Security Now 1045 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. He's got a whole mailbag to go through. Lots of questions and suggestions. We'll talk about Cisco's broken SNMP implementation on some of its routers. Two million people affected and how to fix it. Some good news, if you use Mac products, Safari has randomized its fingerprint. Steve will explain what that means.
Leo Laporte [00:00:24]:
Also, if you're in the EU, you get another year of security updates for Windows 10. We'll have the details on that and a whole lot more. Plus, kids web services, a new way to do age verification. Actually, it's an old way that is now becoming very popular and why you should secure your Ollama instance. All that coming up next on Security Now. Podcasts you love from people you trust. This is TWiT. This is Security Now with Steve Gibson, episode 1045, recorded Tuesday, September 30, 2025.
Leo Laporte [00:01:06]:
News and Listener Views. It's time for Security Now. Yes, if it's 1 o'clock on a Tuesday, it must be time for Security Now. The man, the myth, the legend Steve Gibson is here. There's no mythologies. Myth? He's a legend.
Steve Gibson [00:01:23]:
Mythological Steve Gibson.
Leo Laporte [00:01:27]:
Every week Steve gives us the latest security news, explains how things and really gives us just a great list of fascinating stories to talk about. And this week I'm sure is no exception. What do we have?
Steve Gibson [00:01:41]:
We've got a bunch of news. Nothing really stood out as an oh-my-God sort of thing. So I just called episode 1045 News and Listener Views because I got a lot of feedback and. Oh my God, Leo. I mean I know that everybody's probably been noticing that I'm stuck on this age verification deal, but based on the feedback that I'm getting from our listeners, everybody is too. I mean the idea that everybody has to defrock in order to access some Internet content because you have to affirmatively prove that you're old enough. It's not just kids, right? I mean it's everybody that really gets people wound up. It's like whoa, wait a minute.
Steve Gibson [00:02:37]:
And anyway, so we do have a little bit more on that, but lots of other news. I have some feedback from. Yes, from last week's interesting adventure of Spamtopia with Gmail and what happened there. iOS 26's Safari says that it's randomizing its users' fingerprints. We're going to check in on that. There's some argument that Cisco's SNMP actually stands for Security's Not My Problem.
Leo Laporte [00:03:16]:
I love it.
Steve Gibson [00:03:18]:
Also major happenings over on the Windows Extended Security Updates front both in Europe and here domestically. Also, I found out, I went looking for and found a six dollar TLS certificate. Get them while they last because they're only going to be good for a few more years. But six bucks sure beats 326, which is what DigiCert wanted to charge me. I'll explain all that happened. Also. Yes, and I heard you talking about it before. Jaguar Land Rover's mess continuing.
Steve Gibson [00:04:00]:
Whoa. Yes. Also there's a bizarre new app that hit number two in social media over on the Apple Store, the Neon app, which really tells us that there's a whole different demographic of Apple, i.e. iPhone, user than the old folks that listen to this podcast largely. We're going to check in on that. Bluesky has announced that they're adding age verification now to Ohio in addition to South Dakota and Wyoming. Also, I figured out what they're doing it with and it's not something that they created. It's a third party. So we're going to look at that.
Steve Gibson [00:04:42]:
Also, Censys found more than 10,000 instances of Ollama publicly exposed.
Leo Laporte [00:04:53]:
Very easy to do that by accident. Yeah.
Steve Gibson [00:04:56]:
Yes, exactly. And the DNS Benchmark I've been working on has reached a release candidate level, so.
Leo Laporte [00:05:07]:
Oh boy.
Steve Gibson [00:05:07]:
Some news. It's not available yet, but I'm, you know, we're down to literally, are there any i's left that haven't been dotted? And I'm very pleased with that. So that, and then a bunch of feedback from our listeners because email is working again and everybody's writing. So I think I've got probably a worthwhile podcast.
Leo Laporte [00:05:29]:
We used to do this every other week, the feedback episode, and I miss it. I'm really glad that we can do this from time to time. I think what we.
Steve Gibson [00:05:36]:
Yeah, I think it's important because, I mean, it really does. It inspires feedback. I'm able to better direct the podcast knowing what our listeners.
Leo Laporte [00:05:47]:
Yeah.
Steve Gibson [00:05:47]:
Are get wound up about.
Leo Laporte [00:05:49]:
That's right.
Steve Gibson [00:05:51]:
I could either wind them up further or unwind them depending upon what. That's what it is.
Leo Laporte [00:05:58]:
Let me think. All right, well, we're going to get to that. We have a picture of the week. I have not looked. All I see is the tag "guilty as charged." So I don't know what that means, but we'll find out in just a moment with our picture of the week. Steve Gibson. Security Now is on and ready to go.
Leo Laporte [00:06:15]:
Our show this week brought to you by Vanta. Compliance regulations, third party risk and customer security demands all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there must be something more efficient than spreadsheets, screenshots and all manual processes, well, you're right. GRC can be so much easier. All while strengthening your security posture and actually driving revenue for your business. Vanta's trust management platform automates key areas of your GRC program, including compliance, internal and third party risk and customer trust, and streamlines the way you gather and manage information. And the impact is real. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. So you get more time and energy to focus on strengthening your security posture and scaling your business.
Leo Laporte [00:07:19]:
Vanta: GRC, how much easier trust can be. Visit vanta.com/securitynow to sign up today for a free demo. That's V-A-N-T-A dot com slash securitynow. Let me thank them so much for supporting the important work Steve does here on Security Now. I am ready to take a gander.
Steve Gibson [00:07:43]:
So yeah, sure. As you noted, I gave this the caption. Okay, guilty as charged.
Leo Laporte [00:07:52]:
2020. I'll make it a little wider here. 2020. "Don't force me to install 10." Okay? Yep, 2025. It is true.
Steve Gibson [00:08:05]:
I know it's true. The upper frame of this little cartoon shows it's the year 2020. It's got a big Windows 7 logo and a little guy there on his knees crying, "Don't force me to install Windows 10." And of course, guilty as charged because everybody knows that I wrote an app called Never10 which was specifically designed to endorse this upper frame. And then the second frame of the old cartoon, a scant five years later, we've got the Windows 10 logo. The guy's fallen forward on his hands, tears pouring out, and it says "Windows 10, don't leave me."
Leo Laporte [00:08:51]:
Oh, so true. So true. Yes, we are guilty as charged.
Steve Gibson [00:08:57]:
And you know, okay, so in my defense, what upset me was this. It was being forced. It was my wife Lori at the time looking at the dialog that said "upgrade now" or "tonight" rather than "no thank you." They, you know, the "no thank you" was there for a while. Then they decided, well, this isn't working. Let's not give them a choice. And that was what upset me, that users' explicit wishes were being overwhelmed, overrun, ignored.
Leo Laporte [00:09:35]:
Right?
Steve Gibson [00:09:36]:
And so Never10 gave people control and of course when they came out with 11 and people said I don't want that, then what I. Instead of doing Never11, which didn't have the same rhyme to it, I thought, well, if they're going to do 11, they're going to break their promise. I'm sure we knew that 10 was the last Windows ever, but they. Oh no, no one ever said that. Okay, well then instead of doing that, I just created InControl, which would use the officially documented corporate policy controls to prevent Windows from being changed. So of course that's called InControl. Anyway, I felt both of those things in 2020.
Steve Gibson [00:10:17]:
It was, I don't want 10. Now I don't want to leave 10. So yeah, yeah, yeah, guilty as charged.
Leo Laporte [00:10:25]:
That's just the way we are. People who have curly hair want straight hair. People who have straight hair want curly hair. It's just, you can never win. You can never.
Steve Gibson [00:10:31]:
Anyway, I got a kick out of that. Whoever put that together, it was, you know, it was a great observation that it's like first we didn't want it, now we don't want to not have it.
Leo Laporte [00:10:41]:
So we just want control. That's what we really want.
Steve Gibson [00:10:44]:
I think that's exactly right. Exactly, we want to be able to say what happens with our machines. Once upon a time. Remember, Leo, DOS had like four files, and we knew what every file on our hard drive or floppy drive was.
Leo Laporte [00:10:59]:
Remember AUTOEXEC.BAT and CONFIG.SYS? Remember that? And WIN.INI.
Steve Gibson [00:11:04]:
Remember that? And MSDOS.SYS. Yes. And IO.SYS or something.
Leo Laporte [00:11:11]:
And it's like that's going way back.
Steve Gibson [00:11:12]:
Yeah, we knew what all that stuff was. And now I don't think there's any person alive, no one person who could tell anybody what the files in their Windows machine are. It's just, it's a, you know, it's a sprawling civilization all its own. Anyway, so Don, one of our listeners, Don Edwards, started us off here by writing: Dear Steve, last weekend I noticed that Gmail's spam filter rules had changed dramatically. I send a short software generated email message to a Gmail address every 5 minutes to test the operation of my mail server. It consists of two lines with no HTML whatsoever. And he provided them: "Email timer sent on" and then a timestamp, date and time, and then "Automatic version 0.8.0.928." And he says the subject line is equally innocuous.
Steve Gibson [00:12:15]:
And he provided that and he said on Saturday 20th of September, Gmail suddenly decided to treat all these messages as spam. I eventually added a filter to Gmail to never send messages from this address to spam, since the "not spam" button had no effect whatsoever. And he sent me a little screen clip and obscured the email address. And he said, perhaps you should advise Gmail users to do this for securitynow@grc.com just in case. He said, keep up the good work and thank you for so many years of great content. Best wishes, Don Edwards, Johannesburg, South Africa.
Leo Laporte [00:12:59]:
Another trick, a lot of newsletters say this: add it to your contacts list. Because, yes, often if it's in your contacts list, people will say, oh, the spam. Oh, you know them. But you know, I think part of this is what Gmail does now, is it? And I know this because people who run, try to run their own email servers come up against this all the time. Gmail is constantly black holing IP addresses if they're not, you know, if ever they send any spam or even nowadays if they're just not a known emailer. So if you're running your own server, it's very unlikely you're going to be able to get through to Gmail. And then of course, you have to have DMARC and you know, all of the authentication, you know, what is it? SPF, DMARC, and I can't remember, the third one has to be set up properly.
Steve Gibson [00:13:50]:
I have them all properly. And so what's significant here is that I've been mailing 19,000 pieces of email for a year every week with no trouble at all. And so does it come from your.
Leo Laporte [00:14:05]:
Server or do you use it?
Steve Gibson [00:14:07]:
Yeah, directly from mine because I'm not. Because. Well, yeah, because I like to have control. So. And all of the people who last week said, I've never had a problem getting your email, suddenly it went to spam. So what clearly happened is that something changed. And it was also disheartening that Don reported that using the "not spam" button caused a problem.
Steve Gibson [00:14:35]:
Okay. So I was glad, bottom line, that my attention was brought back to this because I haven't needed to think about any of this since late last year when I set everything up and did the mailing to all of SpinRite's 150,000 plus past purchasers. I remembered that there was a Google Postmaster Tools for monitoring what Google thinks about email coming from GRC.
Leo Laporte [00:15:04]:
Oh.
Steve Gibson [00:15:05]:
So I went back to pull up a chart of the last 120 days and I've got it in the show notes. Now this is very interesting. Okay, in the chart that you're showing above, every light vertical line corresponds to a Monday of the week. Now remember that for more than the past four months I've been dumping around 18 to 19,000 pieces of email once per week, every week, every Monday. So what we notice looking at this chart is there is no correlation between the spam reports. So this is Google's user reported spam rate for email ostensibly coming from GRC. But there's no correlation between those Monday light vertical lines and this chart of spam. That is, for example there was like 1, 1, 2, 3, 4, 5.
Steve Gibson [00:16:12]:
There's like five weeks in a row where it's 0% and then there are a couple reports later in the week. So the conclusion here is that email from GRC is being spoofed, meaning that there are people sending email pretending to be from GRC, pretending, you know, like with an @grc.com suffix as if it came from us. And in this instance here, GRC was suffering from the fact that we send so little email that even a small bit of spam by count equals a large percentage, which appears to be the only thing that Google and others are tracking. Now the puzzle is that I've always had, since I began doing this more than a year ago, GRC, actually GRC's own server. Because we've been, you know, I've been running my own server from the beginning. So I put DKIM and SPF records in DNS years and years ago. So that's always been there. And GRC's DMARC.
Leo Laporte [00:17:32]:
So DKIM, these are authentication policies, right?
Steve Gibson [00:17:36]:
Yes, SPF stands for Sender Policy Framework. So an SPF record in DNS indicates which physical servers by IP address and domain name are valid originators of email from GRC. So that record says GRC.com and client.GRC.com because my email server for architectural reasons emits email from a different IP address than GRC.com or www.grc.com, and so that SPF record indicates who is a valid originator of GRC.com email. Nobody else that attempts to send email to some service like Microsoft or Google or whatever from another IP address will be generating valid mail from GRC. The DKIM is an actual cryptographic signature of a set of headers in GRC originated email. So every email that GRC sends actually contains a signature which can be verified from the public key which is published through DNS. So what the DKIM record in DNS is, is the public key which allows any recipient of email to use that public key, which we publish through DNS, to verify the signature that envelopes that set of headers, to verify they've not been changed. So what that does is very strongly prevent anybody from spoofing those headers.
Steve Gibson [00:19:47]:
Nobody else will have the private key that GRC's server has. So there's no way for them to produce a signature which qualifies for any headers which differ. So this is strong protection. So the puzzle that I had was, with all this in place, how can Google be saying that it's getting any spam from me? It ought to be checking these things and ruling them out as just spoofed, as crap, and just dropping them. Doing some further research, I believe that I was not using the strictest of all possible enforcement policies. It turns out that there were two other arguments which could be part of my DMARC. So I said SPF is Sender Policy Framework, which tells anyone who asks which servers, which physical servers by IP and domain, can originate mail. DKIM is the.
Steve Gibson [00:21:01]:
It publishes the public key, which is used to verify the signatures of the headers. DMARC is the policy statement. It's the thing that specifies what to do if the DKIM and/or the SPF don't match up. And so DMARC is the enforcement, it specifies the enforcement policy. The reason you have to have that is that it's very easy to get this stuff wrong. I mean, there are many companies out on the Internet whose entire business model is telling people how to do this, like setting this up and handling it for them. And that's white glove service, and you pay hundreds of dollars for that.
