003, recorded Sunday, October 27th 2024. Crab Strike. It's time for TWIT, this Week in Tech, the show where we cover the week's tech news with the smartest people in the business. I've got a great panel for a very important show because we've got an election coming up and I thought, you know what, if you're gonna get an election coming up, we should probably get somebody who's into disinformation. And, of course, Alex Stamos is my go-to guy for all of that.
01:23
Currently CISO, Chief Information Security Officer, at SentinelOne. We first became aware of Alex when he was at Yahoo and then at Facebook covering security. Zoom brought him in as the pro from Dover when they were getting a lot of heat over their kind of pseudo-encryption, not end-to-end encryption. You helped fix that, I know, Alex. And for a long time at Stanford, and this is the reason I wanted to talk to you, at Stanford's Internet Observatory, which was watching disinformation for the last few years. Alex, great to have you back on our show. Yeah, thanks, Leo, thanks for having me. Good to have you. Also with us from the San Francisco Business Times,
02:03
good friend Owen Th... he's Thomas. I'm sorry. He's managing editor there. Thompson's the English muffins. You're Thomas. Oh, it's great to see you, Owen. Welcome.
02:13 - Owen Thomas (Guest)
As long as you don't call me... oh, who's the actor? Owen Wilson. Owen Wilson, I will not. I understand the confusion. That would be good, I don't know.
02:25 - Leo Laporte (Host)
I wouldn't... it wouldn't be. It wouldn't be an Owen Wilson. Yeah, lots to talk about this week. And I see that we actually have something that's kind of right up your alley. But before we got too far along, I did want to talk about disinformation. Do you follow this as much as you did,
02:40 - Alex Stamos (Guest)
probably not, when you were at SIO, right, Alex? Oh yeah, well, you know, I'm still plugged in, I'm still teaching at Stanford.
02:46
I just taught a class on Friday. What's the class? So in the fall, I teach an intro to cybersecurity class for the master's in cyber policy, so you can do a master's in international policy at Stanford and there is a cyber specialty. It's the first class for those students. So it's basically teaching lawyers and political scientists how to hack stuff. It's great, you teach a lawyer how to use Metasploit. It's a dangerous thing.
03:13 - Leo Laporte (Host)
No kidding, holy cow. How fascinating though. So you know it's funny. In 2016 and 2020, we heard a lot about Russian misinformation and, you know, Russian troll farms and so forth. Yeah. This time around, not quite as much, although we are starting to also hear about Chinese involvement. I saw a story that said the Chinese are looking more at down ballot (yes) campaigns than at the presidential campaign. I thought that was kind of interesting. What is China's interest, do you think, in our election? What would they like?
03:52 - Alex Stamos (Guest)
Okay, so overall, there is more foreign interference in this election than any American election before. No kidding. Yeah, including Russian. So the Russian activity is larger and, like you said, everybody else has gotten involved, which we have this long history of in the cyber world: some country will do something big and spectacular, and then everybody else. You have Stuxnet getting copied. You have the Snowden disclosures laying out a bunch of surveillance techniques that end up getting copied, and so it's the same thing here with the Russian disinformation techniques from 2016. Everybody else around the world looked at that and went, oh. They learned the lesson, right, the Russians. Like the US? Yeah, we do it too. Our
04:43
team at Stanford has actually written up a number of cases where, unfortunately, the Pentagon has paid for troll farms to do the same thing for countries we don't like, which I think is actually really bad on a number of levels. One, it's like an incredible waste of money. The people the US pays for this are incompetent, so it's a big waste of taxpayer dollars, but it's also just incompatible with American ideals. But back to your point, the Iranians and the Chinese have been massively involved this time as well and they have very different geopolitical interests than the Russians. While they are aligned in a lot of ways, their goals in the US election are quite different than Russian goals.
05:27 - Leo Laporte (Host)
The Russians, it's my understanding, wanted to flood the field, not with garbage, just to destabilize. Well, that was...
05:33 - Alex Stamos (Guest)
I mean, that was the big goal in 2016, right. The big difference between Russian activity in 2016 and 2024 is in 2016 they didn't have a big strategic purpose. You see kind of two themes in 2016. The Internet Research Agency, their big theme was to flood the zone with garbage. Their goal was to drive division in the United States. The number one thing they talked about was Black Lives Matter, actually, if you do an analysis of their content. It was just to push divisive themes and they wanted to amplify divisive content.
06:04
The GRU campaign was aimed at harming Hillary Clinton, and that's really... Vladimir Putin does not like Hillary Clinton. He personally blames her; he believed the State Department under her watch was trying to foment a revolution against him and he wanted to weaken her. Does that mean he wanted Trump to be elected in 2016? It's very hard to tell what his purpose was, but he didn't like Hillary. But it wasn't that big of a campaign in 2016.
06:32
In 2024, Russia is involved in the largest war they have fought since World War II. It is now larger than Afghanistan. They have lost more men than they lost in Afghanistan. They're approaching probably 100,000 dead. They've spent billions of dollars. They've lost a significant portion of, for example, their armored vehicles, a huge number of helicopters and planes. A portion of sovereign Russian soil is being occupied by Ukraine right now. I mean, as big of a deal as the Russia-Ukraine war is to us, it's a humongous deal for them, and so they have a real strategic purpose now for their disinformation that they did not have in 2016.
07:15 - Leo Laporte (Host)
And are they looking for a candidate who will surrender, basically stop supporting Ukraine?
07:22 - Alex Stamos (Guest)
I think, if you look at what they're trying to do, they really have two goals. One is they want Donald Trump to win, but that's not good enough. The other thing they need is to build a base of support in the United States for the idea that Ukraine is an enemy of the United States, that surrendering this war and pulling all support from Ukraine is in the best interest of the United States, which is an idea that did not exist two, three years ago. Right? Three, four years ago, nobody cared about Ukraine, right? No American other than Ukrainian or Russian Americans with some kind of link to the region. Before the invasion. You're saying before the invasion and before this Russian campaign.
08:04
Crimea wasn't enough for people to be upset about? No, no. Back during the Crimean invasion, people were not. It was not something that was on people's radar, and that is what, if you look at the Russian activity now, it is about supporting Trump now explicitly, in a way it was not in 2016, where it was much more diffuse, and if it was about Trump-Hillary, it really wasn't about Trump. It was about just weakening Hillary as a candidate. And now it is explicitly about inserting the idea in the populist right that it's a good idea to cut off Ukraine. Not just that it's acceptable, but that that is the right thing for America, and that has been incredibly effective. And that is why you see them spending millions of dollars. You know, we had this indictment by the FBI of foreign agents who were taking Russian money and giving it to American influencers.
08:52 - Leo Laporte (Host)
Millions of dollars people are making. You know, that story got so undercovered. Oh, it felt like that was a huge story. Yes, that there were podcasters, there were influencers who were, it turns out, on the Russian payroll. Americans. Yes. I feel like it
09:09 - Alex Stamos (Guest)
got mentioned, and then just kind of... Oh yeah, and if you think it's just those guys, I have a bridge to sell you. That's who we caught, right?
09:18 - Leo Laporte (Host)
Those are the ones who have been caught so far, right. Why do we lose interest? I think it's...
09:25 - Owen Thomas (Guest)
You know, I think it's kind of hard to trace the money trail. I think also Russia is historically very good at exploiting this idea, this category; I believe the term of art is useful idiots. Yeah. These are not, like, you know, secret agents. These are not people who actually have any contact necessarily with Russian agents in any form. It's just Russia has identified that if we boost the profile, the influence, the voice of this person who has these wacky ideas, then that will serve our larger goals. So it does seem like they're clear.
10:08 - Alex Stamos (Guest)
The goal with those guys is they were already big.
10:11
The goal was they were paying them to talk about Ukraine, right? Those guys were big about talking about cultural issues, talking about schools, talking about trans issues and the Olymp... like whatever. But normally people don't care about Ukraine, right? It's just not something that is on the radar of the cultural right normally. And so by paying them that money, they could take it from off the radar to making it on the top five list of the things that they're gonna get angry about in their podcast, in their video, in their newsletter, and that is what has been effective. They've been doing that for years.
10:47
And so that is, you know, right now one of the big movies. I don't know if you guys have seen it, but when I open up Amazon Prime, they're trying to show me, hey, there's a big biopic of Ronald Reagan, right, and you can go, and one of the... is Dennis Quaid getting up there and telling Mikhail Gorbachev to bring down this wall. And so, at the same time that we're celebrating Ronald Reagan, the party of Reagan has become pro-Russia, and so you've just taken a step back historically. The Russian campaign has been incredibly effective, right, that a humongous chunk of the Republican Party is now aligned and believes Vladimir Putin over a big chunk of the American intelligence agencies and a bunch of American allies, and believes that Russia is our ally and that the democratically elected president of Ukraine is actually some kind of dictator and that the Ukrainians deserve to lose a big chunk of their country, and that is why they're paying these people.
11:46 - Owen Thomas (Guest)
I've been watching For All Mankind, which is on Apple TV. It's basically an alternate history of the space race. A great watch if you haven't watched it, but it's fascinating how removed from the kind of Cold War conflict, which is a very central part of that TV...
12:06 - Leo Laporte (Host)
Yeah, the Russians get to the moon first in that.
12:09 - Owen Thomas (Guest)
Yes, it's kind of this permanent Sputnik moment, right, and you know, just watching it is a reminder of how warped, as I think Alex has pointed out, the concept of Russia as kind of a global opponent...
12:33 - Leo Laporte (Host)
I find that interesting, that they have been fairly nimble in taking advantage of new technologies. You know, we are very concerned, for instance, about disinformation created by AI in this cycle, and Russia has now been accused of being behind a deepfake of Trump ballots being destroyed in the election. They've jumped on the deepfakes, right? Yeah.
13:01 - Alex Stamos (Guest)
I mean, back in 2016, they were taking videos and images and repurposing them. There's a little bit of Photoshopping, but for the most part, what they would do is they take a video of a riot and they would say, look, it's riots in America, and you're like, no, that's actually... that was Algeria.
13:19 - Owen Thomas (Guest)
Oh right, Latin America. Remember that? Like, hey, look at the sign. Right. There are no American streets.
13:26 - Alex Stamos (Guest)
Yeah, and so deepfakes are now giving them the opportunity to make it just a little bit harder to disprove things and also to generate lots of content, when they used to have to either find content or they had to have a floor full of Photoshoppers and illustrators. It's just gotten easier. Right now it's a dude with a bunch of RTX 4090s and open source models, right?
13:51 - Leo Laporte (Host)
Is the Internet Research Corp, that troll farm, gone, right?
13:54 - Alex Stamos (Guest)
It's gone. Well, Yevgeny Prigozhin's dead, right? So, I mean, that's one of the...
13:58 - Leo Laporte (Host)
He was the guy, remember, who went up against Putin and ended up dying in a suspicious plane crash.
14:05 - Alex Stamos (Guest)
Yes, it is amazing. If you're against Vladimir Putin, there are a number of things you should not do. Right, you should not drink tea.
14:12 - Leo Laporte (Host)
Go near a window. Stand near a window. Fly private. Right, there are just some things. Yeah, it pays better not to. So here's the question I actually asked both of you: should we be concerned about this? Because, I mean, we know it's happening.
14:28 - Owen Thomas (Guest)
...and more subtle and probably a little more corrosive, which is that people tend to just become coarsened and resistant to any kind of information. You know, in my industry they talk about news fatigue. People are just kind of tired of it all. They don't want to hear about Ukraine, they don't want to hear about Russia. They don't want to hear about this disinformation problem, because it's like, OK, well, you're saying information is, you know, one that kind of feeds into people's predispositions, and it also serves probably Russia's and China's and Iran's goals, which is to just erode belief in institutions.
15:38 - Leo Laporte (Host)
You agree, Alex? Is that... I mean, certainly that's the case, although I think some of that is we're just overwhelmed with news, legitimate and illegitimate. We're just sick of it. I mean, at least I am, from 24-hour news channels and everywhere you have, in your hand, this communicator. Even if you're only on Instagram, and TikTok is full of news. So I think I understand why people are a little done. I think there are people listening right now saying, do we have to talk about this? Isn't there a new iPhone or something we could talk about?
16:08 - Alex Stamos (Guest)
Yeah, on elections, there's no good quantitative social science evidence that disinformation has thrown an election. So that's interesting. You mean... you know, there's been a bunch of studies. It unfortunately just... it's quite hard. People have tried to follow panels of people. The thing that has been attempted in 2020, 2022, and now that a number of groups are trying in 2024, is they will follow individual voters, look at their preferences and then also look at what their media content looks like and then see whether or not... try to tie it all together, right?
16:43 - Leo Laporte (Host)
Yes. Because it's just very hard for social scientists to look at this big, diverse set of things that you look at. It seems to be almost confirmation bias, like if you believe something, then you will read the news and see the posts that confirm what you already believe in. Right?
16:58 - Alex Stamos (Guest)
Does it change people's minds, is the question. But from my perspective, I think if you just take a step back and you look at the big historical... the fact that a big chunk of one of the major political parties in the United States has now decided to back Vladimir Putin and his major geopolitical interest in getting the United States to abandon Ukraine, it looks like it's a victory.
17:22
Outside of this massive political push, that seems less likely, right, and so he certainly thinks it's successful. And they have massively doubled down, tripled down. The investment the Russians are putting in is much larger, and part of that is just the cost. If you know, spending 10, 15, 20, $30 million, $40 million, $100 million, it's cheap, it's nothing, right, compared to losing at the rate at which they're losing tanks and planes and men in this war. Spending $100 million to mess with America's elections, where that is one of the only ways that they might possibly have a victory that is not a negotiated settlement, is, you know, absolutely cheap compared to any other outcome there is. And I will say this is a conspiracy theory and I don't know how valid this is, but there are data points.
18:16 - Leo Laporte (Host)
For instance, we've just learned that Elon Musk seems to talk to Putin somewhat regularly, as does Donald Trump. We've seen JD Vance basically say, you know, who cares if Russia wins in Ukraine, we just need to end it. And it feels like... this conspiracy theory is that Donald Trump, because of his age and cognitive difficulty, will probably not be very interested (he wasn't that interested in 2016) in running the country, that JD Vance will be kind of the de facto president.
18:57
JD Vance, as we know, is Peter Thiel's protege, as is Elon Musk, and there is this conspiracy theory, and I want to really say up front this is a conspiracy theory, that the technocrats see this as an opportunity to essentially run the country, that the Peter Thiels and Elon Musks of the world say, hey, here's an opportunity, in a vacuum, to kind of move in. And, of course, Vladimir Putin is probably the richest person in the world, not Elon Musk. We don't know how wealthy he is, but he basically controls Russia's oil and gas interests, has the money to kind of... and seems to be putting it into all of this. Is this nuts, or is this... See, this is where I feel like I'm so inundated with information. Well, you know, it's follow the money, right, Leo. Follow the money, and unfortunately, money runs our politics.
19:56 - Owen Thomas (Guest)
So Andreessen Horowitz has declared American dynamism one of its big investment initiatives. What does that mean? It means defense contracting. So you've got a venture capital firm saying, you know, hey, if we can get in good with the government... and Andreessen and Horowitz, the two co-founders of the firm, have backed Trump this cycle. You know, like, we stand to make money.
20:23 - Leo Laporte (Host)
Yeah, well. And then you have Jeff Bezos telling the Washington Post not to endorse a candidate, and then immediately, that day, Blue Origin... Trump meeting with Blue Origin. It just starts to feel a little back door, back room, smoke-filled room kind of cozy. You know, there's that disinformation working on me, Alex. You know, just, you know, in the stranger than fiction department, there's a private space firm in For All Mankind.
20:53 - Owen Thomas (Guest)
Sorry to go back to my current favorite TV show, and it's just like, you look at that and it's like nothing compared to the reality we're in of SpaceX and Blue Origin being basically NASA's only... the only options.
21:09 - Leo Laporte (Host)
Right, I mean, this is why you don't want to hear that Elon Musk has been talking to Vladimir Putin on a regular basis, because he essentially controls our aerospace, our space industry, because SpaceX... Boeing has failed.
21:24 - Owen Thomas (Guest)
It did seem like the DOJ put a scare in him. Yeah, he was...
21:28 - Leo Laporte (Host)
He was paying a million dollars a day to people registering to vote, which it turns out is illegal.
21:36 - Alex Stamos (Guest)
I don't know, though, you know. And the Putin thing's gonna be... Musk's clearance issue is a serious one. No kidding.
21:46 - Leo Laporte (Host)
NASA says they are going to investigate this.
21:48 - Alex Stamos (Guest)
Right.
21:49
So, you know, SpaceX does classified launches for the National Reconnaissance Office and the Air Force. That means they have what's called a facility clearance. He is the CEO of SpaceX. I looked into this a little bit. It doesn't look like they have a cleared... It looks like Space Exploration Technologies LLC is actually the cleared org. They don't have a separate organization. So sometimes the way you do this is you have a separate company that does federal contracting, and it doesn't look like they do this. It looks like it's the master organization, which means he has to have some kind of clearance.
22:23
What I've heard is he has a Secret, which is not incredibly hard to get. It's probably the best he could do. He's foreign born, he has all these foreign contacts. But even then, with a Secret, I think you're still supposed to... It's not as strenuous as with TS/SCI, but you're still supposed to do things like file forms when you have foreign contacts with representatives of foreign governments. I once had a... You know, I go to this conference called the Munich Security Conference most years. I was at a simulation with a bunch of people, including a guy who used to be in the KGB, which... you're never really an ex-KGB agent.
22:57
The form I filled out just from being in that room was six pages long. So it's fine, but that's what you have to do if you actually want to follow the rules, right? You have a clearance? At times I've had clearances. Yeah. And so, right, it's something you do if you work in cyber and you do this kind of work, you know?
23:19 - Leo Laporte (Host)
Appropriately, appropriately.
23:22 - Alex Stamos (Guest)
I think that's completely appropriate, right. And if so, why isn't Elon
23:25 - Leo Laporte (Host)
Musk doing this, or is he?
