This Week in Tech 1056 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for TWiT, This Week in Tech. Stellar panel for you this week. Stacey Higginbotham is here from Consumer Reports. Jill Duffy from PC Magazine and Wired magazine. And our favorite security guru after Steve Gibson, Alex Stamos is here. We're going to talk about the time change and how we almost we came this close to avoiding it. Thanks, Congress. We'll talk about YouTube TV and Disney.
Leo Laporte [00:00:28]:
Alex ain't too happy about his Cal game and the AI layoffs. Are they really AI? And is the big crash coming? All that more next on TWiT. Podcasts you love from people you trust. This is TWiT. This is TWiT, This Week in Tech. Episode 1056, recorded Sunday, November 2nd, 2025. The Big Sleep. It's time for TWiT, This Week in Tech, the show.
Leo Laporte [00:01:10]:
We cover the latest tech news. And, man, we got a great panel.
Leo Laporte [00:01:15]:
Oh, man.
Leo Laporte [00:01:16]:
I know I say this every week, but it's true. This week, Stacey Higginbotham is here. She couldn't make it last week due to a power outage on her tight little island, but she consented to join us this week, and I'm so thrilled. Hi, Stacey.
Stacey Higginbotham [00:01:30]:
Hi. Happy to be here.
Leo Laporte [00:01:32]:
Policy fellow at Consumer Reports. She's the person responsible for getting Microsoft to back down on. Wait a minute. They didn't back down.
Stacey Higginbotham [00:01:42]:
I'm the person tilting at windmills. I know they kind of.
Leo Laporte [00:01:46]:
They made it as easy as possible to get another year out of them, but they didn't do what you and your colleagues called for, which was to just give it another year. Microsoft, you're going to do it anyway. Give it another year. It's great to see you, Stacey. We will have another Stacey's Book Club. And I will tell you what that book is soon. She's reading it right now and she's depressed. Also with us, Jill Duffy.
Leo Laporte [00:02:10]:
We haven't seen Jill in a long time. It's so great to see you. She's a contributor to PC magazine and Wired and always welcome on our network.
Stacey Higginbotham [00:02:20]:
Thank you.
Leo Laporte [00:02:21]:
Even though it's five in the morning where she is today. I'm so sorry.
Stacey Higginbotham [00:02:25]:
Yeah.
Jill Duffy [00:02:25]:
Shout out to everybody on Vientiane, Laos.
Leo Laporte [00:02:29]:
They're up early in Laos. It's Monday. By the way, I noticed Brave New World is a library book. You might want to get that back before you.
Jill Duffy [00:02:37]:
Oh, I think it was like a library sale.
Leo Laporte [00:02:40]:
Oh, good. Okay.
Jill Duffy [00:02:41]:
When they were liquidating old stock. Yeah, yeah, yeah.
Leo Laporte [00:02:43]:
I'm very aware of it because I'm reading a book right now. I'm listening to an audiobook from the library at Libby and it's only got eight days and I don't think I'm going to make. And that's a bad feeling. I don't know if you can extend audiobooks.
Jill Duffy [00:02:56]:
You gotta get back on that list.
Leo Laporte [00:02:58]:
I know. It was four people ahead of me, so. Yeah, it's gonna be a while. All right, so it's 5am in Laos, but it could be 4am but you live in a country, a wise country, a thoughtful country, where they don't change the clock twice a year. People who have been here for an hour waiting for us to start the show maybe didn't notice. We are now in standard time, which means we start at an hour later. But that's good for you.
Jill Duffy [00:03:31]:
For me, today? It's good for me, yes.
Leo Laporte [00:03:33]:
It's good for you.
Jill Duffy [00:03:34]:
Yeah. You know, the closer you get to the equator, the less it matters.
Leo Laporte [00:03:37]:
It doesn't matter.
Jill Duffy [00:03:38]:
That's right, because the sun rises and sets nearly the same time all year round.
Leo Laporte [00:03:43]:
It's the people who are farthest from the equator who I think benefit the most from saving time. Ironically, the person who blocked it in the United States is from Arkansas. We were this close, this close in the United States to have permanent Daylight Saving Time. In fact, even the president said that changing the clocks is, quote, and he said this, of course, on Truth Social, a big inconvenience and for our government, all in caps, a very costly event. Yeah, you got all those people going around winding the climb. What do you mean? Anyway, there was a bill to fix this that could have passed in time to keep the change from happening last night. Sheldon Whitehouse, Democrat of Rhode Island, you couldn't get farther left than Sheldon and farther right than.
Leo Laporte [00:04:40]:
Tommy Tuberville, Republican of Alabama, called for the Senate to pass the bill on Tuesday, the Sunshine Protection Act. But Tom Cotton of Arkansas single handedly blocked it.
Jill Duffy [00:04:55]:
There has been a bill like this every year. I'm gonna say every year for at least the last 10 years, maybe longer than, probably longer than that. And every year Americans get their hopes up and it never happens.
Leo Laporte [00:05:07]:
It's not controversial. Well, you know what's controversial? I think one of the reasons it stops is the controversy is, well, should we do Daylight Saving Time or standard time? And it's about 50, 50. And that's probably part of the controversy. Cotton says if permanent Daylight Savings time becomes the law of the land, it will again make winter a dark and dismal time for millions of Americans. The sun wouldn't rise till after 8 or even 8:30 during the dead of winter in Arkansas. Try Alaska. It'll be like 10 in the morning before the sun comes up. I could, you know, why isn't Alaska fighting this? I don't know.
Leo Laporte [00:05:45]:
Anyway, the darkness of permanent savings time would be especially harmful for school children and working Americans. Another year lost.
Stacey Higginbotham [00:05:54]:
I think there is a. The biggest issue is kids waiting for the bus in the dark. Did we want to introduce Alex?
Leo Laporte [00:06:00]:
Did I not introduce Alex? Son of a gun.
Alex Stamos [00:06:04]:
I just. I'm just gonna hack my way in here at some point.
Leo Laporte [00:06:07]:
Oh, sorry. God. I just. It's not that I didn't know you were here. I was just so upset about this. Alex Stamos is here. You know, we get Alex, like twice a year. I'm thrilled to have him on his newest job.
Leo Laporte [00:06:23]:
He's the chief security officer at corridor.dev. Very timely because corridor.dev is designed to protect people using AI to code. Yeah, the security layer for AI coding. You couldn't be more timely on this. We're going to talk a little bit about agentic browsers because more and more problems with them.
Alex Stamos [00:06:45]:
Yeah.
Leo Laporte [00:06:46]:
Alex Stamos's name, though, is legend. He, he founded the Stanford Internet Observatory, which is now, sad to say, defunct. But that was watching for disinformation. And of course, we know there's no disinformation, so you didn't really. We didn't need it. CSO at Facebook, Yahoo. Zoom called him in to fix their problems during COVID. He's legend in the business.
Leo Laporte [00:07:11]:
Alex, it's so great to have you on the show. I appreciate it. Thank you for being here and congratulations on the relatively new gig.
Alex Stamos [00:07:20]:
Yeah, just jumped a couple months ago. Seemed a lot more fun than being a CISO at a big public company. It's.
Leo Laporte [00:07:27]:
Yeah, is. Is Corridor. It's a startup, I would guess, right.
Alex Stamos [00:07:30]:
Startup, like eight people right now. Started by two of my former Stanford students, actually.
Leo Laporte [00:07:34]:
Oh, nice.
Alex Stamos [00:07:35]:
I was. I was one of their first seed funders and they seem to be having a lot more fun than I was, you know, csoing at a public company, so decided to make the jump.
Leo Laporte [00:07:45]:
You don't have all those pesky shareholders to think about. You just do your job.
Alex Stamos [00:07:50]:
Yeah. SEC 8-Ks and.
Leo Laporte [00:07:53]:
Yeah, yeah, yeah. Well, I'm sorry about the Stanford Internet Observatory. That's, again, another fine act of Congress.
Alex Stamos [00:08:02]:
Yeah, well, yeah, because, I mean, our two big things are disinformation. We actually did a ton of work on online child safety and AI and child safety stuff that we totally care about. Right? So gosh darn it.
Leo Laporte [00:08:15]:
Well, that's probably a little more important than the clocks changing twice a year.
Stacey Higginbotham [00:08:19]:
So.
Alex Stamos [00:08:21]:
This is also. People keep on bringing up the idea this would be the time for us to go to just two time zones in the US just in east and west. Right. Get rid of Central and mountain.
Leo Laporte [00:08:30]:
Well, there are even people who say we should just go to UTC worldwide and forget about it. And you just figure out when the sun's up in your neck of the woods. Right. And schools could, you know, start at whatever 1400 UTC. They wouldn't have the whole issue. But I guess that's a little. That's a bridge too far. It's really silly to be moving the.
Stacey Higginbotham [00:08:51]:
Clocks, but you can't even use the metric system. I mean, you don't know what's going to happen.
Leo Laporte [00:08:55]:
I know. You know, it's funny, Alex, I was vibe coding this morning. I got up early because my, my, my biological clock thought it was 7am but it was 6am. So I thought, well, I got. For some free time I'll sit down with Claude Code, clean up my Emacs configuration in time for a couple of coding challenges coming up this month and next. And three hours gone by and it did it, by the way. It's mind boggling what it did. I mean, I thought, oh, it's not going to really know Emacs. That's kind of obscure.
Leo Laporte [00:09:28]:
It's not going to Common Lisp because that's what I code in. No, it's great. In fact, the older the language probably the better, right?
Alex Stamos [00:09:37]:
I mean what it needs is lots of examples and there's tons of examples of people have their Emacs configs out there. There's lots of Lisp. I think Structure and Interpretation of Computer Programs, you know, the famous computer program, CS61A? I think that's actually completely open source. So it's been trained on the whole. That's right.
Leo Laporte [00:09:55]:
And How to Design Programs, which is Racket but similar. Both are Scheme.
Stacey Higginbotham [00:09:59]:
Yeah.
Leo Laporte [00:09:59]:
Which are lisps. Yeah. I mean that's what got me into Common Lisp. I followed that path and scheme was a little restrictive. But Common Lisp, know it's as old as I am. I like a language that's as old as I am. Anyway, enough of that. But Vibe coding is amazing.
Alex Stamos [00:10:20]:
It is.
Leo Laporte [00:10:20]:
And it's just mind boggling. What I use, Claude Code, but Codex from OpenAI, Cursor. I mean so many of these tools now, Lovable, that and I think companies more and more, is there a risk to companies adopting vibe coding? I mean, it does seem like.
Stacey Higginbotham [00:10:39]:
You.
Leo Laporte [00:10:39]:
Kind of risk not really understanding what the AI has done.
Alex Stamos [00:10:43]:
So first off, I think we have to separate these two things. There's two totally different uses, Right. So there's the Vibe coding, which is like amateurs using these tools to do fun things, to do amateur projects, me hobbyists. Yes. Right. And that's great. I mean, I think this is actually a wonderful thing. Over the next couple of years, we're going to see really positive impacts from normal people being able to use computers for the first time ever as they really should be used.
Alex Stamos [00:11:09]:
Right. Like it used to be if you were just a normie and you had to parse through, you know, megabytes and megabytes of data, you had to either have a data scientist or you had to, you know, get it in Excel and try to, you know, work your way through it. And now you can go into Claude Code and it will, if it can't load it into its, into its own context window, it will write Python to do it for you. Right.
Leo Laporte [00:11:33]:
Like, yeah, that's what it does. Yeah, yeah.
Alex Stamos [00:11:35]:
That's the kind of thing that, you know, a lot of CS folks took for granted and now billions of people have access to that level of capability over the next couple of years. That's amazing. That's a positive thing. That is different than software. Professional software engineers utilizing AI-enabled tools to help them speed up, which is also a really positive thing, but does have some interesting challenges. And that's what we're doing at Corridor is basically building the frameworks that if you're a bank, if you're an aerospace company, if you have to live up to existing frameworks, to privacy rules, to safety and security rules, these tools are really cool, but they don't understand those things. They don't understand architecture very well and they certainly don't understand the rules you've had to live before. They make things really fast, but they're still human beings who will go to jail if you break those rules.
Alex Stamos [00:12:26]:
Right.
Leo Laporte [00:12:26]:
So you want to have customers whose Social Security numbers will be leaked.
Stacey Higginbotham [00:12:32]:
There was actually, I'm sure Alex, you saw it. Jen Easterly wrote something in, I think it was Foreign Affairs, maybe she had a really good article or op-ed about basically vibe coding, allowing for better cybersecurity on the development side because it'll be cheap and easy. And that's what you need to embed security into things because people don't really pay for it.
Alex Stamos [00:12:58]:
So I don't know Yeah, I think it cuts both ways. I think.
Stacey Higginbotham [00:13:02]:
Exactly.
Alex Stamos [00:13:02]:
The AI tools are going to make fewer of the individual mistakes, but we're also ending up with adversaries being able to find bugs faster. I think we're going to talk about that in some of our stories.
Leo Laporte [00:13:13]:
Yes, yes.
Alex Stamos [00:13:16]:
Also, the other crazy thing is adversaries are using vibe coding tools as well. That's actually been a big change in the last 6 months. If you look at both OpenAI and Anthropic have threat intel reports. It's kind of a model they took from the big social media companies of these quarterly threat intel reports. This is how we see people abusing our platforms. And they've always said folks have done spear phishing and spam and this kind of stuff. In the last six months, these reports have really changed, that now all of the steps of the traditional intrusion kill chain are now being automated on top of OpenAI and Anthropic, including tool creation, exploit creation and such.
Alex Stamos [00:13:52]:
And this is a big deal because, like, one of the dirty little secrets of the attacker world is traditionally only a relatively small number of adversary teams have had the ability to do true O day creation and exploit development. Right. You've got obviously the Five Eyes, the US and our Anglophone allies, the France and Germany, a couple of the European countries, Israel, obviously Russia, China, some of the best Iranian groups. Most of the Iranian groups don't do O day. Right. Like, they get away with like really good password sprays and social engineering and such. India and Pakistan do terrible things to each other, mostly without O day. And with.
Alex Stamos [00:14:28]:
Without new exploits.
Leo Laporte [00:14:29]:
You're saying, oh, day. You mean zero day.
Alex Stamos [00:14:32]:
Zero day. Right. Like without actually creating new exploits or new vulnerabilities.
Leo Laporte [00:14:36]:
I'm sure in your, in your, in your group. I'm sure O day. I just want to make sure everybody understands because I've always called a zero day. And.
Alex Stamos [00:14:43]:
Yeah, I'm sorry.
Leo Laporte [00:14:44]:
No, no, no. If I'm going to call it O day from now on. If Alex Stamos calls it O Day, it's O day.
Alex Stamos [00:14:49]:
Zero day. I'm sorry, but like, meaning, like I.
Stacey Higginbotham [00:14:52]:
Have that same issue there.
Alex Stamos [00:14:54]:
My. My apologies.
Leo Laporte [00:14:56]:
I was thinking od. Is this. Is this a. I'm still thinking about the grunge thing over here.
Alex Stamos [00:15:03]:
Right. ODE is not the SI unit, my apologies, of exploitation. But yeah. So very few adversaries have ever actually been able to do that. And with vibe coding, which will mostly not be on OpenAI, Anthropic, it's mostly going to be open source tools that are specifically retuned for this, and you actually find some of this stuff if you go to Hugging Face. People have built models, open source models, specifically to do things like write exploit code.
Alex Stamos [00:15:31]:
That is how we can build these exploits going forward.
Leo Laporte [00:15:34]:
Wow.
Alex Stamos [00:15:34]:
And that's going to.
Leo Laporte [00:15:35]:
Can they innovate or is it just rehashing existing the exploit code?
Alex Stamos [00:15:40]:
It's rehashing, but that's good enough. Right. If you use these tools and you take some off-the-shelf open source thing that's super widely used and you scan through it and you find a use-after-free bug. Use-after-free is use-after-free, right. And AMD64. And so if you use something that's been trained on 5,000 AMD64 exploits in the past, then like, knows where to look. Yeah, exactly.
Leo Laporte [00:16:07]:
That's really interesting. Is it your. I mean, script kiddies have always been a problem. These are people who don't have the skills perhaps to create good hacking tools, but can use other people's hacking tools. Is it your sense that if somebody's good enough to write these tools from scratch, they're less likely to be evil and so making it accessible to script kiddies makes it worse, or is that just a nutty premise?
Alex Stamos [00:16:31]:
Well, it's. I mean, even among the adversaries who had this capability, very few of them have. Right.
Leo Laporte [00:16:37]:
Like, yeah, so you're making it more widespread. I mean, that's bad enough all. All by itself.
Stacey Higginbotham [00:16:42]:
Yeah.
Alex Stamos [00:16:43]:
You look at the Russian adversaries, right? You've got like the difference in quality between like the top hacking teams at the SVR versus the not as good hacking teams at the GRU versus the monetarily focused ransomware teams is humongous. Right. Like the people who did the SolarWinds hack, they built a custom in-kernel Windows rootkit which swapped out SolarWinds source code in memory. It swapped out the page in memory without touching disk. It decrypted it, swapped it out just for the moment it was compiled and linked and then swapped it back in.
Leo Laporte [00:17:20]:
Oh my God.
Alex Stamos [00:17:21]:
Not try to create a trace on disk. So I got to work on the investigation and the response at SolarWinds.
Stacey Higginbotham [00:17:26]:
Right.
Alex Stamos [00:17:26]:
This is the first project Chris Krebs and I did for our consulting firm and they did an incredibly good job because they have probably the best, you know, engineers who work on hacking in Russia working for them. That is a completely SVR, right?
Leo Laporte [00:17:41]:
Yes.
Alex Stamos [00:17:41]:
So that's the worse than the GRU sv. Much worse. I mean, much, much more capable than the.
Leo Laporte [00:17:47]:
This is the government. This is the Russian government. Basically, yeah.
Alex Stamos [00:17:50]:
SVR is part of. When the KGB split up, the Foreign Intelligence Service component of the KGB became the SVR. The domestic and kind of near abroad part became the FSB. No, GRU has always been GRU. GRU is military intelligence. So they're part of.
Stacey Higginbotham [00:18:08]:
They're the thugs, right?
Alex Stamos [00:18:10]:
They're the thugs, yes. And so the GRU, when they break in, they don't, mind you, they're the ones who literally, like, will break in people's apartments and then, like, leave a crap in the toilet so you're there. Like, they do stuff like that.
Leo Laporte [00:18:20]:
So if you're going to be thrown out of a window, it's probably the GRU or fsb.
Alex Stamos [00:18:25]:
Right. FSB is like the KGB part that, like, terrorized Russian.
Leo Laporte [00:18:28]:
But if your memory is going to be swapped in vitro, that's going to be the svr.
Alex Stamos [00:18:33]:
Yeah. Right. Because what? They never want sophisticated. Yes.
Stacey Higginbotham [00:18:37]:
Ah.
Leo Laporte [00:18:37]:
They don't want to get caught.
Alex Stamos [00:18:39]:
Yes. It's quite different. And so my fear with all the AI tools is that it's kind of, you know how, like the Premier League, you can get sent down, you can go back up. Right. If you do well, that's that everybody's going to step up to the next league with AI tools. Right. And that's going to be really terrifying. So on the defensive side, we all have to do the same thing.
Alex Stamos [00:18:56]:
We all have to take a step up because the attackers are all going to be able to go to the next league up with the kinds of things that they're going to be able to build that they've never been able to build before.
Leo Laporte [00:19:06]:
So, Jen Easterly, former director of CISA, and you're right, Stacey, was Foreign Affairs, great read, a great reference. She wrote an article, says, The End of Cybersecurity: America's Digital Defenses Are Failing. And this is primarily because of the effectiveness of these AI coding.