Steve Gibson [00:21:47]:
You know, it's like, okay, but you know, I've been here forever so I could figure this out. Anyway, the point is, while you're getting this thing all working, you may need to tell people, I want to publish this stuff, but if you're not happy with what it says, don't reject the mail. Just report that to me. So the other thing that DMARC has is you're able to provide reporting email addresses where the results of these tests are sent back to you so you can work on getting it all right before you tell people, okay, it's all working. We now want you to just reject any email that isn't verifiably from our email server or servers. Anyway, there was, they called it alignment, and unless you specifically say that you want to reject unaligned DKIM and/or SPF, then they call it, you have a relaxed policy. I wasn't specifying strict alignment. And so it turns out now, so a lot has happened in this past week, as you may be able to tell. I turned on monitoring, I've been collecting reports every day, I've been looking at what's going on. It turns out that there were people spoofing GRC because I did not have the strictest alignment. Alignment says that the "mail from" domain must be the same as the domain that is specified when you connect to GRC's server.
Steve Gibson [00:23:33]:
So those headers must be aligned with the domain specified by the server. Turns out they weren't being, and so all this work I had, it was there, but it wasn't rigorously forcing rejection of anything. So what happened yesterday is that 19 plus, or no, I'm sorry, almost 19,000 pieces of email went out. Gmail didn't bounce anything. So I don't think that's because of any of this. I think, given that I and other listeners said suddenly Gmail was routing things to spam that it never had before, I think Google screwed something up. I think someone tripped over a cord somewhere in Gmail Central and for a brief period of time, which just happened to be last weekend when our listener Don mentioned that this was happening to him, a bunch of other listeners said they saw the same thing, and of course I did my mailing on Monday and they all went into the spam bucket where they never had before.
Steve Gibson [00:24:46]:
Google fixed that. But I'm getting ready to announce the DNS Benchmark. So I don't want Google to get upset with me when I start sending out, you know, 150,000 pieces of email. And so I'm now, we'll see, this chart that they have has about a three day lag to it, and it's only a couple days ago that I made these changes in DNS and got everything locked down tight. The reports I'm now receiving from all the different recipients of email from GRC indicate that there was misalignment, and it's the fact that I'm now saying I want to strictly enforce alignment. They're now dropping email that they would have allowed to their users. So GRC should have zero false positive spam events now. And I just wanted to share this with any of our listeners.
Steve Gibson [00:25:43]:
I know that a bunch of our listeners are running their own email servers. You just want to make sure that. And by all means, my DNS is public so you can go to like MXToolbox and they've got a DMARC button there. Put GRC.com in, it'll dump out. It'll show you the exact DNS records that we're now publishing. And it is really locked down tighter than a. Whatever, tightly. Anyway, so I think I've got it figured out and I think what happened last week was an anomaly on Google's end.
Steve Gibson [00:26:22]:
But I'm really glad for this runaround because it did cause me to wonder, why is Google thinking I'm sending any spam? And it's clearly not false positives from GRC's mailings because there's like a run of five weeks in a row where there's a zero percent report. And it's when I'm not sending anything that a few come in, you know, one or two. And unfortunately that's a large percentage because I'm not sending anything. So I think the mystery is solved and it'll be interesting to see when I'm ready, in a few weeks probably, to tell the world about the DNS Benchmark, to do another big mailing. We'll see how that goes. But again, 19,000 emails every week go out with zero trouble. So I think that's been solved.
Leo Laporte [00:27:14]:
I think that by itself might be an indicator to Google. They might say, well, that's a lot of traffic we're seeing from the same IP address. Maybe it's. Did this. Do they still have the black hole? Remember they used to have these black hole lists like MAPS and ORBS. Are those still around? Because. Yeah, that was problematic. If you'd get on that list, man, you'd.
Leo Laporte [00:27:37]:
You'd never be able to send email again. I mean it was just. Correct. Problematic.
Steve Gibson [00:27:41]:
Yeah. And it was very difficult to get yourself off of it.
Leo Laporte [00:27:44]:
Right.
Steve Gibson [00:27:44]:
And so those things predate this really strong authentication.
Leo Laporte [00:27:51]:
I think SPF, DMARC, and DKIM are really good, right?
Steve Gibson [00:27:54]:
Yes. Once you have those. And again, I can understand how many people don't want to deal with this. So they just want to run their mail out through Mailchimp or, you know, AWS. You know, Amazon has a, what is it, SES service where they do all that for you. I tried that with. Oh, and Postmark is the service that I used for when I was initially doing like the first mailing I had done ever.
Steve Gibson [00:28:26]:
You know, I don't remember now how many hundreds of thousands of email addresses I had collected. But I get it. I mean, you have to really want to do this and understand, you know, which IP your email will emerge from your network on, and have reverse DNS set up for that. It takes a lot to get it done. But no, I enjoy that. So this has been an interesting hunt for me and I just like, you know, now I'm going to watch that graph in a week and see whether in fact I've nipped all of these other spammers who are spoofing GRC in the bud, because I mean, that's what you want. You don't want anybody sending email on your behalf, certainly not using GRC's reputation, and, you know, for phishing emails or to send malware to people. You absolutely don't want that.
Steve Gibson [00:29:21]:
So I think probably I've closed the last little loophole there and we'll know in a couple weeks. Mac Observer's headline was "Apple is turning on a powerful Safari anti-tracking tool for everyone." And the coverage opened with the sentence: Apple is widening Safari's privacy shield. Starting with iOS 26 and macOS Tahoe 26, advanced fingerprinting protection is enabled by default in every tab, not just in private browsing. Now. Okay, we know, because we talked about it last week, that Mozilla also just claimed to have improved their fingerprint protection, which caused me to check my updated Firefox against the EFF's excellent Cover Your Tracks website, which sadly informed me that my Firefox browser still had a unique fingerprint, even though Mozilla said they'd improved it. Well, apparently not improved enough. So upon seeing this iOS 26 claim, and of course having recently been disappointed by Mozilla, I headed right back over to coveryourtracks.eff.org with my iOS 26 updated phone. And remember that I had purchased that phone.
Steve Gibson [00:30:52]:
It was an. It was. Well, I purchased an iPhone 16 earlier this year during that initial panic over Chinese tariffs that might be hitting us. I did not update that to iOS 26 because I didn't want all that Liquid Glass nonsense and I won't until Apple allows us to turn that off, because I don't need it. But my iPhone 12 could be updated to iOS 26, yet it's too old to run the Liquid Glass UI. So, and I have to say Leo, I like the features. It's got a little more. It has a sort of a fit and finish polish that, you know, after all these years you think they would have done everything they could, but just little subtle details of like lines around things and stuff that are nice.
Steve Gibson [00:31:40]:
Anyway, so using iOS 26, going over to coveryourtracks.eff.org, and it's 100% success. Blocking tracking ads. Yes. Blocking invisible trackers. Yes. And protecting you from fingerprinting. And it says your browser has a randomized fingerprint. Significantly, I changed nothing about my default browser settings and Cover Your Tracks reports that I now have strong protection against web tracking.
Steve Gibson [00:32:22]:
So we know the importance, actually the critical importance, of defaults. Defaults are what matter. And so what Apple has done is for everybody by default. They now have strong tracking protection enabled in iOS 26. They said fingerprinting uses subtle device and browser traits to identify you across sites. Safari now standardizes and noises more of those signals by default, making it harder for trackers to single you out while you browse normally, that is. Now I should mention it used to be available under private browsing mode only, not normal. And that's the other big change. They not only made it better, but they made it universal.
Steve Gibson [00:33:14]:
They wrote: Safari reduces access to high-entropy web APIs commonly abused for fingerprinting and limits script-written storage and navigational state reads. Practically, that translates into fewer stable identifiers for tracking scripts and less durable stickiness across sessions. This doesn't change how link tracking protection works in mail messages and private browsing. It also doesn't remove normal cookies from sites you sign into. If something breaks on a niche site, you can temporarily relax protections and try again. So if you go to Settings, Safari, Advanced, you have to scroll all the way down to the bottom of the Safari settings page. The very last thing there is Advanced.
Steve Gibson [00:34:09]:
Then under that is Advanced Tracking and Fingerprinting Protection. What you want to do is confirm that it's set to All Browsing. It could be set to Off or to Private Browsing. Should be on All. On a Mac it's under Safari, Settings, Advanced, and it's called Advanced Tracking and Fingerprinting Protection. You want to set it to In All Browsing. So my iPhone 16, the most recent iPhone, is still running the last iOS before this jump to 26, which was 18. So I decided to see how it compared, that is, what was the last iOS before they fixed this and jumped to 26 doing. I'd also never messed with Safari settings there.
Steve Gibson [00:35:10]:
So its Advanced Tracking and Fingerprinting Protection was still set to Private Browsing, which had been the default for Apple until then. I changed it to All Browsing and then went back over, on the iPhone 16 still running iOS 18, I went back over to the Cover Your Tracks site. I'm getting blocking of tracking ads and invisible trackers, but I'm told that Safari under that last iOS before the move to 26 is presenting a non-unique fingerprint to the world. Now I have to say it's way better than Firefox's. Cover Your Tracks says that my latest Firefox browser is unique among every one of the 301,784 other browsers that have visited that site during the past 45 days. Not good. So it's no problem. You know, nobody would have any problem following me around the Internet using fingerprinting.
Steve Gibson [00:36:23]:
However, it adds that this means it's providing at least 18.2 bits of entropy. By comparison, among those same 301,784 other browsers that Cover Your Tracks encountered during the past 45 days, iOS 18's, that is, the pre-26 iOS 18 Safari, shared a fingerprint with fewer than 1 out of every 2,340 browsers. So everyone using any version of Safari on iOS or Mac before this latest 26, iOS 26, would also be well served to change their browser's anti-tracking and blocking to All Browsing. You know, why not? It's not perfect protection, which is what 26 is offering, but still, rather than a unique fingerprint, which is what Firefox is still giving me among 301,748 or 784. Sorry. Now iOS at least gives me a unique fingerprint among one out of every 2,340. So I'm sharing a fingerprint with a large population of other Safari users as opposed to being unique on the Internet. So an improvement.
Steve Gibson [00:37:53]:
And Leo, I've talked a long time. We're already a half hour in, which is also an improvement. We're gonna look at how Cisco's SNMP actually stands for Security's Not My Problem.
Leo Laporte [00:38:07]:
Not My Problem. I love that. All right, well, let's take a break. As you hydrate, I shall tell everybody about our sponsor for this segment. 1Password. You know that name, right? Over half of IT pros say that securing SaaS apps is their biggest challenge. With the growing problems of SaaS sprawl and shadow IT, it's not hard to see why.
Leo Laporte [00:38:29]:
Thankfully, there's a solution. Trelica by 1Password. It can discover and secure access to all your apps, managed or not, even shadow IT. Trelica by 1Password inventories every app in use at your company, every app, then pre-populated app profiles assess SaaS risks, letting you manage access, optimize spend and enforce security best practices across every app your employees use. This is a way you can manage shadow IT, you can securely onboard and offboard employees, and you can meet your compliance goals. Trelica by 1Password. This really fills a missing piece in your security. It provides a complete solution for SaaS access governance. And it's just one of many ways that Extended Access Management helps teams strengthen compliance and security.
Leo Laporte [00:39:25]:
Of course, you know 1Password's award winning password manager. It's trusted by millions of users, over 150,000 businesses from IBM to Slack. But now they're securing more than just passwords with 1Password Extended Access Management. And of course they have an impeccable security record. They're ISO 27001 certified, they have regular third party audits. And Steve's talked about this before. It's very important. The industry's largest bug bounty, very important.
Leo Laporte [00:39:54]:
1Password exceeds the standard set by all the authorities and it's a leader in security. Take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1Password.com/securitynow. That's 1Password.com/securitynow, all lowercase, 1Password.com/securitynow. It's really interesting, Steve, how modern security companies like this are not assuming perfection on the part of their employees. They're figuring out they're gonna. We don't know what kind of weird SaaS apps they're gonna use. So we're just gonna protect against everything. Because it takes one mistake, as we've said before, just one mistake.
Steve Gibson [00:40:42]:
I think that's the only mature way to operate now, is to just assume that. Well, and as we talked about, you can't tell your employees "never click on anything in email." We do business in email.
Leo Laporte [00:40:56]:
Right?
Steve Gibson [00:40:56]:
Yeah, it's... you have to.
Leo Laporte [00:40:59]:
Right?
Steve Gibson [00:40:59]:
Yeah. Okay. So I was reminded of the old joke that SNMP stood for "Security's Not My Problem."
Leo Laporte [00:41:09]:
It's normally simple network management platform or protocol. Something like that.
Steve Gibson [00:41:13]:
Protocol, Exactly. It's a joke.
Leo Laporte [00:41:17]:
Well, because maybe, maybe it's not a joke.
Steve Gibson [00:41:20]:
Yeah. Well, it's kind of not SNMP's fault, but kind of is. Anytime the name of a widely used ancient Internet protocol begins with the word "simple," you can bet that the S would never be confused with standing for "security." And that is nowhere more true than SNMP. The original RFCs which specify the operation of SNMP date from 1988. And believe it or not, it was never intended to be used in the long term. It was originally created. That's right.
Steve Gibson [00:42:03]:
That's how these things happen, right? As a quick hack, stopgap solution. Because the work that some other groups were doing was believed at the time to be far too burdensome and unimplementable. You know, they were just creating a massively complex system for doing what SNMP does. That's actually why they called it Simple Network Management Protocol. They were saying, no, no, no, no, no, we don't need all that complexity. We just want something simple. So SNMP was thrown together quickly without any essential effective security.
Steve Gibson [00:42:42]:
Now, okay, what do I mean by that? Like DNS, which was also designed around the same time frame to be lightweight and low overhead, SNMP uses UDP packets. And also like DNS over UDP, SNMP has no encryption or eavesdropping protection whatsoever. And what security there is takes the form of a simple clear text password whose textual string must match the one stored in the SNMP-equipped device, an SNMP server, which is being queried. It's true that later SNMP v3 did add privacy and encryption and better authentication, finally. But it was a long time coming and it's often, no, it's often the case that no one bothers to set it up because they just go, well, SNMP. It's simple, right? Supposed to be, right.