23:26 - Alex Stamos (Guest)
Right, and so that's the question. I mean, if he was not filling out a foreign contact form every time he talked to Vladimir Putin, I think probably he's in violation. If he's been doing illegal drugs, he's certainly in violation, right?
23:38 - Owen Thomas (Guest)
And so this becomes a big...
23:40 - Alex Stamos (Guest)
This becomes a real issue for him and SpaceX, because they cannot maintain a facility clearance, and that becomes a real issue for the government because it puts them in a very difficult position. Because if he loses that, then they're going to have to have a difficult discussion with SpaceX of whether or not he can stay CEO.
24:00 - Owen Thomas (Guest)
I mean, can he stay in the United States? The revelations about his lack of legal status when he started his first company, Zip2, which then allowed him to bankroll what became PayPal, you know, and led to his whole current fortune.
24:22 - Alex Stamos (Guest)
I mean, he's a citizen now, right, so I don't think they can denaturalize him for, like... I mean, he's outside the... and you probably can't prosecute him for what is really a minor violation. But you have minimal, really minimal, due process when it comes to clearances, which is something they tell you. Yeah, that's interesting. Yeah, hey, don't expect...
24:41 - Leo Laporte (Host)
This is different. This is not the legal system. Right, you don't have any rights.
24:45 - Alex Stamos (Guest)
That is what they tell you, basically, right. And you can go to ClearanceJobs.com. There's forums about this of people, low-level people, who make tiny little mistakes and end up having to lose their jobs.
24:56 - Leo Laporte (Host)
That's, by the way, the difference, because they're low-level people, and it seems to be, in this country, if you're a billionaire, you don't have to follow the same rules. Yeah, and it's...
25:06 - Alex Stamos (Guest)
It's getting to the point where... I mean, you talk about this, or you talk about Trump taking huge piles of TS/SCI material into his bathroom at Mar-a-Lago, and it becomes difficult to then go tell people who work normal jobs at the Pentagon, to give them these briefings of, like, you're going to go to Leavenworth if you take a file folder home, right? I think it's becoming a real problem for the security establishment, because the obvious dual treatment of people here is going to make it very difficult to enforce the rules.
25:47 - Leo Laporte (Host)
So we know what Russia's goals are, and I can imagine what Iran's goals are, right? Are they pursuing kind of an anti-Israeli policy, or looking for candidates that would support that?
26:01 - Alex Stamos (Guest)
So Iran has been attacking Trump, right. So Iran's goal... Iran is very anti-Trump, and so they went directly. Their activity has been much more like what the GRU's activity was in 2016. They've been using cyber-enabled hack and leak campaigns. So they attacked first Roger Stone in his personal G... and then, once they had access to his personal account, they leveraged that to spear phish the Microsoft mailboxes of members of the official Trump campaign, including lawyers who worked for his campaign, and then they got access to a bunch of content.
26:38 - Leo Laporte (Host)
Were they using the Exchange flaw, or was it just pure spear phishing?
26:42 - Alex Stamos (Guest)
No, pure spear phishing. So this had nothing to do with anything more technical than spear phishing. And then relay... I believe, my understanding is, they had the kind of Microsoft Authenticator push to authenticate. So it's the kind of thing that you can man-in-the-middle if you have a reasonably advanced spear phishing setup. So is Iran as sophisticated as Russia? Russia's pretty sophisticated in this, I think, right?
27:08
So the way I would organize this: the real scary people you really don't want to go against is the SVR, the Russian foreign intelligence service. They are the real scalpel of the Russians, but they're relatively small, right. They probably have a couple hundred people at that top level. The largest and scariest is the Chinese. The Chinese have dozens and dozens and dozens of different groups that work for the People's Liberation Army, the Ministry of State Security, a bunch of different public security bureaus that work for different cities and states, and those groups are in the thousands. So there's maybe 150, 200,000 people, and they're good. Only a couple of them are at that SVR level. So the average quality of the Chinese hackers is less, so they make it up in volume.
27:52
But they make it up in volume, right, and so from an overall scope perspective, the Chinese can go after way more targets at once, right, and they have way more breadth of attack. Politico reported the day before yesterday that the Chinese were hacking the telecoms of the Trump-Vance campaign.
28:14 - Leo Laporte (Host)
Yes, and by doing so got the communications data from roughly 40 people in the (yes) campaign, and the DHS is reviewing that right now. Right, and so that's part of what people have been calling the Typhoon attacks.
28:25 - Alex Stamos (Guest)
So it looks like this is either PLA or Ministry of State Security. We don't have direct attribution. Probably PLA. People's Liberation Army has a number of hacking units.
28:34 - Leo Laporte (Host)
And so there have been... Salt Typhoon was the group that invaded Verizon's call center.
28:40 - Alex Stamos (Guest)
Right, right, yeah. In this case, what they're doing is they're going after the systems the telecom companies have used for lawful intercept. So if you're... Yeah, this is CALEA.
28:51 - Leo Laporte (Host)
This is the hysterical thing, and Ron Wyden talked about this, saying, look, we passed CALEA in, what, the 90s, right, to support lawful wiretapping. But unfortunately this backdoor into Verizon, AT&T, Lumen turned out to be hackable. Yep. Because anytime you put a backdoor in something, guess what, bad guys might get it. And they did. And Wyden's saying this is exactly why we can't backdoor end-to-end encryption. Because CALEA, you know, Louis Freeh, who was the head of the FBI at the time, said, oh no, no, no, this will be completely safe.
29:29 - Alex Stamos (Guest)
We got this covered. No, it means you have to build a backdoor that's wired into one place, and it also has to be easy enough to use that lawyers can use it, right?
29:39 - Leo Laporte (Host)
Well, there's your problem right there, right. I see, yeah. And so, yeah.
29:44 - Alex Stamos (Guest)
So the Chinese, in this case, have been breaking into the telecoms, and then, yes, they could go break into individual switches and routers and SS7 equipment at Verizon or AT&T. SS7 is still broken, isn't it? Yeah, it's still broken.
29:59 - Leo Laporte (Host)
It will never be fixed, will it?
30:01 - Alex Stamos (Guest)
You know, I'm not a telecom expert, but I think it's in so many phones. Well, it's on your phone, right? It's on my phone. These things still have full SS7 stacks that they're emulating, and it has known vulnerabilities.
30:15
Right, it was never really meant... I mean, it was never meant to be expanded outside of, like, AT&T, right. Right, it was meant for them to talk internally. I mean, my grandfather was an AT&T engineer, you know. Oh, that's cool. Yeah, I mean, he was born a goat herder, died an AT&T engineer, which is... oh my God... a pretty cool path, right? Wow. A Greek immigrant. Cypriot. Yeah, Cypriot. Nice. Yeah, from the wrong side of the tracks, so to speak.
30:41
But yes, he was using SS7 by the end of his career. So that shows you how old it is. It's ancient. It's ancient, but anyway. So they were using it to spy in a number of cases. But you can imagine how powerful a technique that is. If you can get to Verizon or AT&T's internal interface, you can wiretap anybody in the United States, right.
31:01 - Leo Laporte (Host)
Well, in fact, and it's not just the Trump-Vance campaign; they also, according to the Wall Street Journal and the Washington Post, attacked staffers to Chuck Schumer, the Senate majority leader, and Vice President Kamala Harris.
31:13 - Alex Stamos (Guest)
Yeah, If you have that capability, you're going to use it.
31:16 - Leo Laporte (Host)
So what's the Chinese interest? I would imagine the Chinese don't like Donald Trump very much because of the tariffs. Right, that the Chinese interest, as you mentioned before, is a level below.
31:26 - Alex Stamos (Guest)
There's no good evidence of them getting directly involved in the presidential election this cycle. What they're doing is, one, they're gathering intelligence, right? So they are providing intel up to their political leaders to get ready for whoever the president is. So that is just the normal. They're not trying to throw the election.
31:45 - Leo Laporte (Host)
They're just trying to figure out what the hell's going on.
31:48 - Alex Stamos (Guest)
Right, neither party is great for China right now.
31:50 - Leo Laporte (Host)
Yeah, in fact, Trump has recently said, well, let's get rid of the CHIPS Act, which is one of the things that keeps us from exporting our technology to China.
32:01 - Alex Stamos (Guest)
Right, he also threw Taiwan under the bus. He did. He gave this crazy speech where he's like, well, they stole our semiconductor industry. And then TSMC's stock dropped like immediately, maybe.
32:12 - Leo Laporte (Host)
What am I saying about tariffs? It's really about Taiwan in the long run, isn't it? Right, right, the Chinese want to know who's going to let us take Taiwan.
32:20 - Alex Stamos (Guest)
Right, and so they just want to know. But they are getting involved at the congressional level, which is, I think, where they can have more influence. Right, you've got, you know, instead of the down ballot, tens of millions of people voting, yeah, you have hundreds of thousands of people.
32:33
Much easier, much easier, right, because some of these elections are a couple thousand people, a couple hundred people maybe, are swinging it, and you have a lot less people paying attention. So, you know, a couple hundred fake accounts, you know, a couple influencers. In a local election, maybe you have a member of Congress. You have a really close election, Republican or Democrat, either side. You might have somebody who's really anti-China and somebody who's just neutral, and in that case they don't have to be pro-China, they just have to not care so much, right? And in that case you target the one who's anti-China, who is on, you know, there's a couple of anti-China committees. There's a couple of committees that have been pushing, really looking into Chinese influence, really looking into microchips and AI and such. You target the person who's on the other side. If, every year, you can knock off one or two or three members of Congress slowly, that would have significant impact, and I think that is the Chinese model here.
33:34
Iran, they don't like Donald Trump and they're trying to blackmail Trump. When you ask about Iranian hacking, they are technically less sophisticated than Russia and China. They are very good at social engineering, and that is how they've made up for it, is that they know they cannot go build the 0-days in the same way the Russians and Chinese can. They're not gonna be building 0-day iPhone kernel exploits in the same way that Israel or Russia or China can, but what they can do is they've gotten very, very good at tricking people into clicking links. They've built very good phishing campaigns. They've gotten very good at building relationships with people and convincing them to give up their passwords, to click yes on two-factor prompts and the like, and that's exactly how they got into the Trump campaign.
34:13 - Leo Laporte (Host)
I want to take a little break. We, uh, we're... This is interesting stuff and I'm glad we got you on. Alex Stamos is here. He is currently CISO at SentinelOne, which is a great security firm, relatively new in the industry but doing a great job protecting people all over the globe. Also with us, Owen Thomas of the San Francisco Business Times. Have you voted yet, Owen?
34:38 - Owen Thomas (Guest)
I actually have not. My ballot is sitting on my desk at home waiting to fill out. I'm a vote-at-home, drop-it-off
34:47 - Leo Laporte (Host)
the day of kind of, kind of guy. It is kind of fun to go to the, uh, the polling station. Yeah, that way, workers, I like that feeling. Yeah, that's kind of best of both worlds.
34:56 - Owen Thomas (Guest)
Uh, California has let you do that for, uh, for many years. I really want.
35:01 - Leo Laporte (Host)
I do want. So I have voted by mail. I really do want a switch I could set on my phone that says I already voted, stop sending me texts, because I'm at this point, you know, give once and you will, you will be hearing from them forever. So I've donated to campaigns and, as a result, they have my phone number. It's public record, I guess, and a lot of spam.
35:23 - Alex Stamos (Guest)
I mean a lot of, so much. Like, you know, if you give to any campaign... I get a lot of like give for Kamala, and you look at the links and it is not for Kamala.
35:32 - Leo Laporte (Host)
It is not. Well, that's what I think a lot of it might be. It might be, uh, it's just fraud, it's fraudulent. Yeah, yeah, I, you know, I kind of suspect sometimes that that is right, it's vote.
35:42 - Alex Stamos (Guest)
Democratsnigeria is not, it turns out. Hey, the Nigerians care.
35:48 - Leo Laporte (Host)
Okay, let's not. Uh, anyway, we'll have more in just a little bit. I actually want to talk about, this is old news, but I still want to get your take on this, Alex, the, uh, beeper, uh, plot. I thought that was, you know, the reason it comes to mind, John Fetterman, the senator from Pennsylvania, recently in an interview said that was great, that was really cool, putting plastic explosives in the beepers of Hezbollah leaders. And when somebody said, you know, one of the people killed by it was a child, he said, well, it's her father's fault for letting that evil into the house. And what it does raise is some real concerns about our supply chain, if this is possible. That is very scary. We'll talk about that and a lot more. We've got some other stories too. We might even get to talk about, I don't know, new Macs. Maybe, we'll see. I know that's why you really tune in. Uh, you're watching This Week in Tech. Our show today brought to you by, actually speaking of security, Shopify.
36:56
I love a Shopify. Let me tell you something. My son has created, I'm very proud to say, a Shopify store, the Salt Lovers Club. And I should also say I'm an investor in the Salt Lovers Club, just to disclaim it, where he sells salt and is going to sell pickles and some other stuff, and it was made so easy by Shopify. So I have a real soft spot for Shopify. You know, when you think about businesses, you know, big businesses whose sales are just going through the roof, you know, I don't know, companies like Untuckit, one of our sponsors, Allbirds, I'm wearing them right now. Uh, you might be thinking, oh, it's an innovative product, it's a progressive brand, brilliant marketing. But what is often overlooked, whether it's Salt Hank's Salt Lovers Club or my Allbirds right here, is the businesses behind the business that make selling, and for shoppers buying, easy. That technology is critical, and for millions of businesses, including, I might add, Allbirds, Salt Hank's Salt Lovers Club, uh, oh, Untuckit, yeah, yeah, yeah, they're all powered by Shopify.
38:17
I love Shopify. I was looking for the bell. Nobody does sales better than Shopify, home of the number one checkout on the planet. You won't believe how many companies, big and small, use Shopify. And the not-so-secret secret with Shop Pay, Shopify's payment system that boosts conversions up to 50%. Way fewer carts going abandoned, way more sales being made.
38:42
Let's hit it again. Yeah, that's the sound you want to hear. So, if you're growing your business or just getting started, your commerce platform better be ready to sell wherever your customers are, scrolling or strolling. Yeah, that's right, not just on the web, but brick and mortar, in the stores, in their feeds and everywhere in between. It's powered so many great businesses, businesses that sell more. Sell on Shopify. Upgrade your business and get the same checkout that Allbirds uses, that my son, Salt Hank, uses. Sign up for your one dollar a month trial period right now.
39:20
shopify.com/twit, that's all lowercase. Go to shopify.com/twit. Upgrade your selling today. shopify.com/twit. Hit it. Oh, I love that sound. Shopify. I like doing ads for a company that I really believe in, and boy, I'll tell you, I'm just watching. Hank made the right choice when he started to go with Shopify, so I'm very happy to be able to talk about them on the show.
39:49
Uh, we are talking about the week's news with some very smart people. Uh, Alex wants, uh, uh, wants to get in the... Do you want to get in the Discord, Alex, so you can talk to people? We should mention that we are streaming, uh, now, this is our new thing, on eight different, eight, count them, eight, eight different platforms. So, yes, Discord, that's where our Club TWiT members live. But youtube.com/twit/live, uh, twitch.tv/twit, x.com, and usually, unless Gary Vaynerchuk is streaming on X, usually we are at the top of your x.com front page. Let me just see, uh, because we often have more people streaming than anybody else. Let me see. Well, wait a minute. I know.
40:38 - Alex Stamos (Guest)
I'm just trying to see all the, you know, horrible things people are saying about... People love you, are you kidding? It's just, you know, it's the best way to feel, like, neurotic in real time. Well, and.
40:46 - Leo Laporte (Host)
But the thing is there's, there's not just Discord. We get chat from YouTube, we get chat from Twitch, we're on TikTok too. We get chat from TikTok, we're on LinkedIn, we're on Facebook, uh, and we are on Kick. So I think that's all eight. So, yeah, you people are watching live, uh, 1,000, I see the number here, 1,134 people watching live. Now, that's a fraction of the total, but I think it's cool to have a live audience watching and commenting, so we'll, uh, we'll send you my chest hair. If I knew it was gonna be... button your shirt, button your.
41:20
Well, I, we'll send both. I usually send everybody, uh, the, uh, the Discord, uh, link.
41:27 - Alex Stamos (Guest)
We give you complimentary memberships, of course. Uh, I could have gone really Greek, I should have had chains and gone, yeah, a little, little cornu. And so you're Cypriot? I didn't know that. Uh, yeah, yeah, Cypriot in Greek. Yeah, the Stomatopolis is from the Peloponnese, but my mom's side's from, from Greece. Yeah, or?
41:42 - Leo Laporte (Host)
From. I have good friends who, uh, friends who, he's a doctor, lived in Cyprus for some years and they love Cyprus, they just love it. And they say you've got to go. I say, isn't it war-torn? They said not anymore.
41:57 - Alex Stamos (Guest)
It's not war-torn, but my family's from the side that you can't go to anymore. I mean, I guess I could visit, but my family was, was driven out by the, uh. So, yeah, no, I do want to take, uh, my, my eldest is named after a monastery there, uh, so let's take him one day. Yeah, yeah, he should see it.
42:14 - Leo Laporte (Host)
The family, uh, the family estate. Where did the Thomases come from? Oh yeah, absolutely, yeah. The, the goat, the goat farm, that's what I'm talking about.
42:23 - Alex Stamos (Guest)
My mom visited in 1968, a little bit before the invasion, and they still, in 1968, they had no running water, they had no electricity. There's outhouses and, you know, burning wood. So, yes, but were?
42:35 - Leo Laporte (Host)
they happy. But were they happy?
42:37 - Alex Stamos (Guest)
That's, no, my grandfather couldn't? He got the hell out of there.
42:41 - Leo Laporte (Host)
So yeah, that's a good point, that's a good point. I love his story.
42:45 - Alex Stamos (Guest)
That's fantastic. Yeah, America, America. Yeah, America. And then, you know, when I did that security clearance, I had to go list, uh, every member of my family who wasn't born in the US, and he remembered the day he came to America, the day of his naturalization, his serial number from the US Army, his, like.