Stacey Higginbotham [00:19:26]:
It's because. No, it's because we don't invest in security.
Leo Laporte [00:19:30]:
Yeah. Because we basically shut CISA down. Yeah, CISA down. Yeah. But AI can save them, she says. So what's the good news?
Stacey Higginbotham [00:19:38]:
Well, the good news is that because firms don't invest in cybersecurity until they have to. Right. And we don't have a really great regime for forcing that. Her argument is that we can use AI to make it easier to build secure software. She also makes the same point that Alex made, which is we have to do it anyway because everybody's going to use AI to attack us.
Leo Laporte [00:20:06]:
Yeah.
Stacey Higginbotham [00:20:06]:
So we should be leveling up anyway. And AI will just help us level up. But she's making kind of an economic argument here, which is that it will be cheaper and easier, presumably to build more secure software.
Leo Laporte [00:20:19]:
Cheaper is always more likely to happen, sad to say. She says AI systems can autonomously find and patch software flaws. Has that been your experience, Alex? Is that the case?
Alex Stamos [00:20:31]:
It is to a certain extent. I mean, they certainly can find it. Patching is a little bit harder. But the. I think for the first time ever, we're in a place where it is economical to refactor code. And we're getting to the point of where it's becoming more economical to actually refactor large amounts of code than to just fix bugs. That we might get to a place where rewriting your old C code to be on a new C21 with a secure templating library is better than trying to find all the memory management problems.
Stacey Higginbotham [00:21:03]:
Or trying to find.
Alex Stamos [00:21:03]:
We're not quite there yet, but in a couple of years, converting your C code to Rust is actually going to be economical. That was insane two years ago, right? That would have cost. It would have been cheaper just to rebuild from scratch.
Leo Laporte [00:21:17]:
It's not automated, though. You still need engineers to supervise.
Alex Stamos [00:21:20]:
Yes, to supervise, yeah, but like the amount of code they're writing, I mean, human engineers are basically becoming really technical product managers, right? They're, they're doing architecture, they're doing design. Again, the, the coding tools are quite bad at architecture. The only one that does a reasonably good job here is Amazon Kiro, which is still in beta, which is an IDE-based coding tool that makes you do a PRD, it makes you do an architecture, it makes you write tests. So it forces you through the steps that you have to do as a professional engineer. The rest of them, like Claude Code. You say, I want to build an incredibly complicated client server architecture that is going to take 17 different components on AWS. It's like, yep, let's get going.
Alex Stamos [00:22:05]:
You're like, no, no, no, wait, wait, wait.
Leo Laporte [00:22:07]:
And you see the code.
Alex Stamos [00:22:08]:
That's not how we build things.
Leo Laporte [00:22:09]:
Scrolling off the screen.
Alex Stamos [00:22:10]:
Yeah, yeah, yeah. It just goes, right? And so I think that's, I mean that's like part of our thesis at Corridor is like, hey, we got to build frameworks around these things. If you're an enterprise. And to their credit, OpenAI and Anthropic in particular, and Cursor understand this, right? Like Cursor in particular is a company that's like trying to target enterprises. It's quite different than like Lovable and Vercel where they're building stacks that are in particular targeted for the hobbyist consumer and to make it easy for them. So I think you're going to see more bifurcation. Claude Code kind of stuck in the middle.
Leo Laporte [00:22:47]:
Even Claude Code has started to say things like, you know, it'd be good if you made a little to do list here and if you did some things, set some structure around it instead of letting me just go like crazy. Although you can still hit Shift tab. You can still hit Shift tab and let it just go. Which I did this morning.
Alex Stamos [00:23:02]:
I must say, I think what you're going to have is professional engineers are not going to use the CLIs. They're going to use a tool like Cursor and then Cursor is going to use Sonnet 4.5. They'll use Anthropic's models. But you'll be using it through a professional tool that forces you through some kind of engineering plan.
Leo Laporte [00:23:21]:
Well, I didn't anticipate getting in this, but you know what? When Alex Stamos is in the house, I think it's pretty important we do no. And it does segue into the next story, which we're going to get to in a minute, which is Amazon firing 30,000 people. Did they do it because of AI? Well, maybe, maybe not. Not exactly. We'll talk about that in just a bit. Jill Duffy is here. She's spending the morning with us. So nice to have you.
Leo Laporte [00:23:45]:
Hope you have a nice cup of tea.
Jill Duffy [00:23:47]:
Thank you. I have some strong coffee. Yes, I do.
Leo Laporte [00:23:50]:
That's. What is this? Vigilante. I like your mug. It says vigilante.
Jill Duffy [00:23:53]:
Oh, this is a great roastery in Maryland.
Leo Laporte [00:23:56]:
Nice. What a good name.
Jill Duffy [00:23:58]:
Makes coffee. Yeah, you know, it's the lead roaster's.
Leo Laporte [00:24:01]:
Last name and it's got the evolution of coffee drinkers on the back, which I like.
Jill Duffy [00:24:08]:
Early man age coffee drinkers.
Leo Laporte [00:24:11]:
Looks like fisherman. Oh no, Spear carrying to coffee drinkers. That's good. Yeah, yeah, I like it. Vigilante. Good. I'm going to try some. Nice to have you, Jill.
Leo Laporte [00:24:20]:
Alex Stamos is also here. His new company corridor.dev helps devs do it securely so you're in the right place at the right time. And Stacey Higginbotham from Consumer Reports where she's a policy fellow. It's great to have all three of you. We will get back to the news in just a second but first a word from our sponsor. Our show today brought to you by ZipRecruiter. We use ZipRecruiter. What if you could consistently find whatever it is you're looking for right away? We're talking about everything from parking spots to something on my mind right now. Holiday gifts, jackets or jeans that fit perfectly.
Leo Laporte [00:24:58]:
Imagine how much time you would save. Well, you may never instantly find those things, but if you're hiring, you can find qualified candidates right away time and time again with ZipRecruiter. And today you could try it for free at ZipRecruiter.com TWIT this is their secret sauce. ZipRecruiter's powerful matching technology works fast to find top talent. With ZipRecruiter's advanced resume database, you can unlock top candidates contact info instantly. No wonder ZipRecruiter is the number one rated hiring site based on G2. If you want to know right away how many qualified candidates are in your area, look no farther than ZipRecruiter. Four out of five employers who post on ZipRecruiter get a quality candidate within the first day.
Leo Laporte [00:25:45]:
Right now you can try it for free. ZipRecruiter.com TWIT. Again, that's ziprecruiter.com TWIT. ZipRecruiter, the smartest way to hire. I'm glad some people are hiring, because some people are firing. Amazon, according to Reuters, is preparing to fire as many as 30,000 corporate jobs starting Tuesday. Now they have one and a half million employees, but that's, that's almost 10% total. And Amazon says it's not because of money, it's because of. And this, this is the quote, culture, according to CNN. This is from Andy Jassy, CEO.
Leo Laporte [00:26:36]:
It's not really financially driven, not even really AI driven. Not right now. It's culture. Amazon added headcount, of course, in recent years, a lot of companies did. Jassy says, quote, you end up with a lot more people than what you had before. He's so folksy, that Andy Jassy. And you end up with a lot more layers sometimes without realizing that you can weaken the ownership of the people that you have who are doing the actual work. Okay, I know it's not AI, although, you know, a lot of tech companies are kind of claiming, oh yeah, we're replacing people with AI.
Leo Laporte [00:27:12]:
I think the truth is maybe a little closer to the fact, yes, AI is very, very expensive and our burn rate is insane. Buying all those Nvidia GPUs, and how are we going to fund that? What if we fire 30,000 people? Would that help? Does that make sense? If you look at the Quarterly. Yes. If you look at the quarterly results, yes. Thank you for that. Affirmative.
Stacey Higginbotham [00:27:42]:
I was like, are you. Are you waiting for your comment?
Leo Laporte [00:27:44]:
Sure, yeah. Just jump right in anytime. Don't I. I will talk until somebody else says something. That's an old radio habit. I don't know. Dead air on this show. No dead air.
Leo Laporte [00:27:53]:
Go ahead, Stacey.
Stacey Higginbotham [00:27:56]:
You know, I'm old. I've been through a couple downturns, and what we're seeing is everybody prepping for things to get tight. And I will say that if you can get rid of people, it's not. I mean, sure, it's easy to be like, oh, it's AI. But they're also slowing down on their hiring front. If you can get rid of some expensive workers, great. So I think this is part of the beginning of a hunker down kind of mentality, and I think we're seeing it across the board. I mean, we're seeing it in other.
Leo Laporte [00:28:23]:
Firms, not just Microsoft did it last quarter after. After a record profitable quarter, they fired a bunch of people, which looked kind of unseemly. Alphabet, which announced its quarterly results this week. Unbelievable revenue. Over $100 billion in revenue for one quarter. That's a growth in the cloud of 34%. Their profits are phenomenal. Amazon's very similar.
Leo Laporte [00:28:56]:
I mean, everybody. The tech sector is doing pretty well right now.
Stacey Higginbotham [00:29:01]:
Yeah, I mean, we're seeing it. I mean, UPS announced layoffs, Target announced layoffs right ahead of Christmas. I mean, this is. I mean, it's not good news.
Leo Laporte [00:29:11]:
Yeah, I mean, I. That's the other thing. And you know, when we talk about this stuff, I sometimes I forget to say, this is terrible for the people who get laid off. That's 30,000 people who will have a terrible Christmas.
Stacey Higginbotham [00:29:23]:
It's only 14 so far.
Leo Laporte [00:29:25]:
So far.
Alex Stamos [00:29:26]:
Right. It's still a lot.
Leo Laporte [00:29:29]:
Only 14.
Stacey Higginbotham [00:29:30]:
Being in Seattle is pretty grim right now.
Leo Laporte [00:29:32]:
I bet it is. I bet it is.
Alex Stamos [00:29:35]:
So, I mean, you talk about it's not financials, but you look at the results, and their operating income's great. Right. So, I mean, if you look at AWS, their net income went. It technically held steady, but that's with them taking two charges. Right. They had an FTC settlement and they took a severance charge as part of this. Right. 1.8 billion.
Alex Stamos [00:29:59]:
So with those two things, their quarterly income for AWS was up to 21 billion from 14 billion quarterly. But what's interesting, free cash flow is down to 14 billion, and that's down from 47 billion. Trailing 12 months. So that is a huge difference. And he points out.
Stacey Higginbotham [00:30:16]:
There you go.
Alex Stamos [00:30:16]:
That's driven from a year over year increase of 50 billion for property. So they have been massively investing in AWS and that has taken up a ton of their free cash flow. That doesn't hit their net income because they amortize that. Right. That's capex that gets amortized over the depreciation schedule of that stuff. So I think it might be they are reading the tea leaves like Stacey said, on a downturn, Amazon has more data than probably any other organization other than maybe JPMorgan Chase on the position of our economy. Right. Like they see all consumer sentiment, they see all business sentiment via AWS and they are more exposed than any other organization to both the business world and the consumer world.
Alex Stamos [00:31:07]:
Right. And so if there's a downturn and they have been spending $50 billion, 60 billion of their free cash flow just on increase in capex, then it's not a crazy thing for them to start to tighten early.
Leo Laporte [00:31:22]:
What about Meta?
Stacey Higginbotham [00:31:23]:
Interesting to look at actually. So Azure, Microsoft, Amazon and Google. Google, sorry, it was like the other.
Leo Laporte [00:31:33]:
One, the big three cloud data because.
Stacey Higginbotham [00:31:35]:
They have the CapEx. It's a really good point, especially with the costs of Nvidia chips looking at that versus companies that are buying that from them. Because that was the beauty of the cloud is it switched all of your original Capex to opex. So I wonder if there should be like a new classification for some of these companies just for this particular element. I like that subtlety.
Leo Laporte [00:31:56]:
And you know who's doing great. Nvidia crossed the $4 trillion valuation mark this week.
Alex Stamos [00:32:03]:
Yeah. Does that mean that $50 billion charge goes straight to Nvidia?
Leo Laporte [00:32:07]:
It's all Nvidia.
Stacey Higginbotham [00:32:08]:
I'm sure there some Amazon, Amazon, AMD in there.
Leo Laporte [00:32:11]:
Well, everybody's working as fast as they can. Amazon, Google and everybody else to create chips. Because there's. They don't want to spend all this money with Nvidia. But Nvidia is in the catbird seat right now.
Alex Stamos [00:32:21]:
Yeah. Although they do talk about their number one bullet of like for strong highlights is continued strong adoption of their custom AI chip. So they are talking very aggressively about how they're looking to Samsung.
Leo Laporte [00:32:32]:
Everybody, everybody's working hard. Yeah. Google's got the TPUs so they don't have to worry quite so much. But.
Alex Stamos [00:32:39]:
Right. And they highlight that Anthropic is doing trained a lot of their new models on Amazon's custom chips. So a lot of that was not on.
Leo Laporte [00:32:46]:
That is one of the issues, isn't it? Nvidia has a proprietary system, CUDA, which no one else can duplicate because it's proprietary. And a lot of this stuff is based on CUDA. Right. It needs CUDA.
Alex Stamos [01:00:00]:
No, I mean, you could, you can, you could build on other libraries. I mean. Yes, for consumers, it's a little bit of lock in. If you're Anthropic, that's not a lock in.
Leo Laporte [00:33:11]:
Okay. If you're big enough, you don't care.
Alex Stamos [00:33:14]:
Yes.
Leo Laporte [00:33:14]:
Yeah. Now, Meta, I think Mark Zuckerberg lost $29 billion or something last week because Meta's stock tanked because they had a $16 billion tax income tax charge. But I think the market's also a little jumpy because Mark's been spending like crazy on AI, bringing in, paying as much as a billion dollars for new. For talent.
Stacey Higginbotham [00:33:42]:
Well, how many times can Mark be wrong and. Or late and acquire his way to success? And I'm not. I'm not being.
Leo Laporte [00:33:48]:
No, that's a good question. That's what the market's asking, isn't it?
Jill Duffy [00:33:56]:
There was a great story in the Atlantic that I really liked that sort of zoomed out and said, how is the AI bubble going to crash?
Leo Laporte [00:34:04]:
Charlie Warzel. Yeah.
Jill Duffy [00:34:07]:
And Matteo Wong, I think, was the other writer on the story.
Leo Laporte [00:34:10]:
Yeah, yeah.
Jill Duffy [00:34:11]:
Matteo Wong.
Leo Laporte [00:34:11]:
Here's how the AI crash happens.
Jill Duffy [00:34:14]:
Yeah. And it was just. It explains it reasonably simply, but reminded me that nothing financial in the United States is ever simple, but money is moved around. Sort of what you all were saying, let's amortize, whatever. But so much of this money right now is going into real estate and building out these huge server farms for AI. So when you are acquiring real estate that the Atlantic article poses, they're not really interested in taking on debt to get that land and to build. So they're selling instead of taking traditional loans, they're looking to essentially package up the money they need and get it from.
Stacey Higginbotham [00:35:04]:
Oh, this is the securitization of the data center loans. Yes, the data center contracts by the tech companies.
Jill Duffy [00:35:12]:
Right. So they're going to private investors.
Leo Laporte [00:35:13]:
We work at a business.
Jill Duffy [00:35:17]:
If they're going to private investment.
Leo Laporte [00:35:19]:
Am I a too simple on this?
Jill Duffy [00:35:21]:
Everything is sort of being packaged and sold in ways that makes it harder to trace, harder to figure out who owes money to who, how much debt do they actually.
Leo Laporte [00:35:28]:
And there's a lot of this circular stuff that Nvidia is giving $1 billion to a company so they'll buy $1 billion worth of Nvidia chips, things like this, it's very confusing.
Stacey Higginbotham [00:35:37]:
Well, there's. Okay, so there's a bunch of stuff at play there.
Leo Laporte [00:35:41]:
That's the, that's the opex versus Capex, right? No, so, okay, I'm going to shut up now and let people. I.
Stacey Higginbotham [00:35:52]:
So securitization, which is what this is this the securitization article. Okay. That is when you do a deal, like an extended financial deal and then you, you slice it up into little slices and then.
Leo Laporte [00:36:05]:
Oh, like Red Lobster.
Stacey Higginbotham [00:36:07]:
It is exactly what caused the mortgage bubble in 2008.
Alex Stamos [00:36:11]:
Right.
Leo Laporte [00:36:12]:
Oh dear.
Stacey Higginbotham [00:36:12]:
As a, as a former bond reporter, this is like, this was my.
Leo Laporte [00:36:15]:
Oh dear. So it's so, so okay, so what happens?
Stacey Higginbotham [00:36:20]:
So what?
Leo Laporte [00:36:21]:
So we are in a bubble is what you're saying. This is a bubble.
Stacey Higginbotham [00:36:24]:
It's not transparent. So the issue is there's a lot of insider. So if we sum up the whole thing, there's a lot of insider dealing that people don't necessarily understand. And it's not transparent either to like the media or people watching investors, but even also within like the securities in banking world. So there's a lot of, I would call it financial chicanery or shenanigans.
Leo Laporte [00:36:46]:
Yeah.
Stacey Higginbotham [00:36:47]:
But it is actually legal, so I'm not sure.
Leo Laporte [00:36:50]:
It's not illegal chicanery. It's legal chicanery.
Stacey Higginbotham [00:36:53]:
I'm like, I'm like. So I don't know if that's actually, if I were writing an article. I don't know if I could use those words.
Leo Laporte [00:36:57]:
Wong and Warzel say the US is a burgeoning AI state and in particular an Nvidia state number keeps going up, which is buoying the markets. In the short term, that's good, but it's precarious. And I think there are a lot of people. I'm at retirement age. My IRA is heavily in US equities. Everybody's a little worried about a bubble or a crash. But we just spent half an hour talking about how valuable AI is and how transformative it is to businesses and coding and security and so many areas. In fact, the chairman of the, the Fed said this isn't exactly a bubble because there's value being created.
Jill Duffy [00:37:47]:
I mean, I would ask where is the value? Where is it right now?
Stacey Higginbotham [00:37:52]:
Yeah, we're throwing out AI. We're hyping it up to be this economic powerhouse, which I think it absolutely could be eventually. So it's not like a tulip bubble where there's no underlying value except for like flowers are good. It's more like a Railway or the very early days of, I don't know, oil.
Leo Laporte [00:38:11]:
Yes, that's what Jeff Bezos said. It's not a financial bubble, it's a, it's a, it's an industrial bubble. So what happens with industrial bubbles like railways or the dot com bubble is you get infrastructure which survives the bankruptcy of a number of companies. And the infrastructure is of value.
Stacey Higginbotham [00:38:26]:
Except we have fundamentally changed our definition. We have changed how long our infrastructure can last because this infrastructure is built on a chip that has an 18 month life. Right. If you're really lucky. So we have to think about like if you're doing your financials and you're thinking I'm going to amortize this over 18 months versus I'm going to amortize it over computers have, what is it, a depreciation schedule of like five years?
Leo Laporte [00:38:57]:
Yeah, well in reality it's probably like that. But yeah.
Stacey Higginbotham [00:39:01]:
So I don't, and I don't know where we are on like our accounting yet for accounting for this. But. So we're basically saying, so it's, it's like figuring out what we can do with like oil and gas or even electricity. Right. Like we've got to build all this infrastructure in place, but the infrastructure is not as long lived, so we have to have different financial tables and account for it and value it differently. We aren't.
Leo Laporte [00:39:25]:
So what you're saying is, to paraphrase Terminator 2, we are in uncharted territory making up history as we go along. Is that what you're saying?