Steve Gibson [00:43:47]:
The trouble is, SNMP is also incredibly useful. And even though it was designed in 1988 as a throwaway, temporary, ad hoc, just-until-something-better-comes-along, nothing better ever did. So it's still what everyone uses. I've talked about that cute little SoftPerfect (that's the publisher) NetWorx (N-E-T-W-O-R-X is the application name), that little network monitor. It's able to watch the SNMP counters on my network LAN interface to show the entire network's bandwidth use. Network interfaces count all the bytes coming and going in 64-bit counters. And SNMP can be used to query the state of that counter, the value in that counter, at any time. So simply by polling it periodically, you're able to get the current count and.
Steve Gibson [00:44:52]:
And by looking at the difference between two counts and the time difference between polling intervals, you're able to determine what the bandwidth is across the interface during that period of time. So yes, it's simple, but it's also incredibly useful. That little client which is running on my Windows machine is sending UDP packets to port 161 of the LAN interface. And the router's little SNMP server is examining those packets, seeing that I'm requesting the interface's received and sent byte counts, which it then sends back to the client in a returning UDP packet. So no privacy, no security. It's meant to be used internally, not meant to be publicly exposed. So you can imagine where we're headed with this story. And Cisco's SNMP presents a tree-like structure which can be explored by any patient client to discover all of any network's devices and their settings. This includes things like all of its interfaces, all of its routing and ARP tables, the IP addresses and the network masks of its interfaces.
Steve Gibson [00:46:13]:
The way this was designed, network engineers wanted network access to the settings of all of their devices. SNMP provides that, and obviously that information is nothing you would ever want anyone to have access to. So it turns out it's even worse. It's not just about querying devices, it also supports setting and changing a device's settings, all remotely and all over the network. And remember, by default it uses insecure plain text UDP. So it has always been a security disaster just waiting to happen. Here's in fact what Wikipedia has to say in a couple paragraphs under their heading of "SNMP security," which we already understand is an oxymoron. They wrote: Because SNMP is designed to allow administrators to monitor and configure network devices remotely, it can also be used to penetrate a network.
Steve Gibson [00:47:22]:
A significant number of software tools can scan the entire network using SNMP. Therefore, mistakes in the configuration of the read-write mode can make a network susceptible to attack. In 2001, Cisco released information that indicated that even in read-only mode, the SNMP implementation of Cisco IOS is vulnerable to certain denial of service attacks. These security issues can be fixed through an IOS upgrade. And remember here, IOS was the original Cisco term for Internet Operating System. Got nothing to do with Apple. Wikipedia finishes this little segment saying: If SNMP is not used in a network, it should be disabled in network devices. When configuring SNMP read-only mode, close attention should be paid to the configuration of the access control and from which IP addresses SNMP messages are accepted.
Steve Gibson [00:48:32]:
If the SNMP servers are identified by their IP addresses, SNMP is only allowed to respond to these IPs and SNMP messages from other IPs should be denied. In other words, again, IP-based access control. It is the strongest protection that exists and it just doesn't get enough attention. And they finished saying, however, IP address spoofing remains a security concern, right? Because with UDP you don't need the round-trip packets that TCP requires in order to authenticate the IPs of the endpoints. So UDP, as we know, is completely spoofable from its source IP. Okay, so in other words, SNMP is and has always been a security disaster. If SNMP is not actively needed and in use, its service should never be running, and the IP addresses of anything using SNMP should be filtered so that only authorized clients can obtain access to a device's services. Unfortunately, as Wikipedia points out, being carried by UDP allows spoofing and so source IPs can remain a problem. Although you're not going to get any information back forensically if you spoof the source IP; it's going to go back to where the server believes the UDP packet came from.
Steve Gibson [00:50:06]:
So all of that foregoing would mean that no network engineer would ever consider placing any system that published SNMP onto any public network. And this of course brings us to Ars Technica's headline last Thursday. Quote: "As many as 2 million Cisco devices affected by actively exploited zero-day," and their subhead, "Search shows 2 million vulnerable Cisco SNMP interfaces exposed to the Internet." Unbelievable. What year is this? This is not 1988. This is 2025. The actual number revealed by a Shodan search for the strong, I'm sorry, for the string "Cisco Systems," which is what it responds with on port 161, is 2,303,370. At one point in their reporting Ars tells us, quote, "The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (Simple Network Management Protocol), which routers and other devices use to collect and handle information about devices inside a network."
Steve Gibson [00:51:44]:
"The vulnerability is exploited by sending crafted SNMP packets." Note the phrase in Ars Technica's reporting: "inside a network." SNMP has really no business being enabled on the public-facing interface of any network equipment. And if you absolutely have to have it, then you absolutely have to filter it so that only known queriers are able to do so. Despite that fact, 2,303,370 individual Cisco devices respond to a Shodan query of their port 161 with the string "Cisco Systems." I would be very surprised to learn that more than 2.3 million individual network engineers could or would have deliberately enabled the SNMP service, which they almost certainly have no need for, anywhere on their Cisco devices' Internet-connected interface. And they probably didn't. Unfortunately, this is readily explainable as yet another example of what can only be incredible hubris, today, in this day and age, on Cisco's part. I'm sure that when asked, they would reply, as they have before, that their equipment assumes its use by qualified and trained network engineers, and that the guidelines enumerated in their optional, of course, "how to harden the security of your new Cisco device" guide should always be followed, even though of course it's not required and there's no requirement to do so. The reason Cisco's IOS has such a legacy of trouble is that its design philosophy was born back in 1984 with the company's founding by a pair of Stanford University computer scientists. Little thought was given to security back at the dawn of the Internet, as we've often noted, and the design of Cisco's IOS, as I said, Internet Operating System, reflects that lack of security in its implicit assumption that IOS would only be in the hands of, and configured by and used by, professional network engineers.
Steve Gibson [00:54:26]:
For example, even today, any internal services such as SNMP or HTTP that run in the device are by default available to all of the device's interfaces. Again, believe it or not, any service that is turned on inside a Cisco device by default is available to all the interfaces. A Cisco IOS device has no intrinsic notion of LANs and WANs. Those are all just interfaces, equal, and viewed by Cisco as network ports. The earlier devices, before the early 2000s, actually had all of their various services running by default. They were on and available on all of the device's interfaces until and unless the service was explicitly shut down with a configuration command such as "no ip http server." Remember that GRC back in the earlier days of the podcast, Leo? While you or I were doing the podcast, I originally used a Cisco device. I had a pair of 1.54 gigabit T1 trunk lines running to my.
Leo Laporte [00:55:59]:
Home and we thought that was pretty fancy.
Steve Gibson [00:56:01]:
It was like whoa, 3.3.8 gigabits.
Leo Laporte [00:56:07]:
Yeah, that was megabits, right? It wasn't gigabytes.
Steve Gibson [00:56:09]:
You're right, it was mega.
Leo Laporte [00:56:11]:
It was Megabits.
Steve Gibson [00:56:13]:
You're right, it was. I said gigabit because I couldn't believe it was megabits. That's... I've got something stuck, tickling.
Leo Laporte [00:56:24]:
Well, I think it's the gigabits that are stuck in your throat and I don't blame you. Those things really, wow. Go down easy. Oh, thank you.
Steve Gibson [00:56:34]:
Anyway, I remember explicitly configuring my Cisco router, placing a "no ip http server" line into the router's configuration file in order to prevent that unwanted service from running and being present on all of the device's interfaces. Now, thanks to Cisco's long legacy of apparently assuming that only highly trained network engineers would be configuring their devices, today in 2025, more than 2.3 million of Cisco's IOS-powered routers are exposing their SNMP services to the public Internet for anyone who wants to poke at and query. And unfortunately the world has learned that until they're patched, and you know, what chance is there of that ever happening? Today, 2.3 million routers. I mean, it's the classic example of something being in a back room closet somewhere and long forgotten. A stack overflow that's present inside all of those routers' SNMP packet processing is exposing those devices to what is now an actively exploited zero-day attack. Patches are available from Cisco. Doesn't matter.
Steve Gibson [00:58:03]:
It's unbelievable. So the takeaway for our listeners is to be very certain that if any of our listeners are responsible for a network containing any publicly facing Cisco IOS-based routers, be absolutely sure first of all that you're running the latest version of IOS, and then be absolutely certain that if that router has SNMP, you must explicitly block its access to any ports connected to the Internet. What happens is Cisco did update their IOS so that these services are no longer running by default. Instead of having to turn them off if you don't want them, you do need to turn them on if you do. But if you do turn them on, they by default bind to all the interfaces of the router. So you then need to go through and create access control lists, ACLs, which explicitly deny access to that service from that port across all of them. I mean, there is a high bar for securing a Cisco IOS device. And it's clear that 2.3 million people probably turned SNMP on because they wanted access to it from inside their LAN.
Steve Gibson [00:59:35]:
Never appreciating that, by default, it's also leaking out onto the public Internet unless they do something about it. I mean, again, this is not the way secure networking equipment should ever be designed today. But it's going to take probably another decade before Cisco says, huh, you know, maybe we should block these services unless they're explicitly allowed on the ports. What? Wow, what a concept. Unbelievable. Speaking of vulnerabilities, okay, everything changed in the last week as far as I can tell. But I wanted to bring people along to where we were and what's been happening, because it may not have changed for everyone yet.
Steve Gibson [01:00:33]:
There's a great deal of uncertainty currently surrounding Microsoft's plans, as we know, for Windows 10 and the availability of the next year's worth of security updates courtesy of their ESU, their Extended Security Updates program. The world is asking that Microsoft give it more time to migrate from Windows 10 to 11. It would be ideal if Microsoft were to allow Windows 10 machines to be upgraded to Windows 11. That would beautifully solve their OS version fragmentation problem. You know, I'm sure they could cook up some story about having made a breakthrough in Windows 11 that now allows it to miraculously run on all that older hardware that's currently running Windows 10 and was believed to be stuck there. But oh no, now you can run Windows 11 on it. That would be great.
Steve Gibson [01:01:32]:
But if that cannot or will not happen, I thought that Stacy made a very strong point in her open letter to Microsoft, which we shared last week. She noted that someone might have purchased a brand new PC containing Windows 10 as recently as 2022 whose hardware Microsoft has deemed unworthy of running Windows 11. So now they have a PC that's only three years old that's about to lose access to its constant IV drip, drip, drip of security updates, many of which are critical and all of which are of Microsoft's own making. As Stacy wrote so eloquently, it doesn't seem right. And it also breaks with the expectation Microsoft has previously set of a 10-year life for systems running Windows. I bring this up again as we approach the middle of next month, October 15, right, because it appears to be possible for existing Windows 10 non-Enterprise Edition end users, i.e., people who should qualify for this, to push their machines into the enrollment of the next year of free ESU service. I had a Windows 10 instance last week that was current with all of its updates and it was logged into my Microsoft account.
Steve Gibson [01:02:59]:
But it had not yet received Microsoft's offer to enroll in the forthcoming year of Extended Security Updates. It wasn't clear what it was waiting for or when that might happen, if it would. We've heard that the ESU enrollment invitation is being handled as a gradual rollout. So I thought, okay, maybe it's just waiting for that. I have to be more patient. But some Windows explorers have come up with a sequence of steps that appear to hurry the process along. So a week ago I wanted to experiment with that. The short version is it worked.
Steve Gibson [01:03:41]:
That machine, which was not offering me enrollment in the ESU program, did after I did a little bit of fiddling. So if you're still running Windows 10, this may have changed for you since last week, but you could still wait to see what happens automatically. Maybe it already has. There were instructions posted to a forum thread at the AskWoody website. The thread was titled "How to extend Windows 10 support now, published by gHacks," and that thread was very active. Many people jumped on this. The thread refers to the well-known ghacks.net site where back on July 24, Martin Brinkmann, who's the guy there, posted a series of ESU enrollment screenshots. Now, the only trouble is many people were not receiving the offer in the first place.
Steve Gibson [01:04:47]:
Well down the thread at AskWoody, an AskWoody MVP with the handle of Abbo86, Abode86, posted some step-by-step instructions under the title "Here is a way to force enable Consumer ESU feature." I did those things and it worked. It successfully induced a Windows 10 machine where I was not invited to enroll in ESU to invite me. I have a link to that posting, which is in the AskWoody forum. But there's more. The same Abode individual has created a very nice and comprehensive set of resources at GitHub which includes PowerShell scripts, ample background material, and also the same manual steps, down toward the bottom, which I originally used. I've got the link in the show notes and I also made it this week's shortcut of the week. So you can find that GitHub page at grc.sc/1045. That will transport you over to his GitHub page, and armed with the information there, you should be able to get any qualifying consumer Windows 10 machine enrolled and ready to continue receiving the next year of updates without interruption.
Steve Gibson [01:06:12]:
Now, since then, just this morning I tried two other machines: the one that I'm using to talk to you on, which is a Windows 10 machine that had never been offered enrollment before. When I turned it on this morning, it was. And a different Windows 10 machine gave me the similar experience, different from what I had last week. Now, without me doing anything, it's offering me enrollment. So it may be that I was just jumping the gun here last week, as were, you know, thousands of other people who are impatient, and that Microsoft has now, inscrutably as they are, finally gotten around to doing this. So maybe this is all a non-issue. For what it's worth, if you have a Windows 10 machine and it's Home, Pro, Education and Pro Education, you know, the non-Enterprise editions, this will cause it to give you the enrollment. But it looks like Microsoft is going to get around to doing it for everyone anyway.
Steve Gibson [01:07:25]:
It is worth noting, and I was conscious of this because I'm using my single Microsoft login and I think I've now enrolled three different Windows 10 machines: there is a limit of 10 enrollments per Microsoft account. So since I've got Windows everywhere, I've got to be a little conscious of that. I'm not sure what my MSDN developer credential gets me. I guess I'm going to find out. But I'm going to make sure that the main Windows machines that I am using are able to upgrade. As I said, it wouldn't be the end of my world if I was no longer getting the free updates. It's like, okay, but if I can, I might as well.