43:01 - Owen Thomas (Guest)
I mean like I didn't.
43:02 - Alex Stamos (Guest)
He didn't have to look up a single thing. I'm like, he... I didn't actually need all those things, but I didn't tell him, and like, he's, I'm just writing it down, all of it, because he knew it off the top of his head. He was just incredibly proud to be like, I'm an American and like I'm gonna prove it to you so that you can tell people.
43:15 - Leo Laporte (Host)
Yeah, well, that's, yeah, that's what I want to... That's the thing, I mean. Um, you know, whoever you vote for, whatever you think of either candidate, we should be proud of being in this country and the right to vote, and exercise that right to vote, and also kind of defend against disinformation and an attempt to subvert our democracy from other countries. Is North Korea a threat in any way?
43:50 - Alex Stamos (Guest)
Not from a disinformation side. From a hacking side, they're quite good. They're probably the largest thieves of Bitcoin in the world.
43:53
Oh really? Yeah, so something that's super unique about their state hacking apparatus is most of the state hackers in the world are all L, no P, in the P&L, right? Like NSA, Cyber Command. We pay them with our taxpayer dollars to hack on behalf of the national interest. They are not meant to make money, but the North Korean hackers are meant to be profitable, and in fact they are humongously profitable. They generate billions of dollars a year.
44:24 - Leo Laporte (Host)
Well, they need hard currency.
44:26 - Alex Stamos (Guest)
Yes, but can they convert?
44:28 - Leo Laporte (Host)
that Bitcoin to dollars, I mean, is there?
44:30 - Alex Stamos (Guest)
It's an interesting question of how do they spend the Bitcoin, and they do, yes, they do spend it. There have been a number of DOJ indictments about both the theft and then the laundering, but they have been able to spend the Bitcoin directly to buy something they need, in some cases turning it into dollars and euro and yen, um, and yuan, right? So they spend some of it in China. Um, but, yes, Bitcoin has been fantastic for the North Koreans. I thought Bitcoin was illegal in China.
44:54 - Leo Laporte (Host)
You can't spend it in China. Uh, didn't they ban Bitcoin?
44:58 - Alex Stamos (Guest)
Yes.
45:08 - Owen Thomas (Guest)
I mean, yeah, sure, I love that answer. They did.
45:09 - Alex Stamos (Guest)
Yeah, there's a bunch of things that it's illegal to sell to the North Koreans from China.
45:12 - Leo Laporte (Host)
I'm sure Chinese smugglers are not. They'll take Bitcoin. Sure, taking Bitcoin, right. We'll take whatever you got. South
45:15 - Alex Stamos (Guest)
Korean smugglers, people who are illegally crossing the Yellow Sea to bring stuff to North Korea, are taking whatever.
45:23 - Leo Laporte (Host)
Probably better taking Bitcoin than, like, you know, soggy, you know, yen or whatever, right? Yeah, I don't know what the North Korean currency is, but I doubt that it's widely accepted worldwide. Not something you can walk into a Chase with and deposit. Yeah, the fascinating thing.
45:39 - Owen Thomas (Guest)
Uh, and Alex, you can correct my technical knowledge here, but, um, you know, people think of Bitcoin as anonymous and untraceable, and that's half correct. It's actually quite traceable, transaction by transaction. It's all in the blockchain. That's the whole point.
45:57 - Alex Stamos (Guest)
Yeah, it's not at all untraceable, it's very traceable.
46:01 - Owen Thomas (Guest)
And there are, in fact, companies like Chainalysis that make a whole business of this, and I think maybe North Korea has gotten more sophisticated about this, or maybe they're just kind of willing to pay this cost, but their use of Bitcoin has given intelligence agencies that exploit this blockchain intelligence, you know, some insight into those operations, and it's, you know, it's an interesting trade-off, I guess, for North Korea, is that, you know, there are obvious advantages with using Bitcoin, but I don't think they quite realize how much they're giving away by using it.
46:43 - Alex Stamos (Guest)
Yeah, I, I think they know, they just don't care, right? Like, what are you gonna do?
46:46 - Leo Laporte (Host)
Come get them.
46:47 - Alex Stamos (Guest)
Chainalysis is great. They give our students free 90 licenses.
46:49 - Leo Laporte (Host)
So my colleague at Stanford, Shelby Grossman, uh, she teaches a class, uh, an open source intelligence class, and she gets these licenses and teaches our students how to... Just, just to be clear, you can trace all the transactions, but all you have from Bitcoin is a long identifier, a long number, right, that isn't necessarily tied to any person, right?
47:13 - Alex Stamos (Guest)
Right, so you have to do something else then to tie it to a person.
47:17 - Leo Laporte (Host)
Yeah, I mean, if they create a custodial wallet somewhere on Coinbase and use their real name, we know right, we can tie it.
47:25 - Owen Thomas (Guest)
For example, if there's a ransomware attack that is, you know, where the software can be tied to a North Korean group, and then you know what that wallet address is where they're collecting, you know, collecting, and you know it's going to North Korea. That's how they... Alex, is that a good way to kind of describe how you make those connections?
47:47 - Alex Stamos (Guest)
Right, yeah, so that's exactly right. So, you know, that kind of tracing happens all the time. For a ransomware actor, does a ransom, it gets moved into a temporary wallet. It then gets moved into intermediate wallets and you trace it until the final beneficial owner, and then you assume that beneficial owner is a member of that ransomware crew, or, you know, that's the kind of thing. Or, yes, it gets moved, it gets tied into a self-hosted bitcoind that you can tie it to. This is on a virtual machine and you're able to tie that virtual machine to somebody who actually physically had access to it.
48:20 - Leo Laporte (Host)
Did you guys watch the Money Electric documentary, uh, documentary on, uh, Cullen Hoback's documentary on Max about Bitcoin and about the purported identity of Satoshi Nakamoto? No, I saw the, the proof, and the proof is, like, it's pretty weak. Yeah, because it's like a reply.
48:42 - Alex Stamos (Guest)
Guy was just kind of jerking a reply. It's like, that's.
48:44 - Leo Laporte (Host)
However people talk online. Watch the documentary because at the end he confronts, uh, uh, Adam Back and Peter Todd. He thinks Todd is Satoshi. I think they're, I think the two of them are Satoshi. Uh, he confronts them in a, I think a Croatian, abandoned Croatian factory, and, uh, Todd acts very squirrelly. I mean, if you were Satoshi, you would not want anybody to know that, because Satoshi, as far as we know, still controls billions of dollars in Bitcoin, the original coins that were mined, and, uh, you know, that would mean you would be prime for kidnapping. In fact, Peter Todd, the guy fingered by Hoback, is now in hiding.
49:28 - Alex Stamos (Guest)
Yeah.
49:29 - Leo Laporte (Host)
And what we're waiting for is any movement in those early coins, those early wallets, because, you know, I guess he'd be smart not to touch them at any point.
49:45 - Owen Thomas (Guest)
Yeah, that's the irony of like you know it's an untouchable fortune.
49:50 - Leo Laporte (Host)
Yeah, yeah, yeah, it could be worth trillions. If the Bitcoin gets to a million dollars, it'll be worth a trillion dollars. But if somebody touches them, Bitcoin price massively drops, right? Well, you could, okay, you could take a billion out, it wouldn't kill it. Well, but if you touch it, then it, it effectively.
50:04 - Alex Stamos (Guest)
I mean the current price of Bitcoin, right, currently assumes that a bunch of that is not, right, tradable.
50:11 - Leo Laporte (Host)
So there's an interesting point that Hoback makes in the documentary, which is there, there is a way to burn Bitcoin in public, to burn it on the blockchain so that it cannot be used. Yes, which Nakamoto never did. Either he died before he could do that, or he doesn't, he's still around and he says maybe someday I'd like to take a little bit of that out, knowing that it would destroy his invention. Right, right, right. I mean, there's a party lost the keys.
50:40 - Alex Stamos (Guest)
I mean I, like, you know, that's, yeah, I mean this is a theory that people threw around, of like what if it was like a government project or something?
50:47
Like, let's say it was, you know, I mean, I don't, I don't believe this. But let's say it was like a project of five people working at, you know, uh, ASD or, or NSA or something, and then they got found out by their government masters, who are like, um, that's government property, right, and that gets put... Those people no longer have access to it and it's in a government vault somewhere. It's next to the Ark of the Covenant and now nobody can touch it. That's a possibility. I think it's, I mean, to me it is most likely. I think it's very unethical to point out that it's any individual person unless you're 110% sure, because you are putting that person's life at spectacular risk. It's not a theoretical risk, right?
51:30 - Leo Laporte (Host)
No, no, no. People have been kidnapped, people have been killed over Bitcoin right, so in a way that would be unconscionable.
51:37 - Alex Stamos (Guest)
On the other hand... Right, and if something happens to these guys, like?
51:42 - Leo Laporte (Host)
You did it, you did it.
51:46
It's your fault. On the other hand, there is a reasonable interest in the Bitcoin community over Satoshi, if he's still alive, and whether he controls those coins and what he might do with them, because he, you know, he is the sword of Damocles hanging over the entire Bitcoin operation. Yeah, uh, so I don't know. The United States Supreme Court declined to take on a case. The government does have 69,370 bitcoin it got from the Silk Road, worth 4.38 billion dollars. Uh, the Supreme Court decided not to hear the case. That could clear the government to sell that bitcoin, which I thought was kind of interesting. Uh, in other cases they have, or courts have said, yeah, the government can sell the bitcoin. Yeah, they've actually sold a bunch.
52:29 - Alex Stamos (Guest)
They sold it pretty cheap. Holding onto it would have been good. Just hold it, man.
52:34 - Leo Laporte (Host)
Yeah, diamond hands. I have, I have lost the password to my wallet where my 7.85 bitcoin reside, and I'm going to wait... no. Well, I figure that software, water, hardware, it's a, it's a, it's a Bitcoin Core software wallet, it's RSA encryption. I did not use RoboForm. Don't, don't send, I get email every time I mention... pardon me.
52:55 - Alex Stamos (Guest)
What kind of RSA is it?
52:56 - Leo Laporte (Host)
I don't know what kind of encryption. Strong encryption, obviously. But, um, it's Bitcoin Core. Uh, I'm figuring it's just a way of holding it, and when quantum computing comes along, I'll crack it and then it'll be worth something. I might be dead, long dead. What do you think? What do you think? Quantum decryption of Bitcoin passwords? When do you think that's going to happen?
53:21 - Alex Stamos (Guest)
Okay. So if it's, I mean if it's symmetrically, if you have a symmetrically derived key, I, I hate to break it to you, but quantum only gets you.
53:31 - Leo Laporte (Host)
Oh, um, right, it only makes it, yeah, yeah, so it doesn't actually get you much. Yeah, I think it only gets like... Yes, it's a symmetric key, yeah, so it doesn't.
53:37 - Alex Stamos (Guest)
So I'm screwed. Um, quantum gets you a lot for the asymmetric algorithms, which is why... So it's interesting, because the real problem from, actually a big problem for Bitcoin.
53:47 - Leo Laporte (Host)
Chinese, uh, uh, researchers this week said, oh, we were able to, uh, crack some encryption with, uh... They didn't, they didn't. It was a bad headline. I think they, they were able to do some quantum computing factoring, but I don't think it was anywhere near enough. It was 22 bits. I don't think it was near enough to, uh. We were talking about North Korea. Uh, the other North Korean story we've been talking a lot about on Security Now with Steve Gibson is they have been planting hackers in American companies by persuading Americans to lend them their identity.
54:26
Yeah, and then working in these companies as Americans, but with access, of course, to all of the company's secrets.
54:32 - Alex Stamos (Guest)
Although most of it does not seem to have been for access to secrets. It's just to make money, money.
54:37
Because a lot of it is not... Like the salary, it's to make the salary. Yeah, wow. And so the FBI has busted a couple of these people, and you'll have an American whose identity has been used for 10, 15 companies, and they'll have like 15 laptops in their apartment and each one's got like TeamViewer on it. And then there's 15 people in North Korea who are doing their job. Amazing, yeah. And it's a bunch of different jobs. So it'd be like some of them are graphic designers, some of them are real programmers, some of them, they're all knowledge jobs and things that are like, you never have to, you don't have to be in a lot of meetings for, right, because that's where you run into trouble. So it'll be things that are like, or it'll be kind of temp work stuff, data entry, things like that. Yeah, do they have the American pretend to be the?
55:21 - Owen Thomas (Guest)
You know, the American will do the interview, right? So the American will do the interview.
55:25 - Alex Stamos (Guest)
And one of the things you can look for is, you can look for if it looks like the person is getting prompted. So they'll do the interview and the North Korean person will be listening into the Zoom interview and prompting them with the answers, like if there's a programming interview or something. So if somebody's doing it and looks like maybe they're reading off the screen, or it takes them a while to answer it, if it's like a weird back and forth, that's one of the warnings you can look for.
55:48
The other thing technically you can look for is, like, if you're shipping laptops to somebody and then you get like a TeamViewer installed or an AnyDesk or something like that, because they have to use a remote desktop tool. You know, if you're hopefully not allowing bring your own device, right, so if they're on your... If you, you should not be allowing remote desktop tools installed on your, your devices, but that's, that's another. There's a bunch of technical things you could be looking for, but it has been actually a real challenge, and it's a good demonstration of a bunch of different kinds of control failures in a bunch of organizations, and some really big companies have been hit. I'm not at liberty to say, but you'd be shocked at the companies that have been hit with this. Really? Yeah, really big companies. Oh, Fortune 50, geez.
56:34 - Leo Laporte (Host)
But it's funny. They're not trying to hack it, they're not trying to put in ransomware or exfiltrate information. They just want a job. They just want to make a living. Do they? Are they quality? I mean, are they good employees? Do they do a good job?
56:47 - Alex Stamos (Guest)
In a lot of cases, yeah, they're actually doing a very good job. So no harm, no foul.
56:52 - Owen Thomas (Guest)
Well, maybe there is. Okay, there's a little harm, but, you know, we do have an embargo, I'm sure, against that. But it seems like the problem would be getting the dollars out of, out of the country and to, you know, whatever. Once again, it's Bitcoin, right? So that person's getting paid, they're getting 10, 15 paychecks, uh, and then they're, they're using cryptocurrency to get the money out of the country.
57:14 - Leo Laporte (Host)
Wow, got it. The idea, I said I was going to ask you about the supply chain attack. The, I mean a brilliant, uh, I, you have to admire the skill and the tenacity that it took for the, I don't know if it was the Mossad or the IDF, but for the Israelis to put explosives in these pagers and to get them distributed to the leadership at Hezbollah and then to blow them up, killing hundreds. It is a kind of a terrorist action, I'll be honest, in my opinion.
57:48 - Owen Thomas (Guest)
John Fetterman, Senator John Fetterman of Pennsylvania, said good on them. Uh, but it's also scary because it, it shows you that a determined opponent can really screw you over with the, with, by suborning the supply chain. One thing that, uh, played in Israel's favor, as, as I understand it, and I, I'm just reading the same reports that you probably have, is that, um, because of sanctions, um, you know, Hezbollah's options for acquiring technology like these pagers were kind of limited, and it makes them a little vulnerable to, you bet, uh, this kind of action. And the reason they went to pagers is because they knew the Israelis had cracked the phones using, probably, SS7. Well, and also because with the phones you have a two-way connection, right.
58:36 - Alex Stamos (Guest)
So with the pagers it's like, not, not a modern pager, it was like the old, I think, 700 megahertz, so broadcast only, right. So they moved to a pager, because those pages are sent out unencrypted to everybody and the pagers never go up, they only receive. And so that's why they were using these pagers, because you couldn't be tracked with them, in theory. Wow. Um, yeah, they're not IP based. They weren't, they didn't have like a GSM or LTE connection. They were receiving these old, old style, uh, you know, they don't work in most countries, I think. Um, uh, and so that's why they ordered them, which made it also, I think, much easier for the supply chain attack to happen, because the number of people who are ordering this kind of pager is extremely small. How worried should we be about a vulnerable supply chain?
59:22 - Leo Laporte (Host)
I mean, we talk all the time about, uh, the Chinese being opponents, and yet almost everything we buy is made in China. For cyber attacks, I think we should be very worried, and, and that's why we, that's why we forbid Huawei, uh, equipment in the United States, right? And so targeted cyber attacks, those have happened, and I am aware of a number of.
59:41 - Alex Stamos (Guest)
There's a bunch of cases that have not been publicized where it's generally the firmware level, right? So a device that is being ordered by a company, where it is known by the OEM that it's going to a specific company, right, so it's not being bought out of the... and that's what's true here, right? So, like, the key thing you have to be thinking about, if you're worried about this kind of level of adversary, is you want to be buying out of the channel. So if you're going to CDW and they've got a warehouse full of computers that were made in China, you're probably fine, right. But if you're ordering directly from the factory and you look at the shipping manifest and it's like shipping started in Shanghai, then you might have a problem, right. The problem could start with the company or it could start with it getting intercepted, and again, the United States doesn't have clean hands here.
01:00:31
There is, in the Snowden documents, there's a picture, with their faces blurred out, of NSA employees in polo shirts very carefully unwrapping the Cisco box and then changing out the firmware. Right, that they knew, yeah. So, um, the US was doing this a long time ago. I mean, that was over a decade ago, um, so the odds that the Chinese are doing it is basically 100 if the US was doing it a decade ago. So, yes, I think it's absolutely something we should be worried about. Wow, I think explosives probably not so much, right, uh, although but hardware hacks?
01:01:07 - Leo Laporte (Host)
Remember the uh, the, the Supermicro motherboard story that Bloomberg never was able to prove?
01:01:14 - Alex Stamos (Guest)
Right, and that's the problem is that, like, they wrote this bad story, that you think it was a bad story at the time.