Stacey Higginbotham [00:39:35]:
It's charted? We're just using the wrong depreciation schedules.
Leo Laporte [00:39:39]:
Our maps don't match the land mass that we are actually traveling. Is that what you're saying?
Stacey Higginbotham [00:39:45]:
No, I might not be.
Leo Laporte [00:39:47]:
Jerome Powell says. Jerome Powell, chairman of the Fed says unlike the dotcom boom, AI spending is in a bubble. I mean his proof of this is I can't name names, but some of these companies have earnings he did this in.
Stacey Higginbotham [00:40:03]:
So okay, think about, think about Akamai in the 1999 Akamai. Think about building out the telecommunications infrastructure for the underlying Internet way back in.
Leo Laporte [00:40:13]:
The late 90s, right before the dot com crash.
Stacey Higginbotham [00:40:16]:
And all of that eventually became super valuable. Right. We were, we were not wrong.
Leo Laporte [00:40:22]:
There's a lot of dark.
Stacey Higginbotham [00:40:24]:
Yeah, but one of the reasons it became so valuable is because the financial and the bubble aspects of it became untenable. And we got bankruptcy for a lot of these companies and it wiped out all of their debt. Right now we have a different financial structure. This isn't necessarily debt funded. This is venture capital funded, which is a little different. But anyway, we're basically. We're spending money too fast on this and we're putting too much money too quickly in it, or we're not accounting for the actual. How.
Stacey Higginbotham [00:40:57]:
Never mind. I.
Leo Laporte [00:40:58]:
Let me quote Wong Warzel from that Atlantic. Let me quote Wong and Warzel from that Atlantic if you really want dystopia from that Atlantic article that Jill gave us. Listen to the AI crowd talk. Enough, you'll get a sense. We may be on the cusp of an infrastructure boom, and yet something strange is happening to the economy. Even as tech stocks have skyrocketed since 2022, the company's share of net profits from S&P 500 companies has hardly budged. Job openings have fallen despite a roaring stock market. 22 states are in or near a recession.
Leo Laporte [00:41:33]:
And despite data centers propping up the construction industry, US manufacturing is in decline. They say AI is drowning out, is obscuring the wobbling American economy.
Alex Stamos [00:41:46]:
Yeah, I think we can. AI can have value. Part of the problem here is there's a handful of AI skeptics for whom their skepticism has become their entire personality and their entire brand.
Leo Laporte [00:41:59]:
And we know who they are. Yes.
Alex Stamos [00:42:00]:
Yeah. And I'm not going to say the name because they have, like, followers who.
Leo Laporte [00:42:03]:
We know who they are because we've had them on our shows.
Alex Stamos [00:42:06]:
Okay. Yeah. Some of these people, their followers will send you death threats and stuff like.
Leo Laporte [00:42:10]:
Yeah, I know they're very. Yeah, yeah.
Alex Stamos [00:42:12]:
And so, like, they make it hard to talk about this because if you're not fully in their camp, you're. You're a mush. And then they also make any kind of AI skepticism seem like you're a Luddite. Right, Right. And AI, from my perspective, AI is incredibly valuable. I use it every day in a variety of ways. And I think it. These companies will make a bunch of revenue, but there's a bunch of ways this can still be a bubble.
Alex Stamos [00:42:36]:
One, if the real economy is hollowing out. Right. The way the AI companies will make money is from the real economy giving them money to do things. So if State Farm and Walmart and every consumer products company, the Procter and Gambles and Boeing and all of these folks are losing money, then they will not have as much economic flow. They will not have as much free cash flow to shave money off the top to send it to the AI companies. Right. So if we end up because of a confluence of issues, including tariffs, the business cycle, a bunch of Other things hollow out the real economy. Then we can be in a bubble no matter what's going on with the AI companies.
Alex Stamos [00:43:19]:
Second, I think even if things were going great, you can have this bizarre financialization that Stacey's talking about. I saw this personally of a friend of mine, got in on one of these deals and then offered for me to invest in a data center. And I didn't do it because in the end I do some seed investing in companies. Every once in a while I know what I'm buying. I'm buying stock in a company or I'm getting a safe, which is debt that can turn into stock. I had no idea what I was buying, what my money was being turned into.
Leo Laporte [00:43:49]:
It's like bitcoin. It's like NFTs.
Alex Stamos [00:43:51]:
Oh, at least in Bitcoin I know I'm getting some kind of bs.
Stacey Higginbotham [00:43:56]:
You're getting the promise of a payment from a, from a bank that is getting a payment or a chunk of a payment from the data center company. But yes, it's. Right, but it was like repackaged.
Alex Stamos [00:44:07]:
Yeah, but yeah, and it was like a contract with an entity with another entity and there's like five entities with made up names. And you're like, this is so spectacularly sketchy. I'm going nowhere near this. Right. Like. And so it screamed financial bubble to me. Right. Like.
Alex Stamos [00:44:22]:
And so everything could be growing great, even if the economy is going great. That could be insane that you have like this crazy financialization where you have the AIG mortgage issue stuff going on now. Like Stacey said, we're not talking about banks here. You're talking about like hedge funds and VCs and a bunch.
Leo Laporte [00:44:38]:
Yeah, who cares if they go belly up? Right?
Alex Stamos [00:44:40]:
Yeah, but like it's still, who knows, like that's what people said about aig. Right?
Stacey Higginbotham [00:44:45]:
You do care because they're all over the economy and if they go, they're going to start. So I mean that's a. You do not want them to start selling all their debt.
Alex Stamos [00:44:54]:
And then I think there's a third way. This could be an interesting bubble, which is with the railroads. Like we laid all this infrastructure. Like there was no situation in which all of a sudden the railroad tracks themselves were not going to be useful or the engines. Like when all this railroad track was being laid in the mid 19th century, we were not going to have all of a sudden like diesel electrics were going to be invented like in 1865 or something. 1870. Right, right. But we're in these revolutions.
Alex Stamos [00:45:24]:
Stacey talked about like 18 month chips, I think the depreciation on these things, that you can use them more and stuff. But all this money is going. For example, I just gave this talk, I gave a talk at Vercel and I gave a different talk at Infosec World, but in both cases I talked about. Gary Marcus at MIT talks about this a lot. If you think about what AI is, AI is a study in computer science of making computers act like humans. Within that you have machine learning, right? Which is getting computers to learn from data. Within that you have reinforcement learning. And within that you have LLMs.
Alex Stamos [00:45:59]:
And LLMs are like a tiny little bubble of these concentric circles of which AI is this huge circle. And all the money is going to LLMs because it's the first thing that people are like, oh, this is actually useful.
Leo Laporte [00:46:13]:
Yeah. Marcus has said that's a mistake. Because we're spending so much on LLMs, we're not paying attention to other systems.
Stacey Higginbotham [00:46:20]:
They're so fundamentally limited. We just like them because they look like us. That is all it is.
Alex Stamos [00:46:26]:
And so there's all this cool other research, right? Like people are building these models are much smaller that are much better at like solving real interesting problems. They can't write poetry, but they solve like useful things. And so I think we also could have technological breakthroughs that either make LLMs much more efficient and therefore massively change the economics of all this, or that replace LLMs for certain use cases and then invalidate a bunch of this spend. I mean, there's all kinds of stuff that's unpredictable that could happen in the next five years and then that could blow up parts of the stuff. So that wouldn't be like an overall bubble, but that could create micro bubbles or partial bubbles and cause all kinds of churn. And overall it'd be great because we'd be having a, a new efficiency. But it could absolutely kill one of these companies that looks dominant right now. And in the long run it would be great.
Alex Stamos [00:47:20]:
In the short term it would cause lots of damage. And so I think it's crazy to have all of us have decided it was good to put all of our money in the S&P. But the way that the S&P 500 allows these companies to expand, I think somebody at Standard and Poor needs to get slapped.
Leo Laporte [00:47:41]:
Richard Campbell told me there is an S&P 500 minus the Magnificent Seven. There's an ETF that has, it's like 493 and I guess that might be a good investment. I don't know. I'm not an investment expert, and I don't know what to do because, yes, it's overvalued. AI is highly overvalued. Even in something as supposedly as diversified as the S&P 500, if you're.
Alex Stamos [00:48:06]:
Going to call it an index and you're going to say there's 500 companies, then you should not allow seven of the companies to be 50% of the 500 or whatever. Right. Like, it's. I think there is this. This crazy thing is like, as the companies get bigger, we cannot. This index investing has gone too far. Right. Like, we need to.
Leo Laporte [00:48:24]:
Don't tell me that that's the only way I can invest because I can't buy individual stocks.
Alex Stamos [00:48:29]:
Yeah.
Jill Duffy [00:48:29]:
I'm just waiting for somebody to start using the term too big to fail about all of these seven tech companies, because, I mean, they're all administration. Right. Like, why do you think they've donated so much money, so cozy with the president? Like, they. They need not just laws and legislation on their side, but I. I have a feeling that they meet, they may in the near future need some help making regulation problems go away or investment.
Leo Laporte [00:49:02]:
Are they too big to fail in that respect? Can they be bailed out like the banks?
Jill Duffy [00:49:06]:
Yeah, well, that's kind of what I mean. I mean, if you have 56% of the S&P riding on these seven companies, how can you let any one of them fail?
Leo Laporte [00:49:18]:
Well, thank goodness the president is a business businessman. Oh, never mind.
Alex Stamos [00:49:23]:
He knows the art of the deal, Leo.
Leo Laporte [00:49:25]:
He knows the art of the deal. I'll grant you that.
Stacey Higginbotham [00:49:30]:
There is an argument to be made that they're too big to fail on the actual infrastructure front, as we saw with, like, all.
Leo Laporte [00:49:37]:
These networks, operations centers that are being built. This is.
Stacey Higginbotham [00:49:39]:
Although, does anyone else remember when AWS E or the Eastern.
Alex Stamos [00:49:45]:
The one in US East? One.
Leo Laporte [00:49:46]:
Yeah.
Stacey Higginbotham [00:49:47]:
USC thing, I was like, that used to go down all the time. I mean, I remember when Adrian Cockcroft was doing his, you know, chaos monkeys and that's. That's why that came around. So I actually think we're really amazing. But it is too big to fail from that perspective.
Leo Laporte [00:50:02]:
Yeah. It's amazing how many people were dependent on AWS East.
Alex Stamos [00:50:07]:
That was a big deal. All going down at the same time was a big deal.
Leo Laporte [00:50:11]:
Yeah, we learned.
Alex Stamos [00:50:12]:
A lot happened.
Leo Laporte [00:50:13]:
Yeah, yeah.
Jill Duffy [00:50:16]:
But financially, too, I mean, like, Leo, like you were saying, you know, your retirement accounts are completely vested in these companies. I'm terrified if we have just this massive number of baby boomers who are starting to collect on their retirement and that money collapses, that value collapses. Are we gonna, Is the government going to allow that to happen? Is there going to be some rectification there?
Leo Laporte [00:50:41]:
Yeah, because we baby boomers vote. Don't forget.
Stacey Higginbotham [00:50:43]:
They can sell their houses. They'll be fine.
Leo Laporte [00:50:45]:
Oh, that's right.
Jill Duffy [00:50:46]:
All their houses.
Leo Laporte [00:50:47]:
All our houses. We'll just sell them. Yeah. No, it's a, it's a, it's a scary time because if you look at the S&P 500 for the last 10 years, boy, that was a good thing to buy into.
Jill Duffy [00:51:01]:
You know, in the financial news world, everything I keep hearing is K shaped economy. K shaped economy, which is, you know, the people who are doing well, it's going up, up, up. For the people who are not doing well, it's going down.
Leo Laporte [00:51:11]:
Right.
Jill Duffy [00:51:13]:
Is that just not the story of America?
Leo Laporte [00:51:15]:
Yeah. And income inequality is really on a fast track.
Jill Duffy [00:51:21]:
You're going to sell your houses, but to whom? Who's going to buy houses?
Leo Laporte [00:51:23]:
Yeah, well, that's the point. You know, if you fire everybody to make money for AI, who's who buy your stuff, you're making.
Jill Duffy [00:51:32]:
Who's going to buy your stuff?
Leo Laporte [00:51:33]:
Yeah.
Jill Duffy [00:51:34]:
The other story, I mean, not to get too much into financial news and the economy, but, you know, the other one I keep hearing about is the birth rate.
Stacey Higginbotham [00:51:40]:
Right.
Jill Duffy [00:51:41]:
So the birth rate is low. People are not having enough children. Big, big problem in South Korea. But it's starting to be talking again in China. In China, yeah.
Stacey Higginbotham [00:51:50]:
And.
Jill Duffy [00:51:51]:
But in the United States now, so the average birth rate for women is a little over two children.
Leo Laporte [00:51:58]:
But once it goes under two, that's.
Jill Duffy [00:52:01]:
Well, it's already, it's already a little too low. So it's a little too low for the economy.
Stacey Higginbotham [00:52:07]:
Right.
Jill Duffy [00:52:08]:
Like, it's not a problem for anything but the economy. It's not necessarily a bad thing for the environment for keeping the human race alive. Like, it's fine for most things. It's a problem for the economy. And it's because we want our economy to keep growing. And like, like that is just a fundamental problem that we're going to have to deal with at some point.
Leo Laporte [00:52:31]:
We need to make more customers get to work.
Stacey Higginbotham [00:52:33]:
Our standard of living in addition to the economy.
Leo Laporte [00:52:36]:
Yeah.
Stacey Higginbotham [00:52:37]:
So I'm not by any stretch of the imagination, like, arguing that we all should be.
Leo Laporte [00:52:41]:
So you have one kid.
Stacey Higginbotham [00:52:43]:
I guess I am not contributing.
Leo Laporte [00:52:44]:
Jill, how many kids do you have?
Jill Duffy [00:52:46]:
Zero.
Leo Laporte [00:52:47]:
Okay. Alex, how many kids do you have? Two. Three. I have two, but I have three wives. So the Five of us only made three kids, so we're negative. This whole panel, even with Alex, is overproductive.
Alex Stamos [00:53:02]:
My wife and I did our part. She did the hard part. Obviously.
Leo Laporte [00:53:07]:
You did the hard part. All right, I want to take a break on that note. I will talk about. Well, there's many other things to talk about, and we have such an excellent panel. No more financial talk because, I don't know, you know, we're not a financial podcast, but this is kind of what hath tech wrought in a big way.
Alex Stamos [00:53:27]:
Have your ads started? Are you gonna start selling food and survivalist stuff?
Leo Laporte [00:53:31]:
Gold, yeah. Gold, baby, Gold.
Alex Stamos [00:53:36]:
This is gonna turn into the same ads as, like.
Leo Laporte [00:53:39]:
Yeah, it's AM radio as talk radio. Yep. Gold, baby. All right, let's take a break. We do have a fabulous panel and lots of good things to talk about. We'll get to those. The president actually is in Asia right now. He's apparently made a deal for TikTok.
Leo Laporte [00:53:59]:
No one knows what it is, but we'll find out. Maybe we'll get to that in just a little bit. And the FCC has voted to make it easier for your ISP to rip you off. Isn't that good news? All that and more still to come. Alex Stamos is here. Always a pleasure to have him. From corridor.dev, our security guru. Stacey Higginbotham is here.
Leo Laporte [00:54:21]:
We'll talk about the Neato vacuum cleaners in just a bit. Policy fellow at Consumer Reports. And Jill Duffy is also here. We could talk about EVs. What's your beat these days? You're doing PC Mag and Wired.
Jill Duffy [00:54:35]:
Yeah, I'm writing still about organization a little bit. I had some fun stuff recently about death. Death in organization.
Leo Laporte [00:54:43]:
Yes. I want to talk about death. Swedish death cleaning. I believe you brought this up. Okay, we'll get. It's not as bad as it sounds. I've actually been. I embarked on a little Swedish death cleaning myself because I am almost 70.
Leo Laporte [00:54:56]:
I mean, it's time, right, to start. I don't want to dump all this on my kids. Anyway, we'll get to that uplifting topic in just a moment. This is this Week in Tech. Well, I'm glad you're here. Anyway. I hope you. Hope you feel the same way.
Leo Laporte [00:55:12]:
Our show today, brought to you by Zscaler, the world's largest cloud security platform. They could not be in a more timely position. As you can tell, AI, you know, it's changing the world. The rewards for enterprise are too big to ignore. The risks for enterprise are also Humongous. The loss of sensitive data and attacks against enterprise managed AI, generative AI increases the opportunities for threat actors. We were just talking about. I can't remember if it was before the show or during the show, but helping threat actors rapidly create, you know, perfect phishing emails or write malicious code, automate data extraction.
Leo Laporte [00:55:56]:
There were. This is, I mean these numbers are terrifying. 1.3 million instances of Social Security numbers leaked. And how were they leaked? Through AI applications, often by your employees who are using AI. Right. ChatGPT and Microsoft Copilot alone saw nearly 3.2 million data violations. So there's all sorts of things to think about. This is time to think about your organization's safe use of public and private AI and perhaps to protect yourself against overachieving bad guys.
Leo Laporte [00:56:32]:
Chad Pallet is acting CISO at BioIVT and he says Zscaler helped them reduce their cyber premiums. I was just looking at our cyber premiums. What a depressing number that is. They got theirs down 50% and doubled their coverage plus improved their controls. Take a look at this. We got a video from Chad.
Alex Stamos [00:56:56]:
With Zscaler.
Leo Laporte [00:56:57]:
As long as you've got Internet, you're good to go. A big part of the reason that we moved to a consolidated solution away.
Alex Stamos [00:57:02]:
From SD-WAN and VPN is to eliminate that lateral opportunity that people had and that opportunity for misdirection or open access to the network.
Leo Laporte [00:57:13]:
It also was an opportunity for us to maintain and provide our remote users.
Alex Stamos [00:57:18]:
With a cafe style environment.
Leo Laporte [00:57:20]:
With Zscaler Zero Trust plus AI you can safely adopt GenAI and private AI to boost productivity across the business. Zscaler's Zero Trust architecture plus AI helps you reduce the risks of AI related data loss, protects against AI attacks because you know, zero trust is the way and guarantees greater productivity and compliance. Learn more at zscaler.com/security. That's zscaler.com/security. We thank you so much Zscaler for supporting this week in tech. I have to say AI has been very, very good to us advertising, advertising wise. There's no question about that. So maybe, maybe we're the magnificent little Magnificent Seven. The baby Magnificent Seven.
Leo Laporte [00:58:14]:
The benefactors of all this. US government has voted to tighten restrictions on Chinese tech companies deemed threats. This is from the FCC, including. They're getting close to banning the number one. According to Wirecutter, the number one router and I know there's millions in the US. TP-Link routers.
Stacey Higginbotham [00:58:39]:
Yeah, they've got like a 52% market share or something.
Leo Laporte [00:58:42]:
52% for years. Wirecutter said, you know, the TP link routers are the best. The Washington Post says a number of US government agencies are backing a mood by the Commerce Department to fully ban TP link routers. Now we've done this and I think understandably with things like Huawei networking gear and infrastructure gear, should we be worried about TP link routers? Alex, what's your take on this?
Alex Stamos [00:59:11]:
So I think this is a hard one to justify for a ban. I mean, TB links have a really bad security history. They have lots of bugs and they get exploited a lot.
Leo Laporte [00:59:23]:
But so does MikroTik. So does. I mean so many consumer routers are awful.
Alex Stamos [00:59:28]:
Consumer routers are awful. They don't, you know, this is why I usually push friends and family to Eeros and other ones that are both made by big companies but are also. Amazon owns, Amazon makes Eero and they're cloud connected and they auto update.