Steve Gibson [01:08:11]:
So anyway, now everybody knows everything I know about ESU, and it looks to me like no one will have to do anything. But if you're not being offered it, there is a way, which is now proven and has worked for many people, to get that ESU, to kind of give Windows a little kick in the butt to get it to make you the offer. One last bit of news before we leave this. The news out of what's known as the European Economic Area, the EEA, which includes everybody in the EU member states, plus Iceland, Liechtenstein and Norway, is that for them, Windows 10 machines for everybody there will continue receiving Windows updates, presumably under the Extended Services Updates program. But not necessarily. It could just keep going. Unless, you know, Microsoft might think better of all this and just give everybody updates. Who knows.
Steve Gibson [01:09:15]:
But the point is without them having to do anything whatsoever, no PC backup, no Bing brownie points, no PC settings synchronization, none of those little things that Microsoft is telling us for a while, they don't have to do anything.
Leo Laporte [01:09:31]:
Oh good.
Steve Gibson [01:09:31]:
It turns out that for them Windows 10 updates will be truly and completely free with no strings attached, due to pressure from an organization called Euroconsumers, which is a major EEA, that's again European Economic Area, consumer protection NGO which questioned the legality of Microsoft's offerings compared to the EU's new Digital Markets Act, their DMA. And the best news is that the organization is not finished pushing Microsoft. They're now demanding that Microsoft provide additional years of ESUs to home users, you know, consumers, beyond next year and the now expected October 13, 2026 cutoff. So you know the DMA is doing all kinds of things for our organizations. I heard you talking during MacBreak about it and Apple with the DMA.
Leo Laporte [01:10:42]:
And no Apple really is being told what to do. Yeah, yeah. As I'm sure Microsoft does now frankly.
Steve Gibson [01:10:50]:
And this is the overarching issue of our time, Leo: governments are telling technology.
Leo Laporte [01:10:58]:
Right.
Steve Gibson [01:10:58]:
What to do with their legislation. Whether it's age restrictions or decrypting messaging or you know, whether or not we're able to cause, you know, make people jump through hoops to get extended security updates. It's, you know, there's a real clash here of.
Leo Laporte [01:11:15]:
Yeah.
Steve Gibson [01:11:15]:
Of wills. Okay, after our next break I'm going to tell people about the six dollar TLS certificates that I found. I bought one. I'm using it.
Leo Laporte [01:11:28]:
But do they, do they expire in three months?
Steve Gibson [01:11:32]:
No, you still get 398 days.
Leo Laporte [01:11:35]:
Oh good. All right.
Steve Gibson [01:11:36]:
Thirteen months until March 15th.
Leo Laporte [01:11:39]:
All right, well, let's get to that in just a moment. But first a word from our sponsor for this segment on Security Now. It's Melissa. We've talked about them before, the trusted data quality expert. They've been doing it longer than we have, since 1985. Of course address validation is Melissa's bread and butter. That's what they started doing. That's what they do today. Of course they're getting a lot better and more sophisticated all the time.
Leo Laporte [01:12:05]:
Melissa's address verification services are available to businesses of all sizes. Melissa's address validation app for Shopify is awesome if you do e-commerce, if you're using Shopify. International groups like Siemens AG manage diverse country-specific address formats that can be very tricky, and they gotta make sure the data they hold is correct. Or, like any company, they're going to face significant costs and delays to supply and production chains. Since using Melissa, Siemens AG has reliably processed, get this, more than half a billion queries for 174 countries using its dedicated web service. That's remarkable. The Global IT Head of Master Data Management at Siemens AG says, quote, "Thanks to these very stable solutions, we've achieved an automation rate of over 90%."
Leo Laporte [01:12:58]:
"Melissa reacts very quickly to our requests and offers us the right solutions to the questions that come up, and they consistently meet our service level agreements." That's a pretty high recommendation from Siemens. Data quality is essential in any industry, and Melissa's expertise goes far beyond simple address verification. MetaBank, like every bank, absolutely must know the exact identities of all its customers. It's a regulation. It's a government regulation. However, when a bank's customers include not only its retail clients, but also hundreds of organizations with their own customers, the challenge suddenly becomes exponentially greater. The Senior VP of Data Systems and Business Intelligence at Meta Payment Systems says, quote, "I believe Melissa has helped us improve not only data quality, but also our downstream experience for end users."
Leo Laporte [01:13:48]:
"We're now able to identify everything from fraud to missing data and allow our individual customers to swipe their cards with confidence." And importantly, as every data engineer knows, having clean data translates to the bottom line. You never have to worry about the security of your data with Melissa. It's safe, it's compliant, it's secure. Melissa's solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified. They meet SOC 2 and HIPAA HITRUST standards for information security management.
Leo Laporte [01:14:19]:
Everything you want. Get started today with 1,000 records cleaned for free at melissa.com/twit. That's melissa.com/twit. You owe it to yourself to check out all the things Melissa can do in every business category. Melissa.com/twit. We thank them so much for their support of Security Now. Steve.
Steve Gibson [01:14:41]:
Okay, so I wanted to share another recent discovery of mine: $6 TLS certificates issued with the current maximum allowed 13-month lifetime. Everyone knows about the revoked.grc.com website I created many years ago to demonstrate that the web browsers of that era were completely ineffective in their checks for certificate revocation. You know what really spurred me was that Google was saying, oh, our Chrome browser, we've got that all handled. It's like, no you don't. You're lying to the industry. So to demonstrate that fact, the revoked.grc.com server there is deliberately serving a revoked certificate. I mean, it's.
Steve Gibson [01:15:32]:
The certificate's no good, yet browsers don't care. At the time they didn't. They've gotten much better now, and it looks like Bloom filters are now working. The trouble was last year's deliberately revoked certificate was expiring and it needed to be replaced. And since that simple facility has become pretty popular, it receives about 500 visitors a day, it made sense to me to keep it alive. It turns out it's possible to automate both the issuance and the revocation of certificates using the ACME automation protocol.
Steve Gibson [01:16:12]:
So at some point in the future, I imagine I'll cook up some way of always using a freshly ACME-revoked certificate for the revoked.grc.com site once I've been forced to move all of GRC's other TLS certificates over to Let's Encrypt. You know, we talked about this before, due to the industry's inexorable and I think unnecessary march towards shorter certificate lifetimes. But I'm not ready to do that today. Today I want to get the new and much improved DNS Benchmark wrapped up. So I just wanted to do what I've been doing, which is to purchase and immediately revoke a single certificate for that site. For many years DigiCert has been my certificate supplier. So I went there first. They no longer offer the least expensive and least verified simple DV (domain validation) certificates.
Steve Gibson [01:17:14]:
That's what Let's Encrypt produces. I suppose they wisely decided not to attempt to compete with Let's Encrypt's free ACME automation certs. But okay, that leaves OV, Organization Validation, as DigiCert's least expensive option, where their price for a single one-year OV certificate is now a breathtaking $324. Oh, okay. So paying $324 for a certificate that would never even be valid, you know, like I'm gonna revoke it before I put it online, would be pouring money down the drain. So I went looking around for any widely trusted certificate which I could purchase for a reasonable price. That search brought me to.
Steve Gibson [01:18:11]:
I kid you not. CheapSSLWeb.com. Well, of course, that's what there's.
Leo Laporte [01:18:18]:
Where you needed to go.
Steve Gibson [01:18:19]:
That's what you want. C-H-E-A-P-S-S-L-W-E-B dot com. Wow. And cheap they are. $12 paid one time gives you the right to issue certificates for the domain of your choice as often as you like for two years. So that works out to $6 per domain-year. Reseller.
Leo Laporte [01:18:48]:
They're not the.
Steve Gibson [01:18:49]:
They are. That's exactly what they are, Leo. They are a budget basement reseller. But their certificates are trusted.
Leo Laporte [01:18:57]:
They work.
Steve Gibson [01:18:58]:
Okay. Yep, they work. So they offer a five-year purchase for $20, which would bring the price down to $4 per year. But remember, the near-term schedule for maximum certificate life shortening means that two to three years from today is likely to spell the end of manual certificate issuance and management, because it just becomes too frequent to be practical. Okay, so here's. Remember what the story is until March. In case you're curious.
Steve Gibson [01:19:38]:
I went with the. It was up near the top.
Leo Laporte [01:19:41]:
We don't like Komodo. Right. We don't want to use Komodo or Sectigo.
Steve Gibson [01:19:45]:
I think it was that first one. Yeah, that one. And so you see it says $3.99 per year and "buy now." Except that's the five-year price, where you're throwing away money because nobody wants to be you in five, in four years from now, when you've got to be changing your certificate every month. So forget that. So I went with the two-year plan, which was the $5.99 per year, $6 per year. Okay, so you can see that you buy two years for $12.
Leo Laporte [01:20:18]:
Yeah.
Steve Gibson [01:20:18]:
Okay, so here's the strategy here. So until next March 15, certificates are allowed to have a 398-day life. So 13 months, right. But the CA/Browser Forum requires that to be cut in half to just 200 days on next March 15, then again cut in half to 100 days a year later, and that would be in 2027, and then finally down to 47 days two years later than that, in 2029, four years from now. Okay, so depending upon how resistant you or your application, whatever it may be, might be to automation, which will be pretty much required after March 15th of 2029 when certificates will only be allowed to have a 47-day maximum life, you might want to do this two-year plan.
Steve Gibson [01:21:29]:
So two years, which you can purchase for $12. Now, under that plan you would purchase and begin using that certificate now. Then you'd reissue, or issue another certificate, shortly before next March 15th of 2026, when you can still do so for another full 398 days. So you get a half a year between now and then. Then you get a full year from then.
Steve Gibson [01:22:01]:
As long as you do it before March 15th, you can make a certificate last 398 days. Then you issue a 200-day certificate a year later, shortly before March 15th of 2027. Again, March 15th of 2026 dropped it to 200 days, but you made your certificate the day before, so you could do it for a full year. But when it comes around to March 15, 2027, it's about to drop to 100. So just before March 15th of 2027, you reissue the certificate again for 200 days. Now you go 200 days, and before that certificate expires, you need to get going with automation.
Steve Gibson [01:22:48]:
But this allows you essentially a full two years from today to have useful, fully honored and recognized TLS certificates for $12 from CheapSSLWeb.com. Anyway, if you're not ready yet to invest the time and effort to move to Let's Encrypt's ACME automation, for whatever reason (I'm not; I've got other things to do), I wanted to let everyone know that this downward pricing pressure that Let's Encrypt has clearly been placing on the traditional DV, domain validation, certificate market has resulted in extremely inexpensive, yet still widely trusted, manually issued and installed domain validation certificates, while they last. I would not want to be in that business in a couple of years, but it's still there. Now, it won't be feasible to do manual issuance after March of 2029, but certificates issued just before those various deadlines will be able to live long enough for manual management to still be feasible for another couple of years. And I have a feeling that's what I'll be doing.
Steve Gibson [01:24:08]:
Okay, I wanted to follow up a bit on the status of this crazy Jaguar Land Rover cyber attack and what takeaways there are from that, since it's quite a harrowing story. What I saw reported in the Risky Business newsletter was the following. They wrote: The UK Government has agreed to underwrite a one and a half billion pound loan, one and a half billion pounds, loaned to Jaguar Land Rover to help the car maker deal with the increasingly costly aftermath, I'll say, of a recent cyber attack that has crippled its production and shut down factories for almost a month. The underwrite was approved on Sunday after a visit from UK Business Secretary Peter Kyle to the headquarters of JLR, you know, Jaguar Land Rover, and its main supply chain firm Webasto this week. JLR fell victim to a ransomware attack, supposedly from the HellCat group, on August 31st. Production lines at all JLR factories have been shut down ever since and are expected to last into October, meaning shutdowns into next month. While it looked like another largely benign ransomware attack, I don't know if any ransomware attacks are benign, that hits the back office, and the company then needs to reinstall some accounting systems to get back into order.
Steve Gibson [01:25:55]:
This was not it, not at all. Systems like CAD engineering software and product life cycle software, payments tracking, customer car delivery systems, the works went down. The incident has turned into a legitimate catastrophe for both the company, its suppliers, and even the British economy as a whole. With production lines ground to a halt, hundreds of small companies that supplied Jaguar parts and various services also had to slow their pace and even put workers on leave. Several of the smaller ones are facing bankruptcy and were expected to go under, since several had just days of cash left in their accounts. With no car sales and no secondary economic activity being generated by its supply chain for an entire month, the Jaguar Land Rover cyber attack is likely to impact the UK's economic growth itself. The company alone employs over 34,000 people, with another 120,000 working throughout its supply chain, according to a recent report. The company also did not have a cyber insurance policy at the time of the attack and will likely have to foot the bill for the attack and subsequent revenue losses.
Steve Gibson [01:27:24]:
Just Jaguar Land Rover itself is expected to lose hundreds of millions of pounds, according to reports, which explains the need for an underwrite in the realm of £1.5 billion. Okay, so we're not on the inside. We cannot definitively say why and how this happened. But the fact that the company was not carrying any insurance against cyber attacks, and that whatever happened was able to so deeply and so thoroughly nuke its operational capabilities, all that at least strongly suggests that the management of Jaguar Land Rover was not taking the reality of today's cyber attacks seriously enough. They may have felt that carrying cyber attack insurance would be prohibitively expensive, but one has to wonder how they might feel about that decision today. We've also seen cyber insurance companies themselves becoming increasingly involved in the organizations they're being asked to insure, setting operational requirements to minimize their and everyone else's risk. So it may have been the case that Jaguar Land Rover's observable cyber attack readiness was so poor, as now appears to be the case, that any prospective insurers were forced to quote either ridiculously high premiums and/or cap their liability to a point that carrying insurance under those terms didn't make any sense. The big takeaway lesson for all C-suite executives, and I sincerely hope that this startling Jaguar Land Rover news reaches them, is that the maintenance of true cyber attack readiness is no longer something that can be just given lip service, then dismissed when the time comes to set budgets.