01:01:19
I mean, it was silly of like, oh, a grain of rice thing. Like that's not how you would do it, right, like, if you, if you wanted to, back to our Supermicro motherboard. There's 20 or 30 places on that motherboard where state is stored. You don't need to add a new piece of hardware, right? You would replace one of those pieces of state that already exists, one of the EEPROMs in the firmware that already exists, right, um, and so that's in the.
01:01:43 - Leo Laporte (Host)
It's essentially a man in the middle attack, though, right? You're not accusing, say, somebody like Supermicro of perpetrating. It'd be somebody, some supplier or somebody who got a hold of the motherboard. I don't think it's like an official somebody at Supermicro.
01:01:55 - Alex Stamos (Guest)
It could be an employee at Supermicro. Well, that's true.
01:01:57 - Leo Laporte (Host)
Who's been, could be a North Korean employee, right, or or it could have been.
01:02:03 - Alex Stamos (Guest)
It's got to go through a lot of hands when it's through, and every box that leaves China goes through customs, right. Right, you, you know this, like when you order something, sometimes it says waiting in customs. Right, it says it right there. And like the FedEx manifest, when you buy an Apple computer it'll say waiting in customs, maybe for a couple of days, and so it's absolutely a concern, and companies that really are concerned about this kind of stuff, that's why you buy it from the channel, that's why you buy it again from a CDW or somebody who bought 5,000 and they put it in a warehouse. In fact, at one of my previous employers, we bought a device that we were suspicious about, that there was some weirdness about it, and so we ended up going to, I think, Ingram Micro, like that, and we ended up like going and saying we want that one.
01:02:49
We just pointed on, like, a pallet, and we're like, we just picked out a random one from a pile, because that way nobody could have possibly known that that was the one that was coming to us. So if you're playing at that level where you're, you're being targeted by state actors, that's not an unreasonable thing to be thinking about. Wow.
01:03:09 - Leo Laporte (Host)
But for the explosive stuff like yes, I mean that's, that's a little harder to do obviously.
01:03:11 - Alex Stamos (Guest)
It's a little harder to do and like the level, like if you're playing at that level, like if you're a terrorist group and people are willing to blow you up, then you have to be worried about it. I think you know the the only people who are playing at that level, uh, who realistically have that threat, are probably terrorist groups well, oh, that's okay.
01:03:33 - Leo Laporte (Host)
Well then, I don't have to worry, so it's okay. Do you, Leo? Geez. Oh, it's, it's only terrorist groups.
01:03:40 - Owen Thomas (Guest)
And we can, we can relax, we can sleep easy. Well, you know, I, I, I do, I do think we have to worry, um, you know, not about hardware but, like the, you know, software spillover. Um, you know, I think there have been examples of um, of malware that's been, you know, that's targeted at. Sure, sure, Alex, I'm thinking of the incident where malware that was targeted at the Iranian nuclear program got out in the wild and affected a lot of other equipment.
01:04:11 - Alex Stamos (Guest)
Okay. So it didn't directly affect equipment, right? So Stuxnet was actually very carefully built. There's a quote by somebody of like it was clear that Stuxnet was American malware because it was clearly malware built by lawyers. It had lots of checks in it to make sure it didn't damage Siemens PLCs were the final target, and Siemens PLCs are used in everything. So it was very carefully built to not break anything but that.
01:04:37
But the problem about releasing a piece of malware like that is, is the difference between a cyber weapon and a normal weapon. Is a cyber weapon can be repurposed and used against the person who shot it at you. You shoot a rocket at somebody, they can't turn around and shoot that rocket back. But if you use a cyber weapon against somebody, they can just take it apart and use it against you, and that's for a short period of time. The only people who had those exploits were the United States, maybe Israel and the Islamic Republic of Iran. They didn't know it, the Iranians, but if they had looked closely they had some really hot exploits that they could have used. Uh, if they had been a little more careful. Why did they not know?
01:05:21
Uh, they weren't looking carefully enough and they were not. Uh, they did not figure it out. Um, they, they thought air gapping was enough and that's what, at, in that time frame, that was kind of the, uh, conventional wisdom. Those uh SCADA devices were air gapped.
01:05:36 - Leo Laporte (Host)
But uh, what do they use? They, they used USB keys. They candy dropped them. There's a bunch of different theories.
01:05:46 - Alex Stamos (Guest)
One of the theories is that they infected. They attacked a bunch of Farsi language websites and infected them, and so somebody got their personal iPod or something infected, took it in and plugged it in locally. Wow. There's also discussion that that might be a cover and that the Dutch actually had a human intelligence asset who planted it, and that that whole thing was just a cover for the human intelligence asset. Uh, that's interesting. Wow, that's a, that's quite a story.
01:06:19 - Leo Laporte (Host)
We're uh, yeah, I know, yeah, yeah, some really good. It's really good coverage. Um, yeah, it's a fascinating story. Um, we're going to take a break. We have Alex Stamos with us, formerly of the Stanford Internet Observatory, now he's the CISO at SentinelOne. We'll talk a little bit about SentinelOne later, because we're going to get to CrowdStrike in a minute and they do kind of a similar thing. But what did you say? SentinelOne is the one that didn't destroy the airline industry, is that it? I think you said it, Leo.
01:06:49 - Alex Stamos (Guest)
I said it, not you, I'm thinking it.
01:06:53 - Leo Laporte (Host)
Owen Thomas, you're thinking it, but you're not saying it because you're a good guy. Owen Thomas is also here, managing editor of the San Francisco Business Times, which also has never hurt the United States airline industry in any way, shape or form, I believe. Not that we know of, not that you know.
01:07:08
I have some great stories actually from Owen. Uh, we'll talk about that in just a little bit, but first a word from our sponsor, Veeam. When I found out about Veeam, when I talked to the guys at Veeam, I thought, why doesn't everybody use Veeam to protect themselves from ransomware? You know your data is the most important thing in your business. Without your data, your customer's trust turns to digital dust. That's why Veeam's data protection and ransomware recovery ensures that you can secure and restore your enterprise data wherever and whenever you need it, no matter what happens.
01:07:46
We call this data resilience and, as the number one global market leader in data resilience, Veeam is trusted by, this is a telling statistic, over 77% of the Fortune 500. Use Veeam to keep their businesses running when digital disruptions like ransomware strike. And then the 23% who don't? You're going to see them in the headlines, right? That's because Veeam lets you back up and recover your data instantly across your entire cloud ecosystem, no matter where it lives.
01:08:17
With Veeam, you can actually stop ransomware before it bites you, proactively detect malicious activity. Also, and very important, you remove the guesswork by automating your recovery plans and policies. You do have a recovery plan and policy, right? Right. Get real-time support, should the worst happen, from ransomware recovery experts. Data, it's so. Get data resilient with Veeam, V-E-E-A-M. Go to Veeam.com, V-E-E-A-M.com, to learn more. We thank Veeam so much for supporting the show and we thank you for supporting the show by going there and visiting them and, if they ask, say I saw it on TWIT. Veeam. I like the phrase malware made by lawyers. I might make that the title of this show. I think that was, I'd never heard it quite described, Stuxnet quite described that way, but that's, that's not my line.
01:09:14
I, I don't know who said it. It's a good line, well, we'll steal it. I don't mind, I take from the, I steal from the best. Actually I was, you know. One of the stories that's been going around this week is the expulsion of Russian maintainers from Linux. And Linus Torvalds, uh, this is from The Register, defended that. Uh, you know, saying, look, there, there's, uh, there's an embargo. If you haven't heard of Russian sanctions yet, he writes, you should try to read the news someday. And by news I don't mean Russian state sponsored spam. Um, so he, he says, I'm Finnish, you think I'd be supporting Russian aggression?
01:09:56
But there are quite a few people saying, you know, those maintainers, Russian or not, were contributors. They, they contributed great stuff. They have now been. A handful of Linux developers have been removed from the maintainers file. The explanation was remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided. Is this a fair move? There's been some criticism of Linus and the, and the maintainers, I.
01:10:29 - Owen Thomas (Guest)
I mean, and you know, if it's open source, you can inspect their contributions and I agree, decide for yourself right, right.
01:10:39 - Leo Laporte (Host)
And just because somebody's Russian doesn't mean that they're, you know, bad. I mean, but when?
01:10:44 - Owen Thomas (Guest)
When you bring up compliance, I think that means that companies are looking through their software supply chain and maybe saying, you know, hey, free, you know, free, open source or not, we can't have this, you know, we can't run our business on the software.
01:11:05 - Leo Laporte (Host)
Right, right. What do you say, Alex?
01:11:08 - Alex Stamos (Guest)
You agree, you agree with the move? Yeah, I don't really understand it, so, um, yeah. Why now?
01:11:14 - Leo Laporte (Host)
For instance, why? Sanctions are two years old.
01:11:17 - Alex Stamos (Guest)
Right. I, I can't put my finger on a sanction requirement to, to not allow Russians to contribute to open source. Okay.
01:11:27
So there's a bunch of sanctions that are very hard to apply to any kind of open source or free service. You know, in social media, companies and other websites deal with this all the time of there's a big kind of controversial conversation around. Can you provision free services to people under sanction? And the sanctions on Russia are not the strictest sanctions the United States has, right, the strictest sanctions we have are like Cuba and Iran and some other North Korea countries like that. The Russian sanctions are pretty. You could still fly to Russia, right, it's legal to fly to Russia. It's legal to go there. It's not a good idea, but it is legal in a way that is not legal to say, to go to North Korea and spend money. So you know they're pretty porous. And he does not cite a specific legal requirement. Is there risk? I mean, the Linux kernel is the most reviewed piece of open source software in the world, right, um? And so, compared to, like, the SSH patch, that that really was scary, right Um? No kidding.
01:12:37
That very possibly could have been Russia. Like I actually, I think that was probably SVR.
01:12:43 - Leo Laporte (Host)
Oh, interesting, and for some reason I thought it was Korea, North Korea.
01:12:46 - Alex Stamos (Guest)
That's what everybody wants you to think. That's the problem.
01:12:49 - Leo Laporte (Host)
It's very hard to do attribution, isn't it? Because there's always misdirection involved. This was the case where there was code introduced by the maintainer. This is the one where the maintainer kind of retired and a guy who's really spent some time establishing his reputation contributed malicious code. Yeah, is that the one?
01:13:11 - Alex Stamos (Guest)
Yeah, yeah, that's right, and we haven't really had any good updates. Um, and it was like it was a library that went into a library that went into SSH, right. So it's very smart. Somebody spent a couple of years, yeah, working on it, and they worked very hard on making people think it was in Asia. You know how interesting, the work and the emails were all in an Asian time zone. It was just very obvious, which makes you think it wasn't, right.
01:13:37 - Leo Laporte (Host)
If it were Asia, they would have made sure it was Russian time. So it's in a Russian name, and the Russians do that a lot, right? Sure?
01:13:43 - Alex Stamos (Guest)
You see that a lot, where it's like, all good hackers do that, like, oh, hello from Beijing. Right, cover your tracks.
01:13:50 - Leo Laporte (Host)
Yeah, exactly, yeah, but then there's circles within circles, because if they had, they really were Asian. And then they thought, well, you wouldn't think it was Asian if we said it was Asian. So we're going to say it's Asian because, oh my gosh. Anyway, so like there's several levels above that. What's?
01:14:08 - Owen Thomas (Guest)
The, what's the quote from Donald Trump about attribution? You know, it could be, could be the Russians, could be the Chinese, could be a 400-pound hacker in his basement.
01:14:18 - Leo Laporte (Host)
Yeah, yeah right.
01:14:19 - Owen Thomas (Guest)
Who knows, who knows, no one knows, could be Barron. Are there no overweight hackers in Russia or China or North Korea?
01:14:26 - Alex Stamos (Guest)
So I mean in this case, Torvalds, like Finns, have no lost love for the Russians, and I get that. I feel, like you know, some of the biggest victims in the world of Vladimir Putin are the Russian people, right, and so I once again feel a lot of sympathy for normal Russians, Like they live under a yeah.
01:14:47 - Leo Laporte (Host)
I mean, they're suffering just as much, right.
01:14:49 - Alex Stamos (Guest)
Yeah.
01:14:49 - Leo Laporte (Host)
And um inflation is 20% now in Russia because of all the military spending.
01:14:55 - Alex Stamos (Guest)
Right, yeah, and uh, if you're a young Russian man, uh, you are being sent to the meat grinder.
01:15:01 - Leo Laporte (Host)
Even if you're an old Russian man, you're a Russian man.
01:15:04 - Alex Stamos (Guest)
You're a convict, you're not convicted anybody? Yeah, I don't think anybody Right and uh, it'll be interesting to see if they start taking women right. Like it's uh, you know it's not exactly the most woke society, but like it's. It's hard to start justifying 2024 only drafting men, it seems to me, but, um, anyway, well, well that's one, that's one area of it's a weird one is women's, women's liberation.
01:15:26 - Leo Laporte (Host)
I don't know if I support Russian women being sent to the front. It would be hard in the US to have oh no, here we do it, we would definitely do it, and it's just like it's just interesting that they're so desperate for that.
01:15:37 - Alex Stamos (Guest)
They'll take, like, like, oh, you got one leg, we'll take you, but we won't take women. Right, like, it's just kind of interesting when you also, like, the Russians have like an incredible history of, you know, women throwing Molotov cocktails at Nazis and tanks, right. Like, but anyway, I just find this weird because it does not seem legally required to me and the actual technical risk is quite low. It just mostly seems like Torvalds kind of doing his thing, um, which I understand, but, uh, but a little bit bizarre.
01:16:12 - Leo Laporte (Host)
The people dropped, according to The Register, from the maintainer list oversee Linux drivers that provide interoperability with hardware from vendors like Acer and Cirrus Logic. So it's a, they're hardware drivers, and do you think maybe those companies said, hey, I don't know. Thing is, if a company doesn't want the open source maintainer to write the drivers, they could just write the drivers themselves. Thank you very much.
01:16:33 - Alex Stamos (Guest)
Right, and there's about Taiwanese companies, right, so it's like provide the drivers for Linux.
01:16:38 - Leo Laporte (Host)
Thank you, yeah, I mean, there's not exactly.
01:16:41 - Alex Stamos (Guest)
Russian hardware companies. Yeah, anyway, it's a little, I mean it's fine, it doesn't hurt me. I just don't understand the justification without there being a real proceeding. It's quite possible there's something that happened that we're not, we're not aware of, which is unfortunate, because if something happened, he should be honest about it. He should say, we got this patch and it's sketchy, right, and that should be something that we all know about. So I'm sure you were paying attention.
01:17:06 - Leo Laporte (Host)
I know Owen and I were last July when CrowdStrike pushed out an update that forced Windows, I haven't heard about this, to reboot over and over and over again. We should mention SentinelOne does something similar to CrowdStrike. You monitor uh malware activity. We're in a similar business. We didn't do that, similarly, if that's what you mean. No, I understand, but you, but you do, you have, yes, so the, the, the CrowdStrike, uh, we.
01:17:34 - Alex Stamos (Guest)
We make basically the same. We're in the same business. Yes, we're, we're, they're, we're their biggest independent competitor. So the biggest company in the space is Microsoft, uh, because their product's free. They also have monitoring software out there, right, Windows Defender, uh, is like the biggest product in the space because they give it away for free. Like, you buy mail, you get Defender, um. But it's not great. It's like the, it's the free thing, it's what I wrote, but every Windows user has it.
01:17:56 - Leo Laporte (Host)
So wait a minute, I never thought of that. That's why Microsoft offers Defender, puts Defender on all versions of Windows. It's not, it's not a one-way street. They're not just protecting you, you're also sending back telemetry.
01:18:07 - Alex Stamos (Guest)
Telemetry, yeah, malware, right. Well, and they have an enterprise version, so it's not exactly the same. So there's an enterprise version if you buy an E5 license or if you get E3 with like a package, right, that is EDR. So there's, they have a basic antivirus version and then CrowdStrike and SentinelOne make products that we call EDR. EDR, right? Right. Endpoint Detection Response. So it looks for malware. But also what it does is it basically records everything that happens on your computer.
01:18:32 - Leo Laporte (Host)
It's a sensor system.
01:18:34 - Alex Stamos (Guest)
Yeah, it sends it up to the cloud. And so you don't do this for a normal computer. This is like for an enterprise, and so the enterprise security team can see oh, something ran on Leo's computer. It called in these DLLs, it talked to these IP addresses. I can reverse, engineer all of it without even touching. You can do all the forensics and such without even touching the machine, right, Because all the data's already up in the cloud. And that's when you're playing against this level of adversary, if you're playing against the North Koreans or the Iranians or you know really high end ransomware actors and such, that's what you have to do, because you can't just be looking for known malware that exists in signature files. You have to be recording everything that goes on and be looking for new stuff.
01:19:13 - Leo Laporte (Host)
But I think that's how you find out about zero days, right? You need to.
01:19:16 - Alex Stamos (Guest)
Exactly yeah.
01:19:19 - Owen Thomas (Guest)
Yeah, to me, Alex, one of the fascinating things is that to defend in real time against these kind of threats creates a new kind of fragility in the system, and I think that's what the CrowdStrike incident revealed.
01:19:31 - Leo Laporte (Host)
Yeah, because they were running in ring zero. They were running at the lowest possible level.
01:19:37 - Owen Thomas (Guest)
And you know, like you know, you don't always have the opportunity to kind of like stress test these, these updates that are sent out. Well, you do.
01:19:48 - Alex Stamos (Guest)
I mean, this is the difference between CrowdStrike and everybody else in the marketplace. You should test them.
01:19:53 - Leo Laporte (Host)
Yeah, yes, right.
01:19:55
So this is where, kind of like, the issues arise. There is a, there is an urgency to pushing out these updates, yeah, yeah, but at the same time there is a certain, it's incumbent on you to make sure. If they had put it on one or two machines at work and noticed they were rebooting over and over again, they might have said, oh wait a minute, we got a little problem. There actually was a chain of failures and it is an old story, I know. But the reason we're bringing it up is because Delta Airlines has hired David Boies, yes, that David Boies, to seek damages from CrowdStrike and Microsoft. You may remember, Delta was the airline that was down for, I think, 10 days, suffered half a billion dollars in losses, canceled thousands of flights, stranding many, many people, including Christina Warren and others. And they say if CrowdStrike had just done their appropriate due diligence, this wouldn't have happened.