Stacey Higginbotham [00:59:45]:
Right.
Alex Stamos [00:59:45]:
That's the thing about.
Leo Laporte [00:59:46]:
That's the key, isn't it?
Alex Stamos [00:59:47]:
Yeah, yeah.
Leo Laporte [00:59:48]:
Because if there is a flaw, you want it to be owned by a company that cares enough to fix it and then you need the mechanism to do that without you checking. Because no one checks their router firmware.
Alex Stamos [01:00:01]:
Is it up to date? I mean normal people will never log in again. Right. They'll set it up once and they'll never touch it. I like the Eeros too because then I can manage them remotely. Right. Over the.
Leo Laporte [01:00:10]:
I might. I set my mom up with Eero.
Alex Stamos [01:00:13]:
Yeah.
Leo Laporte [01:00:13]:
For that reason.
Alex Stamos [01:00:14]:
But they're expensive, right?
Leo Laporte [01:00:15]:
Yeah, they're very pricey. And so I use Ubiquiti here. Is Ubiquiti okay?
Alex Stamos [01:00:20]:
I love Ubiquiti. That's what I have at home. But I mean that is, that is prosumer slash. Yeah, that is SME gear.
Leo Laporte [01:00:25]:
Like expensive. Yeah.
Alex Stamos [01:00:27]:
And they're like, they're. They're great for if you have Cat 6 through your house or in your office.
Leo Laporte [01:00:34]:
Right.
Alex Stamos [01:00:34]:
But their mesh stuff isn't that great. Right. Like, so the Eero mesh works pretty well. Some people are saying it's the best, isn't it?
Leo Laporte [01:00:41]:
Do you think it's the best or is Orbi? Orbi is another one that people.
Alex Stamos [01:00:44]:
I think Orbi. I mean I've heard Orbi is fine. So I just haven't used it myself. Some people were saying Asus. I like Asus stuff. Right. But I mean TP-Links are famous.
Leo Laporte [01:00:53]:
For getting owned a version of DD-WRT which is an open source router firmware. So you're.
Alex Stamos [01:00:58]:
But again, if you're not updating it. Like anybody can have a flaw but like unless I have not seen evidence. I mean there's a difference between like a TP-Link and a Huawei, right? Like the Huawei stuff is going into American core networks. It's going into, you know, the Verizons and the T-Mobiles and stuff like that. And you know we are coming out of the largest mass hacking incident that we stopped talking about. Right. Which was the Salt Typhoon campaign against the US telecom industry.
Leo Laporte [01:01:34]:
And they're still in there, right? We can't get rid of them.
Alex Stamos [01:01:37]:
It is widely discussed that they are still in there. There was supposed to be an investigation by the CSRB, the Cybersecurity Review Board which was unfortunately disbanded in the first month of the Trump administration. Security completely nuked the CSRB and it was never restaffed. And my understanding is the report they were going to put out was scathing like the, the one they did on Microsoft was extremely enlightening and it would have been great to get this. I saw a briefing from a CISO of a telecom company that is not an American telecom company. This is a closed door briefing. So I can't really speak about who it was but it was shocking.
Leo Laporte [01:02:22]:
Well the telecoms in the US say yeah, we could get rid of it. We'd have to swap out all our equipment and the entire telecom infrastructure be down for a few days. Is that okay?
Alex Stamos [01:02:32]:
It's that it's money basically. They never patch these devices, they never reboot these devices to a certain extent.
Leo Laporte [01:02:40]:
Is it SS7 still a problem or.
Alex Stamos [01:02:43]:
SS7 is definitely a problem. That is not the core problem here. A lot of the attacks here are IP level attacks. But SS7 is definitely a problem and causes a lot of the, you know every one of our mobile devices has an SS7 stack on it, right. So like when you send an SMS message that actually has SS7 framing. SS7 was never meant to be something that it was untrusted device.
Leo Laporte [01:03:06]:
It was hacked years ago, I mean more than a decade ago, right?
Alex Stamos [01:03:09]:
Yeah, it's a problem. And SS7 causes all kinds of issues. That's why foreign adversaries can track Americans around the world is through SS7 signaling attacks and such. There's this home record location attack that actually some colleagues of mine demoed at Black Hat I think in like 2006 or 2007 that still hasn't been fixed. So yeah, I mean there's, there's all kinds of layers of problems here. The idea that TP-Link's at the top of the list is low to me in a high inflation environment where we're like raising prices on consumers. Like, I don't see this as the top of my list unless there's some classified data out there that these really bad bugs in TP-Link are intentional. I think they're just like crappy devices.
Leo Laporte [01:03:50]:
We're about to ban DJI drones because they're made in China, right?
Stacey Higginbotham [01:03:55]:
Yeah. And in the article, the WaPo article, they talk about this being another bargaining chip for Trump. And look, I don't love TP-Link. I've been doing a lot of research on cybersecurity for routers, like consumer routers for CR. That's one of my side projects that one day you'll see out in the world. Yay. In TP-Link, all of consumer routers are terrible or not all. Many do not have the features that we need.
Stacey Higginbotham [01:04:26]:
And there was actually an effort. Biden did a 2021 executive order that was like, hey, it's the same one that did the trust mark. They were like, let's make a router standard for secure routers. And NIST actually did it. Very few router companies actually participated in the NIST.
Leo Laporte [01:04:42]:
I remember that. Yes, there was going to be a seal that you could put on the box and all that.
Stacey Higginbotham [01:04:48]:
Well, they didn't know what was going to become of that. But yes, NIST actually came up with a secure router framework. And one of the top things, like Alex said, was you've got to be able to update it over the air. And people, it should be opt in and you can opt out if you feel like you're a super expert and want to. There's a bunch of other recommendations in there about like, remote access, what port should be open. My favorite thing, you have to declare the end of life for the router when you're planning to stop supporting it because thank you. Doesn't happen.
Leo Laporte [01:05:21]:
Thank you.
Stacey Higginbotham [01:05:22]:
So, yeah, so I. On the TP-Link front, we test a lot of routers at CR. We see a lot of the same stupid bugs. I'm just going to call them stupid bugs because they are. There are things like your SSID and password going over the network in plain text. We see this across multiple brands and I'm like, why is this still happening in the year of our Lord 2025? And we tell consumers for this front, look, don't panic. If you've got a TP-Link router, just your next router, maybe look at some other options. I know they're expensive, but Think about.
Leo Laporte [01:05:59]:
This as like they're all made in China though. I mean. Right. Everything's made in China.
Stacey Higginbotham [01:06:03]:
I don't know how. They're all made with basically the same underlying chips they've got. A lot of them use the same like reference designs. I mean this is not like.
Leo Laporte [01:06:13]:
The Post quotes Jeff Seidman, a spokesman for TP-Link, saying it's nonsensical to suggest that any measure taken against the company could serve as a bargaining chip in US China talks. As the administration suggests any adverse action against TP-Link would have no impact on China but would harm an American company. If that's true, I'm sure China knows that, you know.
Stacey Higginbotham [01:06:35]:
Well, so I mean his brother's still in China. The guy, the person who owns the company. I mean, like. But I don't know.
Leo Laporte [01:06:42]:
It's not, it's split, but it's not fully split or it's. They say we're fully split.
Stacey Higginbotham [01:06:47]:
They fully split, but his family is in China.
Leo Laporte [01:06:50]:
Okay. I mean it seems like it's a pretty tenuous.
Stacey Higginbotham [01:06:55]:
Well, the FCC has done some really.
Jill Duffy [01:06:58]:
They've been very.
Stacey Higginbotham [01:06:59]:
So the FCC itself has been very focused on China, like much of the administration. So they've done a lot of their Bad Labs. So they're trying to make all of your, you know how everything electronic gets tested by the FCC for interference.
Leo Laporte [01:07:12]:
Yeah.
Stacey Higginbotham [01:07:12]:
So they're trying to take all of that testing capacity outside of China. That's their Bad Labs efforts. So they don't want Chinese owned companies or labs that are in China to be testing this stuff. The reason that stuff's in China is because it's all built there and you don't want to ship your boards back and forth across the ocean. And then there's a lot of the cyber trust mark right now is actually in the air because the FCC is investigating the fact that UL has a Chinese testing relationship.
Leo Laporte [01:07:43]:
I'm disappointed because as you know, every time I buy a drone, I crash it. But the new DJI drone has LiDAR built in and, but it may be banned as well because guess what? Made in China Chinese company. And I guess if I have a Chinese drone, it could be sending pictures of my house or something.
Stacey Higginbotham [01:08:03]:
If we go down this route, we're.
Leo Laporte [01:08:05]:
Not going to, we're not going to.
Stacey Higginbotham [01:08:06]:
Have anything hoes consumers so much.
Alex Stamos [01:08:11]:
This is stupid too because the Chinese are way ahead of us in drone technology. Right. Like yes, the irony here is that China is begging for American tech. Right. Like in these negotiations, what they're trying to do is to get the boundaries for American exports lowered. And we're looking to increase. Yes. There's this basic arrogance.
Alex Stamos [01:08:29]:
The idea that the US is better at everything tech. That is just not true. And drones are one of those things. So getting American kids to play with drones, taking DJI drones apart and then going to college and then going and working at Anduril or whatever next generation of American drone companies are and then competing with DJI to build. Unfortunately, the truth is the weapons that World War 3 will be fought with is way smarter. Like the idea that like this is as dumb as China boycotting Nvidia. Right. Like if they did that, we'd say that is ridiculous.
Alex Stamos [01:09:06]:
That is as ridiculous as us boycotting DJI right now.
Leo Laporte [01:09:09]:
Right. So just to get back to this because I see in our chat room there are a lot of our listeners have TP-Link routers, some of them still in the box. Should.
Alex Stamos [01:09:20]:
I'll send all those listeners a link they can click and just your advice.
Leo Laporte [01:09:26]:
Is make sure you check the firmware regularly.
Alex Stamos [01:09:29]:
Is that update the firmware, change the default password. Right. Yeah, the usual. Because a bunch of these have CSRF attacks against the interface is also the.
Leo Laporte [01:09:38]:
Way turn on WPA3 encryption. Turn off WAN administration change.
Alex Stamos [01:09:45]:
Yeah. Most of them should have nothing on the WAN. But yes, make sure you have like WAN SSH and WAN.
Leo Laporte [01:09:50]:
Turn that off.
Alex Stamos [01:09:52]:
Admin off for sure.
Leo Laporte [01:09:55]:
To the usual. But you do. You're supposed to. You should do that with anything. Any router you put on your network, you know.
Alex Stamos [01:10:00]:
Yeah. If you know what you're doing, you can nmap yourself from the public Internet or you can look yourself up, see what happens.
Leo Laporte [01:10:04]:
Yeah, yeah.
Alex Stamos [01:10:05]:
I mean you can. Like after, you know, after you have it set up for a day or two, you can.
Leo Laporte [01:10:09]:
There's some advice. Look yourself up on Shodan. You know, I'm scared to do that, but you just put your IP address in Shodan and see what happens.
Alex Stamos [01:10:19]:
Yeah.
Leo Laporte [01:10:20]:
Oh, God. Your public IP address. Don't put 192.16.
Alex Stamos [01:10:24]:
No. Right. You're probably. But like, I mean. Or you know, go to a coffee shop or I mean go to a place where you have free.
Leo Laporte [01:10:31]:
See if you can log in, go.
Alex Stamos [01:10:32]:
To school and then nmap yourself. You know what you're doing. I mean people are on the TWiT Discord.
Leo Laporte [01:10:36]:
They know what they're doing.
Alex Stamos [01:10:38]:
Install, brew install nmap. Yes.
Leo Laporte [01:10:41]:
Yeah. Brew install nmap. Ladies and gentlemen, there's your tip for the week.
Stacey Higginbotham [01:10:45]:
And if your router is more than five years old, look it up. Put the model number in and see how long and Google that with, like, end of life and see if it's actually still supported.
Leo Laporte [01:10:55]:
Were you shocked that Neato vacuum cleaners are no longer going to work? Because the Neato folks.
Stacey Higginbotham [01:11:06]:
So they announced that in 2023. What they announced, though, at the time was that they were going to try to do the cloud updates for five years and keep inventory for.
Leo Laporte [01:11:15]:
They went out of. They went out of business in 2023. Although they're owned by the same company that makes my. The thing. I bought that. You told me to buy my Thermomix. When I saw Vorwerk owns Neato, I thought, what is my Thermomix gonna stop working in a year or two?
Stacey Higginbotham [01:11:35]:
I mean, maybe.
Leo Laporte [01:11:36]:
So it's expensive.
Stacey Higginbotham [01:11:38]:
Yeah.
Leo Laporte [01:11:38]:
I love it.
Jill Duffy [01:11:39]:
I'm curious, where did you buy your Thermomix?
Leo Laporte [01:11:43]:
I don't know. Why do you have a Thermomix?
Jill Duffy [01:11:46]:
No, no, no. But for the longest time they were not available in the U.S. Oh, are they in the U.S. now?
Stacey Higginbotham [01:11:52]:
Yeah, they came to the U.S. like three or four years ago.
Leo Laporte [01:11:55]:
So you know about the Thermomix?
Jill Duffy [01:11:58]:
Oh, yeah.
Alex Stamos [01:12:01]:
Makes sense.
Jill Duffy [01:12:01]:
No, it was like.
Leo Laporte [01:12:02]:
It was really hard. Best risotto.
Stacey Higginbotham [01:12:04]:
Best.
Leo Laporte [01:12:05]:
The best tomato soup I ever had. All of three. That's all I had.
Jill Duffy [01:12:08]:
You could get them in Europe, but then it would have a 220 plug. Right. So you. And then I think they finally started selling them in Canada, but they wouldn't ship them over. So you physically had to go to Canada if you wanted to buy a 110 version.
Leo Laporte [01:12:21]:
You can now buy them in the U.S. that's exciting. For $699.
Stacey Higginbotham [01:12:27]:
Yeah.
Leo Laporte [01:12:28]:
This. I tell you, this will give you some idea of this device. If you ever watched Below Deck, which is the Bravo reality show about living and working on a yacht, all the super yacht kitchens have Thermomixes in them.
Jill Duffy [01:12:44]:
Yeah. Should we tell people what it is? Just so they.
Leo Laporte [01:12:46]:
Yeah, I've never figured out a way to. It's the blender that heats up. Is it Thermo?
Jill Duffy [01:12:50]:
It heats and cools. Right. So you can make soup. You can make ice cream.
Stacey Higginbotham [01:12:54]:
All in the.
Leo Laporte [01:12:55]:
Wait a minute.
Stacey Higginbotham [01:12:56]:
Right?
Jill Duffy [01:12:57]:
Is that right?
Leo Laporte [01:12:58]:
Can you make ice cream in a thermal? I don't think it cools.
Jill Duffy [01:13:01]:
It doesn't cool.
Leo Laporte [01:13:02]:
What does it. Stacy does it cool. She's looking it up. If, If. If you've. I don't remember. Oh, my God. I have to stop the show right now and go try it.
Jill Duffy [01:13:11]:
I might be wrong, but it definitely has a heating function.
Leo Laporte [01:13:13]:
It Definitely heats. That's why it's good for soup. But you could. Anyway, I don't know.
Alex Stamos [01:13:17]:
Steam. It doesn't say cooling.
Stacey Higginbotham [01:13:19]:
Yeah, you could.
Alex Stamos [01:13:20]:
Okay.
Stacey Higginbotham [01:13:21]:
You could.
Leo Laporte [01:13:22]:
You probably. I know what you have.
Alex Stamos [01:13:24]:
You would need, like, an external. You would need to run, like, a Freon tube outside.
Stacey Higginbotham [01:13:30]:
You could make your custard for your ice cream and the Thermomix. But then you have to run.
Leo Laporte [01:13:34]:
You still have to put it in the fridge.
Jill Duffy [01:13:35]:
Yeah, yeah.
Leo Laporte [01:13:37]:
You probably have one of those slushy machines that's all the rage right now.
Stacey Higginbotham [01:13:43]:
The Ninja or the really fancy Italian.
Leo Laporte [01:13:45]:
Yeah, the Ninja. Well, I don't know anything about that. I only know about Ninjas.
Alex Stamos [01:13:51]:
This looks like the closest thing to the machine in Back to the Future, right?
Leo Laporte [01:13:56]:
Yeah. Look at this. It comes in purple. It is. It's like the fusion. It's like the. Yeah, just throw your garbage in it and.
Alex Stamos [01:14:02]:
No, no, no. I meant like one of their cooking where it's like the old.
Leo Laporte [01:14:05]:
Oh, yeah, totally.
Alex Stamos [01:14:07]:
Right. Where it's the family. It's all messed up. They put something. It just comes out. Yeah.
Leo Laporte [01:14:13]:
Larry in our discord says we have the Ninja Creamery to make ice cream. This seems like such a bad idea. I don't want anything that can make ice cream in the house. I have enough problems as it is.
Alex Stamos [01:14:24]:
Yeah. Now I want to buy one of these things and just run through Wireshark.
Leo Laporte [01:14:27]:
Oh, here's a bundle. Here's the. But this will make slushies and ice cream. It's. You get the creamy and the slushy. Two for one, baby.
Stacey Higginbotham [01:14:35]:
Okay, let me just tell you. The best ice cream maker, and I got one as a wedding present. It's the Whynter automatic compressor ice cream and yogurt maker. It is a heavy, giant wedding difficult thing.
Leo Laporte [01:14:50]:
Yeah.
Stacey Higginbotham [01:14:52]:
And you can't clean it because you put all the ingredients in this, like, stainless steel bowl that's built into the.
Leo Laporte [01:14:59]:
Whynter is spelled W-H-Y. And that's my question.
Stacey Higginbotham [01:15:05]:
It really makes amazing ice cream.
Leo Laporte [01:15:08]:
This looks like my giant herb hermetic sealer. It's huge.
Alex Stamos [01:15:12]:
Oh, my God. Because it actually does have a compressor built.
Stacey Higginbotham [01:15:14]:
It has a compressor? Yeah. No, it's amazing.
Alex Stamos [01:15:16]:
It blows, like, hot air out the side.
Stacey Higginbotham [01:15:18]:
Yes.
Leo Laporte [01:15:19]:
It sounds like. It sounds like a cement mixer, but.
Stacey Higginbotham [01:15:22]:
If you have a Thermomix.
Leo Laporte [01:15:24]:
Well, I might as well, right? I'm out of counter space, to be honest. But this thing.
Alex Stamos [01:15:30]:
Oh, my God.
Stacey Higginbotham [01:15:31]:
I'm just gonna let y'. All.
Alex Stamos [01:15:32]:
It's like, we're not gonna. The laws of thermodynamics to get between us and make an ice cream on. On top of your counter.
Stacey Higginbotham [01:15:39]:
It's the smallest amount of ice. I mean, it's like it only makes.
Leo Laporte [01:15:43]:
A little tiny bowl.
Stacey Higginbotham [01:15:45]:
It's. It's not.
Leo Laporte [01:15:46]:
It does it in 30 minutes, though.
Stacey Higginbotham [01:15:48]:
It's. I mean, it is an awesome.
Leo Laporte [01:15:51]:
Can I make the custard in the Thermomix and then pour it into the Whynter compressor?
Stacey Higginbotham [01:15:55]:
Yeah, you probably could. You could mostly automate it.
Leo Laporte [01:15:59]:
All right, we're going to take a break now.
Alex Stamos [01:16:01]:
Features and specifications, 180 watts.