Steve Gibson [01:29:41]:
The unfortunate reality is that today's cyber threat landscape has truly and significantly increased the cost of doing business. This means that one way or another, today's enterprises are going to pay, either in advance for preemptive protection and cyber insurance, or in the form of post-attack ransoms, possibly serious downtime, and reputational harm. And Leo, I heard you mention that you guys had some discussion of this on...
Leo Laporte [01:30:18]:
Yeah.
Steve Gibson [01:30:19]:
Or on an earlier podcast.
Leo Laporte [01:30:21]:
Yeah, not last Sunday, but a week ago Sunday. I'm trying to remember who it was. I think it was Father Robert who was talking about this. As you know, he's very interested in security. Jaguar's owned by Tata, the big Indian-based multinational. And he said that it was his understanding that their security was flat, that they didn't have a segmented architecture; they basically had perimeter defense, and once the bad guys got in, they had complete control of the network and lateral movement and all that.
Leo Laporte [01:30:52]:
It was just a flat network. That was his understanding anyway.
Steve Gibson [01:30:57]:
And remember, it was a week or two ago I was talking about the principle of least required privilege.
Leo Laporte [01:31:04]:
Yes.
Steve Gibson [01:31:04]:
Where.
Leo Laporte [01:31:04]:
Yes.
Steve Gibson [01:31:05]:
You know, every entity on the network should only have access to those assets that it must have.
Leo Laporte [01:31:14]:
It's really a cautionary tale. You just gotta. Yeah.
Steve Gibson [01:31:17]:
It's so easy to plug a whole bunch of routers and switches together and put everyone on the same LAN, and it's like, oh, look, everybody can... where do you want to print? What do you want to do? Anybody can do anything. But your physical facility's door access controls can be exploited by some low-level assistant in shipping if they click on the wrong link.
Leo Laporte [01:31:44]:
Yeah, that's not good.
Steve Gibson [01:31:45]:
No, it's an old...
Leo Laporte [01:31:47]:
It's a very old-fashioned world. Yeah. This is a very old-fashioned way of doing it. And it's my guess that Tata just doesn't invest in modern security. And this is...
Steve Gibson [01:31:57]:
Well. And there it is. Yep.
Leo Laporte [01:32:00]:
Taxpayers have to foot the bill for this. It's just, you know, shameful.
Steve Gibson [01:32:05]:
Wow. Wow.
Leo Laporte [01:32:06]:
Yeah. Yeah.
Steve Gibson [01:32:07]:
Okay. A headline in TechCrunch would give anyone pause. Last Wednesday they posted a story. Listen to the headline. The headline is: "Neon, the number two social app on the Apple App Store, pays users to have their phone calls recorded and sells that data to AI firms."
Leo Laporte [01:32:34]:
Oh, for training. Sure, why not? Why not?
Steve Gibson [01:32:37]:
Okay. How much do you think, though? Okay, well, that's an interesting story. It's surprisingly a lot, and I don't think it can possibly...
Leo Laporte [01:32:50]:
Suspicious if it's a lot. Yeah.
Steve Gibson [01:32:52]:
Here's what TechCrunch reported. They said a new app offering to record your phone calls and pay you for the audio, so it can sell the audio data to AI companies, is, unbelievably, they wrote, the number two app in Apple's US App Store's social networking section. The app, Neon Mobile, pitches itself as a money-making tool offering, quote, "hundreds or even thousands of dollars per year"
Leo Laporte [01:33:24]:
Wow.
Steve Gibson [01:33:25]:
for access to your audio conversations. Neon's website says the company pays 30 cents per minute when you call other Neon users, and up to $30 per day maximum from making calls to anyone else. The app also pays for referrals. The app first ranked number 476 in the social networking category of the US App Store on September 18, but jumped to number 10 by the end of last Monday, according to data from app intelligence firm Appfigures. Last Wednesday, Neon was spotted in the number two position on the iPhone's top free charts for social apps.
Leo Laporte [01:34:11]:
It also... I know.
Steve Gibson [01:34:14]:
Yeah, they know today's kids. It also became the number seven top overall app or game earlier on Wednesday morning, and became the number six top app. According to Neon's terms of service, the company's mobile app can capture users' inbound and outbound phone calls. However, Neon's marketing claims to only record your side of the call unless it's with another Neon user. That data is being sold to, in quotes, "AI companies," unquote. Neon's terms of service state, quote, "for the purpose of developing, training, testing and improving machine learning models, artificial intelligence tools and systems and related technologies," unquote. So I guess AI models had a whole Internet full of text, but what they didn't have was a whole Internet full of audio data, people speaking. And so the entrepreneur behind this, some guy in an apartment in New York, I'm not kidding, decided, hey, that's a great idea.
Steve Gibson [01:35:29]:
Anyway, we'll get to that in a second. So they said: Its highest ranking within the Apple App Store, meanwhile, is proof that there is now some subsection of the market seemingly willing to exchange their privacy for pennies, regardless of the larger cost to themselves or society. Despite what Neon's privacy policy says, its terms include a very broad license to its user data, where Neon grants itself a, quote, "worldwide, exclusive, irrevocable, transferable, royalty-free, fully paid right and license, with the right to sublicense through multiple tiers, to sell, use, host, store, transfer, publicly display, publicly perform (including by means of a digital audio transmission), communicate to the public, reproduce, modify for the purpose of formatting for display, create derivative works as authorized in these terms, and redistribute your recordings, in whole or in part, in any media formats and through any media channels, in each instance whether now known or hereafter developed." In other words, you have explicitly given it the right to impersonate you. Yeah, in this license.
Leo Laporte [01:36:51]:
That's interesting.
Steve Gibson [01:36:54]:
They said that leaves plenty of wiggle room for Neon to do more with users' data than it claims. The terms also include an extensive section on beta features, which have no warranty and may have all sorts of issues and bugs. Though Neon's app raises many red flags, do you think it may be technically legal? Well, sure, if the user says "you can record me and do anything you want forever, without limitation, with my audio, click here." Then yeah. Jennifer Daniels, a partner with the law firm Blank Rome's Privacy, Security and Data Protection Group, tells TechCrunch, quote, "Recording only one side of the phone call is aimed at avoiding wiretap laws. Under the laws of many states, you must obtain consent from both parties to a conversation in order to record it. It's an interesting approach," says Daniels. Peter Jackson, cybersecurity and privacy attorney at Greenberg Glusker, agreed, and tells TechCrunch that the language around, quote, "one-sided transcripts" sounds like it could be a backdoor way of saying that Neon records users' calls in their entirety, but may just remove what the other party said from the final transcript.
Steve Gibson [01:38:12]:
In addition, the legal experts pointed to concerns about how anonymized the data may really be. Neon claims it removes users' names, emails and phone numbers before selling data to AI companies. That's probably fine. Who cares? I mean, you've given them your voice, everything you've said. But the company doesn't say how AI partners or others it sells to could use that data. Voice data could be used to make fake calls that sound like they're coming from you. Yeah, no kidding. Or AI companies could use your voice to make their own AI voices.
Steve Gibson [01:38:48]:
Jackson said, quote, "Once your voice is over there, it can be used for fraud. Now this company has your phone number and essentially enough information. They have recordings of your voice, which could be used to create an impersonation of you and do all sorts of fraud," unquote. Even if the company itself is trustworthy, Neon doesn't disclose who its trusted partners are or what those entities are allowed to do with a user's data further down the road. And we just read that license agreement. You've given them permission to do anything with your voice, anytime, for any purpose they could ever imagine. Forever. Neon is also subject to potential data breaches, as any company with valuable data may be. In the brief test by TechCrunch, Neon did not offer any indication that it was recording the user's call, nor did it warn the call recipient that they might be recorded.
Steve Gibson [01:39:44]:
The app worked like any other voice over IP app, and the caller ID displayed the inbound phone number as usual, they said. We'll leave it to security researchers to attempt to verify the app's other claims. Neon's founder, Alex Kiam, did not return a request for comment. A business filing shows that Kiam, who's identified only as Alex on the company website, operates Neon from an apartment in New York. A LinkedIn post indicates Kiam raised money from Upfront Ventures a few months ago for his startup, but the investor did not respond to an inquiry from TechCrunch as of the time of the writing. So then they ask, has AI desensitized users to privacy concerns? They said there was a time when companies looking to profit from data collection through mobile apps handled this type of thing on the sly. When it was revealed in 2019 that Facebook was paying teens to install an app that spies on them, it was a scandal. The following year, headlines buzzed again when it was discovered that App Store analytics providers operated dozens of seemingly innocuous apps to collect usage data from the mobile app ecosystem.
Steve Gibson [01:41:06]:
There are regular warnings to be wary of VPN apps, which often aren't as private as they claim. There are even government reports detailing how agencies regularly purchase personal data that's, quote, "commercially available" on the market. Now AI agents regularly join meetings to take notes, and always-on AI devices are on the market, but at least in those cases everyone is consenting to a recording, Daniels tells TechCrunch. In light of this widespread usage and sale of personal data, there are likely now those cynical enough to think that if their data is being sold anyway, they may as well profit from it. Unfortunately, they may be sharing more information than they realize and putting others' privacy at risk when they do, Jackson said, finishing: "There is a tremendous desire on the part of certainly knowledge workers, and frankly everybody, to make it as easy as possible to do your job, and some of these productivity tools do that at the expense of, obviously, your privacy, but also increasingly the privacy of those with whom you are interacting on a day-to-day basis." Okay. So I have several reactions to this.
Leo Laporte [01:42:25]:
I can guess.
Steve Gibson [01:42:27]:
Although I know I'm not talking about this audience, many people really don't care about their privacy all that much. I've received sufficient feedback through the years from the people who take the time to listen to this podcast to know that the great majority of our listeners would have no problem being characterized as old school as regards their privacy and concerns for online security. But we're the extreme cases. I think the huge majority of people really do not care. So I'm not surprised to learn that an app that promises to pay up to $30 per day in return for having one's voice recorded and sold is succeeding. It's not difficult to imagine this app spreading like wildfire across school campuses, and the bonus of increasing the payout if both parties are using the service is such a clever way of getting the system to go viral. What surprises me is the size of the payout amount, which seems quite high, and I would be surprised if it turned out to be sustainable at that level. So there may be some early-adopter bait and switch going on here, where the payout rate will eventually drop once the system has been widely established and adopted.
Steve Gibson [01:44:01]:
Also, how are the funds sent back to Neon's users? I downloaded the app to see what I could learn, but there was no option other than signing up and giving it my phone number, which, being something of an avid listener of this podcast myself, I was unwilling to do.
Leo Laporte [01:44:20]:
You've learned from yourself, that's good.
Steve Gibson [01:44:22]:
That's right. There's an echo in here. So I got no further than that, so that remains an open question to me: how are users paid this $30 per day? The last thought I have is that I, as I'm sure would be the case for many of our listeners, would have a big problem with not being informed that my voice was being surreptitiously recorded and sold by whomever I was speaking with on the other end of the conversation. They say that's not happening, so we have to take them at their word. Not only is it just creepy, but voice authentication promises to be a serious problem in the future. When you combine AI's ability to convincingly converse with generative AI's ability to, on the fly, spoof the voice of anyone it has a sufficiently mature sample set for, all the pieces are in place for trouble. Some time ago, I told my office manager and bookkeeper, Sue, that she must verify with me in writing, via our internal email, anything she believes I've instructed her to do verbally that regards moving money.
Steve Gibson [01:45:52]:
And we've been practicing that for some time.
Leo Laporte [01:45:55]:
That's really good. I like that.
Steve Gibson [01:45:56]:
I have told her that I will never tell her not to confirm in writing, and that no emergency is too great for verification first. So we've been doing that for years. Anytime I have a conversation with her and tell her to do something, she follows up by sending me an email. And our GRC email is internal; it goes to no external services or servers. And so I know that may seem extreme and inconvenient, sort of like freezing one's credit reporting. But these sorts of simple measures can make the difference between...
Steve Gibson [01:46:35]:
Being a victim or not.
Leo Laporte [01:46:36]:
Oh, no. We get email every day instructing our accounting department to pay some bill or other. That's bogus. It happens every day.
Steve Gibson [01:46:46]:
Yep.
Leo Laporte [01:46:46]:
You have to do it. You have to do what you're doing.
Steve Gibson [01:46:48]:
Yeah, yeah. And I hold a bunch of trademarks, and one of the scams is that the trademarks are published publicly. And so there are firms that go through public trademark registries and just send out bills to trademark holders, to the physical addresses that are registered, saying it's time to renew your trademark: send $1,800 to this address and we'll take care of it for you. It's like, what? I have an IP firm in LA that does this. But so I see how much of this bogus nonsense there is.
Leo Laporte [01:47:26]:
So much.
Steve Gibson [01:47:27]:
And it just must be that in large firms, some accounting departments just pay whatever invoice comes in.
Leo Laporte [01:47:33]:
Well, it doesn't have to work much. Just once in a while.
Steve Gibson [01:47:37]:
Right. It's like spam. Spam mostly doesn't work, but enough of it does. And since it costs nothing to send it...
Leo Laporte [01:47:45]:
Exactly.
Steve Gibson [01:47:45]:
Spam we have.
Leo Laporte [01:47:47]:
Yeah, it's amazing. Wow.
Steve Gibson [01:47:49]:
Okay, break. And then we're going to look at a few age verification things.
Leo Laporte [01:47:55]:
Well, I like this next sponsor, especially in light of what we've been talking about, for instance, with the Jaguar story. We're talking about ThreatLocker. This is zero trust done right, affordably, easily. You know, just because you listen to the show: ransomware is just killing businesses worldwide. I mean, it's not just Jaguar, but ThreatLocker can prevent you from becoming the next victim. ThreatLocker's Zero Trust platform takes a proactive, and this is the key, deny-by-default approach. It blocks every unauthorized action, protecting you from known and unknown threats. Zero days.
Leo Laporte [01:48:35]:
You don't have to know what bad guys are up to. Just say no: unless I explicitly say it's okay, it's not okay. That's why it's trusted by companies that just can't afford to be down for one minute. Like JetBlue uses ThreatLocker. The Port of Vancouver uses ThreatLocker. ThreatLocker shields them, and can shield you, from zero-day exploits and supply chain attacks while providing complete audit trails for compliance. One of the things we've talked about on Security Now in the past is this thing, this new malvertising. Not that new, but it's becoming really an epidemic.