01:20:52 - Alex Stamos (Guest)
This is Delta's complaint.
01:20:57 - Leo Laporte (Host)
CrowdStrike caused a global catastrophe because it cut corners, took shortcuts and circumvented the very testing and certification processes it advertised for its own benefit and profit. If CrowdStrike had tested the faulty update by the way, capitalized faulty update on even one computer before deployment, the computer would have crashed. Now again we're going to say that you are kind of Alex and kind work for a competitor.
01:21:24 - Owen Thomas (Guest)
So take this, you know, in consideration. And in response, CrowdStrike said that it was Delta's fault for having antiquated infrastructure, which, you know, like, I don't know how you vet that, but it would not shock me that an airline has antiquated infrastructure. If you look at Southwest, you know, they've, they have struggled with this problem of technical debt for, for some time.
01:21:52 - Leo Laporte (Host)
That's right, and, and, you know, many, many people who were bit by this CrowdStrike thing got up and running much more quickly, in some cases instantly. We had one listener email us saying we had CrowdStrike running on our perimeter machines, so they crashed immediately, which kept all of the internal machines safe, and we were able to fix that fairly quickly. We had a lot of our listeners who spent long hours that weekend, uh, fixing, uh, the thing. So yeah, I mean, I have to say it does. It seems less credible that the Delta's problem was CrowdStrike's and Microsoft's problem and was more Delta's problem. To be clear, they didn't end up suing Microsoft, so that was the original, about Microsoft, but that, okay.
01:22:40 - Alex Stamos (Guest)
The lawsuit was only against CrowdStrike, which I think is the right thing, because in the end Microsoft didn't do anything wrong. So it looks like, um, it, yeah, well, Mike, yeah, so.
01:22:50 - Leo Laporte (Host)
So Microsoft has an API that CrowdStrike could use, SentinelOne could use, to operate not at ring zero with these sensors. So every EDR, every, like, high-end anti-malware product has a kernel module. You, it has to. Huh. You have to, yeah. So Microsoft's APIs are insufficient to do the job.
01:23:11 - Alex Stamos (Guest)
That's right, they are. What they have done is, after this incident, they held a summit up at Redmond and they actually went up there. CrowdStrike was there, Trend Micro, Sophos, kind of everybody from the anti-malware industry was there, and they're talking about a future in which you don't have to run in the kernel. I don't think it's going to happen for quite a while, and it's because there's at least three reasons why you have to be in the kernel. The first is to see all the things you need to see.
01:23:38
There's a bunch of telemetry you need to gather that is just not made available to user mode. Now, that could be made available to user mode, but Microsoft would have to just do a really good job of being comprehensive in doing that, and they never have in the past. The second is to, at a very fast rate, be able to let these pieces of software intercept and decide whether or not a piece of potentially malicious code can actually do something. So we don't just alert oh this thing's bad. We do things like stop file access, stop network access, and doing that from user mode can cause humongous performance issues. Right, so you're never going to have Microsoft create a call out to user mode that then synchronously blocks a file read. That would be insane to have like 128 core machine production Windows server that is doing. Synchronous user mode calls for individual file accesses and so doing that from the kernel, from a kernel thread, is really the only way.
01:24:42 - Leo Laporte (Host)
You just have to. You just have to be at that low level to monitor and to do the kind of blocking that you need to do, yeah.
01:24:49 - Alex Stamos (Guest)
And the third reason that I don't see ever being fixed is if the bad guys get into the kernel. The only way we can protect ourselves from being killed by the bad guys is from being in the kernel. And it's only been a couple of months since Microsoft had a massive kernel vulnerability right. So it turns out they had this IPv6 kernel vulnerability that has existed in every version of Windows Vista, so it's been around for like over a decade. And if the bad guys can get in the kernel and we're only in user mode, what would happen is they could just make us disappear.
01:25:20
It's like, you know, traveling back in time and killing your grandparents. It'd be impossible to protect ourselves, and so that, it's called anti tamper, and so CrowdStrike, us, Trend, Microsoft themselves all have kernel modules. Now, the difference here is you don't have to put all of your code in the kernel, and that's an engineering, architectural decision CrowdStrike made, was they have a bunch of dangerous code in the kernel and they're pulling their signature files into the kernel and they're parsing them in the kernel. In fact, they were doing regexes in the kernel and they're not checking these regexes and they did an out-of-bound regex. Oh geez, it was a regex that crashed it.
01:25:57
Yes, it was a regex that was looking for too many items, and, and, and they were doing like an unbounded regex, and so it just filled the buffer, yeah, and overflowed, right. And so what you need to do is, like, if you have a kernel module, you just minimize it and it does the minimal stuff, and then you do all the dangerous stuff in user mode, and that's what we've done the entire time. And so I think where we'll end up is Microsoft, they have this dream of pushing everybody out of the kernel. Realistically, I think what they can do is they can push CrowdStrike to, one, test stuff, so, you know, to not deploy everything all at once.
01:26:33 - Leo Laporte (Host)
And do the minimal amount in the kernel.
01:26:35 - Alex Stamos (Guest)
And do the minimal amount that you have to do. Yes, which is then? This is the big argument now that Delta is going to make, right, is that everybody else in the industry pretty much was doing these things. And so the fact that CrowdStrike was not doing stage rollouts, was not doing telemetry on rollouts, was not doing testing. Cause, like you said, this instantly killed a Windows machine as soon as a named pipe was created. Named pipes are created dozens of times a second, even on an idle Windows machine.
01:27:03 - Leo Laporte (Host)
So like it's the kind of thing you should know immediately if you do any testing. What they said was that their test harness was broken and the guy who pushed it out didn't know that, so he did test it, but the test hadn't been updated, so the test had a stub that just said yeah, yeah, yeah, passed Right and you didn't run it, even on a Windows virtual machine. Yeah, I mean yeah. Yeah, it's fine to have tests, but you should probably run it once on a machine.
01:27:30 - Alex Stamos (Guest)
And then you do stage rollouts, right, you never roll something out with millions of machines at one time. And we've seen that Apple does that, Microsoft does that. They don't push out these things all at once?
01:27:44 - Leo Laporte (Host)
Yeah, nobody does that, and you have so much. So you think there is some culpability on CrowdStrike's part?
01:27:46 - Alex Stamos (Guest)
Oh, absolutely, I think they absolutely screwed this up. These are like basic engineering things, right, like doing stage rollouts is how people have done this for 20 years. Having telemetry and rollouts is how people have done this for 20 years, right I guess you know the.
01:28:01 - Owen Thomas (Guest)
The tricky question is um is delta going to be able to kind of prosecute that level of of, you know, technical argument and well, you do.
01:28:12 - Leo Laporte (Host)
You push for a jury trial, Owen. I guess you do, right, or no?
01:28:15 - Alex Stamos (Guest)
12 random people in Fulton County. You have to explain to them like stage rollouts. That's, yeah, that's the point.
01:28:23 - Leo Laporte (Host)
You just say they screwed us because they didn't do the right thing.
01:28:27 - Alex Stamos (Guest)
And look what happened, and the jury goes, yeah, that was terrible. Of course, like, I mean, this is also probably why you do it in Fulton County, is, I'm guessing, Delta Airlines is like a beloved?
01:28:36 - Leo Laporte (Host)
brand. Yeah, exactly, exactly in Georgia.
01:28:39 - Alex Stamos (Guest)
Yeah, David Boies knows what he's doing, right, like he's a good lawyer. He, it seems like this will settle.
01:28:45 - Owen Thomas (Guest)
I mean, it's, yeah, it didn't, though, right, like that's why they filed it, like it hasn't settled yet. Right, yeah, that, that it has not settled so far suggests that, you know, either CrowdStrike is digging in their heels or Delta's asking for too much. We should just mention, for people who don't know the name David Boies, you should.
01:29:13 - Leo Laporte (Host)
He was the guy who led the government's prosecution of Microsoft back in the late 90s. Uh, he's been very active, uh, represented, uh, Theranos, not to his best. He was.
01:29:27 - Alex Stamos (Guest)
He teamed up with, with, uh, Olson on overturning, on, like, making gay marriage legal, right. Yeah, that's right, he overturned Prop 8.
01:29:34 - Leo Laporte (Host)
Good for him. He also represented Harvey Weinstein, as any attorney does. You kind of, you play both sides, but he's a very, very. We got paid up front on that one. Yeah, uh, he did also, uh, represent two of Jeffrey Epstein's victims.
01:29:50
So I think you know, an attorney's job is to be an advocate, and uh, on both sides of it, and he's a very, very good, uh, attorney. So, um, they hired the best, I'm sure the most expensive, anyway, uh, oh my god, I mean, yeah, that's interesting questions like are they paying them hourly or does he get?
01:30:08 - Alex Stamos (Guest)
is he just splitting the 50, 50.
01:30:09 - Leo Laporte (Host)
just take, yeah, just split the the settlement. Half a billion dollars, delta said they they lost due to crowd strike.
01:30:16 - Alex Stamos (Guest)
That's a lot of money it's a lot, uh, and they? I think what they have to do is the big test here is they have to show that CrowdStrike was negligent. Right, Because the way these contracts work is under normal circumstances. You're limited to the amount of money the software costs.
01:30:32 - Leo Laporte (Host)
Well, actually that's another interesting topic which we'll cover at some point, which is software liability. The EU has now ruled. We talked about this Tuesday on Security. Now the EU is now saying companies will be liable for soft. Remember, every time you open a shrink wrap package. It says we make no assertion that this software is fit for purpose, we'll do what it says it does. We make no promises it won't break your machine. It's not on us, man, and the EU has decided no, it is on you. And I's not on us, man, and the eu has decided no, it is on you. And I think that there has been some move in the united states to do the same thing. I think president biden's uh national um security um initiative.
01:31:13 - Alex Stamos (Guest)
It also involves software liability. Yeah, the National Cyber Director, that's part of, like, the national cyber strategy, is to create some level of liability. Like, the details of that are, or the devil...
01:31:23 - Leo Laporte (Host)
Well, it's very tricky, right? And you can bet that there are quite a few software companies, including some of the richest companies in the world, maybe the richest company in the world, that don't want to be completely held liable for the failure of their software.
01:31:39 - Alex Stamos (Guest)
handle open source.
01:31:40 - Leo Laporte (Host)
Right. It's like, oh, that's a big one, right? Who's liable for open source? You could just carve it out and say if open source is not, you know, they're not liable, right?
01:31:48 - Alex Stamos (Guest)
Which then creates all these interesting questions, about like, that will create a huge amount of incentive for people to quote-unquote open source stuff, and then create these weird licensing things where effectively it's technically open source and you're selling the logo or something.
01:32:02 - Owen Thomas (Guest)
I'm sure, like, people would find, like, crazy ways to use that. There's no law ever made that can't be gamed in some way. Yeah, it would be interesting to see if, you know, a future administration or a future Congress really takes action against click-wrap licenses. Courts have generally found that those are valid, even though no one is actually reading the terms.
01:32:26 - Leo Laporte (Host)
Yeah, it's amazing, isn't it? Anyway, I want to take a little break. We will come back. We have more to talk about. We haven't talked about AI in the whole show. Can you believe it? Oh, you ruined it. We almost made it. Oh, we're going to...
01:32:41 - Alex Stamos (Guest)
We almost made it.
01:32:43 - Leo Laporte (Host)
Almost made it. Yeah, it's hard to do a show these days without talking about AI, and I have to say I go back and forth. At first I thought, oh, there's nothing to it. Then I became an accelerationist for a while. I took a walk on a beach with a guy. He convinced me. Now I don't know. But anyway, we'll talk about an AI issue and a reason that you might want to tell your doctor not to use AI in just a moment. Owen Thomas is here, San Francisco Business Times. Things going well? You're still printing a paper, a newspaper. Oh, wait a minute.
01:33:21 - Owen Thomas (Guest)
He froze. Oh yeah, yes, we are. We still put out a weekly paper, on paper, on actual newsprint. Yeah, and, you know, I think it's a useful exercise to kind of think about, like, what's the one big story we can give readers a week. It, you know, it forces news judgment. It hones news judgment, and it's a good...
01:33:49 - Leo Laporte (Host)
You know, it's a good kind of marketing piece, conversation piece, as opposed to just every day we file another story. Every day, 10 more stories. You have to think, what's this week's headline going to be in the San Francisco Business Times? You know, I love San Francisco. God bless it. I lived there for quite a few years. It's one of my favorite cities, and it's gone through some bad times, and I'm just rooting for it.
01:34:11 - Owen Thomas (Guest)
Yeah, I think we're kind of shifting from doom loop to boom loop.
01:34:15
Good, I hope that's true. At the very least, we're getting out of the gloom loop. And people are kind of trying to think of ways to, you know, get downtown more active. Actually, while I was walking down here from North Beach, there was a concert going on in the downtown area on a Sunday, which I think would have been unheard of.
01:34:41 - Leo Laporte (Host)
Yeah, pandemic. Yeah, well, good. I just love it, and it's a wonderful city, our little fishing village by the bay, and I'm glad that that's... Yeah, you can...
01:34:54 - Owen Thomas (Guest)
You can still buy Dungeness crab at Pier 45.
01:34:58 - Leo Laporte (Host)
Yeah, but usually you have to wait until after the Dungeness crab season, because they keep blocking it and putting it off, and last year we couldn't get Dungeness crab until after New Year's. What's the point? I mean, crab for Christmas, it's a tradition. It's the best crab too, by the way. I'm sorry, Baltimore. All right, we'll have more in just a bit with the great Owen Thomas and, of course, Alex Stamos from CrowdStrike, from SentinelOne. See, so it's...
01:35:28 - Alex Stamos (Guest)
You almost said.
01:35:28 - Leo Laporte (Host)
Crab Strike, Crab Strike. Hey, there's an idea for a product.
01:35:34 - Owen Thomas (Guest)
When your Dungeness crab season is disrupted. Crab Strike is Crab Strike, Crab Strike.
01:35:39 - Leo Laporte (Host)
You turned two. Crab Strike. Our show today brought to you... There's another show title.
01:35:48
The AI-generated logo makes itself, really. Oh yeah, get to Midjourney, kids, let's see a logo. Our show today brought to you... You know what, Benito? Can you send Alex the access to the Discord? Because I'm sure there'll be some animated logos popping up in our Discord any minute now with Crab Strike. Yep, there it is, yep, yep. Well, these crabs' claws ain't just for attracting mates, okay, okay. Now it's a bunch of crabs, animated crab GIFs in our Discord. Our show today brought to you by Lookout. I love Lookout, I love the name and I love what they do.
01:36:33
Data protection from endpoint to the cloud, to your happy place. Today, every company is in the business of managing data. We talk about that a lot. It means, of course, every company is at increased risk of data exposure and data loss between cyber threats and breaches and leaks. And, of course, cyber criminals aren't getting dumber, they're getting more sophisticated every day. Modern breaches happen now in minutes, not months, at a time when the majority of sensitive corporate data is out there on the cloud. Traditional boundaries no longer exist, and it's on a device, in the cloud, across networks or, as it often is, working remotely at the local coffee shop.
01:37:26
Lookout gives you clear visibility into all your data, at rest and in motion. You'll monitor, you'll assess and you'll protect, without sacrificing productivity for security. You can still go to the coffee shop. With a single, unified cloud platform, look at it as another advantage. It simplifies and strengthens. One platform means one source of truth, not a lot of complexity, not a lot of cracks for things to fall through. It reimagines security for the world that will be today. Visit lookout.com right now. Learn how to safeguard data, how to secure hybrid work, how to reduce IT complexity. Lookout.com. Thank you so much for supporting our show, and we thank you for supporting the show by going to lookout.com. We also thank our Club TWiT members, who make this show possible with their $7 a month, ad-free versions of all of our shows and lots of other benefits.
01:38:21
We had a great Stacey's Book Club on Friday. Next one is coming up in December. We've got some books you can vote on, if you're in the club. Pick the book that you want us to read and we'll all get together in a couple of weeks and talk about it. This Friday it's our photo guy, Chris Marquardt. Again, we stream these live so everybody can see them. But if you want to watch them after the fact, you have to use the TWiT+ feed, and that's for Club TWiT members.
01:38:45
We don't want to have a complete, impermeable paywall, but we do want to encourage people to join the club. It helps us balance the books. Frankly, it doesn't go into my pocket. It helps pay for Benito and all the people who do such a great job keeping this network going. And so we've tightened the belt quite a bit, moved out of the studio, as you can see, into my attic, but we also need your help. Check it out: twit.tv/clubtwit. And whether you're a Club TWiT member or not, I want to invite you to help us out with our Best Ofs. Benito says help me.
01:39:21
We do this at the end of every year. We take the best clips of the year and we run it as our holiday special. We're going to do it for this show and a number of other shows. If you've been watching all year and you've got a moment you really remember that you think would be great in the Best Of, I invite you to contribute. It's easy to do. We have a page on the website, twit.tv/bestof. Give us as much information as you can. If you don't know the exact date and time, that's fine, but whatever you know, do fill that in, and that'll help Benito and John Ashley and Kevin King and our great producers put together a Best Of for you for this holiday season. Oh, now, oh, Burke put some delicious crab up on Discord.
01:40:08
We're talking a lot of crab in the club. Yum, yum, yum. All right, on we go with the show, our great panel, Alex Stamos, Owen Thomas. Let's talk about AI. Researchers say that OpenAI's Whisper AI, its transcription tool, is being used in hospitals. I know my doctor, I was at the doctor the other day, has a sign. He says I'm using a transcription tool so I don't have to type while you're talking, so I can pay more attention to you. The problem is these tools... In fact, Whisper specifically says don't use this in high-risk domains, but it is unfortunately prone to making up chunks of text or even entire sentences. This is a story coming from the Associated Press. They interviewed more than a dozen software engineers, developers and academic researchers. Experts said some of the invented text, known in the industry as hallucinations, can include, and this is really shocking, racial commentary, violent rhetoric and even made-up medical treatments. Unfortunately, Whisper is being used in many industries, including in hospitals and in doctors' offices, to do transcriptions.