Leo Laporte [01:16:05]:
Okay, I'm gonna have to get a new fuse box put in, but other than that, I get another 40amp circuit for this thing and the Thermomix. All right, I'm sorry, folks. I apologize. And trust no one says. I can't believe I'm saying this, but $500 for both the creamy and the slushy is not a bad deal. The Ninjas are very affordable. Very affordable. We're having fun.
Leo Laporte [01:16:35]:
This is This Week in Tech, the wonderful Jill Duffy who do you schlep it? You move around a lot. You bring your Thermomix with you everywhere you go.
Jill Duffy [01:16:44]:
I don't have a Thermomix. No, I'm. I actually. I do a lot of old school stuff. I've been making homemade yogurt lately, but I do it just in glass jars. And then I have a. I have a water distiller because I can't drink the water out of the tap here. But the water distiller is warm, so.
Leo Laporte [01:16:59]:
I just use it for making yogurt.
Jill Duffy [01:17:01]:
Glasses, like full jar glasses.
Leo Laporte [01:17:04]:
It keeps it just put them on.
Jill Duffy [01:17:05]:
Top of the distiller and then 12 hours later, I have yogurt.
Leo Laporte [01:17:08]:
Aren't you thrifty?
Stacey Higginbotham [01:17:10]:
Very.
Jill Duffy [01:17:10]:
Yeah.
Stacey Higginbotham [01:17:11]:
Old school.
Leo Laporte [01:17:12]:
Old school.
Stacey Higginbotham [01:17:13]:
Yeah.
Leo Laporte [01:17:14]:
Now I'm hungry for yogurt. If you just got the slushie, you could. You could make fried yogurt.
Jill Duffy [01:17:18]:
I could do that, yeah. But I'd need 220 here.
Leo Laporte [01:17:24]:
That's a problem, isn't it? When you move around and you move around a lot, you have to always have the plugs, the things.
Jill Duffy [01:17:30]:
Yeah. So there's something called the step down converter, which is a giant box.
Stacey Higginbotham [01:17:34]:
Right.
Jill Duffy [01:17:34]:
So that I can plug in.
Leo Laporte [01:17:35]:
Bring that with you.
Jill Duffy [01:17:38]:
I usually have them provided for our house here. Yeah, yeah.
Leo Laporte [01:17:42]:
Right. Yeah, we're going to have the house. You better put a converter, an inverter or whatever. Yeah. It's great to have you, Jill. Thank you for being here. Contributor, Wired magazine, and PC magazine. Stacey Higginbotham's also here.
Leo Laporte [01:17:55]:
She's policy fellow at Consumer Reports, working on that router stuff. I'm excited about that. Your colleague, Paris Martineau has become a radioactive shrimp and lead in your protein powder superstar.
Stacey Higginbotham [01:18:09]:
I loved her radioactive shrimp story. It answered so many questions.
Leo Laporte [01:18:14]:
She figured it out where the cesium was coming from. Pretty impressive. I love CR. I've been a customer, subscriber, a member since 1980, my whole life. Yeah, it's the best. I was so happy when you went there, sir.
Alex Stamos [01:18:29]:
You give it a full pizza.
Leo Laporte [01:18:31]:
Full pizza, all eight slices. Alex Stamos, he's the CSO, chief security officer at corridor.dev. If you've. If you're using agentic AI to do vibe coding, you better go visit Corridor. You need some security. You can't just, you know, do what I did this morning and let Claude Code go crazy on your repositories. Well, it was kind of fun, I admit. Tickled a little bit. Great to have all three of you.
Leo Laporte [01:19:00]:
Our show today, brought to you by Miro. Oh, we love Miro. Micah and I used Miro for a long time as we were planning the show because we were in different places. We did the Ask the tech guys show together. Right. And Miro was such a help. The gap between when you're a startup or you got a, you know, you, or you're planning a show or you're working on a project together, the gap between idea and impact can kill your team's progress. And I think it's safe to say, just throwing AI at the problem without you knowing, without the clarity that, you know, the planning doesn't help.
Leo Laporte [01:19:37]:
That's where Miro's amazing. Yeah, it's powered by AI, but with Miro, teamwork that typically takes weeks done in days. So your team, your team focuses on building the right things and having AI available in a contextual, easy to apply way because the AI sees your planning. It's all there in the Miro. Here's how Miro helps teams get great done. Your second brain with Miro AI sidekicks. Okay. AI sidekicks are trained to think like product leaders, like agile coaches, like product marketers, to review your materials, to recommend areas to double down on or to clarify inputs or to add direct feedback.
Leo Laporte [01:20:22]:
You can build custom sidekicks yourself that integrate into other workflows for exactly what your team needs. Think of it as an extension of your team's capabilities. It's not a replacement. No, no, it's an extension. It's great. You can Generate meaningful insights faster by eliminating the need to switch between tools. With Miro Insights, Miro AI sorts through everything you input, even if it's in different formats. That's the beauty of Miro.
Leo Laporte [01:20:47]:
So you throw in your sticky notes, your research, your ideas. Then Miro combines them into a structured research summary. Product briefs. They can even do like things like sentiment analysis, which means you can take concepts, you take 20 concepts, test them rapidly. With Miro Prototypes. You could generate instant and contextually embedded prototypes for right from your board without needing to do it anywhere else. It's kind of miraculous. You'll iterate rapidly on near limitless variations and then feel confident about the feasibility and visualization before you even get get into the high fidelity builds.
Leo Laporte [01:21:24]:
It's nice to have that confidence. We're on the right track. Spend time on building, not digging for information. Miro doesn't replace the design tools your team loves. It works with them. It's aligning before you need them. Okay. Miro's blueprints and spaces organize your team's work in an intuitive and easy to follow format.
Leo Laporte [01:21:46]:
Help your teams get great done with Miro. Check out miro.com to find out how. That's M-I-R-O.com. We thank them so much for supporting This Week in Tech. You check it out miro.com and if they ask you, I don't know if they do, but if they ask you, say yeah, I heard it on TWiT. So I, I mentioned this in passing before the last break. Let's get to it now. The FCC voted or is about to vote to scrap. This is almost stunning, but it's, I guess, shouldn't be surprised, cybersecurity requirements. Brendan Carr, who's the chair, voted against the rules when he was just a commissioner in January, calls them ineffective and illegal.
Leo Laporte [01:22:31]:
So they'll be voting this month on whether to eliminate cybersecurity requirements for telecom carriers. These were requirements that were enacted after Salt Typhoon in January.
Stacey Higginbotham [01:22:46]:
Yeah, yeah. This was basically.
Leo Laporte [01:22:51]:
You know, CALEA is fine.
Stacey Higginbotham [01:22:54]:
I mean CALEA is not the best avenue to do this, but we don't have another avenue. Wyden actually introduced a bill last year, and I think this year as well, to require the FCC to set cyber security rules for carriers.
Leo Laporte [01:23:11]:
So Carr said they moved too fast. It was an 11th hour ruling that not only exceeded the agency's authority, but wasn't effective or agile to the cyber.
Alex Stamos [01:23:20]:
I've heard that Mr. Carr really cares about the FCC staying within its lane and not exceeding authority.
Leo Laporte [01:23:26]:
We're correcting course, he says all right.
Stacey Higginbotham [01:23:31]:
Well, as long as, yeah, they're terrible. And we do need cybersecurity rules for our carriers because they are not. I mean, I'm sure Alex can tell you that if you don't force companies to, if you don't require them to have some sort of cybersecurity rules to follow, they will not follow them unless it becomes too painful for them. And Right. You would think Salt Typhoon was too.
Leo Laporte [01:23:56]:
Painful, but yeah, the market's not going to take care of cybersecurity.
Alex Stamos [01:24:02]:
I. It's getting hard to not be conspiracy minded here. For all of the statements that this administration makes about China, Salt Typhoon completely owned up America's telecom networks to the point of where they were able to listen in on the calls of the then candidate Trump and the Vice President, apparently possibly even sitting members of the administration. Those space vulnerabilities have not been taken care of.
Leo Laporte [01:24:39]:
Oh, but we're going to get rid of the TP link routers because those are the problems.
Alex Stamos [01:24:43]:
They closed the Cyber Safety Review Board before the CSRB issued a report that would address those issues. They have destroyed CISA. They've eliminated the vast majority of the good people there. CISA does not have a confirmed director. A ton of good people are gone. The National Security Council used to have 396 people working for it, including a fully staffed cyber division. There are now fewer than 40 people working for the National Security Council and nobody working for cyber. As far as I can tell, the only person who's been confirmed doing anything for cyber is the National Cyber Director, who seems like a pervasive nice guy but has no background in this.
Alex Stamos [01:25:23]:
And Mitch as as much if you ever meet with him, which I was able to do during the RSA conference, and if you look at the long term advantages the United States has over the People's Republic of China, our ability to attract the best and brightest people from around the world, high skilled immigration, the quality of our university system, our alliances, free trade, all of those things have been destroyed. It has been absolutely the best possible outcome for the People's Republic of China and Xi since January. I don't know what else to say. So this just adds to kind of a complete surrender, at least on the cyber side to the Chinese. We are spectacularly poorly prepared right now for a cyber attack. Another thing that we haven't talked about yet is just recently it was discovered that something like 200 different local municipalities, including especially like their water departments, had been compromised by a different hacking group inside of China, which is something that you would only do if you're preparing for potential significant conflict with the United States that follows years and years of the PRC planting backdoors in power grids, water grids, railroad systems. Are those backdoors in the United States still in there? No, they're discovered and then taken out. Right.
Alex Stamos [01:26:51]:
But what we've seen over the last several years is kind of a real change in the kind of goals of Chinese hacking. Right. Which used to be very much focused on financial and intellectual property focused, and now you see way more focus on infrastructure and the planting of access capabilities, which could only be used in conflict. Right. There's.
Leo Laporte [01:27:18]:
So it's a time bomb. Should they say, invade Taiwan and we decide to respond, they've got a time bomb.
Alex Stamos [01:27:28]:
Right. There are situations that can both. Right. So that would both be to slow a US Response. So that's like the power and water grid in Guam, the rail system in Southern California. That is the mechanism by which Marines would ship out to San Diego to board ships, you know, to be shipped out to the Pacific in case of threat, shutting off water, water and power to our air base in Guam. But then also, you know, if you're talking about 200 water systems throughout the United States, that is a threat to try to make life more difficult for America. And we have not responded appropriately to this in any way.
Alex Stamos [01:28:08]:
And the staff doesn't even exist, honestly to do so. We've also lost a massive number of people in the FBI. There's been kind of political purges that have happened, and a ton of people took early retirement. Because if you've put your 25 years in, if you've dedicated your life to the FBI, you're going to go take your pension and then go make a bunch of money doing something else in.
Leo Laporte [01:28:28]:
The private sector, possibly.
Alex Stamos [01:28:29]:
Right. Instead of possibly waiting to be purged out and then lose all of that time. So I don't know what to say other than it's a terrifying time. When you talk to CISOs who work on critical infrastructure, who work on companies that are possible targets, they feel like they're possibly alone here in California. It's terrifying because we have the World Cup in 26, the Super Bowl in 27, the Olympics in 2028, and without the federal government possibly here to protect us, so like the state of California and our critical infrastructure companies are kind of gearing up to be able to do our, you know, our own defense without having CISA, the FBI, or Cyber Command, which also had their director fired. The most qualified commander of Cyber Command and Director of the NSA that has ever existed. Fired because he worked for Joe Biden, which every general who is currently in the US military worked for Joe Biden. By definition, that's how it works in the military.
Alex Stamos [01:29:27]:
They're not just hired and fired randomly. They've spent their entire careers in lives.
Leo Laporte [01:29:33]:
They're non political, they're not nonpartisan.
Alex Stamos [01:29:36]:
But he was fired by. At the recommendation of Laura Loomer and then his has been just told that he is not going to be confirmed. So we have no idea who will be in charge of Cyber Command at NSA.
Leo Laporte [01:29:48]:
The definitive expert in cybersecurity, Laura Loomer.
Alex Stamos [01:29:51]:
Yes.
Leo Laporte [01:29:51]:
Can I ask you about your partner, Chris Krebs? Because of course he was the head of CISO, CISA, rather, under, under Trump and had the temerity after the 2020 election to say it was the most secure election in American history. Giving a lie to the, you know, the big lie. And Trump's been going after him.
Alex Stamos [01:30:14]:
Yes, I know. Resigned personally.
Leo Laporte [01:30:17]:
Yeah. Yes, they, they, they killed his Global Entry membership. I mean it's little, it's a little, you know, harassment stuff. Although the DOJ is apparently investigating him. What's the situation with that, do you know?
Alex Stamos [01:30:28]:
I haven't heard anything about any further DOJ.
Leo Laporte [01:30:31]:
Yeah, because there's nothing to investigate.
Alex Stamos [01:30:34]:
No, he did his job and he, he didn't even do anything particularly political. He just told the truth, which is he believed that the 2020 election was secure and he was fired at the time. And then since then he has not been particularly political. He's talked about publicly about cyber issues.
Leo Laporte [01:30:51]:
Yeah, he was your partner and I thought he, in a really respectable upstanding way, decided to resign that partnership because he didn't want to bring trouble to you and to the company.
Alex Stamos [01:31:03]:
So, yeah, we had sold the company to SentinelOne, so we were both working at SentinelOne, which, which is a much larger public company.
Leo Laporte [01:31:09]:
Yeah, I remember that was the last time you were on. We were talking about that.
Alex Stamos [01:31:11]:
Yeah. And he stepped down after the executive order because the executive order said that everybody who works at SentinelOne was going to get their security clearance revoked, which obviously for a company that does.
Leo Laporte [01:31:25]:
$100 million, that's a big deal government work. This is the kind of pressure that a government and a DOJ that works for a political person can put on companies. That is just untenable.
Alex Stamos [01:31:40]:
Yes, this is, I expect, not this exact situation, but this is, I think, why the Constitution specifically says that you're not allowed to single out individuals and say this person's a Bad person. It says that twice, I believe. But, you know, the Constitution does not seem to be too much of a barrier to this. So, yes, Chris stepped down and I have left as well. It was less fun without him, I bet.
Leo Laporte [01:32:07]:
All respect to Chris Krebs. It's just shameful. So let's talk about the FCC again. Brendan Carr began dismantling rules requiring your ISP to offer detail. Remember, I really liked this. The nutrition label that we. You've probably seen it. That actually showed the real broadband numbers and the information about what you were buying.
Leo Laporte [01:32:32]:
They are going to get rid of those.
Stacey Higginbotham [01:32:34]:
You probably didn't see it because it wasn't marketed super well in.
Leo Laporte [01:32:37]:
I saw it because I was looking for it.
Stacey Higginbotham [01:32:39]:
So if you looked for it, you could see it. And there's. So we are actually filing. I am writing up comments this coming week about it. I'm also writing comments about the cybersecurity stuff too. So, you know, yay CR. Arguing against this. The real like.
Stacey Higginbotham [01:32:57]:
So they want to kill the broadband label. It's part of Carr's delete, delete, delete efforts. He's got a bunch of them. They're all pretty. Well, some of them are actually reasonable.
Leo Laporte [01:33:06]:
They got rid of the click to cancel rules the FTC passed because Comcast said, if you make it as easy to cancel as it was to sign up, we're going to lose customers. So they said, oh, yeah, you're right, we shouldn't. This is so blatantly anti consumer.
Stacey Higginbotham [01:33:25]:
So that was the FTC's click to cancel. Yes, yes, yes.
Leo Laporte [01:33:28]:
I'm just, I know it's not the FCC, it's the FTC. But it's similar. It's the same idea. It's like broadband. Who. Who doesn't like these broadband nutrition labels? Oh, the broadband companies. Because they don't want you to know you're not getting what you pay for.
Stacey Higginbotham [01:33:43]:
Well. And they don't want it to be easy for. For people to comparison shop and to see. I, I think based on how they've complied with this, like if you can actually pull the labels. So Comcast will give you an Excel file with all of the label Data. There are 3,497 rows for each individual plan. And the idea is to make it as hard as possible to compare broadband pricing across.
Leo Laporte [01:34:09]:
We wouldn't want to do that.
Stacey Higginbotham [01:34:11]:
You wouldn't want to show that.
Alex Stamos [01:34:13]:
No.
Stacey Higginbotham [01:34:14]:
So. So yeah, they're doing this too.
Leo Laporte [01:34:18]:
It's now it's not. It's a rulemaking. So it has 60 days.
Stacey Higginbotham [01:34:23]:
Yeah, you can file comments.
Leo Laporte [01:34:25]:
You can file comments. Everybody should absolutely file comments. Although remember the net neutrality thing? The comments. There were a lot of fake comments.
Stacey Higginbotham [01:34:35]:
But you could file real comments. Yeah, like I'm filing real comments. Y' all could also file real comments. If you do file real comments, you should say like there's, there's a couple points that are really important and that is that I don't want to get into this.
Leo Laporte [01:34:52]:
Yeah, it's like, do you want me.
Stacey Higginbotham [01:34:54]:
To get into it? But it's a lot.
Leo Laporte [01:34:55]:
I mean, I think enough. We, we could spend all.
Stacey Higginbotham [01:35:00]:
You like the labels, you like that they're machine readable. You should say that they provide useful information. You should say that it is important to have the labels in the same language that you were sold your broadband subscription at. You should also say that it's important to have the fees, like the pass through fees. One of the things they're mad about is, you know, they want to take out the state fees and they're, they're enumerated in the label, but they want to take that out. So it'd just be like what Comcast wants to charge you as opposed to what Comcast wants to charge you, plus the utility rates and all the things associated with your.
Leo Laporte [01:35:33]:
Now I should point out Comcast gave a couple million dollars to the ballroom. So if you really want to be effective in this comment, you should probably donate to the ballroom.
Alex Stamos [01:35:46]:
That was your mistake.
Stacey Higginbotham [01:35:47]:
My job seem useless. Don't do that.
Leo Laporte [01:35:51]:
Comcast, T-Mobile, Meta, Apple, Microsoft, Google, all donated to the ballroom. So I guess that probably carries some weight with Brendan Carr. You know, he's, he's probably, you know, these are, these are good people. There are people. I'm being cynical. Yeah. Make your comments. Although, Stacy, do you think it's going to make a difference?
Stacey Higginbotham [01:36:21]:
It is important to be on the record.
Leo Laporte [01:36:23]:
Yes. Get on the record. Get on the record.
Stacey Higginbotham [01:36:26]:
Because maybe one day we will not have the current administration and that's a good point.
Leo Laporte [01:36:33]:
That's a good point. We only have three more years of this.
Stacey Higginbotham [01:36:38]:
Everything Alex told you about, like what's happening in cyber security that is literally like every day. That's true at that from a policy perspective. And I'm like, okay, what do I fight on now? Yeah, it's sad.
Leo Laporte [01:36:52]:
It's frustrating.
Stacey Higginbotham [01:36:58]:
Death cleaning.
Jill Duffy [01:37:00]:
Death cleaning.
Leo Laporte [01:37:01]:
Swedish. So what is Swedish death cleaning?
Jill Duffy [01:37:04]:
Swedish death cleaning. It's a concept that was around in Sweden for a long time and then an author put it into a book and it sort of became well known for that.
Leo Laporte [01:37:13]:
It's the Marie Kondo for this generation.
Jill Duffy [01:37:16]:
Let me side note on Marie Kondo for a moment. I love her. She had three kids and she was.
Leo Laporte [01:37:24]:
She got sloppy. She got sloppy.
Jill Duffy [01:37:26]:
She was asked, like, so what do you do with three children? She's like, oh, I don't do that any. I don't do the organizing anymore. I have three kids. Leave me alone.