Leo Laporte [01:49:09]:
Malvertising, you know. And this is another way, it's not just phishing emails, that a bad guy can get your employees to click and destroy you. You need more than just traditional security tools. Attackers are creating convincing fake websites, impersonating popular brands like AI tools and software applications. They're distributing the links through social media ads and hijacked accounts. Then they use legitimate ad networks. They buy the ads to get on legitimate sites. But these ads deliver malware, which means anyone who's browsing gets infected.
Leo Laporte [01:49:50]:
And if they're browsing on your work system, it means it could be the end for you. Traditional security tools often miss these attacks because they use fileless payloads that run in memory. They exploit trusted services that bypass typical filters. That's why you need ThreatLocker's innovative Ringfencing technology. It strengthens endpoint defense by controlling what applications and scripts can access or execute. Deny by default contains potential threats, even if malicious ads successfully reach the device. Even if your employees click that link. Doesn't matter.
Leo Laporte [01:50:27]:
I love this. ThreatLocker works in every industry. It supports Windows and Mac environments. They've got great US-based 24/7 support. And with ThreatLocker, you also get great compliance. And it enables comprehensive visibility and control. Ask Jack Sennasap.
Leo Laporte [01:50:42]:
He's the director of IT Infrastructure and Security at Redner's Markets. Here's the quote. He says, quote, "When it comes to ThreatLocker, the team stands by their product. ThreatLocker's onboarding phase was a very good experience and they were very hands-on. ThreatLocker was able to help me and guide me to where I am in our environment today." End quote. It's easier and simpler to implement zero trust than you might imagine, and a lot more cost-effective. Get unprecedented protection quickly, easily, cost-effectively with ThreatLocker.
Leo Laporte [01:51:14]:
Visit threatlocker.com/twit to get a free 30-day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com/twit. And I can tell you, I can promise you, there are people listening right now who are saying, gosh, I wish we'd had this set up. I wish we'd had ThreatLocker. Don't you be that person. Don't delay. threatlocker.com/twit. We thank them so much for the work they do. Great company, and their support is really appreciated on Security Now.
Steve Gibson [01:51:44]:
Steve, the world has changed.
Leo Laporte [01:51:47]:
Yeah.
Steve Gibson [01:51:48]:
In the last five years. I mean, the attack landscape... security wasn't better then and worse now. It's always been kind of barely adequate. But the bad guys weren't motivated. There was nothing that they could do to turn a company's weak security into cash.
Leo Laporte [01:52:13]:
And there's so much money in it now. There's so much money in it.
Steve Gibson [01:52:17]:
Yes. The emergence of cryptocurrency that allowed them to get paid, and the whole concept of ransomware, it changed everything.
Leo Laporte [01:52:27]:
Yep.
Steve Gibson [01:52:29]:
And now security has to be way tighter. I wanted to correct, or at least clarify, something that I said about the decentralized social media service Bluesky and its age verification. We know that Bluesky has suspended all of its services in Mississippi, just across the state, due to that state's nutty "only proven adults can access any social media" law. Which again, as I said, that's just, what? And I wonder, like, is Meta just ignoring this? It's like, okay, come sue us, because Bluesky is a small group, and so they thought, okay, we have to obey the law. I guess Meta is just thumbing their nose at it and saying... I don't know.
Leo Laporte [01:53:16]:
That's a really good question. I don't know what they've implemented.
Steve Gibson [01:53:19]:
Yeah, yeah. And we also recently noted that Bluesky would be doing the same thing in the states of South Dakota and Wyoming as they have in the UK, where there is a saner law. In the UK and in those two states, only access to adult content, not all content, just adult content, requires some proof of age. So that's more reasonable. Okay. Then yesterday I ran across another update on Bluesky in TechCrunch. They began the report saying the social media network Bluesky will begin verifying users' ages in the state of Ohio to comply with new regulations starting on Monday, September 29th. That's yesterday. The company, which offers an open and decentralized competitor to X and Threads, says it will enable the Kids Web Services age verification solution in the state. This is the same solution that Bluesky is already using in South Dakota and Wyoming to comply with similar laws.
Steve Gibson [01:54:29]:
Bluesky announced the move in Ohio on Sunday via its Bluesky Safety account and in an update to last month's blog posting about the matter. The change has come as a number of US states are rolling out their own age verification laws to protect children from online risks, given the lack of federal guidance. The Ohio law, meant to protect kids from pornography, will require users in Ohio to upload a copy of their government-issued photo ID or other personal identification before accessing adult content. This includes the type of adult content that can be found on social networks. KWS, that's the abbreviation of Kids Web Services, will provide the technical infrastructure that allows Bluesky to verify users' ages by offering multiple ways for them to do so beyond only uploading a government-issued identity document. According to its website, KWS also lets users verify by facial scans, payment cards, and more.
Steve Gibson [01:55:38]:
Okay, now, I had previously assumed incorrectly, or at least intimated, that Bluesky's use of something called KWS, Kids Web Services, was some homegrown solution that they had cobbled together as a means of verifying age. But TechCrunch reported it as an outside service, and indeed that's what KWS is: www.kidswebservices.com, all one word, kidswebservices.com. I learned that KWS has been around for quite a while. Four years ago today, in fact, on September 30, 2021, they posted a piece under the headline "Making the Internet and Metaverse Safer for Kids with Free Parent Verification for All Developers," where they explained: "Today, one of the biggest challenges for developers and content owners is enabling access for young audiences." Okay. But now, putting this into a temporal context, remember, that was four years ago, long before all this recent state and federal legislation began blowing up in our face. So what was the need? Back then, it was access to video game content. The year before they posted this, KWS merged with Epic Games. They said, in order to enable features which may require personal data, such as content personalization, navigation or push notifications,
Steve Gibson [01:57:33]:
children's privacy laws like COPPA and GDPR-K may require you, you meaning developers of online gaming, to obtain the consent of parents, and in many cases verify that the parent is an adult. This is called verifiable parental consent. Securing verifiable parental consent creates a user experience where a child has to educate their parent. The parent has to go through the registration process, then verify their identity, and only then grant permission to their child. As painful to get through as the sentence is to read, yeah. And this has to be repeated every time a child wants to access a new digital experience. Many developers look at the complexity and cost of the parent verification process and choose to simply avoid young audiences entirely. Large developers can afford the luxury to build their own solution or license ours. Small developers don't have the luxury.
Steve Gibson [01:58:53]:
Our Kids Web Services, KWS, platform already powers parent verification for some of the biggest games in the world, including Fortnite and Among Us. KWS delivers the most frictionless parent experience in the industry thanks to its innovative Parent Graph. Once a parent is verified using KWS, they never need to provide their verification details again for any other service using KWS technology, minimizing personal data processing and providing a better user experience for both parents and players. Today, the Parent Graph includes millions of pre-verified parents and is growing rapidly. While we're heartened to see more technology companies thinking about access and safety for their younger audiences, the future of the Internet and growth of the Metaverse requires kid tech tools to be available to everyone. The ability to execute at this kind of scale is exactly why we joined Epic Games last year. So I was curious to learn how their parental verification worked. Elsewhere in their FAQ, answering the question "What type of verification methods does KWS use?", they explain: KWS continuously optimizes and adopts new parent verification methods and vendors.
Steve Gibson [02:00:28]:
Our verification team continuously researches, tests and adds new methods and vendors to raise the standard of our parent verification service. We offer developers and parents methods that are as inclusive and widely accessible as possible while minimizing personal data collection, depending on the child's location. Our current verification methods include the following: credit card / debit card verification, and for that they use Stripe. Stripe has an age verification service, so they sub that out to Stripe. Facial scan, document ID scan, Social Security number (in the U.S. an SSN, or a CPF or CURP) checks, an iPIN available only in the Republic of Korea, and cell phone, available only in the Republic of Korea. So one of the reasons this system was so appealing to Bluesky, and will likely be appealing to many others, is that it is 100% free of charge regardless of the usage volume. Anyone, any developer, is free to use this established system rather than needing to build their own. For parents whose kids wish to have access to Epic Games, this meant that they only needed to go through the annoying process of proving they were an adult one time.
Steve Gibson [02:02:05]:
And the site does talk a lot about data minimization, hashing identities and so forth. I didn't spend any time digging into the details of the system's operation because I sincerely hope that in the long term its operation will not matter. That is, I hope it's an example of the sort of stopgap measure that websites and online services will be driven, unfortunately, to adopt in the short term, until we obtain the standardization that we need. We don't have that today. There's nothing for that, that Bluesky can use. So they're using this third party service that, if nothing else, you know, is well established. So, you know, I think, you know, I mean, nobody wants to give their credit card or a facial scan or anything. The whole thing seems kind of flaky.
Steve Gibson [02:03:03]:
But it does give Bluesky the ability to say that they're protecting their adult content with a system they didn't have to roll their own. They just, you know, made an API call to the KWS servers and they're able to do this for no charge. So.
Leo Laporte [02:03:20]:
Yeah, I mean, in order to, you know, talk to the federal government, I have to use ID.me. Right. I mean, this is, right, we're kind of used to this idea. Do you know anything? I mean, is KWS cool? I mean, are they good? I don't know anything about them. Not that I know anything about ID.me either, except that the IRS requires it.
Steve Gibson [02:03:40]:
Yeah. And you know, I've got, I've got my California digital driver's license in my phone.
Leo Laporte [02:03:45]:
Right.
Steve Gibson [02:03:45]:
And it is able to do age verification and age assertion. So as soon as, as soon as, I mean, we're just waiting for these pieces to come together. Unfortunately, the legislation is not waiting. And I guess you could argue that unless we had laws that force the technology to move, we know how slowly technology moves, Leo, maybe it would never happen unless we had, you know, legislators, you know, screaming about it and, you know, forcing ad hoc solutions and websites going dark across states.
Leo Laporte [02:04:21]:
Right, right. Well, I think it sounds like though, we're getting somewhere, we're getting closer to a possible solution.
Steve Gibson [02:04:29]:
So that's, I, I, yes, I, I, I do think, I, I think what we need is states to widely adopt digital licenses. I think digital driver's licenses, that's a.
Leo Laporte [02:04:40]:
Good way to do it.
Steve Gibson [02:04:40]:
Yeah. Yes. Because you already are known to your state and then allow your phone to assert your age to a, to a, to a third party website.
Leo Laporte [02:04:49]:
Right.
Steve Gibson [02:04:50]:
And that can be done without, without identifying who you are at all absolutely anonymously.
Leo Laporte [02:04:55]:
I'd rather get that information, that verification, from a state than a federal government or any private company. So I think you're right. I think that's the best of a bunch of imperfect solutions.
Steve Gibson [02:05:08]:
Yeah. Okay. The Internet scanning company Censys, spelled C-E-N-S-Y-S, posted last Wednesday that their comprehensive Internet scanner had identified 10,600 publicly accessible instances of Ollama large language models just flapping in the breeze, just out there for anybody to query.
Leo Laporte [02:05:36]:
It's pretty easy to do that by accident. I use Ollama and it sets up a web server which should be local, right? It's a 192 address, right?
Steve Gibson [02:05:47]:
Yes. It is bound to your localhost IP at port 11434. It turns out, though, that if you want it, if you add a line to its configuration, it's not difficult to bind it to another interface or 443 or something.
Leo Laporte [02:06:09]:
Yeah, yeah, yeah. Whoops.
Steve Gibson [02:06:11]:
So they wrote that, they said, as we write this in September 2025, that's, you know, today, actually the last day of September 2025, large language models are so hot right now. For those who are not familiar with the hype, LLMs are widely used for a range of applications. And frameworks like Ollama make it easy for users to spin up an instance for their personal use. Just like you did, Leo. To add to this, many organizations now publish guides to help users spin up LLM instances faster. However, with this ease of use also comes ease of misuse. Like many other technologies on the web, security is an afterthought, and LLMs are no exception.
Steve Gibson [02:06:59]:
We already know of anecdotal cases where open instances of LLMs are being misused by online actors. So we take our Internet wide lens to see what Ollama instances look like today. Fortuitously, Censys already has an Ollama scanner that scans for Ollama instances on HTTP and exposes that data on hosts and endpoints. Okay, then they go on at some length. But they found that the majority of these instances were concentrated, not surprisingly, on cloud and hosting providers, with some notable exceptions in software as a service companies which appear to have spun up these instances for their customers. But anybody can access them. It's nuts. Censys probes all 65,535 TCP/IP ports.
Steve Gibson [02:07:55]:
They found more than 25% of all Ollama instances were listening on ports other than the default, which is 11434. Ollama normally binds to the localhost IP 127.0.0.1 to restrict Ollama's service availability to the local platform. But if instances are being spun up for others, binding to public ports is understandable. What's not understandable is the apparent total lack of security. The security is designed for local use, meaning the service is designed for local use, so it binds to the localhost port as its sole security measure. If that service is bound to a public facing interface, then the LLM will be public and available to all. Which is exactly what Censys found and reported. After apparently obtaining a connection to an Ollama instance, Censys prompted each instance with two probing prompts.
Steve Gibson [02:09:04]:
They asked, "What is your purpose?" and "Could you remind me what your prompt is?" Of these 11,600 Ollama instances which they found, 1500 of those responded to at least one of those prompts, indicating direct interactivity with the model via the exposed API. Censys wrote, like many other entities on the Internet, these instances should not be publicly accessible and definitely not publicly promptable. As technologies proliferate, we must be cautious about what we post online and how it's accessible to others. So, you know, you can imagine, Leo, as a home user, as just an individual, you want to run this thing and have it running on your machine and then, you know, point your web browser at it and talk to it. You don't want to have to, like, come up with a username and password. There isn't one. It's just there on your browser at whatever IP and port you've assigned it.
Steve Gibson [02:10:11]:
And unfortunately, if you make it public, everybody else has access too. Crazy.
Leo Laporte [02:10:17]:
Yeah, it's tempting. I can understand why people do it, but don't. I think they just don't know what they're, what they're playing with.