01:41:33 - Alex Stamos (Guest)
Oops.
01:41:36 - Leo Laporte (Host)
A University of Michigan researcher conducting a study of public meetings, for example, said he found hallucinations in eight of every ten audio transcripts he inspected. A machine learning engineer said he initially discovered hallucinations in about half of the hundred hours of Whisper transcriptions. Do we use Whisper, Benito, for our transcriptions?
01:41:57 - Owen Thomas (Guest)
No, we use, um, we use humans. Podium. Podium.
01:42:00 - Leo Laporte (Host)
We use AI. It's Podium. AI, okay. I've used Whisper, you know, locally on my Mac, and I thought it did a very good job, but I wasn't looking. I think if you use Whisper on a podcast, it's much less likely to harm somebody than if you use it in a medical setting. Yeah, I've used Whisper.
01:42:20 - Alex Stamos (Guest)
There's whisper.cpp, which is actually, like, a super optimized version that runs really well locally on a Mac. I don't know if that's the version you use. I can't remember. Because the OpenAI version is, like, Python. It's actually quite slow, and it's hard to install and so forth.
01:42:34 - Leo Laporte (Host)
There, it's on the App Store. There are a number of Whispers on the Mac App Store, and they're all based on the same model. Okay, there's a good one called whisper.cpp, which is on GitHub and pretty easy to compile.
01:42:47 - Alex Stamos (Guest)
I can't remember which of these... I can't recommend anything that's pre-compiled, but if you want the open source install, if you want to just do it from the command line. But anyway, it works fine for that. This, I think, actually brings up a good example of where we need AI regulation. I'm glad that Newsom vetoed the kind of crazy California AI regulation. Okay, that's a good question.
01:43:14 - Leo Laporte (Host)
Yeah, so the governor of California vetoed the AI regulation. Yeah, there was a mixed, you know, there were... Nancy Pelosi, for instance, lobbied hard for him to veto it. Elon Musk said please pass it. So there's kind of a mixed bag of people against and for. Yeah, Newsom said it's too early for regulation and this is not the right regulation, but he would work next year with the California legislature to come up with something more appropriate.
01:43:41 - Alex Stamos (Guest)
Yeah, I actually wrote an op-ed in my old hometown newspaper, the Sac Bee, against it.
01:43:47 - Leo Laporte (Host)
Good. I bet you, since you're in Sacramento, the state's capital, yeah, a lot of people, a lot of legislators, might've read it. What were your objections?
01:43:57 - Alex Stamos (Guest)
So a couple things. One, that it was really driven by the doomers. I mean, from my perspective, like, the AI regulatory conversation, too much of it is driven by the sci-fi doomer folks, which is probably why, you know, Elon...
01:44:11 - Leo Laporte (Host)
Elon is one of them, that's right.
01:44:13 - Alex Stamos (Guest)
Some of those people, I think, legitimately are doomers, right? Like, they really do believe that AI is gonna take...
01:44:19 - Leo Laporte (Host)
I think Geoffrey Hinton, for instance, Nobel Prize, Nobel laureate Geoffrey Hinton, who was the father of neural networks, that's what he won the Nobel Prize for. He says, yeah, we're headed for doom, doom and gloom.
01:44:36 - Alex Stamos (Guest)
Right, so he certainly knows whereof he speaks, right? Absolutely. Yeah, but I think it doesn't do anything in that area, right, because it only applies to California.
01:44:53 - Leo Laporte (Host)
Although, as some have pointed out, it's the fifth largest economy in the world. As California goes, so goes the nation.
01:45:01 - Alex Stamos (Guest)
Right, but realistically, this was a law that was just going to push a bunch of companies out of California, right? Like, this was the...
01:45:06 - Leo Laporte (Host)
This is the Full Employment for Austin Software Engineers Act, right? From my perspective. I think that's what Newsom was saying as well, and one of the things people didn't like was the so-called kill switch. If you had a big enough company, you had to have a... That's very much sci-fi, right? You had to have a place to unplug the AI, so it couldn't...
01:45:24 - Alex Stamos (Guest)
And the other problem is, like, we're only really going to be able to do this once at the state level, right? It's something we should do at the federal level, and it did not address what's going on right now.
01:45:36
So what is going on with AI right now are things like this, right? That you have well-meaning things that have been toys, that have been for AI, right? OpenAI put out this experiment, Whisper. That's open source. That's meant just for people to play with and to give feedback on and for fun. I use it for, you know, I use it for some academic research. I've used it for fun things, and it explicitly says do not use this for anything important.
01:46:01
And this bill would do absolutely nothing to discourage doctors from using it, from people from using it in life-saving, in life-critical situations. It would do nothing to punish people who decide to use it in situations where it could actually have real impact. It does nothing for the fact that people are using AI to really cause really serious individualized harm, for the creation of deepfake nudes, the creation of artificial child sexual abuse material, the creation of disinformation and deepfake images to manipulate our election. It does nothing for any of that. And so if we're going to pass a bill, you should address what's going on today and not just apply to one... It was only going to apply to models that aren't going to exist for a couple of years anyway, from the baseline that it had, and for risks that aren't going to... modeled by companies that are maybe making, you know, fundamental baseline models, of, like, thinking about, oh, how could this thing take over the world? And so all you're going to do is generate these, like, huge PDFs of how could this large language model possibly be used to take over the world, and then never actually address the bad things that are happening. And all that you're going to do, like, people to be like, wait, didn't we pass a regulation? And then they're reading story after story after story of this kind of stuff that's actually hurting people day to day.
01:47:31
It was really stupid from my perspective. Yeah.
01:47:35 - Owen Thomas (Guest)
I think the risk with any legislation is really... the bigger risk for me is legislative capture, which is essentially that a dominant company like OpenAI shapes the legislation to kind of suit its business model and discourage new entrants. You know, one example, I think, is PayPal. You know, PayPal early on said, oh, no, no, no, we don't need to be regulated. And then, as they got closer to their IPO, they said, oh, you know what, we're going to register as a money transmitter in all 50 states and get legal. And then that created a massive regulatory moat that new companies like, say, Square had to jump over.
01:48:23 - Leo Laporte (Host)
To kind of... sure, you might even say that's why Elon Musk wanted California to pass that bill, because he has his own AI, Grok, and he loves the idea of stymieing competition. He also signed that letter, along with Geoffrey Hinton, that said we should pause AI development for six months, as if the Chinese would pause their AI development for six months. But part of the thing that worries, I think, a lot of people with AI is giving AI agency in the physical world, you know, giving WOPR, the computer from WarGames, the ability to launch nuclear missiles. That seems like a bad idea, and yet it seems like the direction we are rapidly moving.
01:49:08 - Owen Thomas (Guest)
I mean, to take it back to an earlier topic, isn't that essentially what's happening in Ukraine?
01:49:14 - Leo Laporte (Host)
Yeah, it's become a test bed, hasn't it? For autonomous weapons, including drones, which scares me a little bit. I think that there's a reason maybe to say don't give AIs agency until they can stop hallucinating, at least. Well, you know, the...
01:49:32 - Owen Thomas (Guest)
The reality of the battlefield there is that jamming has become kind of a, you know, part of... GPS jamming. Yeah, yeah.
01:49:41
You know, and communications jamming has become a very strong reality of the battlefield. So, you know, the answer to that is you create drones that can, you know, basically function while disconnected, on their own. That's autonomy. That's how you respond to that. Yeah. Right, so that's where, you know, it seems like where we are rapidly headed. Take it back to Taiwan. Taiwan is studying what's happening in Ukraine and kind of the asymmetrical drone warfare that, you know, Ukraine is smartly deploying against the Russian invader. Effectively, very effectively deploying.
01:50:24
Yeah, and, you know, they're basically looking at, you know, is there going to be a way to sink the Chinese flotilla before it hits their shores.
01:50:35 - Leo Laporte (Host)
Well, it's not just Taiwan that's watching what's happening in Ukraine. You know, China is also watching with great interest, also to see how the US and the West respond. Right, how hard is it going to be to take over Taiwan? One thing that concerned me a little bit this week: Anthropic announced a tool that could take over the user's mouse cursor, and in response, Google said, oh yeah... Actually, Google didn't say it, but there is a report that Google is exploring an AI that could take over your web browser, Project Jarvis, which kind of makes sense. The idea is that you tell the AI, hey, I want an Uber, and the AI goes to the Uber website and books the Uber for you, or does the shopping for you, or whatever.
01:51:20 - Owen Thomas (Guest)
You know, my first response to this as a consumer is, inject this directly into my veins. You want Project Jarvis, you can't wait. How much time do I waste clicking on the button that says yes, I accept your terms, to connect to the Wi-Fi, like, every day? Just, you know, hey, Apple, you're claiming to have Apple Intelligence. Well, Apple Intelligence, that Wi-Fi button, just click it for me. I just want to connect to the Wi-Fi. I don't care what I just agreed to, because I don't have any choice.
01:51:53 - Leo Laporte (Host)
I want to connect to the Wi-Fi. This is Erin Woo's story in The Information, and the headline is a little bit, maybe, sensationalistic: Google Preps AI That Takes Over Computers. But that does scare me. That's agency in the real world.
01:52:11 - Owen Thomas (Guest)
I mean, if you can't trust it, but you're giving it your browser. This is super common in the enterprise. Like, you know, it's a whole field of automation where, you know, essentially computers are being trained to do kind of some of the grunt work, copy, paste, click, and actually automate that at the desktop level. Well, good news.
01:52:37 - Leo Laporte (Host)
You'll be able to inject this into your veins, Mr. Thomas, by the end of the year. Project Jarvis. Google's funny, because they announce this stuff all the time. Google I/O is full of announcements for stuff that never really ships, but they are starting to inch closer and closer to... You know, right now you can have Google try to book a hair appointment for you or a barber appointment for you, a restaurant reservation. I was at my barber's the other day and she said, yeah, I keep getting calls from Google, I just hang up on it. So I don't know with what success. I keep waiting for the simultaneous translation that both OpenAI and Google have promised. I guess we're inching closer to that, although if it's using Whisper AI, maybe that's something to be a little bit nervous about. Do you worry, Alex, about AI getting agency, getting actual agency in the physical world?
01:53:35 - Alex Stamos (Guest)
Not so much. I mean, the thing that a number of people talk about being the big gap is that AI doesn't want anything, right? So that is still something for which there's not a fundamental... When we talk about AI taking over the world, the real problem is AI doing bad things because human beings have asked it to. So I do worry about these situations in which people decide...
01:53:59 - Leo Laporte (Host)
It's humans that are the problem.
01:54:01 - Alex Stamos (Guest)
Humans putting AI in situations where AI is making decisions that are life-critical, and we should not do so. Right, yeah, that is what the risk is. Right, and we are doing that intentionally because it's cheaper or faster or more convenient for us.
01:54:20 - Leo Laporte (Host)
Yeah, actually, I've seen some say that one of the uses for AI is by companies like X.com, formerly Twitter, because X created its platform based on users' contributions. But as users leave the platform, we have to turn to something else. We've mined all the user contributions. Now it's time for AI to fill in the gap, based on the user contributions that the AI has scraped, right? Let's take a little break. We come back with more. We're talking to the smartest people I know, of course, Alex Stamos from SentinelOne, he's a CISO there, and Owen Thomas from the fantastic San Francisco Business Times. Our show today brought to you by, and maybe, after listening to all this, you might want to use, ExpressVPN. A few decades ago, before the internet, private citizens used to be, you know, private. The internet's changed all that, hasn't it? Think about everything you've browsed, you've searched for, you've watched, you've tweeted. Now imagine all that data being crawled, collected and aggregated by data brokers, put into a permanent public record, your record. They know everything about you. We know this after the National Public Data breach, where hundreds of millions of people's Social Security numbers were leaked, their names, their addresses. Having your private data exposed for others to see was once something only celebrities had to worry about. Now, in an era where everyone's online, everyone's a public figure. That's why when I go online, especially when I'm out of the house, I keep my data private with ExpressVPN. This is a really great company doing a VPN that really works, because they go the extra mile. Now, it's not a free VPN, and I would caution you against any free VPN, because if they're not charging you, they're paying for the VPN somehow, very likely by selling your data to data miners, right? They've got to pay for these servers somehow.
ExpressVPN is very reasonable, less than seven bucks a month when you use our offer. But that seven bucks goes to supporting servers all over the world, rotating their IP addresses, so it's not even obvious you're coming from a VPN. It's one of the ways they can get around geographic restrictions very effectively. They also have enough bandwidth so you can watch HD video. You can watch that Netflix show out of the UK at home and still see it in HD video. They also really respect your privacy. For instance, when you press that button on your ExpressVPN app, it launches the server (the default is the closest, fastest server, but it could be anywhere in the world), launches that server in RAM. It's sandboxed so it cannot write to the hard drive, and then as soon as you leave, as soon as you close the VPN connection, it's gone out of RAM and there's no trace of your visit at all. So that's one way ExpressVPN takes an extra step to protect your privacy. They also run on a custom Ubuntu distribution that, every time the server is rebooted, wipes the hard drive, starts completely fresh, from scratch. So even if it could somehow write to the drive, every morning it's gone.
01:57:54
That's what I call caring about privacy, going the extra steps. Everyone needs to use ExpressVPN, because you're not using your device's unique IP address, you're using their IP address. It's hiding your IP address, which makes it much more difficult for data brokers to put together the information they get about you. It's the best VPN out there because it encrypts 100% of your network traffic, of course, with strong encryption, to keep your data safe from anybody on that public Wi-Fi network. That's really important too, because even if you're on an encrypted site, we now know, thanks to Firesheep, that unencrypted non-HTTPS connections would be visible to that guy with the hoodie sitting next to you in the coffee shop. But even if he can't see the content, he can see where you're going. He can see you've logged in, he can see your computer, and in some cases, using simple hardware, he can identify the access points you regularly access, including your home access point, impersonate it. Your computer goes, hey, we're home, joins his computer. You can't tell, because he's connecting you to the internet, but he's also watching everything that's happening.
01:59:07
I mean, there's all sorts of things that ExpressVPN prevents. It works on all your devices: your phone, your laptop, your tablet, and you can even put ExpressVPN on your home router. They even offer routers, very good routers, for sale with ExpressVPN built in, and you're protected. Everybody in the house is protected that way. Protect your online privacy by visiting expressvpn.com/twit, E-X-P-R-E-S-S-V-P-N.com/twit. And here's the deal: you get an extra three months free when you buy a one-year package, bringing the price down below seven bucks a month. expressvpn.com/twit. We thank them so much for supporting This Week in Tech, and we continue on with our fabulous panel. We've got Alex Stamos here.
01:59:56 - Alex Stamos (Guest)
Owen Thomas. Hello, panel. Hello. I was just demoing that kind of interception for my students. Wi-Fi Pineapple.
02:00:04 - Leo Laporte (Host)
Oh, the Wi-Fi Pineapple. You went up. I saw you got up. You got your Pineapple.
02:00:07 - Alex Stamos (Guest)
Yeah.
02:00:08 - Leo Laporte (Host)
So that thing is like 100, some bucks, right, yeah, it's not expensive. They, you know, our dear friend Darren Kitchen sells it on his site. What does the pineapple do?
02:00:25 - Alex Stamos (Guest)
There's a bunch of things, but one of the cool things it does is it will listen for beacons from clients who are looking for their memorized list of so that's how it figures out what access points you've joined in the past, right so? What I was doing.
02:00:39 - Leo Laporte (Host)
Your device. I never knew this. Your device is sending out the names, the SSIDs of, of, of, of everything.
02:00:46 - Alex Stamos (Guest)
Of the wifi remembers? Yes, oh my God, all the time, all the time, yeah, yeah, so I was doing that in class is like while I was teaching wifi interception, I was running it and then I popped it up of like, oh, by the way, anything any of these look familiar and it's like all of the frats they live in and all that.
02:01:02 - Leo Laporte (Host)
oh, my god yeah, and of course, the the way to use that is to find the one that looks like home well, right, because you can.
02:01:09 - Alex Stamos (Guest)
What you can do is you can put I wasn't doing this because that would be a violation of the wiretap act, um, but you can set it to a mode where it'll automatically, then, for anything that gets out there, it'll automatically advertise that ssid and it's closer, it's, it's, it's stronger than the uh, the wi-fi access point yeah, you can say it to be illegally loud.
02:01:28
Yes, oh really right shout you, you can tell it to to uh, to transmit at a level uh that the FCC is not happy with yeah, but they're not in the coffee shop at the moment. Right, and so you have it in your backpack as you walk around campus. Wow and yes.
02:01:44 - Leo Laporte (Host)
So now you're impersonating the frat's Wi-Fi access point. That laptop joins it, saying hey, I'm home. Right, you give it a DHCP address it doesn't decrypt TLS traffic, though right, that's still encrypted.
02:01:59 - Alex Stamos (Guest)
No, it should not be able to do that automatically, so you'd have to do something tricky there. But you can see metadata. And so one of the things you can do is, if somebody's beaconing out for an encrypted network, then you can man-in-the-middle WPA. Oh, you're kidding. Yes. That's one of the things we do in the class: I actually have them crack a WPA handshake, so WPA 1 and 2.
02:02:23 - Leo Laporte (Host)
Oh, that's why we use WPA3 now.
02:02:25 - Alex Stamos (Guest)
Yeah, you don't crack it on here. You take it home and you do it on, like, a fast CPU or preferably a GPU.
02:02:30 - Leo Laporte (Host)
Because you need to collect enough packets.
02:02:33 - Alex Stamos (Guest)
No, just the handshake.
02:02:34 - Leo Laporte (Host)
Just the handshake.