Leo Laporte [01:37:32]:
Who has time?
Jill Duffy [01:37:33]:
So much respect. Because she could have spun out, like, the artful joy of tidying up for mothers, the artful joy of tidying up for seniors. Like, she could have spun it on anyway. She was just like, no, I'm done. My kids are messy.
Alex Stamos [01:37:48]:
She said thank you to that and goodbye.
Jill Duffy [01:37:53]:
I appreciate that.
Leo Laporte [01:37:54]:
Your kids spark more joy than all the clutter.
Stacey Higginbotham [01:37:58]:
Yeah.
Jill Duffy [01:37:58]:
So Swedish death cleaning. Anyway, it's this really phenomenal concept that we have too much.
Leo Laporte [01:38:03]:
This is your article, by the way, in Wired.
Jill Duffy [01:38:05]:
This is my article in Wired. We have too much stuff. We spend the first half of our life collecting stuff. And we should spend the second half of our life very slow, slowly getting rid of things we don't need and keeping the things that we like in good condition and thinking about handing them down so that we are not leaving a burden to other people of our big mess.
Leo Laporte [01:38:25]:
Now, let me ask you, does this include digital?
Jill Duffy [01:38:28]:
Yeah. So this is what my article was really about. I came up with this idea of beyond just passing along my passwords. Like, what about organizing my photos so that the person who inherits them isn't just faced with thousands and thousands of digital images they don't know what to do with.
Leo Laporte [01:38:45]:
In my case, 32,000.
Jill Duffy [01:38:49]:
What about my diaries? Do I want anybody to see them? Do I want to keep them encrypted and protected and make sure that nobody has that path?
Leo Laporte [01:38:56]:
That's funny. Yeah, that's a good point. Yeah.
Jill Duffy [01:38:58]:
And then I started interviewing people, and it just got more and more interesting. So I interviewed this wonderful woman, Tina O'Keefe. She has a personal organizing business and she specializes in working with seniors. So the senior element is really important because a lot of people think like, oh, I'll do my own Swedish death cleaning throughout my life, little by little as I get older. But the way that most people first encounter it is with a parent or a grandparent, one of your elders.
Leo Laporte [01:39:26]:
I've done this. My mom is in assisted living. She's got Alzheimer's. She's 92. She'll be 93 in a couple of months. And we have her house. I'm amazed at all the crap that's in there.
Jill Duffy [01:39:38]:
But also, as we age, a lot of people have dementia, Alzheimer's, different cognitive abilities that start to decline. They also have physical abilities that start to decline.
Leo Laporte [01:39:50]:
That's why she's assisted living.
Stacey Higginbotham [01:39:52]:
Yeah.
Jill Duffy [01:39:53]:
And not everybody has a lot of tech skills either. So, anyway, this woman I interviewed, Tina O'Keefe, she's a personal organizer. She specializes in working with seniors. And she said she was working with a woman who was terminally ill, who had had two marriages. And she said, I've kept all these mementos from my first marriage that I don't want my second spouse to see or find. So they had to come up with a way like, okay, do I give it to my kids? Do I save it for myself? Do I burn it? Like, what do I do with it? And then the digital aspect was just so interesting. So I interviewed a guy named Adam, who is Swedish, and he went to help his grandfather with Swedish death cleaning. And one of the things he found was a phone full of malware.
Jill Duffy [01:40:36]:
So not only did he then want to rescue all of the photos and.
Leo Laporte [01:40:40]:
Important stuff, send it to Alex, I bet he could use it.
Jill Duffy [01:40:43]:
So it was super interesting just to see the real world challenges people have in thinking about, how do I organize my digital life? So then I'm passing it down in a way that's sort of like, respectful, and I'm giving people the things that I want to make sure that some people have. And so you can think, what, do I not have to wait until I die to pass?
Leo Laporte [01:41:06]:
Do it now, because if you're dead, you're not going to do it.
Jill Duffy [01:41:09]:
So share photos and videos, for example, put them in a folder, organize it neatly. But thinking about things like, if you give somebody access to your computer or your phone, is there a very simple read me file right on the desktop, or are they going to have to go digging through?
Leo Laporte [01:41:27]:
On my files, there is a folded piece of paper under the leaf there that it's not visible, but if you know it's there, you can open the leaf. My wife knows about it, that says in case of my death or dismemberment. And it has. That's probably a little overdramatic way to put it, but it has my actually, you know, Bitwarden has a form that you fill out. And I think other password managers do this.
Jill Duffy [01:41:52]:
Yeah, they do.
Leo Laporte [01:41:53]:
Yeah, it's clever.
Jill Duffy [01:41:54]:
So that's an easy way to pass on your online accounts. But there are tricky things you have to think about, too. So some social media have terms of service that don't allow you to technically give your account to some.
Alex Stamos [01:42:05]:
Somebody else.
Stacey Higginbotham [01:42:06]:
Can't do that.
Leo Laporte [01:42:07]:
You can't hand that down.
Jill Duffy [01:42:08]:
No, you can't or you really, really shouldn't give anybody your password for your banking accounts. Like that needs to go through the beneficiary form. That's really.
Leo Laporte [01:42:19]:
Oh, really? I shouldn't give that to my wife? Because you're right, it's in my will.
Jill Duffy [01:42:24]:
You know, it's something that you have to educate it. People don't know this from birth. You have to tell people this. So younger people may not know that. You can't just give somebody your financial logins for.
Leo Laporte [01:42:35]:
This is important. Here's my Bitwarden security readiness kit which I hope you can't read through the paper I'm hiding. Let me just put that away. But this has all the important stuff in it, right. And then Lisa can. But that's a good point. That you probably shouldn't give your access. Well, it's got my.
Leo Laporte [01:42:58]:
All my passwords.
Stacey Higginbotham [01:43:00]:
Right.
Jill Duffy [01:43:00]:
But you, you really don't want anybody touching or moving your money after the.
Leo Laporte [01:43:05]:
Well, I trust executors, so I.
Jill Duffy [01:43:07]:
They'll get in some big trouble if they don't do it through the proper channel.
Stacey Higginbotham [01:43:11]:
You have to have a death certificate and bring it to the bank.
Alex Stamos [01:43:13]:
That's also why you have a trust, right?
Leo Laporte [01:43:15]:
Yeah, I have a trust. Yeah, we have a trust.
Stacey Higginbotham [01:43:17]:
But there are.
Alex Stamos [01:43:17]:
Your wife can control it without.
Leo Laporte [01:43:19]:
Yeah, yeah, yeah.
Jill Duffy [01:43:20]:
There are a lot. But you have to go through those channels.
Stacey Higginbotham [01:43:22]:
Right.
Jill Duffy [01:43:22]:
But there are lots and lots of other digital assets we have that we don't necessarily think about organizing planning.
Leo Laporte [01:43:27]:
Every time I put another picture in my photo, my photos collection, I go, nobody's ever going to want to see this after I'm gone. Right.
Jill Duffy [01:43:35]:
There's another article I wrote I want to tell you about. There's a wonderful newsletter called Gloria. It's at. Hello Gloria. It's for women in midlife and I've been writing a little bit for them. So a piece I kind of wrote in tandem with this one was about creating a death notification list in my email. So I started. I had a friend who died unexpectedly young and.
Leo Laporte [01:44:01]:
Sorry.
Jill Duffy [01:44:02]:
Oh, thank you. It was really upsetting in part because I didn't find out for almost five months after she died. We had an email based friendship. We didn't really have any friends in common and it was just like so weird. I haven't heard from her in a while and I went to look up her name online thinking like, let me see what her Bylines are. Maybe she got laid off. She works in media. And I found an obituary and I was like, what? Like, it was so.
Jill Duffy [01:44:30]:
It was so unnerving. It was really, really shocking. But it sent me down this path of thinking, like, how do we tell people anymore how we die? And there are so many connections I have that like, my partner doesn't know these people, my sisters don't know these people. Like, how are they gonna know? So I came up with this idea of making sure that I have an email list in my email that I plan to go through once a year and update. And it's lots of like acquaintances and my accountants.
Leo Laporte [01:45:02]:
Have you written the email that's gonna be sent already?
Jill Duffy [01:45:04]:
Yes, yes. So I wrote the email.
Leo Laporte [01:45:07]:
I am dead. If you're reading this, I am dead.
Jill Duffy [01:45:09]:
Yeah. Basically it's a mad lib. I should let you know Jill Duffy has died on such and such date of such and such causes.
Leo Laporte [01:45:17]:
So your husband has to fill that part in.
Jill Duffy [01:45:19]:
I have a different trusted person. I have a different trusted person for this who will inherit some of my passwords. And yeah, I mean, I think it's a little goofy, it's a little wacky, it's a little low tech in some ways.
Leo Laporte [01:45:32]:
I want to make. I'm thinking I should have a dead man switch so that like every month I have to say I'm still alive. But if I don't, then it sends it out to everybody. Leo must be dead because he didn't say he's still alive. That's how the emergency. Yeah, I know you're not a sound like Leo, Alex. You sound like you might have some experience.
Jill Duffy [01:45:55]:
I'm just saying there's the Google Inactive Account Manager, right? So it will pass on your Google account to somebody, to a trusted person if you don't touch it in so many months.
Leo Laporte [01:46:06]:
Our sponsor, Bitwarden and every other password manager I know of has an emergency legacy account, legacy feature. And they have it. They have a dead man switch. So if I, if Lisa requests my password, it sends me an email and then you get to set how long it waits for before you don't respond. And then it says, okay, go ahead. He must be gone now. Somebody's saying Leo sounds so morbid. But when you get to my age, you start thinking about these things and everybody probably should think about.
Leo Laporte [01:46:38]:
Because you know, this is, this is.
Stacey Higginbotham [01:46:40]:
Swedish helpful for the people. I mean people.
Leo Laporte [01:46:43]:
You're doing it for them. Yeah, you're doing it for them.
Stacey Higginbotham [01:46:45]:
Think about it that way.
Leo Laporte [01:46:46]:
Yes, they should rename Somebody will have to do Goodbye Gloria. And not hello.
Jill Duffy [01:46:52]:
Somebody will have to do something with your stuff after you die. I think about don't tell them. They're going to throw it out.
Leo Laporte [01:47:00]:
For instance, I have a painting from the 18th, 19th, late early 19th century of an ancestor hanging on my wall. And I don't think either of my kids really want this, you know, 1830s portrait of their ancestor. I don't know what to do with it. I guess it's going to end up at Goodwill and somebody's going to have my Antiques Roadshow. Antiques Roadshow? It's not worth. I doubt. Well, you never know. I should look and maybe there's stock certificates in the lining or something.
Leo Laporte [01:47:31]:
Maybe it is worth something.
Alex Stamos [01:47:33]:
Copy the Magna Carta.
Leo Laporte [01:47:34]:
Yeah, the Magna Carta. Swedish. You know what? This is good advice. Wired.com has a story was just last week. There's a link to various things in there. And Jill's story with Hello Gloria is also on their front page. You can read about that. I think this is.
Leo Laporte [01:47:50]:
I think this is wise. This is good planning. Let's talk about the F5 hack in just a little bit. Also, YX may be telling you you need to re-enroll your YubiKey.
Stacey Higginbotham [01:48:05]:
Huh?
Leo Laporte [01:48:06]:
And Proton's new Data Breach Observatory. A little competition for Have I Been Pwned? It's got a good name. Well, we'll talk about that and a lot more as well as ads on your two thousand dollar smart fridge when we continue. We got Stacy Higginbotham's here. She sounds. She looks sad now. Are you. Are you making your list of.
Leo Laporte [01:48:27]:
Of people to send emails to if you pass away, you're gonna be with us.
Stacey Higginbotham [01:48:31]:
I'm wondering how often I need to like maintain my. My prep for death.
Leo Laporte [01:48:37]:
No, don't. Don't even think about it.
Stacey Higginbotham [01:48:39]:
Well, don't. Like she said, you do it once a year. Jill. So I'm like is once a year. That feels reasonable. So check. Make sure everything's copacetic.
Alex Stamos [01:48:50]:
Yeah, I guess you have to rewrite the angry because you have your enemies emails that go out too, right?
Leo Laporte [01:48:56]:
Oh yeah. Hey, good news. You know that guy you really hate?
Stacey Higginbotham [01:48:59]:
You're a Brendan Carr.
Alex Stamos [01:49:01]:
I'm dead.
Stacey Higginbotham [01:49:02]:
I'm dead and I hope you really regret it.
Leo Laporte [01:49:06]:
That's so depressing. You won, okay?
Alex Stamos [01:49:10]:
You won.
Leo Laporte [01:49:11]:
You could dance on my grave. It'll be at the cemetery in a few minutes.
Alex Stamos [01:49:16]:
Wait, your guys's dead man switch doesn't have all your blackmail material. It should. Yeah, that's not part of Swedish can't use it anymore.
Leo Laporte [01:49:24]:
You can't blackmail me.
Alex Stamos [01:49:25]:
I guess we have different. I'm gone.
Leo Laporte [01:49:28]:
I'm done. Alex Stamos is here. So good to have you. CSO corridor.dev and the Swedish death cleaning queen, Jill Duffy.
Alex Stamos [01:49:42]:
The Marie Kondo of Swedish Death Cleaning.
Leo Laporte [01:49:44]:
The Marie Kondo of Swedish Death Cleaning. I did the Kondo thing. I did. I went through my whole closet, but everything sparked joy. So it wasn't really much of a net gain all these shirts.
Jill Duffy [01:49:56]:
The one thing I don't like about the Marie Kondo method is it's sort of framed as do it one time. Like take a couple of hours, take a two day break and do it one time. And I'm much more of the idea that like thinking about it as hygiene, you know, something you do a little bit every day. If you miss a day, it's not a big deal.
Leo Laporte [01:50:13]:
Little bit at a time, all the time. Yeah, that's the key. It's like tidying up. I have about 60 of these cuckoo shirts and Lisa keeps inviting her son over to take them. No, these are mine. I do admit I have at least three quarters of the closet space in the house. That's probably not as it should be. I know.
Leo Laporte [01:50:37]:
Isn't that awful? Stacy, you wouldn't think. You don't. You don't see some sorts. No, I know. It's not the first thing you'd think. Oh, Leo, he's probably got a lot of suits. No, it's all cuckoo shirts is what it is. And costumes.
Leo Laporte [01:50:50]:
A lot of costumes. We will continue in just a moment. Ah, Alex, you probably know what this is. This is our sponsor. This, my friends, is a honeypot. This is brilliant. This is the Thinkst Canary, our sponsor for this segment of this Week in Tech. Now, I disconnected my honeypot, so I'm going to get an alert in just a little bit saying your honeypot's disconnected.
Leo Laporte [01:51:14]:
But that's what's the beauty of this Thinkst Canaries. Honeypots traditionally are very complicated. I remember talking to, I think it was Bill Cheswick who wrote one of the very first honeypots and he said it's complicated to create a good honeypot. A honeypot is something that attracts not flies, but hackers. Something that's sitting on your network that will let you know if a bad guy has penetrated your defenses. And you need this. Not just a bad guy or a malicious insider, but because it's so complicated, you really want to get a Thinkst Canary. This is a honeypot that can be deployed in minutes.
Leo Laporte [01:51:53]:
It can impersonate almost anything from a Windows server to I have a 2019 SharePoint server running in my network. Wink, wink, nudge, nudge. Bad guys can't resist that one. To SCADA device. It could be a SCADA device, it could be anything. It's absolutely indistinguishable from the real thing down to the MAC address. They actually have appropriate MAC addresses. My Synology NAS, Thinkst Canary has the DSM 7 login just like the real deal.
Leo Laporte [01:52:23]:
So bad guys see it on the network. They're irresistible. They're irresistible. You can also create lure files with your Thinkst Canary. I have a WireGuard, a fake WireGuard configuration file sitting on Google Drive just waiting. How could a bad guy resist that? Right? It's the keys to the kingdom. The minute someone accesses your, you know, your, your lure file or your or brute forces your fake internal SSH server, your Thinkst Canary will immediately tell you you got a problem. No false alerts, just the alerts that matter.
Leo Laporte [01:52:58]:
And you can get them any way you want them. SMS, email, syslog. It supports webhooks. There's even an API any way you want them. The thing is, if you hear from your Canary, there's a good reason. Just choose a profile for your Thinkst Canary device and it's easy to pick. There's hundreds to choose from. It's actually so easy.
Leo Laporte [01:53:16]:
I change mine regularly. It's fun. Then register it with the hosted console for monitoring and notifications. And then you just, you know, you sit back and you wait. Attackers who've breached your network, malicious insiders, other adversaries are going to make themselves known by hitting your Thinkst Canary. They can't help it. Visit canary.tools/twit. $7,500 a year. You get five Thinkst Canaries, you get your own hosted console, you get upgrades, you get support, you get maintenance.
Leo Laporte [01:53:45]:
Ah, and if you use the code twit in the how did you hear about us box, you'll get 10% off the price. And not just for the first year, but for as long as you have your Thinkst Canaries 10% off. You could always return your Thinkst Canary. They have a two month money back guarantee, 60 days for a full refund. I have to tell you, they've been advertising with us since 2016. We've been talking about this. That's how long we've been using them. And in all that time, no one has ever claimed the refund.
Leo Laporte [01:54:14]:
Visit canary.tools/twit. canary.tools/twit. Don't forget to enter the code Twit in the how did you hear about us box for 10% off. canary.tools/twit. This is a must for every network, Thinkst Canary. This is from Alex and Risky Biz. F5 says an advanced persistent threat stole source code. This was just a couple of days ago. F5 is one of the, is a huge security company, right?
Alex Stamos [01:54:50]:
Yeah. They make network devices in particular.
Leo Laporte [01:54:53]:
Yeah.
Alex Stamos [01:54:54]:
Not security load balancers.
Leo Laporte [01:54:55]:
Yeah, yeah, yeah. So this is a security threat though because it's one of the largest. This everybody has F5 equipment.
Alex Stamos [01:55:03]:
Lots of large companies use F5 on the edge of their network.
Leo Laporte [01:55:07]:
So what do we do?
Alex Stamos [01:55:11]:
It's a real problem. So it looks like it was the Chinese and they're in the F5's network for at least a year. This looks like it could be a SolarWinds level attack. So F5 released a patch with at least 40 vulnerabilities. Those look like those were bugs that were reported to F5 during that time that the the Chinese know about.
Leo Laporte [01:55:32]:
So this is an interesting story. Microsoft, this. I, I'd heard this and I'm. Maybe you can confirm it. Of course Microsoft's had some real problems with Exchange and other servers. And, and there was some concern because Microsoft was getting its patches made in China.
Alex Stamos [01:55:48]:
Yes.
Leo Laporte [01:55:49]:
And they would send the breach in for the, the, the security flaw information to China for the fix before it was publicly announced. And weirdly the bad guys knew about it somehow before the patch went out.
Alex Stamos [01:56:06]:
I know, it's a shock.
Leo Laporte [01:56:07]:
How did that happen?
Alex Stamos [01:56:08]:
Yes. So that's the SharePoint bug for the summer. There's a huge bug in on-prem SharePoint and it turns out that Microsoft moved SharePoint sustained engineering to China. And so when there was a vulnerability found in SharePoint, it was actually found as part of one of the Pwn2Own competitions. That vault, that exploit code was turned over to Microsoft.
Leo Laporte [01:56:29]:
That's why you do Pwn2Own so that Microsoft gets it first before the bad guys.