Steve Gibson [02:10:26]:
Before our final note and our listener feedback, I wanted to mention, as I mentioned at the top of the show, I wanted to update everyone that my last 10 months of work on the development of a major commercial, though inexpensive, upgrade to GRC's most downloaded freeware of all, the DNS Benchmark, has reached the release candidate stage. I imagine we're only a few weeks away from having the work finished, the website updated, e-commerce up and running, and everything ready to go. So that happened over the weekend and I am very pleased. It's turned out to be a really nice piece of work. So I really, I thank all the people that have helped me in our newsgroup to, like, poke it and prod it and do bizarre things that I never thought to do. It's actually a much better piece of software now than the freeware. The freeware works, but it's free.
Steve Gibson [02:11:29]:
This one is, you know, commercially robust. So I'm. A few weeks from now. I'll have more news on that on that front.
Leo Laporte [02:11:38]:
Yay. Very exciting.
Steve Gibson [02:11:39]:
So let's, let's take a break, our last break, and then we're going to hear from our listeners.
Leo Laporte [02:11:45]:
Good. Well, I want to talk about a company that I've mentioned before, I use all the time, Zapier, our sponsor for this segment of Security Now. Zapier is kind of my secret weapon. I use Zapier to collect stories for all of our shows, to put those stories in the right place, to make it easier for producers to take what I've bookmarked and put it somewhere else. But I have to tell you, if you haven't used Zapier in a while or if you're new to Zapier, now's the time to take a look. Because of AI, Zapier has become now even more amazingly useful. You've probably played with AI chat assistants and maybe had some good ideas about what AI could do for you. But there's a missing piece, that is having the AI tool integrate with the apps that you use.
Leo Laporte [02:12:39]:
Zapier interfaces to almost 8,000 different apps. Let me go to my Zapier page and show you all the app connections. And that means you can link an AI to a variety of applications. There are so many apps out there that you can connect to. Like I said, almost 8,000 apps. There's interfaces to everything, and you don't have to choose just one AI. Zapier works with all of the AIs that you might want to work with. Zapier is an amazing, amazing tool for anything that you would want to automate, anything you would want to run in the background.
Leo Laporte [02:13:21]:
I have a couple of Zaps that are running all the time so that when I bookmark a story in Raindrop.io, it understands Raindrop.io, it takes those stories, it puts them into a Google Sheet, it automatically posts them on Mastodon on my social. I mean, it does all this automatically. I set this up years ago and I haven't had to mess with it since. But let me encourage you to go to the Zapier website and take a look at all the different kinds of things, because you'll get some ideas for ways you might want to use Zapier. And now with AI, there is so much power. Zapier has now become really an AI orchestration platform. You can bring the power of AI to any workflow so you can do more of what matters.
Leo Laporte [02:14:09]:
And it works with ChatGPT, with Copilot, with Claude, with Anthropic, with Perplexity, with all the different AI platforms, Otter.ai. So I mean it'd be easy to set up, for instance, something that downloads the podcasts you want, uses Otter.ai to transcribe them, uses ChatGPT to summarize and pick out the bullet points, send you a daily email of the most important things you could learn. I mean, there is no limit to what you can do. You can connect all your top AI models, ChatGPT, Claude and so forth, to the tools you're already using. Use Slack, it works great. With Slack you can set up an AI response to customer support requests.
Leo Laporte [02:14:50]:
You can add AI wherever you need it. AI powered workflows, an autonomous agent, they've got chatbots for customer facing interactions. I mean, I almost hate to give you an example because the sky is the limit with Zapier, and you don't have to be a tech expert. Zapier is for everyone. It's been my secret weapon for years and now with the addition of AI, I've been coming up with idea after idea after idea and I don't think I'm alone. Teams have already automated over 300 million AI tasks using Zapier. They call them Zaps.
Leo Laporte [02:15:26]:
300 million Zaps using AI. It's amazing. Join the millions of businesses transforming how they work with Zapier and AI. Get started for free by visiting zapier.com/securitynow, that's Z-A-P-I-E-R dot com slash security now. Get started for free. Visit zapier.com/securitynow. Z-A-P-I-E-R dot com slash security now. My mind is just overflowing with ideas.
Leo Laporte [02:16:05]:
Project management, data management, customer support, marketing. The sky's the limit with Zapier. zapier.com/securitynow, and send me, you know what, if you've come up with an interesting Zap, they have a great gallery. But send me your idea or say that I've put it up on the Zapier gallery, because I just think there's so much you can do with this and I'd love to see what you're doing. zapier.com/securitynow. I play with it every evening. I come up with new ways to kind of figure out how to use Zapier.
Leo Laporte [02:16:40]:
Yeah, I'm that kind of guy. Now back to Steve and more Security Now.
Steve Gibson [02:16:46]:
Okay, so Mike Lendvay wrote: Hi, Steve, I wanted to note about the Apple memory protection MTE discussed on the last two podcasts that this functionality has been added to the Cortex line of ARM chips. The implementation is different, but the result is similar. Google enables this for its advanced protection mode. Additionally, GrapheneOS enables it at a system level and for apps likely to be targeted. It also offers a toggle to enable it for every app automatically and then disable it if the app won't work. Okay, so Mike's note was joined by others who wrote to tell me that Android and GrapheneOS both had access to the MTE features of the latest ARM chips, and they're 100% correct that version 8.5 of the ARM architecture introduced the MTE hardware.
Steve Gibson [02:17:47]:
And Apple also jumped on it immediately at the time, trying to use it for security. But security was never MTE's intended use. It was designed as a debugging aid for developers because it could be deliberately configured to detect their mismanagement of memory, which, as we know, is all too common, especially while software is in the works. The problem was that if it was operated in its asynchronous delayed notification mode, that was useful for developers, but not for security, which needed to prevent any misuse before it was allowed to occur, not to notify afterwards when it might well be too late. And operating MTE in fully synchronous immediate blocking mode incurs a significant performance overhead, which makes it impractical to use everywhere, all the time, or even often. So Apple first worked with ARM to extend the concepts of MTE after, you know, based on what they learned from trying to use it as soon as the 8.5 ARM architecture came out, and that created EMTE, the Extended MTE. Then they decided to commit, because they still couldn't get what they wanted, that is, performance and security both. Then they decided to commit the chip real estate resources which was needed to take those concepts, which, you know, had been proven to work, but still introduced excessive overhead when used for security enforcement.
Steve Gibson [02:19:34]:
And that work, that hardware commitment, resulted in what, you know, the A19 chips and what Apple called MIE, Memory Integrity Enforcement, which is not available to anyone else at this point except Apple. So it's true that generic ARM chips such as the Cortex family do now have MTE, but it needs to be used very sparingly when it's employed in synchronous mode for security enforcement. You can use it asynchronously, you get notified of a memory problem, but in some cases it could be, you know, after that memory problem has been used for an exploit. And Apple just said no, we need this thing to operate all the time and operate synchronously. So that was why they extended the ARM architecture as they did, in a way that nobody else has, at least not yet. And as I said last week, having thought about it further, I'm not sure that it makes sense for anybody else to do it. I don't think Google and Samsung or anybody else probably ought to bother, because it is, you know, it's a massive investment in order to get just that last .000000001 of the people, you know, the highly targeted people. Apple just, they've got somebody there in Cupertino who just refuses to have a single compromise. And the rest of us get the benefit of that. Right?
Leo Laporte [02:21:14]:
It's good for their business. I mean this is, you know, people trust them because of us.
Steve Gibson [02:21:18]:
Yeah, exactly that. And it means that we're not having to update our iOS as often because they're, you know, they've got to update iOS for everybody when they find some little problem that might affect almost nobody. And so this just means it's going to be a more stable OS. I think it's great. Mick Fink said: Hi Steve, I tried experimenting with passkeys. We use Microsoft Office and Azure at work, and because Entra would not let me install a passkey directly on my Mac for whatever reason, I added it instead to my Microsoft Authenticator app on my iPhone. Here are the two login flows side by side.
Steve Gibson [02:22:03]:
Username and password versus passkey. Okay. Username and password. Open password manager. Launch. Click the launch button for my Microsoft account. Username and password are filled in automatically. Right? Allow. He said a window comes up with a two digit code that I have to enter into my MS
Steve Gibson [02:22:27]:
Auth app. Pick up my phone, unlock phone with six digit code, click on the Authenticator app on my phone, re-enter my phone's device code for the MS Auth app, that is, the six digits again, to unlock the Auth app, enter the two digit code. Tell my computer yes, I would like to remain signed in, and I'm in. Okay. Okay, that sounds like a lot.
Steve Gibson [02:22:51]:
He demonstrates that passkeys is worse. He says now let's do this again with a passkey. Click on the login bookmark on my computer, pick an account. I have two accounts. Let's use the passkey one. Click the Next button on the Face, Fingerprint, PIN or Security Key welcome screen. Click on where my passkey is saved. Not on my Mac, I couldn't do that. So let's click on the phone option.
Steve Gibson [02:23:17]:
I receive a QR code to scan. Unlock phone with six digit code. Click on MS Authenticator app. Enter six digit code again for MS Auth app access. Click on the QR code scanner button. Point the camera at the computer screen. The QR code is seen and registered.
Steve Gibson [02:23:36]:
MS Auth app says your iPhone needs to connect to this device in order to sign in with a passkey. Phone's Bluetooth, he said, was already enabled, otherwise that would be more clicks, so click the Continue button to permit MS Auth to proceed with permission. Sign in by clicking the Use Passkey button on my phone. Enter six digit phone code yet again. Tell my computer yes, I would like to remain signed in, he said. Now the computer screen finally shows me that I'm logged in.
Steve Gibson [02:24:08]:
Is it any wonder why passkeys are not popular yet? Love your show, Mick Fink. So it did occur to me, looking at that, that using Face ID for all those various intermediate authentication stages would make things easier. The trouble is, man, the trouble that he's basically highlighting is there are so many places where abuse could be inserted into the flow that we're stuck needing to continually re-authenticate, switch devices, arrange inter-device communications and jump through hoops. I'm sure that Mick's point is to acknowledge the enhanced security, but to wonder whether it's really worth all the trouble. And I can certainly see his point. The biggest threat was having a single password that people used everywhere, right? Remember, Leo, the old days, 20 years ago, it was what's your password? monkey123.
Leo Laporte [02:25:10]:
Right?
Steve Gibson [02:25:11]:
It's like okay, or password was most people's password because no one gave a crap back then.
Leo Laporte [02:25:18]:
Didn't matter.
Steve Gibson [02:25:18]:
But yeah, password based password managers, I mean browser based password managers, solve that problem and we've had them for years. It's tempting to wonder whether we shouldn't have just left well enough alone with that. Having a passkey is unquestionably useful when super security is called for, but that's really comparatively rare, right? Since I'm the only person who uses any of my own PCs, I have every single site logging me in permanently anyway. Yes, I need to authenticate to my computer when I boot it up, but once it's on, all the sites know me. Whenever I need to do anything important, such as, you know, managing investments, I'm required to respond on the fly to an email and phone message loop, a one time password, you know, and go through all that effort in order to even be working with a PC that it's previously seen. So I guess my takeaway is, since no one is yet forcing passkeys upon us and since they are truly more hassle to use, don't use them when they're not something that you really need. It may seem cool in the beginning to, like, use a passkey, but as we've just seen, it puts you through a lot of extra effort every time you need to authenticate yourself, which may not be all that important for most of the sites you use. And also using passkeys in same device mode, which this guy's system for whatever reason would not allow him to do, if it had been on his Mac it would have been a lot easier.
Steve Gibson [02:27:07]:
Same device mode, where you don't need to coordinate multiple devices and a separate MS Auth app that you need to authenticate to three times, that, you know, makes it much easier to use. So his was probably a worst case situation.
Leo Laporte [02:27:22]:
This is not how I use passkeys at all. I have it in Bitwarden and it's easier than just doing a password because I just, you know, I enter the. It depends on the site. Some sites make it harder. I agree.
Steve Gibson [02:27:34]:
Right. But most sites, there's not a uniform flow.
Leo Laporte [02:27:37]:
Right. Most sites, after I enter my email address, will say, there's a button that says Use Passkey. Bitwarden handles it from there and I don't have another click. I'm done. It's easier to me than a password, so I prefer passkeys if sites make them available. Now I have to say there's some places like Amazon where you still have to enter in, for some reason, your six factor authentication code. After you enter the passcode you. It's like, what is that adding? Nothing.
Leo Laporte [02:28:06]:
I don't know, what are you doing? So it isn't. That's part of the problem, is it's still early days on passkeys. In theory they should be more convenient. I think we'll get there.
Steve Gibson [02:28:18]:
Yeah, we'll get there. Yeah. And I guess I think that maybe he doesn't have a choice with his company and Entra and the MS Auth, all that MS Auth nonsense.
Leo Laporte [02:28:31]:
Yeah, that's the problem. It's Microsoft. If you're a normal person using a password manager, I, you know, I use Bitwarden, I use passkeys whenever possible, and because Bitwarden's everywhere, or 1Password or whatever, you know, whatever you choose to use, whatever your tool, it's on everything. It's not tied to your phone specifically. It's on everything. That's very convenient.
Leo Laporte [02:28:52]:
It seems to me it's more convenient. But maybe it's just me. I don't know. Yeah, I don't know. GitLab also requires a one time password after logging in with a passkey, so maybe there's something going on Amazon and GitLab know that I don't. That's what Darren's saying. I don't. That seems odd.
Leo Laporte [02:29:11]:
So GitHub makes it so easy. It's just great.
Steve Gibson [02:29:14]:
I love it. Chris Forrester, a listener, said: Hello Steve, after listening to the last few weeks' discussions on age verification, I had a thought I'd like to have your input on. I realize the onus is currently being heavily placed on the provider of age restricted content, similar to physical locations such as restaurants, bars and convenience stores which are required to proactively assert a user's age prior to selling them alcohol. However, as has been pointed out several times, this is not the physical world being dealt with in these discussions, and this problem is going to be fought as an unacceptable burden by the providers. Episode 1044 really brought that home to me. Actually, that last week's episode really registered with a lot of our listeners. He said, is it reasonable to believe that we will begin seeing a turn to the client as being the responsible party? For example, let's say there's a single PC in a household of four individuals.