02:02:35 - Alex Stamos (Guest)
Yeah, just the initial handshake. There's a nonce, but it uses an old algorithm to do that. I'm so jealous of your students.
02:02:45 - Leo Laporte (Host)
Zero knowledge, yeah. So what is the name of that course?
02:02:48 - Alex Stamos (Guest)
It's called the Hack Lab. It's Intro to Cybersecurity, international policy. Yeah, that's the one where you're teaching lawyers how to do that stuff. Yeah, that's my intro to cyber for non-CS majors, and then I teach CS in the spring.
02:03:01 - Leo Laporte (Host)
You know, I think everybody should, given what you just told us. I don't think people generally know that. And that Pineapple is widely available; it's not an illegal device, right? You can...
02:03:15 - Alex Stamos (Guest)
This is what I told my students: buying the device is legal. Owning the device is legal.
02:03:21 - Leo Laporte (Host)
Almost everything you can do with the device is illegal.
02:03:23 - Alex Stamos (Guest)
It's a violation of the wiretap law. Yeah, right. I mean, actually buying it and owning it is fine, but almost all the buttons you push on it are technically not legal. So when Hak5 sells it, they're saying it's for pen testing, right? That's right. Yeah, it'd just be very hard to use it in a way that's legal, because even in a pentest situation, if you ever use it against somebody who did not consent, it would technically be illegal.
02:03:56 - Leo Laporte (Host)
A brilliant Perl programmer, very well known, was working at Intel, and he noticed a vulnerability, which he exploited and then revealed to Intel, and they prosecuted him and he went to jail. He thought he was doing them a favor. You gotta be careful. Don't do anybody any favors.
02:04:21
They may not take it well. Other news: video game preservationists have lost a legal fight with the US Copyright Office. I think this is really a shame. The Copyright Office was asked, can libraries lend games, particularly out-of-print games, old games, for study, just as they would lend books? Kendra Albert, representing the Software Preservation Network and the Library Copyright Alliance, said preservationists weren't asking for a lot. It was the thing that basically exists for all kinds of special collections in the library. The library reviews the request: I'd like to...
02:05:06
I'd like to look at this Gutenberg Bible. Make sure it's not harmful, then allow access to the work. You cannot check out the Gutenberg Bible. Okay, I know, I tried, but there are plenty of old, out-of-date first editions, that kind of thing, that you can check out for research purposes. All forms of media, but apparently not video game cartridges, because the Entertainment Software Association argued that people would take advantage of this to liberate the games, to damage the market for classic video games, and that the preservationists didn't, quote, have appropriately tailored restrictions to ensure that uses would be limited to teaching, research or scholarship uses. And the Librarian of Congress agreed, which is sad, I think, because these video games are an artwork that, without preservationists, will die, and most of these video games the publishers have no intent to resell; in many cases they're abandoned. It's funny, because the Librarian of Congress just recently made it legal to repair the McFlurry machines, so at least they have their priorities straight. Thank
02:06:25
God. But check out a video game cartridge? No. So this goes through the Librarian of Congress because it's part of the DMCA, it's part of the copyright law, and the Librarian of Congress gets to rule on these. The ESA said, we recognize the importance of preserving video games and protecting game hardware, given their significance in culture and society. Oh, that sounds good. That's good. With today's decision, the US Copyright Office confirms the current level of video game preservation is appropriate. We've got enough preservation. Okay, congratulations, ESA. You have protected somebody. Nintendo, I guess, I don't know, Atari.
02:07:14 - Alex Stamos (Guest)
Who owns the Atari IP now?
02:07:17 - Leo Laporte (Host)
Yeah, there is a company. There is an Atari. In fact, so this is the thing, there is a market for these games being resold. I bought a little mini Atari 400. It was this big, with all the games built into it, so some of these companies are re-releasing them. Owen, are you a classic game aficionado?
02:07:36 - Owen Thomas (Guest)
You know, I was reminiscing with my brother about a game we used to play, I think on an Apple II, called Temple of Apshai. Oh yeah. And apparently that is one that you can play online through a DOS emulator, it's that old. So the really old games apparently have kind of fallen into that abandonware category where the publishers either have released them or aren't going after people. But yeah, it's sad. Abandonware is sad. There are a lot of abandoned works. I'd be very concerned also about what's happening with the Internet Archive, which is fighting a variety of copyright lawsuits, as well as a recent DDoS attack.
02:08:26
Yeah, cyberattack. Yeah. That's a really important institution, and I think people think of it as the Wayback Machine, but it preserves a lot of digital culture and content.
02:08:43 - Leo Laporte (Host)
Steve Gibson was talking about the Internet Archive the other day. This is interesting. There's a new, you probably know about this, Alex, a new email standard called BIMI, B-I-M-I, that allows you to embed your logo in email almost like a verification cert. It's kind of certificate-backed, so that people know this really came from the Internet Archive or McDonald's or whatever. And in the process of doing this he went to his certificate authority. There are two certificate authorities that do this, one of which is DigiCert. He went to DigiCert and they went through the whole process. It's like getting an EV cert: they call and make sure you're you and all that stuff. But the way they find out that your logo really has been your trademark and you've been using it for some years, they go to the Internet Archive to verify that you've been using this logo, and so his application is held up, because they can't do that right now. There are so many...
02:09:50 - Alex Stamos (Guest)
It's read-only right now. But it's kind of weird, because the USPTO, you can just search. That's just... yeah, you can search.
02:09:56 - Leo Laporte (Host)
But they wanted more than just the fact that you have the trademark. They wanted, for some reason... I think it's part of the BIMI standard.
02:10:07 - Alex Stamos (Guest)
They want to show that you've been using this for multiple years. I guess also the USPTO doesn't tie it to a domain. Right, right. So that might also be it. They probably check USPTO. Yeah, that makes sense.
02:10:16 - Leo Laporte (Host)
And then they also need to tie it to, like, something.com. Yeah, because I have the trademark for this little shiny logo behind me, but how do they tie it to twit.tv? Exactly. I couldn't prove I use it on the website or for my email without going back to the Archive. Right, because it's tied to, like, an LLC.
02:10:35 - Alex Stamos (Guest)
Yeah, according to USPTO.
02:10:35 - Leo Laporte (Host)
Yeah, exactly. Apple, this is interesting: The Information, Wayne Ma, reporting Apple has sharply scaled back production of the Vision Pro, to which John Gruber replied, no, they've sold exactly as many as they thought they would sell, which wasn't many. I don't know what the answer to this is. October 31st, Apple will have its quarterly results for this quarter, but I don't think they will mention how many Vision Pros they've sold. But there really is some question about what the future holds. Owen, I know you love your Vision Pro, right?
02:11:13 - Owen Thomas (Guest)
I am a VR/AR hard skeptic. So am I. So am I. I just don't think headsets are it. I don't think they get better when they get lighter. I think there's so much more promise in kind of ambient technologies, like AirPods, for example, and Apple has a huge, growing business in AirPods. I think it's undercovered, underappreciated. The ability for Siri to kind of politely interrupt you and let you know you've got a notification, that's huge. You only have to kind of distract one sense, right, keep your eyes and hands free, and VR kind of assumes that your eyes, ears, hands are all going to be focused on a task. I just think of how people watch TV these days, which is generally with half an eye and another screen in their...
02:12:19
Another screen in their lap. How do you reconcile that with the idea of a Vision Pro or a Meta Quest?
02:12:30 - Leo Laporte (Host)
Well, and the other thing people do is they watch, usually, with other people. It's not like day drinking; you want to do it alone. And if you strap this computer to your face, you're now suddenly in your own world. Whoever is there with you is being ignored. And also I'm of the opinion nobody wants to strap a computer on their face. Maybe I might disagree with you, Owen, on the idea of... if these giant glasses that I'm wearing today had a heads-up display and cameras and some AI built in.
02:13:07
I have the Meta Ray-Bans and it's kind of cool. You can look at something and say what is that? And it'll give you kind of an AI generic description of it, although I did do it here in the studio. It said you're looking at several screens and you have the kind of setup that could be used to do a live video stream, which I thought was pretty impressive. I mean, it's obviously early days, but I think that might be. Don't you think that might be kind of cool, owen? You'd walk down the street and you go who is that guy? And it says that's Leo Laporte. He used to host Twit. You know him.
02:13:42 - Owen Thomas (Guest)
I think glasses, where it's see-through, heads-up, it's something. Like, I have my sunglasses on most of the time when I'm outside. It's California, right? So that has potential.
02:14:06 - Leo Laporte (Host)
I'm just very skeptical of immersive technologies. Yeah, I think it's because life happens in multiple dimensions. How about you, Alex? Are you a VR optimist or pessimist?
02:14:16 - Alex Stamos (Guest)
Yeah. So I mean, I would love to have AR. I think that the Meta glasses with actual AR overlay would be pretty cool. They're pretty cool.
02:14:24 - Leo Laporte (Host)
Yeah, they're already halfway there, I think.
02:14:28 - Alex Stamos (Guest)
The situations in which I've enjoyed VR is when it's actually tied to my PC.
02:14:34 - Leo Laporte (Host)
You like the screens.
02:14:36 - Alex Stamos (Guest)
Yeah, like the full screens. But I don't like being fully cut off from the outside world. I don't have a life where I can do that, where I can just cut off completely.
02:14:45
You have children, right? Yeah, right. I mean, it's never a situation where I could just completely cut myself off from the world. And none of the headsets would allow me to still have peripheral vision, still feel like I can be somewhat connected if somebody walks behind me, if my wife puts her hands on my shoulder. Like, the fact that I've been sitting here with you for a couple hours and a kid has not barged in is a freaking miracle on a Sunday.
02:15:16 - Leo Laporte (Host)
We're almost done, so the kids can run free. I've been head on a swivel. It's just crazy.
02:15:29 - Alex Stamos (Guest)
I've handled a couple of texts of, like, no, no, you can feed yourself. That's hysterical. It's amazing, it's shocking. But there's no way we could have done this in VR, right? Something would have definitely happened.
02:15:40 - Leo Laporte (Host)
When I first started working at home, the kids were little, like two and five or something. They used to come to the door, they know Dad's in there, and they would pound on the door. They'd say, let me in, let me in. It did not work very well.
02:15:52 - Alex Stamos (Guest)
It did not. But I'm sitting in front of, like, I mean, if I could really have... yeah, that's kind of cool. I mean, I feel like a 57-inch, I've got the big Samsung 57-inch screen right now. Oh, do you?
02:16:02 - Leo Laporte (Host)
Yeah, that's the super wide.
02:16:03 - Alex Stamos (Guest)
One, the super wide.
02:16:04 - Leo Laporte (Host)
Yeah.
02:16:06 - Alex Stamos (Guest)
And so it lets me do three.
02:16:08 - Leo Laporte (Host)
I do the three screens. Yeah Right, and that's cool.
02:16:10 - Alex Stamos (Guest)
It's great. But if I could get that level of resolution and still be present and have peripheral vision and stuff. But that's not what you get, right? When you put it on, it's like you're looking through binoculars, and it feels constricting to me, it feels weird. I could not work in it all day. And also, I don't mind it being tethered. And that's where everybody, Oculus, Apple, everybody wants to do the full computer, and so it makes it too heavy and such. I would not mind if they could give me the full thing and then have it connected to my computer. But people are moving away from that. I owned the original Oculus. As did I.
02:16:48
Yeah, and nobody wants to do the lightweight goggle that still has to be connected to a full computer.
02:16:54 - Owen Thomas (Guest)
Right. Yeah, I think it's one of these things that is not improved by better resolution, better battery life, better technology. It's just a bad idea. But the AR...
02:17:06 - Alex Stamos (Guest)
I mean, that'd be pretty cool, like if I could have sunglasses that I could walk around with. The facial recognition stuff is super creepy. And then also, my biggest problem when I go into conventions is recognizing people's faces, right? So it's creepy, and it would be unbelievably convenient.
02:17:20 - Leo Laporte (Host)
You should license it. Bob! Oh my God, it's great to see you. Exactly.
02:17:24 - Alex Stamos (Guest)
Maybe if people opted in, because we're on LinkedIn, like we know each other on LinkedIn, so they've said I'm supposed to know who they are. That's a good idea. Like, if I had a LinkedIn app that's like, you know this person on LinkedIn.
02:17:43 - Leo Laporte (Host)
Maybe that's what Marissa Mayer is trying to do with Sunshine. Yeah, she's just too early. She has a contact manager that nobody really seems to want, but maybe that's the whole idea: it could be that opt-in thing. Oh, I like that idea.
02:17:51
That's really cool, right? An existing social graph, so you're not doing strangers. Right, right. So you can't mack on some woman you meet on the subway. I mean, of course other people are going to do that. Oh yeah, Harvard students have already figured out how to do it with the Ray-Bans. Yeah. Sigh.
02:18:11
Actually, speaking of isolating yourself, Apple. One of the things Apple's pushing with the AirPods, and I think it'll come out this week, is iOS 18.1. There's going to be some limited artificial intelligence. Apple's going to have a big week. We'll cover it all on MacBreak Weekly on Tuesday, including new Mac minis and so forth, but they're going to push out this update.
02:18:33
I did try the public beta of 18.1 because I'm a hearing aid wearer. I've worn ReSound and Starkey; I'm wearing Oticon hearing aids these days because, after many years of being a DJ and listening to rock concerts, I've pretty much deafened myself. I have mild hearing loss, not real strong. So I tried the Apple AirPods because they have a new hearing aid mode, which they touted, and I tried them and they do work very much like a hearing aid. They will amplify voices around you. They have a lot of intelligence. But one thing they do, and I don't know if Apple realizes it, is very similar to this whole Vision Pro issue. Expensive, normal hearing aids don't seal your ear.
02:19:18
There's a little thing that goes behind your ear and a little dot that goes in your ear, but it's an amplifier. You still hear ambient sounds, but it amplifies the voices, because that's what people have a hard time hearing. They want to hear people's voices. So it amplifies just a specific range, where your hearing loss is, in the human voice range. You're not isolated, is what I'm saying. And as soon as I put in the AirPods, it seals you off. All of the audio input has to come through its microphone and its speaker. You no longer hear ambient sounds except through the computer, and I think that's a mistake. I think that's very much like Apple Vision Pro, where suddenly you're relying on the computer for your perception of the outside world. I was actually a little disappointed, because my real hearing aids are thousands of dollars and the AirPods Pro are 250 bucks.
02:20:11 - Owen Thomas (Guest)
This is a really strong example of productive deregulation.
02:20:16 - Leo Laporte (Host)
Absolutely. OTC hearing aids. Absolutely.
02:20:20 - Owen Thomas (Guest)
I mean, the idea that you need to have it, like, fitted by a specialist. I mean, absolutely go to a doctor.
02:20:30 - Leo Laporte (Host)
I will lobby for the use of an audiologist, but a lot of people can't afford it, and as a result of that and the stigma of wearing hearing aids, so many people who should have hearing aids don't. And if this puts more hearing aids into the ears of people who would otherwise not have them, I think that's great.
02:20:47 - Alex Stamos (Guest)
I think that's great. It is creating, like, a weird social issue, though. Like, if you see somebody with an AirPod in, are you talking to them now?
02:20:55 - Leo Laporte (Host)
Like, normally, you assume they're ignoring you, right?
02:20:58 - Alex Stamos (Guest)
Yeah, exactly. So, like, are you assuming they're hearing aids now? I mean, I think it's great. I think the Bluetooth hearing aids are actually pretty cool. It's Sunday. My mom has benefited greatly from the fact that my dad's hearing aids are Bluetooth, and so we have the TV set up so that football goes straight into the hearing aids.
02:21:14 - Leo Laporte (Host)
And I can take phone calls, and I even get Siri saying you've got a message in my hearing aids. No, that's great. And newer hearing aids use their microphone, so they're just like AirPods. Yeah, but they're medical devices, as opposed to, like you said...
02:21:28 - Alex Stamos (Guest)
I mean, the fact that it's only a couple hundred bucks versus...
02:21:31 - Leo Laporte (Host)
That's a huge, huge thing. Yeah, let's take one more break and then a couple more stories, and we're gonna let your kids take you back. Alex Stamos is here. He is the CISO at SentinelOne, and I just love having you on, Alex. You're so smart and you know so much about these subjects. You've kindly agreed to come on a kind of semi-regular basis and I'm really grateful to you for that, Alex Stamos.
02:21:57 - Alex Stamos (Guest)
Yeah, thanks for having me, Leroy Leroy.
02:21:58 - Leo Laporte (Host)
Jones. Yeah, thank you. We just think the world of you, and your students probably do too. Here's Owen Thomas. He's managing editor of the San Francisco Business Times and also a dear friend of the network, and we always love having you on, Owen, as well. I love being here. Yeah, it's fun.
02:22:14
It's fun to chew this stuff over with smart people. That's how I learn. I just sit here and go, uh-huh, oh, wow. And now let's talk about EDR. We were talking about EDR. There are some things that EDR does not solve.
02:22:30
This episode of our show, TWIT, is brought to you by 1Password, which has kind of a new approach to all of this. Let me give you a rhetorical question. Do your end users always work on company-owned devices? Right, oh, of course, and IT-approved apps. They never use anything else. Right? Wrong. Wasn't it LastPass? The DevOps guy was running Plex on his laptop and he hadn't patched it in a long time, and that's how the bad guys got in.
02:23:06
No, people bring their own devices. How many iPhones are in your enterprise? They use their own apps. It's so hard to control that. How do you keep your company's data safe when it's sitting on all those unmanaged devices and all those unmanaged apps? Well, that's where this new thing from 1Password comes in. It's so cool. It's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves problems traditional IAM and MDM cannot touch.