Alex Stamos [01:56:33]:
Yeah. So Microsoft pays a bunch of money for this exploit. What do they do? They ship it to their engineers in China and then it gets used by the Ministry of State Security and a couple other groups in China to own up over a weekend, tens of thousands of American targets. In fact, one, I was still at SentinelOne at the time. One of the Chinese servers we were actually, we had data from upstream. We found that they did DNS requests for about 120,000 targets and that included a huge number of industrial targets. Most of the local and state government SharePoint servers in the state of California.
Alex Stamos [01:57:08]:
Lots of folks important.
Leo Laporte [01:57:10]:
If you think this doesn't affect you, it does. Because those servers had your information, which was then exfiltrated.
Alex Stamos [01:57:16]:
Yes. So what they're doing is they're just spraying everybody, putting in a backdoor so they can get back later before the patch was then, you know, available. This is true zero day. It was not something that you could possibly patch yet. So Microsoft had to rush the patch out super fast. But yeah, so I actually, I was just.
Leo Laporte [01:57:34]:
Do we know how the F5 breaches happened?
Alex Stamos [01:57:37]:
No. So we don't. We don't know exactly how the F5 breach happened yet. There hasn't been a release of a full root cause analysis or investigation yet.
Leo Laporte [01:57:45]:
But F5 says hackers were in the company's network for at least 12 months.
Alex Stamos [01:57:50]:
At least a year.
Leo Laporte [01:57:50]:
By the way, did I mention the Thinkst Canary?
Alex Stamos [01:57:54]:
Yes. If they had a Thinkst Canary, they would have known that. They would have known that the Chinese would have tripped on one and set off an alarm. So they spent a year inside. F5 says they have not seen that they had planted a back door. But if they have access to source and they could be finding vulnerabilities that nobody else knows about, is that the.
Leo Laporte [01:58:13]:
First thing these state actors do is they look for source code so that they can then implant other exploits.
Alex Stamos [01:58:19]:
If they find the exploit, then they have what's called a bug door, right? They don't need a real backdoor. They can have a bug door.
Leo Laporte [01:58:25]:
They can introduce bugs.
Alex Stamos [01:58:27]:
Well, they don't have to introduce it, right? So changing the code is really risky, right? So if you look at F5's code, remember F5 just patched 40 vulnerabilities, right? So you're talking about a product that had 40 unknown vulnerabilities. So if their code is that buggy and you're the Chinese, the first thing you do is you pull down the code and you're like, you don't need.
Leo Laporte [01:58:46]:
To put introduce that bugs.
Alex Stamos [01:58:48]:
They're there, right? And so if you're the Chinese, you might look at that and say the risk reward ratio here is not worth to plant something. Let's just find five bugs that they don't know about and then use them in targeted circumstances. And then when one gets patched, move to the next one. Move to the next one.
Leo Laporte [01:59:05]:
Could you use AI on a code base to look for vulnerable vulnerabilities?
Alex Stamos [01:59:09]:
In fact, you can, and I believe this is one of the stories that we have there if you want me to pitch to it. But like OpenAI just announced exactly this. Google has a project to do this too. So OpenAI just announced a project called Aardvark where they have an agent specifically to do this and they're going to have this as an agent that you use for your own code. But they're also doing against open source.
Leo Laporte [01:59:31]:
Do you know how effective it is?
Alex Stamos [01:59:32]:
It looks. I haven't gotten access to, to the beta yet, but from what I've seen, it's been pretty effective. Google's is very effective. Google has a project called Big Sleep which is a little, I mean from a naming perspective, I'll look to Stacey or Jill for their professional writers.
Leo Laporte [01:59:48]:
But like Swedish Big Sleep. Yes.
Alex Stamos [01:59:51]:
Yeah, like if you're, if you're like a trillion, multi trillion dollar tech company, would you call something Big Sleep? I mean it just sounds a little Bond villainy, but it comes from, it's.
Leo Laporte [02:00:01]:
It'S, it's Raymond Chandler.
Stacey Higginbotham [02:00:03]:
What.
Leo Laporte [02:00:03]:
It's the Big Sleep. It's a Humphrey Bogart movie. It's the long sleep, the sleep that doesn't end. That sleep. I guess not a good name for a bug hunter, but okay.
Alex Stamos [02:00:13]:
Right. But anyway, so Google's running their bug hunter against large amounts of open source and it's very.
Leo Laporte [02:00:21]:
Is this the FFMPEG story here? Because they were upset over this.
Alex Stamos [02:00:25]:
They are very upset, yeah. So you can go to Google if you search for Google. Big Sleep bugs. Google keeps a listing of all the big bugs that they have found and they have reported a bunch of bugs. FFmpeg FFmpeg is this extremely important open source library that all of us are probably using.
Leo Laporte [02:00:45]:
I have it on all my machines. Even if you didn't think you did, you do Plex installs it. A lot of programs install it.
Alex Stamos [02:00:53]:
It's a transcoder, it's used all the time. It's extremely important for encoding and decoding video. Google uses a ton of their products. So as a result, Google cares a lot because both, you know, Chrome, the browser, Chromium, ChromeOS, Android all use FFmpeg. And so Big Sleep is going through their, their AI is going through the source code.
Leo Laporte [02:01:16]:
That's good vulnerabilities, right? They found one, found some in ImageMagick as well. Another very widely used tool.
Alex Stamos [02:01:23]:
Yes. And ImageMagick has been used to exploit Android over and over again. The problem is what Google's doing is they are reporting using AI. AI is writing up these huge bug reports that are extremely detailed. It's great, but there's no fixes attached. And what the FFmpeg people are now tweeting about is they're calling this AI slop CVEs, right? Like just like AI slop images. And they're complaining that Google is burying them in these reports as they've got.
Leo Laporte [02:01:51]:
Are they not doing responsible disclosure? They're just publishing these?
Alex Stamos [02:01:55]:
Well, no, they're doing responsible disclosure, but Google's policy comes from the Project Zero days when human beings were finding the stuff, right? And it's 90 days. They give 90 days to these developers to fix it and they're not giving them any money. Right. So the FFmpeg people are complaining like wait, you're just burying us. You are one of the world's most valuable companies and they're. You have the world's best security researchers that are now backed by the world's best AI and you just expect us now for free to fix these bugs in the software that you guys use to make trillions of dollars.
Leo Laporte [02:02:26]:
FFmpeg says, is it really the job of a volunteer working on hobby 1990s codec to care about Google's security issues? Yeah, well, it is everybody's security issue. I mean FFmpeg does need to fix it, but 90 days is insufficient. These are volunteers, these are, these are, you know, but this is the, this is generally a problem in the world which is a lot of small open source. It's that famous XKCD cartoon where there's one little brick supporting this giant infrastructure maintained by some guy in Wisconsin and he's not getting paid to do it.
Alex Stamos [02:03:03]:
And they both have a good point. Like FFMPEG says that, that Google actually themselves now because of these bugs they have driven one of the FFMPEG developers away because FFMPEG tries to like their goal is to decode every video format that's ever existed in the world. And like this bug was found in a video format that is only was used for like one LucasArts game in the 90s, right? And so it's like, why do you care? Well, the reason.
Leo Laporte [02:03:30]:
But does it affect every user of FFmpeg?
Alex Stamos [02:03:33]:
It does. This is the problem that Google points out, which is by default when you compile FFmpeg, this codec is included and FFMPEG has a bunch of modes in which it will automatically detect. So there are.
Leo Laporte [02:03:44]:
So you put on a browser page a phony file from an old LucasArts game that gets downloaded and the FFMPEG jumps in, says I'll take care of that and you're owned.
Alex Stamos [02:03:55]:
Right? And so they're both right. I feel really bad for FFmpeg here because they're getting buried in these reports and they are not easy bugs to fix. My position here would be Google should not be reporting these bugs without patches of test. If AI can do these incredibly beautiful reports, it can also come up with, here is a proposed patch. Here is a proposed patch. And if Big Sleep's not ready for that, then they should not be doing the reports at this point. Or Google can have their human engineers go write this up, because Google does have the best paid security researchers in the world.
Leo Laporte [02:04:34]:
Project Zero is amazing.
Alex Stamos [02:04:36]:
And this has been a bit of a problem with Google. Project Zero is. I know some of these people. They're great. They're also kind of arrogant. Kind of is doing a lot of work here. They're extremely arrogant. And they, they embody a bit of what you see with security researchers, which is like lording over them of like, I found problems in your code, it is now your responsibility to fix it.
Alex Stamos [02:05:02]:
And like crushing them under the brilliance of. And then doing that with your AI system now is like, it's very arrogant and it is punching down.
Stacey Higginbotham [02:05:16]:
Right.
Alex Stamos [02:05:16]:
And I do think it is on Google here to do everything they can. If not paying these guys directly, at least every one of these reports should also have it attached of like, hey, our AI did its best to create.
Leo Laporte [02:05:28]:
Make it as easy as possible. Yeah.
Stacey Higginbotham [02:05:30]:
Yes.
Leo Laporte [02:05:31]:
Yeah. We quote Tavis Ormandy all the time because he's discovered so many. We talk about him on Security Now all the time. So many, you know, Heartbleed and other very serious issues.
Alex Stamos [02:05:43]:
Right.
Leo Laporte [02:05:45]:
I want to give credit to Manuel Laos, who did patch the Lucas Smush algorithm. That's only used in one case, the first 2010-20 frames of Rebel Assault 2 from 1995. He fixed it. Thank you, Manuel Laos. But, you know, you're counting on some.
Alex Stamos [02:06:07]:
Guy and there's like, if you look in their tracker, let's see how many more open for just FFmpeg. There's like a half dozen more open bugs in FFmpeg.
Leo Laporte [02:06:18]:
And FFmpeg says arguably the most brilliant engineer at FFMPEG left because of this. He had reverse engineered dozens of codecs by hand as a volunteer. It was hugely demotivating and to the fun and enjoyment of reverse engineering. Yeah, this is tough. I have sympathy on both sides. The problem really is open source code like this that's written by hobbyists for the enjoyment of it is everywhere.
Alex Stamos [02:06:49]:
Yes. And it's the volume of what AI can do, right, is it can massively outstrip the capability of the maintainers to fix stuff. But the flip side is the bad guys are now getting these capabilities too. So Google is trying to front. Google and OpenAI and Anthropic is, you know, is probably going to be doing the same thing. They're going to try to front run the bad guys, which is a totally reasonable thing.
Stacey Higginbotham [02:07:14]:
Right?
Alex Stamos [02:07:15]:
Because you want the stuff fixed before the bad guys have the same bug.
Leo Laporte [02:07:19]:
Right. And it's amazing what AI can do. Financial Times story says that AI is generating a surge in expense account fraud because it can create such believable receipts.
Jill Duffy [02:07:37]:
I got so mad about this story.
Leo Laporte [02:07:40]:
Why? What happened? Julia? First, I mean.
Jill Duffy [02:07:44]:
Sorry.
Leo Laporte [02:07:44]:
Jill. Jill.
Jill Duffy [02:07:45]:
Jill E. Duffy.
Leo Laporte [02:07:46]:
Jilly, what happened?
Jill Duffy [02:07:49]:
It is not hard to fake a receipt ever. It is not hard. You go to Staples, you buy a pack of receipts, you can sell out yourself. It has never been hard. What's frustrating is corporations require so much bull in very minimal expense report accounting that is not actually required by the IRS. So I used to work for this company that they were a fine organization, but they outsourced their expense account management to another company. And so they didn't really know what it was all about. But they said, everything needs a receipt.
Jill Duffy [02:08:27]:
Everything needs a receipt. And I left hotel tips. And I was like, well, I have a receipt for the hotel tips, but I'm just going to write them in. We might get audited for that. I said, honey, it's less than $95. You like? It's in the IRS code that you will not get audited for that. And if you're not going to reimburse your employees when they say in hotels, that starts to look bad on you. When you have 200 employees, you can.
Leo Laporte [02:08:50]:
Use ChatGPT to create your tip receipts.
Jill Duffy [02:08:54]:
The problem is not employees faking receipts. The problem is that companies are so. They have such a bug up their ass about this for no reason whatsoever. There is no fraud going on for a $28 meal. You know what I'm saying? Like, this is the. The dumbest place to spend any of your time. Time and energy is approving somebody's $8 cab ride to get three blocks quickly.
Leo Laporte [02:09:23]:
I suspect that everyone on this panel shares your annoyance. I worked for Ziff Davis. I remember a very famous story that was told to me by a Ziff Davis executive. He said, leo, you gotta hide the boots. Said what? He said. A while back, we had an account executive who was wining and dining, you know, advertisers. And of course he'd write off the wining and dining. But at one point, he bought a $400, pair of Tony Llama boots and tried to write it off on his expense report and of course got denied because you can't expense the boots that you bought.
Leo Laporte [02:10:05]:
And he said all he had to do was hide the boots. Just put it, put it to the dinner. It was a bottle of wine. He said, leo, when you do your T and E, hide the boots.
Jill Duffy [02:10:17]:
But the thing is, the majority of employees, they are honest people.
Alex Stamos [02:10:21]:
I know.
Jill Duffy [02:10:22]:
Who takes a receipt anymore.
Stacey Higginbotham [02:10:23]:
We forget.
Jill Duffy [02:10:24]:
Like people are not creating false expenses.
Leo Laporte [02:10:27]:
I just want to get paid back for my expenses, please.
Jill Duffy [02:10:30]:
Yes, yes. It's a matter of. You're making it difficult. Just give me, give me a per diem, right? Like, just let me collect a per diem. It's such a minuscule amount of money for large companies. It does not matter. And it's just such a stupid thing to point the finger at employees and say, oh, you're making up this expense report. Like probably the person did spend the money, they just want to be reimbursed for it.
Leo Laporte [02:10:57]:
I suspect there's going to be even more, more link baity articles like this. This was the Financial Times not known for link bait. But if you think about it, this is, this is what you're going to see is a lot of articles about, oh, look what AI can do now. Which is too bad because there is some legitimate complaining about AI. Sora, for instance, which is extraordinarily popular. OpenAI video generator. And now they have a Sora app that's often number one on the App Store. iPhone App Store. I decided instead of trying to fight it, I just took my generated persona.
Leo Laporte [02:11:36]:
They call it a cameo. Cameo. By the way, the company's not happy about that. They're suing them. They call it a cameo. I did one of my cat the other day. You can now do pets and you could do objects. And I just made it public.
Leo Laporte [02:11:46]:
I said, anybody can do it. Because that way I, I mean, it's like, well, it was made up, it was AI. It's just, you know, I, everything is going to be AI. But there are people complaining that apparently there, there are influencers, racist influencers who are using Sora to generate videos of poor people using, you know, flouting their use of SNAP food stamps as a way of saying, see, we don't want to give these people benefits. And, and so there is a legitimate misuse of AI. I agree with you. Forged receipts from a company that really should be paying you back for those anyway. It's kind of.
Jill Duffy [02:12:27]:
Yeah, like, are we going to Use AI to start looking where wage theft is happening. Because I feel like that's a much more important concern for employees who are getting shafted.
Leo Laporte [02:12:36]:
I agree. I did mention Proton is now going into competition with Troy Hunt, whose very famous Have I Been Pwned website is fabulous. And I think this is fine. Proton's calling it the Data Breach Observatory. And they say, unlike Have I Been Pwned, they don't wait until a breach is reported. They actually search the dark web. Alex, do you think this is legit? Is this a good idea?
Alex Stamos [02:12:59]:
I mean, I have to look. Troy does a lot of work to try to keep his consolidation from being abused by people. So it's like not easy. Right? It's not easy to pull that data in one place and then let people query it without then that being abused.
Leo Laporte [02:13:13]:
A little conservative in that as in that regard. Yes.
Alex Stamos [02:13:17]:
Yeah, yeah. Have I Been Pwned's pretty conservative. So much more conservative. I mean, there are services in which you can just buy that data, which is good. I mean, that's. You buy that data and then that data is then used by companies to go reset, mass reset passwords, give people notifications and such.
Leo Laporte [02:13:34]:
So it's. And that would not be in the Have I Been Pwned database.
Alex Stamos [02:13:40]:
Necessarily a big overlap, right?
Leo Laporte [02:13:42]:
Yeah, yeah. But not all of it is. So companies that are concerned about password breaches might go to a third party service other than Have I Been Pwned.
Alex Stamos [02:13:51]:
Yeah. I mean, there are. This is what you pay intelligence firms for.
Stacey Higginbotham [02:13:55]:
Right.
Alex Stamos [02:13:55]:
There are a bunch of intelligence firms that go into the black dark web and then they have a bunch of competing numbers of I'm the best, I'm the best. And they'll give you advertisements of who.
Leo Laporte [02:14:04]:
Yes, we have advertisers that do that. Yes, yes, right, of course.
Alex Stamos [02:14:08]:
Right.
Leo Laporte [02:14:08]:
And they are the best. By that, I just want to point out, they really are the best. If we. If.
Stacey Higginbotham [02:14:13]:
Yes, I was interested.
Alex Stamos [02:14:15]:
Oh, go ahead, C.B.
Stacey Higginbotham [02:14:17]:
Sorry, no, I was. I'm interested in the verification side of it because they're pulling it from the dark web and they're saying that they're going to use a firm to verify that it is actually legit. Because sometimes you see hackers put it.
Leo Laporte [02:14:29]:
They're working with Constella Intelligence.
Stacey Higginbotham [02:14:32]:
Yeah.
Leo Laporte [02:14:33]:
To verify it.
Alex Stamos [02:14:37]:
So, I mean, if you're a company buying this, you test against your own stuff. Right. So like when I was at Facebook, we would buy stuff ourselves and we also had our own intelligence team go. And then we'd run username, password pairs and we'd find, like, for any reasonably sized breach, about 5% of username password pairs would match up with the username and passwords people would use on Facebook. And so if there's a match, what we do is lock the account. So nobody could log. You could not log in to a new device. Yeah.
Alex Stamos [02:15:05]:
So we could basically, you could. The cookies that you had. So if you had a browser that was already allowed on Facebook, if you had a mobile device was already allowed, that's fine. And then you would get notifications, please change your password. That's cool. Right. But a new one couldn't. Right.
Alex Stamos [02:15:20]:
So somebody all of a sudden couldn't come from Romania and add a new browser to say, I'm Leo Laporte, with a password that was known to be. And it's a controversial thing, right, because either you're paying directly or you're aff. Effectively for a number of those intelligence companies are paying money for those. The only way they can get that stuff is to pay. They're making a market, they're creating a market. Now the upside of it is they're also destroying trust in that market. Right. Because then on this black market, the person they're selling to might be an intelligence vendor, that the moment they sell it to that person, that goes out to Google and Facebook and a couple other companies and then the value of the thing they sold goes to the floor.
Alex Stamos [02:16:00]:
Right, right. And so if you can create dishonor among thieves, if you make people not trust the market, then it makes a much less liquid market and then it reduces the economics. So it is a very sketchy, ethically difficult area for this specific one. Like in any case, where you're not selling it to big trustworthy, trustworthy, but like companies that aren't going to go just use that for their own purposes, then you have to be extremely careful and Troy has been really careful and verifying that people are who they say they are. They have access to that account and stuff. And so I don't know if that's going to be true.
Leo Laporte [02:16:39]:
I have huge respect for Troy and I use. He has an, I think, lesser known feature on haveibeenpwned.com where you can enter a password and see if it's shown up in the breach. And I think people might go, I'm not giving it my password, but it's actually quite cleverly done so that. That no information is exfiltrated. They hash it and then look for hash matches. Yeah, I think that's really cool. I think what Troy does is really important and very cool.
Alex Stamos [02:17:03]:
So, yeah, I mean, I would stick with Have I Been Pwned unless these guys show that they have a significant. I mean, his data set is pretty, pretty impressive. So I don't see any reason to switch.