Steve Gibson [02:30:17]:
That PC is a shared device and has a single username. Perhaps these are non-techie people who don't think that's a problem in and of itself. Perhaps it's a grandparent who allows their grandkids to use the PC whenever they come over. I believe it's possible we will see laws enforcing strict user account controls in order to enforce age verification requirements, where each account is associated with an age verification service of some kind and the abuse of those restrictions is punishable by law. Basically, each account becomes a vault only accessible by the intended user. It seems like this would fall in line with more real world scenarios such as, say, a liquor cabinet, where the responsible adult is considered fully liable when accessed by minors. I don't like or agree with it, but I feel like this is a real possibility of where the longer road is leading.
Steve Gibson [02:31:15]:
I was a TechTV watcher when I was a kid and I've been a weekly listener to Security Now since 2007 and cannot begin to tell you how much I've learned from you and Leo over the years. You two are 100% responsible for my career in security focused software development, and I would be honored to have a mention on the podcast if that were to happen. Feel free to use my name. Looking forward to episode 2000. Thanks, Chris Forrester. Thank you, Chris. Chris, welcome to what, 18 years of the.
Leo Laporte [02:31:51]:
Podcast so and now fame and fortune awaits.
Steve Gibson [02:31:55]:
So what Chris suggests is an interesting extension of the notion I shared last week, where a user's browser is aware of its user's date of birth. It never discloses that date, but by using some future W3C browser API extension, a website is able to ask for that information rather than giving it over freely. The browser informs its user that it's being asked for their age, and the user can then decide whether this is a reasonable request based upon where they are, and they would be free to decline. Now, presumably, if the user had not in some way authenticated themselves to the browser already, the prompting for their age would then require them to authenticate themselves to the browser somehow. So what Chris has added to this model is that our authenticated operating system logon sessions would provide that authentication. Our OS account, for example, such as Microsoft now has us logging into all the time, might possess a confirmed date of birth, which a browser running on the system could inherit from the logged on user, and then only need to confirm whether the user wishes to let the site they're visiting know, you know, what their age bracket is. And conceivably, browsers could also be preset with a never ask, always ask, or always just say yes setting to decide how to handle such remote age requests, depending upon the user's preference. So it might just be done for you automatically, very much like the, you know, the Do Not Track or the GPC signals that our browsers give out in their headers.
Steve Gibson [02:33:52]:
So anyway, I'm with Chris, and I'm sure that, you know, with most of us or those who are listening, that this is all a big mess. But, you know, laws are being written whether we like them or not, and we're already seeing services and sites that we use either pulling up stakes or working to remain online and compliant with these emerging laws. We need standards desperately. Brian Tanner wrote: Hey Steve, a while back you pointed to a video by an LLM guy that was a soup to nuts explanation of how the whole LLM system works. Try as I might, I can find neither the reference nor the video. Could you point again please? Brian, absolutely. I'm sure that Brian was recalling the amazing presentations created by Grant Sanderson, the animated math wizard over at 3blue1brown.com. Go to 3blue1brown.com; in both cases use just single characters for the numbers, you know. So the digit 3, blue, the digit 1, brown, dot com.
Steve Gibson [02:35:09]:
Then click on Neural Networks. You'll see a big grid of topics. That's where the tutorials that I talked about before are located. And they are, they're as good as you remembered. I've got a link to the first one just to get you started in the show notes down here on page 20 if you're interested. But anyway, 3Blue1Brown, and there's a bunch of stuff that's fantastic at that site. Not just the LLM stuff, but Neural Networks is the series that takes you from the beginning all the way through.
Leo Laporte [02:35:47]:
And I also, yeah, this is the Neural Network. So I have a recommendation as well. I like, and I've mentioned this before, Andrej Karpathy, who was at OpenAI, one of the founders, went to Tesla, does AI there. He's a very, very smart guy. This is a three and a half hour lecture on how LLMs work that includes training, includes the latest in reinforcement learning, how that works.
Steve Gibson [02:36:15]:
Wow.
Leo Laporte [02:36:16]:
Once you watch the 3Blue1Brown, I think this would be the next step, because this is from an actual AI researcher and scientist and his understanding of this I think is very deep. And how do we find that? It's his channel on YouTube. Andrej.
Steve Gibson [02:36:35]:
Okay, so K A R P A.
Leo Laporte [02:36:38]:
T H Y. T H Y, and it's a deep dive into LLMs, like ChatGPT. All of his videos are great, but this one, Deep Dive into LLMs, it's seven months old and has had 3.6 million views.
Steve Gibson [02:36:51]:
Yeah.
Leo Laporte [02:36:52]:
And I think it's because it is, it certainly, I felt like it taught me what I needed to know about how LLMs work, you know. And as a result I think it made me a better user of LLMs because I understood better what they could and couldn't do.
Steve Gibson [02:37:08]:
Yeah, nice.
Leo Laporte [02:37:09]:
But I like the, I also like the one, the 3Blue1Brown one is really good.
Steve Gibson [02:37:14]:
Yeah. 3Blue1Brown is, like, right, is a perfect, great channel, and that particular series, I think they're 50 minutes each, and it's a great introduction to the technology, and it sounds like then Andrej's would be a follow-on.
Leo Laporte [02:37:32]:
It's very deep. I mean, but then you're going to understand how these things work, which I think people want, right?
Steve Gibson [02:37:40]:
Ryan Lloyd asked, hi Steve, I watched a video linked to in episode 1044 on the digital age verification implementation from the EU. Oh, that. That's the little video that we played, the 2 minute 46 second video. He said, I found it interesting, working closely with companies in this space. He said, I can't help but think there's one major oversight in this privacy preserving approach, however. There appears to be no biometric slash liveness verification that occurs at any point during the workflow. It appears to just be providing an identity card to the app. It seems to me a user could easily obtain such an identity numerous ways: borrow from their parents, reuse from their cousin, obtain on the Internet from a Reddit forum or black market.
Steve Gibson [02:38:38]:
He says young people facing a blockage in gaining access to restricted content material tend to be resourceful. So I'm struggling to see how this approach will really help ensure end users are kept out. It feels like this is less about verifying the age of the user behind the screen as it is about verifying the user can obtain a scan of an identity artifact that is of age. I welcome your thoughts on this. I had similar concerns when you raised the idea of browsers bearing the burden of age verification in the future. My feeling is that even if a browser implements this, the browser has no guarantee that the user with physical access to the device is the same user who verified their age at some point in the history of setting up the browser, unless you wish to inconvenience every site with reverification using liveness techniques. Thanks, Ryan.
Steve Gibson [02:39:32]:
And I agree with everything that Ryan observed. Our listeners will recall how many times I've noted that to truly solve this problem, Siri, I mean, like, if you really want to solve it, any assertion of identity must be closely bound to some effective biometric authentication. If we don't do that, we're just creating another easily bypassed solution, the result being that everyone is inconvenienced while the actual problem remains unsolved. What we learn is just how difficult it is to bring real world solutions into the cyber world. You know, kicking and screaming. Lee McKinnell said, hi Steve, I decided to see if I could block my browser's access to localhost. So I asked Google and got this result, and he put in a link to a superuser.com question, and the question was, I am migrating to Firefox from Safari and notice that any website that I visit has permission to attempt to make connections to localhost ports. Like, Leo.
Steve Gibson [02:40:44]:
Any website you visited could query your Ollama instance, for example. He says, is there a way to configure Firefox to block such connections? Safari already does this natively. Good old Apple. And the response is, uBlock Origin has this capability but it is not enabled by default. To enable it, enable filter lists, then go to Privacy and Block Outsider Intrusion into LAN. Block Outsider Intrusion into LAN, under the Privacy setting for filter lists in uBlock Origin. Not surprising that old gorhill was there before us and already has that built in. He said this also works for Chrome-based browsers like Brave, as it is also a setting in the uBlock Origin Lite version. So even if you can't use full uBlock Origin any longer under Chromium-based browsers that are using the third generation schema for extension add-ons, Manifest V3, you can still do this in Lite. So that's Lee McKinnell, Brisbane, Australia. Thanks very much for the tip, Lee.
Steve Gibson [02:42:03]:
Appreciate it. And finally, Joey Albert. He said, Steve, October 14th, and then he gave me a link to the Windows end of support announcement, and he said, we use, and it's clear from his posting, we meaning our enterprise, use 0patch, and it makes sense. The TSR patches in RAM and reapplies all patches when rebooting, so the subscription makes sense. It's like subscribing to streaming services. If your subscription expires, no more music. He said 0patch is $41, translated from the euros which they charge. Windows 10 support is $30 for consumers, but not for businesses. For businesses it's $61 for the first year and doubles each year after; it stops after three years. So 0patch is a bargain.
Steve Gibson [02:43:03]:
Meaning instead of going 61, 122, what, 240 for the third year, 0patch for an enterprise is just 30, or 41 in euros, and that goes for five years, by the way, not stopping after three. So anyway, I thought that Joey's point was a good one. We need to remember that all of this Win 10 ESU stuff is only for end user consumers, not for commercial business users. None of this, I think, as far as I know, none of this applies to enterprise users who have Windows 10 Enterprise, as far as I know at this time. Of course, as we know, the situation is very fluid. So who knows. And Leo, that's 1045.
Leo Laporte [02:43:58]:
Wow. What a great show. I wish you would do these more often. I really.
Steve Gibson [02:44:03]:
I think we'll do it every week. How about we do it every week?
Leo Laporte [02:44:09]:
How about we do it on Tuesdays?
Steve Gibson [02:44:11]:
How about we do it every week on Tuesdays and maybe for 20 years?
Leo Laporte [02:44:17]:
I meant the listener response, but you're absolutely right.
Steve Gibson [02:44:20]:
Oh, oh, oh, yes.
Leo Laporte [02:44:22]:
I enjoy everything you do. This is an absolutely great show. And yes, let's keep doing it. Thank goodness you gave up on that silly notion of stopping after 999. What would we have done? My gosh. I mean, here we are at 1000. What is it, 45 now?
Steve Gibson [02:44:41]:
Yes, 1045.
Leo Laporte [02:44:43]:
Unbelievable. So that's 45 shows, 135 hours of great content that you wouldn't get. 46. Let's add another three that you wouldn't have. Well, I guess we stopped it. We didn't stop at 999. We continued on. Steve, thank you so much.
Leo Laporte [02:45:02]:
Mr. Gibson is at GRC.com. That's where he makes his home on the Internet. That's the place you'll find his bread and butter, which, of course, is the fabulous SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. Currently, if you don't have the latest version, get it. Upgrades are free for existing users. If you don't have a copy, get it. Because there is no doubt in my mind your mass storage will fail at some point, and you will be very glad you have a way to get it back up and running. Even things like Kindles, which is remarkable.
Leo Laporte [02:45:35]:
Yes, it works with SSDs, it works with all kinds of storage. While you're there, you might want to sign up for Steve's mailing list. There's two, actually. One is show notes for this show, which he mails out usually the day before. Sometimes. And sometimes it goes into your spam. But not always. We're fixed.
Leo Laporte [02:45:55]:
He's fixed that, so check your spam folder if you don't see it. He also has a much less frequent mailing list. In fact, there's only been one email ever on it. But there will soon be a second one, because that's how he's going to announce the release of the DNS Benchmark Pro. So click those two boxes. You'll be giving him an email address. The other benefit of that is then he whitelists your email address so you can also send him comments, suggestions, pictures of the week. You can interact with Steve also on his forums.
Leo Laporte [02:46:24]:
They're great at GRC.com, and there's a lot of other stuff at the website, including unique versions of this show Steve does. Actually, all the versions on his website are unique. A 16 kilobit audio version, a 64 kilobit audio version that sounds a little bit better. Handcrafted transcriptions from Elaine Farris, an actual human being, we've checked. And that's nice, because then you can read along as you listen or use it to search. Really, you should have every show. They're all available at the website, and I guess if you want to save them all, you could put them all in the 16 kilobit version if storage is short, but you'd have them all. And then if you have the transcripts to them, that's great.
Leo Laporte [02:47:05]:
He also has his show notes there, so you don't have to get them via email; you can just download them from the website, GRC.com. We have the show at our website as well, twit.tv/sn. We have a 128 kilobit audio version, which is really overkill. But if you want all the bits, that's the way to get them. There's also video, which some have said is not necessary, but I personally like to see the picture of the week and things like that. And Steve's mustache, we like to check in on that every once in a while. GRC, I mean, the TWiT TV, there's a YouTube channel dedicated to the video as well.
Leo Laporte [02:47:42]:
Great for sharing clips. This, of all the shows we do, is probably the one that's most often clipped, because people want to share this information with their boss, with their IT department, with their friends and family. YouTube is a great way to do that. Everybody can see it. Or the best thing to do, subscribe in your favorite podcast client, you'll get it automatically. The RSS feeds only go back 10 episodes because we don't want to bloat them with 1045 entries. So if you need them all, you go to the website, and actually people have written scripts, but you could go down and download them all from the website. They're all there, starting with SN1 from 20 years ago.
Leo Laporte [02:48:19]:
We do the show live, so it's also possible to watch us live. And a lot of people like to do that, because then they're up to date right away. We do it Tuesdays right after MacBreak Weekly. That's 1:30 Pacific, 4:30 Eastern, 20:30 UTC. The streams are, of course, in the Club TWiT Discord. People who support the show with their donations, thank you, get access behind the velvet rope. That's how I think of it. In the Club TWiT Discord.
Leo Laporte [02:48:45]:
You can also chat along with me. And sometimes other hosts are in there. Not Steve, but other hosts are in there. You get ad-free versions of all the shows too, for that. Find out more at twit.tv/clubtwit. We also, for the general public, everybody can watch live on YouTube, Twitch TV, TikTok, X.com, Facebook, LinkedIn and Kick. So seven other places you can watch the live streams every Tuesday afternoon.
Leo Laporte [02:49:11]:
Steve, have a wonderful week.
Steve Gibson [02:49:13]:
You too. I will see you next month, in the month of October.
Leo Laporte [02:49:18]:
Sober October. Sober October.
Steve Gibson [02:49:21]:
I like it.
Leo Laporte [02:49:23]:
If you say so.
Steve Gibson [02:49:27]:
Bye.
Leo Laporte [02:49:31]:
Security Now.