02:23:43
If you think of your company's security, we were talking about Syracuse, which has that beautiful quadrangle, like a college campus with the greensward and the perfect brick paths leading from ivy-covered building to ivy-covered building. That's like your company's network if you just look at the company-owned devices, the IT-approved apps, the managed employee identities. But then every quadrangle has those paths people actually use, the shortcuts worn through the grass that are the actual shortest distance from building A to building B. Those are the unmanaged devices, the shadow IT apps, the non-employee identities, the contractors and others in your network. Most security tools work fine on those happy little brick paths. Unfortunately, a lot of the security problems take place on the shortcuts, the way people actually use their hardware and their apps. 1Password Extended Access Management is the first security solution that brings all those unmanaged devices and apps and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. It's security for the way we work today, now generally available to companies using Okta and Microsoft Entra. It's in beta for Google Workspace customers. It's a really clever solution.
02:25:04
I want you to check it out: 1password.com/twit. That's the number one, P-A-S-S-W-O-R-D, 1password.com/twit. We thank them so much for supporting the show. We thank you for supporting the show by using that address, so they know you saw it here. 1password.com/twit.
02:25:25
Wrapping things up a little bit on this episode of This Week in Tech, I have to mention this: Kroger and Walmart, this is from a New York Times story, are adopting digital price tags. If you've ever worked in a grocery store, you know that price gun. Remember they used to put stickers on everything for the price, and then they stopped doing that. They just put the price on the shelf. Well, now those are going to be digital, and there's a little concern that the reason they want digital is because they can change it like that. And there's a little concern that there will be something called surge pricing on your groceries. Kroger and Walmart say, oh no, we would never do that. But members of Congress are a little worried.
02:26:13
Dynamic pricing. So, a lot of people buying eggs this week? Let's raise the price 20 cents. Milk is not selling? We've got to get that milk off the shelf. Let's lower it. Kroger says it has no plans to implement dynamic pricing or to use facial recognition software. Walmart says no plans for dynamic pricing, and even though we use facial recognition, it's not being used to affect pricing. I think it's just a matter of time. Yeah, then what's the point? Exactly.
02:26:45
And you could see, I mean, think of the horrible ways this could be used. Oh, those people look wealthy. All the prices just went up 20 as they walked in the store. Hi, this is Benito.
02:26:56 - Owen Thomas (Guest)
There's also a thing where, like, can you pick up something on the shelf and, by the time you check out, it costs more?
02:27:03 - Leo Laporte (Host)
Oh, well, there's no reason why that couldn't happen. You're right. Technically, yes, but I think you could sue for false advertising if you pick it up off the shelf being shown a certain price.
02:27:19 - Owen Thomas (Guest)
I would hope so, but you know that happens all the time, where you go in and you've got the coupon or whatever and they say, oh no, that doesn't apply here. Or if you go to Macy's, where basically you pick something up and you have to go to a scanner to figure out, because it doesn't have any tag on it. Yeah, right. Kmart does that sometimes.
02:27:37 - Leo Laporte (Host)
Yeah, they don't have any tag on. Do you pay attention, though, as they're scanning, as you're doing your grocery shopping? You don't see if the price is the same. You don't even remember what the price was on the shelf, do you?
02:27:49 - Owen Thomas (Guest)
When I go to Safeway they've got so many deals. I kind of keep an eye out to make sure, like a savvy shopper, I'm getting my Safeway for U or whatever discount. I would be a terrible presidential candidate, because you could ask me, well, how much is a gallon of milk?
02:28:06 - Leo Laporte (Host)
And I go, I don't know. I buy it every week.
02:28:10 - Owen Thomas (Guest)
I think why this story is getting so much traction is just inflation fatigue. Right. Well, also, go to these stores.
02:28:20 - Leo Laporte (Host)
Here's a picture of the Walmart in Grapevine, Texas. You look at that, you go, well, that could change by the minute. There's no...
02:28:30 - Owen Thomas (Guest)
And part of why inflation has happened, this is in no way blaming consumers, but the reality is, if businesses are able to push price increases on consumers, then inflation will kind of unfold. If businesses try to push price increases and consumers resist because they're feeling, frankly, tapped out, they can't afford it, sales go down. Businesses will respond by reducing prices. Ta-da, inflation will slow.
02:28:55 - Leo Laporte (Host)
Yeah, Kroger says the new price tags are designed to lower prices for more customers where it matters most, which is the weaseliest way of saying we could change prices. The Times did interview a professor of business at the Olin Business School of Washington University in St. Louis, who said they could do this anyway. They don't need the shelf tags.
02:29:23 - Owen Thomas (Guest)
They could do this anytime they want, which is probably a good point. I do think there is some pushback to variability of prices, too. I recently interviewed the CEO of Lyft, David Risher, because they do surge pricing, right? One of the things he wanted to do when he came on board was do away with surge pricing altogether, because, he said, yeah, economists love it, it's a great supply-and-demand thought experiment, and consumers hate it. Hate it, because we don't know what we're paying.
02:29:55
And it turns out you still need surge pricing in, like, the New Year's Eve environment, even on, like, a Saturday night in San Francisco. You need it to draw drivers out. Like, drivers essentially will kind of quiet quit and not drive if they don't feel like they're making it. Sure.
02:30:17 - Leo Laporte (Host)
I'll never forget being in Paris. We were at Notre Dame and wanted to go home, go back to the hotel, and it started to snow, and we walked up to a cab and the French cabbie's reading the newspaper, smoking his Gauloise. He looked at us and he said, no, no, no. He went back to his newspaper. I think he rolled up the window. No, you think I... I do not drive in the snow. Do I look like a taxi driver? What, are you enjoying your newspaper? What's going on there? I'll never forget that.
02:30:52 - Owen Thomas (Guest)
So Lyft's response has been to introduce this Price Lock feature where you can commute for essentially the same price. So if you use Lyft on the regular, you pay this monthly subscription fee and you get a locked price for, basically, from your home to your work, that ride.
02:31:20 - Leo Laporte (Host)
And it's their way to kind of try to ease back on surge pricing. Well, I can understand why, if it starts raining in San Francisco and the number of Ubers and Lyfts is limited because everybody's taking one, I can understand why they'd want to raise prices. But it's so offensive to me as a passenger; it sounds to me like they're taking advantage of it. Right, I understand the economics are, well, it's a scarce resource, and in order to make it more fair, we're going to raise the price. But it just feels like they're taking advantage. Same thing with grocery stores changing their prices in response to demand.
02:31:56 - Alex Stamos (Guest)
It just seems kind of skeezy, so let's hope they don't do it. Yeah, I mean, I think the challenge Uber and Lyft always have is they're always walking this line where it's not clear. Sometimes it feels like it's a unified service and they want you to feel like you're getting service from Uber, service from Lyft, so it's nice and clean. And sometimes they want to be what it really is, which is they're just introducing you to independent contractors, right, and that they are a bidding service that you are effectively bidding on. They're trying to find some kind of price at which somebody will provide that service to you at that moment, which is clear with Airbnb, right?
02:32:38
When you use Airbnb, you know you are getting the service from some individual who owns this place, because they're clearly setting the price. They're clearly providing the service. You know, they're showing you the face of that person before you buy it. You know what the reviews say before you get it: Sally's place was great, right? But you don't get that so much with Uber and Lyft, and I think that that little game they play, because they want you to feel the safety of the brand, because you're getting some stranger's car, also bites them in this situation, because you feel like Uber is the one ripping you off.
02:33:09
And yes, they do get more money because they're taking a percentage of what you're paying, but realistically they also do need to raise the price because, like Owen said, nobody's going to come out on Fleet Week.
02:33:32 - Leo Laporte (Host)
They're not going to go sit in traffic for 45 minutes to get you out of the city if you're not paying twice or three times the price. Well, yeah, it's tricky. I mean, you know, it makes sense. It's just, as you said, it makes sense from an economic... An economist would say, oh, this makes sense.
02:33:41 - Owen Thomas (Guest)
But consumers go, oh yeah. No one blames eBay when, you know, a Beanie Baby goes up in price, right? Right. But we're talking about everyday goods and services. We're talking about, like, a ride to work. We're talking about a gallon of milk, and people like to have predictability around their budget for that kind of thing, and so that is the fundamental tension.
02:34:03 - Alex Stamos (Guest)
Right. Well, in this case, I mean, I think there's been all this talk about stores being the reason that prices are going up, and I don't think people pay attention to the fact that the overall margin for these companies is like one percent or two. It's not the stores, yeah. It's not the Krogers and Albertsons, like it's...
02:34:17 - Leo Laporte (Host)
It's Mondelez and Nestle and PepsiCo.
02:34:24 - Alex Stamos (Guest)
It's not the stores, it's the chicken processors and, you know, the three companies that actually process wheat in this country, and stuff like the three companies that none of us can name. Archer Daniels Midland, and I only know that... All right, but aren't Target... and you watch
02:34:39 - Leo Laporte (Host)
PBS. But aren't Target and Walmart and them all posting record profits? Like, they're all... yeah, they're making... No, exactly. Why? They are the ones, so they are the ones we... Yeah, well, well, maybe Walmart is doing better.
02:34:51 - Alex Stamos (Guest)
That's a little different, but yeah, they have huge clout and they all have record profits right now. Yeah, I'm talking about the grocery store. The grocery store is actually... it's different, right, for the non-durable goods. Right, yeah, your local market is not raking it in.
02:35:07 - Leo Laporte (Host)
I don't think. One last story, and I thought, Owen, this would be a good one for you. There's a reason you don't see a lot of innovation in the EU, a lot of startups. They all seem to be headquartered, many of them are headquartered, in the United States, and of course the EU's government doesn't like that too much. But there's another reason for it, which is that it's hard to be a VC or an entrepreneur in the EU because of the corporation regime. So founders and VCs in the EU are now backing a pan-European C-Corp. They call it EU Inc because it's kind of based on the incorporation in the United States, Europe's answer to a Delaware C-Corp. Already, in each of those 27 states, they have something like that, but they don't have anything pan-European. But apparently this is going to be a tough haul, according to TechCrunch. A rocky road ahead, they say. Are you covering this at all in the Business Times?
02:36:29 - Owen Thomas (Guest)
This has not hit our radar, but, you know, you definitely see a strong interest in different kinds of corporations. Look at the scrutiny that OpenAI... it's weird, not really, where profit slash nonprofit, yeah.
02:36:40
But I can definitely see, you know, I can definitely see even in the US you have controversies over, you know, are you incorporated in Delaware, like most companies? Apple happens to be incorporated in California. I still have not figured out why that is. Musk is pulling his companies out of California and even out of Delaware registration, because he did not like a Delaware judge telling him he had to buy
02:37:13
Twitter after agreeing to buy Twitter. Yeah, he really hated that, yeah. So, you know, bottom line is it does matter where your company is incorporated, and those rules do matter. You know, Elon Musk aside, I think Delaware is popular because their courts are, you know, chancery courts.
02:37:28 - Leo Laporte (Host)
Yeah, yeah, the chancery court.
02:37:30 - Owen Thomas (Guest)
It's really geared towards business disputes and, you know, they're extremely efficient.
02:37:35 - Alex Stamos (Guest)
Yeah, they're fast, extremely efficient.
02:37:37 - Leo Laporte (Host)
Yeah, it's very fast and it's very predictable. When I incorporated, well, it's an LLC, but I made an LLC for Twit back in the day, 2000, 20 years ago, I asked Kevin Rose, who's the only entrepreneur I knew. He said, yeah, dude, Delaware. His rationale was, if you ever want a VC investment or to go public, they prefer it, for that very reason. Exactly, Alex, that it's efficient, it's fast and it's business focused. But I have to say there's no tax benefit. We end up having to pay California's. People think there's a tax benefit. There's none. Elon's gonna... Interesting.
02:38:14 - Alex Stamos (Guest)
I think Elon's gonna end up regretting it, because what happens is where you're incorporated is where shareholder lawsuits happen, right? And so he's going to have to end up with Texas juries in, like... Oh no, but you know, shareholder lawsuits... he's moved all of the X.com arbitration and lawsuits to the East Texas jurisdiction.
02:38:37 - Leo Laporte (Host)
That's very friendly to his... his losses. He's judge shopping.
02:38:45 - Owen Thomas (Guest)
I think what you're suggesting is the theory. It's the theory. We'll see, right? Business friendly.
02:38:50 - Leo Laporte (Host)
He's going to find out, because we haven't really run this particular experiment. Yeah, if you go to Tyler, Texas, that's where the patent trolls go, because there's one particular court that's very friendly to patent trolls. I'm just saying, like, Texas has had a history of plaintiff's attorneys actually doing well, so it's just interesting.
02:39:08 - Alex Stamos (Guest)
I think like it's an interesting history.
02:39:10 - Leo Laporte (Host)
I'm not sure. This... yeah, I don't. But of course, Elon is not necessarily always right. I don't think that was the rationale for all the arbitration. Let's see if I can find that story, because we talked about it earlier this week. I did not put it on the rundown.
02:39:27 - Owen Thomas (Guest)
But, you know, to the point of the European Union thinking that this is going to be some kind of magic bullet to unlock startup creation, I think they've got a lot of other issues that they, you know, need to deal with first.
02:39:45 - Leo Laporte (Host)
I think that I agree with you. There's a risk aversion. I remember talking to Loïc Le Meur, and that's one of the reasons you don't get a lot of investment, is because it's not good to fail, and so they're somewhat risk averse, and there's lots of...
02:39:57 - Alex Stamos (Guest)
I agree, there's lots of reasons, and it's not going to... I can't imagine. I mean, I'm not a European lawyer, obviously, but I can't imagine this releases you from the local labor laws, which is one of the hardest problems there, yeah, to start a company, is you end up, like, owing people 13 months of severance, right?
02:40:12 - Leo Laporte (Host)
That's exactly what TechCrunch says. Yeah, yeah, yeah. Start it.
02:40:15 - Alex Stamos (Guest)
So, okay, great, yeah, I'll just start a company that, if it fails, I end up getting sued for more money, owing people more money, for longer than my company existed. You know, like, it's... yeah, I understand why people want to have that kind of security, but it's just incompatible with, like, having an incredibly dynamic startup economy. Look, if I could take every August off, I would, and if I could go... no, I would.
02:40:40 - Leo Laporte (Host)
But I can't. But, you know... This is from the Guardian: Elon steers X disputes to conservative Texas courts. This is a service term update they did this week. There were a number of service changes at X that drove people away. Taking effect on November 15th, any lawsuits against X must be exclusively filed in the US District Court for the Northern District of Texas or state courts in Tarrant County, Texas, even though they don't do business there.
02:41:12 - Owen Thomas (Guest)
You know, maybe this points actually to the need for reforms here in the US. Yeah, no kidding, you know the extent to which you can kind of shop from state to state or court to court, you know, for who's got the friendliest regime. I think that that raises some questions.
02:41:29 - Leo Laporte (Host)
Hey, I know you probably want to go to dinner. I think the 49ers are playing football. There are reasons to get out of Dodge, so let's wrap this up. Owen, thank you so much for being here. Owen Thomas is managing editor at the San Francisco Business Times. Always a welcome guest. We used to be able to entice you up to our studio. Not anymore. Nobody wants to come to my attic anymore, although I have a visitor from the past I'm going to introduce you to in a little bit. Thank you for being here, Owen. I appreciate it. It's great to see you.
02:41:57
Thanks for having me. Alex Stamos, always welcome as well. CISO at Sentinel One. Are you liking the new job? Do you miss academia?
02:42:06 - Alex Stamos (Guest)
Yeah, I still get to teach, which is the part I like the most... was being a student, so I'm enjoying it, and I do enjoy the new job, back in the CISO saddle. It's a lot of fun. It's good to be back in the fight. Good.
02:42:18 - Leo Laporte (Host)
Well, it's great to have your knowledge and expertise on the show. Really appreciate it, thank you. Thank you to both of you. We do Twit every Sunday, 2 pm Pacific, 5 pm Eastern, next week 2200 UTC, because we are finally going off summer time, so you'll be able to...
02:42:39
I used to say daylight savings time, but every time I would say that my friend John would yell at me. I just want to... Come over here, John, let's just say hi. We've been trying to entice Jammer B to join us in the studio. He's retired now from the Twit family. Great to see you. He lives on, though, through his contribution of a 128K Macintosh and the telephone, the first thing and the last thing you gave me, John. That's so nice. Nice to have you, and wish you bon voyage to your new life in the Pacific Northwest. Got a beautiful house up there and everything.
02:43:21
If you want to watch live, as I said, we're on eight different channels now. I love that. We have almost 1200 people watching live right now on Discord. That's our Club Twit members. They get to watch there. YouTube, Twitch, X.com, Kick, LinkedIn, Facebook and, yes, we added TikTok, so you can watch us on TikTok. Unfortunately, we are not vertical video on TikTok, so we have big black bars at the top and the bottom, but it's kind of nice to be there. Do we all look younger on TikTok, Leo? We look younger and hipper, and we can do these great dance moves.
02:44:00
Mostly I get all these comments on TikTok: he's still alive, which is always... People are like, who
02:44:08 - Alex Stamos (Guest)
are these people?
02:44:08 - Leo Laporte (Host)
No, they know. What they go is, oh, I used to watch him on TV years ago. He's still alive. Anyway, I'm still alive, and we still do great stuff here, so we're glad you're watching. After the fact, you can see the show by downloading it from our website, twit.tv. There's also a YouTube channel dedicated to the video. Great way to share little clips if you want to share with friends.
02:44:30
Thank you for doing that. We really appreciate it. Actually, we found out that's the best way to grow our network, and we really want to get the word out to everybody, is through sharing on YouTube.
02:44:48
And if you're a Club Twit member, we give you a free month when you refer somebody. When a friend joins Club Twit, make sure they use your name so that you get a month's free Club Twit. So you could, I mean, in theory, if you have enough friends, you never have to pay again. The information for that is at twit.tv/clubtwit, if you want to know more about that. You can also subscribe, and really that's the best way to get our shows, is subscribing in your favorite podcast client. It doesn't matter which one you use. You can choose from audio and video. Choose the one you prefer and make sure you subscribe. That way you'll have Twit just in time for your Monday morning commute. Thank you all for being here. We will see you next week. Bye, Owen. Bye, Alex. And as I've always said for the last 20 years, another Twit is in the can. Amazing.