Leo Laporte [02:17:16]:
Yeah. If you used a YubiKey or a hardware key on X, X wants you to know they are abandoning the twitter.com domain and your key won't work anymore. So make sure you re-enroll your hardware keys. Yeah, they'll let you know.
Stacey Higginbotham [02:17:36]:
Are they really abandoning it? Like they'll let it actually expire or.
Leo Laporte [02:17:39]:
Are they just, oh, I'd like to buy it.
Stacey Higginbotham [02:17:40]:
They're not going to have the infrastructure. I'm just curious.
Leo Laporte [02:17:42]:
I should buy.
Alex Stamos [02:17:43]:
As far as the abandonment go, I can't imagine they're not going to pay the 1299.
Leo Laporte [02:17:47]:
They're going to keep the domain. They're going to keep the domain. They're just not going to the other business.
Alex Stamos [02:17:51]:
I wouldn't even question it.
Stacey Higginbotham [02:17:53]:
But interesting choices.
Leo Laporte [02:17:57]:
Elon might need that $12. He might. You never know.
Alex Stamos [02:18:01]:
Yeah, they don't have a choice here. Right. Like a FIDO token. The token itself, it's tied to the.
Leo Laporte [02:18:06]:
Domain name, the URL.
Alex Stamos [02:18:07]:
Yeah. It has a cryptographic relationship with twitter.com like with, you know, auth.twitter.com or whatever. And so they can't swap that over to X.
Leo Laporte [02:18:17]:
So yeah, they'll let you know. If you have done that. They will let you know. But you should know that this is a possibility. I immediately went in and it turned out I have also. Maybe this is a bad idea. But also authenticator TOTP that I can use. So that wouldn't have gotten locked out.
Leo Laporte [02:18:33]:
It just. My YubiKey wouldn't work anymore.
Alex Stamos [02:18:35]:
Yeah, that's fine. I mean, that's the only time that that's worse is if you're being attacked in the active man-in-the-middle. Right. So as long as you're careful about making sure you're actually on X.com. And so.
Leo Laporte [02:18:45]:
Oh yeah, I did go once to tvite.com in that case I would not use.
Alex Stamos [02:18:55]:
But that's a great example. That's why the FIDO token is locked to the domain. Right. Because in that case, you might not notice the vv. You might not notice a Unicode attack where it looks like Twitter but it's actually a character. Character set or something. Right.
Leo Laporte [02:19:14]:
But this FIDO cannot be spoofed.
Alex Stamos [02:19:15]:
The FIDO can't be spoofed. It understands Unicode. It understands the bitwise UTF-8. It cannot be spoofed.
Leo Laporte [02:19:21]:
That's actually one of the values of using a password manager. Right. The autofill doesn't get spoofed either. Right?
Alex Stamos [02:19:27]:
Yeah. There are some trickiness there in that you have to be careful. Like the autofill stuff can be tricked in way because it's JavaScript.
Leo Laporte [02:19:38]:
It's a little bit.
Alex Stamos [02:19:39]:
Right. If you have like a JavaScript injection, if there's an injection vulnerability. The other problem there is, like, in situations where there are subdomains that are under control of attackers. Right. And so, like, some of them are, like, way too aggressive about filling in, so.
Leo Laporte [02:19:52]:
Oh, yeah, you went to hacker.twitter.com and I'm going to fill that one in too. Yeah, that makes sense. Yeah.
Alex Stamos [02:19:59]:
Yeah. And so what the good password managers do is they try to have a list of these are domains that, you know, have subdomains that you can't trust.
Leo Laporte [02:20:09]:
This stuff is.
Alex Stamos [02:20:10]:
Or they'll log or. Yeah, or they'll lock it to auth dot, whatever. Yeah.
Leo Laporte [02:20:14]:
These guys, they suck.
Alex Stamos [02:20:17]:
Right? This is why FIDO is good.
Leo Laporte [02:20:18]:
FIDO does use a hardware key. It's a good idea. Let's take a little break. Final segment coming up in just a bit with a wonderful panel, which I would like to spend many, many more hours with. But the sun has come up in Laos and so Jill has got to go run some errands and make some ice cream.
Jill Duffy [02:20:37]:
And I think my brain's finally awake fully now.
Leo Laporte [02:20:41]:
It's so nice to have you. Jill Duffy writes for PC magazine and Wired. But don't worry, she's not going to defraud you with her phony receipts for the tips that she gives the busboy. That's not going to happen. She's an honest, honest person. Do you want us to put the E in there? I forgot. We usually do put the E in your.
Jill Duffy [02:21:00]:
We could put it in there. Yeah. Online. I'm Jill E. Duffy.
Leo Laporte [02:21:04]:
Yeah, Everywhere. We'll put that in. Yeah, that way people can find you.
Stacey Higginbotham [02:21:09]:
Sure.
Leo Laporte [02:21:09]:
Alex Stamos is here. He's the one, the only. He's here. CSO for corridor.dev.
Alex Stamos [02:21:15]:
There's an unfortunate high school kid in Chicago who.
Leo Laporte [02:21:20]:
Does he get hacked a lot. People go after him. Oh, that's terrible. Do not ever. You never want the name of a famous security researcher because that's. You're gonna just be in trouble.
Alex Stamos [02:21:31]:
Sorry, kid.
Leo Laporte [02:21:32]:
Sorry, kid. By the way, I was gonna use Hide the Boots as the show title. You cannot fool AI anymore. You know, you told that Hide the boots anecdote in 2009, and was used. It was used then. Thank you. I think there should be a. I mean, there's a.
Leo Laporte [02:21:52]:
There's a statutory limit, right? I mean, after 2009, after 16 years, I should be able to tell the same anecdote one more time. What do you think, Stacy? I think it's okay.
Stacey Higginbotham [02:22:04]:
I would. I would even give you one or two years.
Leo Laporte [02:22:06]:
Yeah, 16 years. Come on, man. But no. AI knows all. AI or our engineer, Patrick Delahanty. Maybe it was Patrick doing. Stacey Higginbotham's also here from Consumer Reports. Glad to have all three of you and glad to have our. Our club members who.
Leo Laporte [02:22:24]:
Who are so great and fund a lot of what we do here. About 25% of our operating expenses come from Club Twit. If you're not a member, lots of benefits, including Stacy's book club. We've decided on a book. Stacy says it's a depressing book, but it's going to be fun, isn't it, Stacy?
Stacey Higginbotham [02:22:44]:
So fun. If you want to extrapolate out, it's kind of like what. I mean, okay, this is way too much credit, but like, you know how Neuromancer predicted the future? Yeah, this kind of predicts the future. It's just the future.
Leo Laporte [02:22:56]:
Well, what the heck. Well, these things happen. Anyway.
Stacey Higginbotham [02:23:01]:
The times we're living in are so.
Leo Laporte [02:23:03]:
Have we set a date for Stacy's book club? I think we're doing it next month, but I don't know if we set a date yet.
Stacey Higginbotham [02:23:09]:
Don't have a date.
Leo Laporte [02:23:10]:
Okay, so we will set a date, but that's one. We do a lot of things in the club because we want to make it fun. We want you to be a member and be glad you're a member. 10 bucks a month there. By the way, this is a good time to join because we have a coupon at TWiT TV Club TWiT for 10% off the annual plan. Best price. That's a good way to do it. Also good for gifting to the geek in your life.
Leo Laporte [02:23:34]:
There are family plans and corporate plans as well. And as I said, we. We make it fun. You get ad free versions of all the shows. You get lots of stuff going on in the Club TWiT Discord, our AI user group is Friday. That's going to be fascinating. We're going to work a show how you can make your own MCP.
Leo Laporte [02:23:51]:
I think Darren has said he would help us with that. That's great. Snow Crash. Not Neuromancer. Neuromancer talks about the future, too. It's that's both of them. Do both of them count?
Stacey Higginbotham [02:24:01]:
Yeah, but Snow Crash is like the quintessential.
Leo Laporte [02:24:04]:
Yeah, it's where the word metaverse came from, right?
Stacey Higginbotham [02:24:06]:
Yes.
Leo Laporte [02:24:08]:
But on the other hand, Cyberverse came from Neuromancer, so both of them are important. Anyway, join the club. I don't know. I'm easily distracted. I'm a little ADD twit TV club Twit. We thank you all so much for your support. Our show today brought to you by Melissa, the trusted data quality expert. They've been doing it longer than we have since 1985.
Leo Laporte [02:24:31]:
Of course it started with address validation. Address validation today, still 40 years later is Melissa's bread and butter. But they do so much more. They're really data scientists. But let's talk about address verification for a minute. Melissa's address verification services are available to businesses of all sizes. They're very affordable. And Melissa's address validation app for as an example for Shopify is vital for e commerce merchants, especially if you want to do international business.
Leo Laporte [02:24:59]:
International companies like Siemens AG are they manage a diverse group of customers and clients all over the world. They have to have country specific address formats for many, many countries. They've got to make sure the data they hold is correct. If not, they can face significant costs and delays to supply and production chains. It could be a nightmare. Well, since they started using Melissa, Siemens AG has reliably processed more than half a billion queries for 174 countries. That's close to all of them using Melissa's dedicated web service, Ask the global IT headmaster of data management at Siemens. He says thanks to these very stable solutions, we've achieved an automation rate of over 90, 90%.
Leo Laporte [02:25:47]:
Melissa reacts very quickly to our requests and offers us the right solutions to questions that come up and they consistently meet our service level agreements. They're happy. You will be too. Data quality. It's not just Siemens. It's essential in any industry. Melissa's expertise. As I said, they're data scientists.
Leo Laporte [02:26:04]:
It goes far beyond address verification. Many banks all over the world have know your customer regulations. Similar regulations. Metabank, like any bank, absolutely must know the exact identities of all its customers. These are federal regulations. However, it's problematic, especially if a bank's customers include not only its own retail clients, but also hundreds of organizations with their own customers. And that's what Metabank faces an exponentially greater challenge. Senior VP of Data Systems and Business Intelligence at Meta Payment Systems says quote, I believe Melissa has helped us improve not only data quality, but also our downstream experience for end users.
Leo Laporte [02:26:45]:
We're now able to identify everything from fraud to missing data and allow our individual customers to swipe their cards with confidence. And importantly, as every data engineer knows, having clean data translates to the bottom line. Melissa saves you money. And of course, your data is always safe with Melissa. They're compliant. It's secure. Melissa's solutions and services are GDPR and CCPA compliant. They're ISO 27001 certified.
Leo Laporte [02:27:13]:
They meet SOC 2 and HIPAA/HITRUST standards for information security and management. You know your data is secure with Melissa, they go the extra mile. Get started today. 1,000 records cleaned for free. melissa.com/twit. That's melissa.com/twit. We thank them so much for supporting TWiT. They've been with us for a long, long time. We're really glad to have them. A bunch of this was actually a topic of conversation in our community. A bunch of tech tutorials were removed from YouTube.
Leo Laporte [02:27:50]:
YouTube. I don't know if this is the right denial. They say AI didn't do it. Well, okay. Educational videos that YouTube had allowed for years are suddenly being flagged as dangerous or harmful, no way to trigger human review to overturn them. Creators were pretty sure AI was running the show. Friday, a YouTube spokesperson said, "We've reinstated those. It wasn't AI and we'll make sure that doesn't happen again." Sorry, what, do they have a renegade content guy? I don't know.
Leo Laporte [02:28:29]:
Some of them were, you know, people thought, well, you know, how to install Windows 11 without having to use a Microsoft account? Maybe Microsoft thought that was piracy. It's not, it's not harmful. Anyway, YouTube says, sorry, it won't happen again. Now here is what something might not happen again. Maybe you saw the YouTube video by Trevor McNally. He is a lock picker, former Marine staff sergeant. Seven million followers. You've probably watched his videos.
Leo Laporte [02:29:07]:
Two billion views. A Florida lock company called Proven Industries in March posted a promo video on their social media accounts saying, you guys keep saying you can easily break off our latch pin lock. No you can't. So McNally made a video. Apparently they didn't like it because he was drinking a Juicy Juice, swinging his feet, hops down from his seat, goes over to a Proven lock on a trailer hitch and uses a shim from a can of Liquid Death that he cut and opens the lock. So Proven Locks didn't like that so much. They, they, they tried to shut McNally down. They tried to get him taken down with DMCA.
Leo Laporte [02:29:58]:
Takedowns on YouTube. He, he didn't bow to the pressure. In fact, he made several more, in fact, because Proven said, oh, he's doing a very. It's very tricky. You gotta cut this shim carefully. He said, he actually did it on camera. He finished the can, cut the shim, opened the lock in seconds. Proven sued him.
Leo Laporte [02:30:21]:
Okay, there's this thing called the Streisand effect you might want to know about, Proven. They charged him with copyright infringement, defamation, false advertising, violating the Florida Deceptive and Unfair Trade Practices Act, and tortious interference with business relationships, civil conspiracy, trade libel and unjust enrichment. But what they really didn't like was he was drinking the juice box, swinging his legs. It's actually in the court papers. McNally appears swinging his legs and sipping from an apple juice box, conveying to the purchasing public that bypassing plaintiff's lock is simple, trivial, and even comical. How dare he? Of course, as you know, McNally had, as I just mentioned, quite a few fans who immediately started commenting on Proven's posts and product videos, mocking Proven.
Leo Laporte [02:31:25]:
They doxxed the Proven executive, which no one should do, but I think the whole thing is going to go away. The judge said, did the plaintiff bring a lock and a beer can? She wanted the plaintiff to actually show that it couldn't be done. There was going to be no live shimming in the courtroom. The judge, after several hours, the judge said, I'm declining to grant the injunction. And the purpose and character of the use to which Mr. McNally put the alleged infringed work is transformative. It's a critique. It's his own way of challenging it.
Leo Laporte [02:32:14]:
He went to court and he, he got his fair use proven, which I tell you is something I'm not prepared to do, so don't come after me. Anyway. The company dismissed the lawsuit they, they put when it ran as fast as they could in the other direction with their tail between their legs. So 110 million people watched the. The lock pick death of the Proven locks and Proven was not able to shut them down. I love those stories because most of the time, as I think Mike Masnick on Techdirt has said, fair use is just the right to hire a lawyer. And most people say, including us, we're just going to back down when you do that. That's why we don't show videos anymore.
Jill Duffy [02:32:59]:
My favorite line in the article was the judge stepped in and declined the injunction and said for her to do so, Proven would have to show that it was likely to win at trial. Among other things, it had not.
Leo Laporte [02:33:14]:
Yeah, they gave up. They gave up. Oh well, it's a, it's a happy ending now. How do you feel about Samsung's $2,000 fridge showing you ads on that big screen in the front?
Stacey Higginbotham [02:33:28]:
Yeah, I'm against it. And you know what, it's part of that whole software tethering we yelled about like back in the day. It's concept that you don't actually, if you're going to have a cloud connection, you don't actually own your product.
Leo Laporte [02:33:41]:
That's right.
Stacey Higginbotham [02:33:42]:
No rights around them yet.
Leo Laporte [02:33:43]:
My friend has a Samsung Fridge and the browser is so out of date it doesn't work anymore. Maybe they'll use the money from the ads to pay to update the browser next week.
Stacey Higginbotham [02:33:55]:
We actually, I am finally, finally producing the longevity by design recommendations for the device manufacturer.
Leo Laporte [02:34:05]:
It's appalling, just appalling. WhatsApp can now use passkeys to secure your backups. That's good news, right? We like passkeys. Alex, do we like passkeys?
Alex Stamos [02:34:19]:
We do, yeah. Just checking. So I mean this has always been a real challenge with end-to-end encrypted messengers is that the expectation of people is that if you restore your phone, if you lose your phone, you restore it, that your chats are there. But if you're to do that, if you're not Apple and you don't own the whole stack and you have this really kind of complicated way of providing end-to-end encryption, it turns out to be really hard. And in fact iCloud backup has some really not so great security properties itself. And so WhatsApp first provided the ability to back up your chats and when they first did that, the backup itself was non click. So all the work you did, they did around an encryption which shipped while I was at Facebook was negated by turning on backup. So they then created the ability to encrypt backup but you had to remember the passphrase and so now this does allow you to.
Alex Stamos [02:35:15]:
It basically kicks the problem to passkey sync. But for, for example, if you're doing it with an Apple device, Apple has a secure way of syncing passkeys.
Leo Laporte [02:35:27]:
Between devices that is, that's relatively new, right. The original FIDO spec did, had no way to do that.
Alex Stamos [02:35:33]:
No, no passkeys. There's different kinds of passkeys. And so this is where it starts to get a little bit complicated and now things are starting to get a little confusing for consumers. There are passkeys that are hardware only. So let me, I can grab an example here. But basically yes, if you're a. Yeah, so here's like a. A YubiKey.
Alex Stamos [02:35:54]:
Different kinds of FIDO tokens. FIDO2 tokens have identifiers. And so if you're an admin of like a Microsoft Entra or Okta, for example, if you have like an advanced enterprise authentication environment, you can actually tell the difference between different kinds of passkeys. And you can say, I only allow hardware passkeys versus ones that can be synced. And so, from a Google Gmail or Facebook perspective, they're all the same. From an enterprise perspective, you can actually differentiate. But yes, FIDO2 does have the ability to have these syncable passkeys.
Alex Stamos [02:36:30]:
They're supposed to still be biometrically tied to people, and they're supposed to still be stored in a way that is encrypted, hardware secured. And then if they're synced, there are rules around syncing them to. They shouldn't just be stored in an insecure manner, but like, for example, the ones that are stored in 1Password and such, you can come up with these scenarios in which they can be compromised. People often does reduce the security in some ways.
Leo Laporte [02:36:55]:
Assume that these encrypted messengers, the backups, are also encrypted. They are not necessarily as spook and sugar and Peso and Scary Terry learned iCloud backups, not necessarily encrypted. Those are the mafia guys who got busted in that gambling scandal. How did they find out? They got into the feds, got into the iCloud backups.
Alex Stamos [02:37:28]:
That's right. Unless you're running Apple's advanced security so you can opt into advanced security. iCloud backups are not necessarily encrypted.
Leo Laporte [02:37:37]:
Sorry. Quack, quack.
Alex Stamos [02:37:38]:
Yeah.
Leo Laporte [02:37:40]:
You're going to jail. I don't know if they're going to jail. I shouldn't say that. It's allegedly. Allegedly they were involved in the poker scam.
Alex Stamos [02:37:49]:
Allegedly, alleged. Which is an incredible story and one of the biggest scandals in NBA history, certainly since, like, the. Tim Donaghy.
Leo Laporte [02:37:57]:
Yeah. Although I think some have pointed out that it's a little overstated that the FBI was really hyping up this NBA angle, but it was really Mafia guys. They were using the NBA people to, like, as shills, to attract, like, for advertising.
Alex Stamos [02:38:13]:
I'm sorry. Yeah. The real NBA scandal is the other one, the. The betting scandal where people have been. There's also, like, simultaneously, there's been a betting scandal involving, like, a friend of LeBron James who was leaking in two friends who are betting on whether LA LeBron was injured on the injured list and stuff. So there's.
Leo Laporte [02:38:33]:
Oh, I missed that one.
Stacey Higginbotham [02:38:34]:
Yeah.
Alex Stamos [02:38:35]:
Yeah. So there's another whole NBA betting scandal based upon all the. All the prop bets, Right? Because you bet on these.
Leo Laporte [02:38:42]:
This is just gonna. This is just the beginning of that. I mean, you see, now legalized gambling.
Stacey Higginbotham [02:38:47]:
Is just a really awesome thing, especially.
Leo Laporte [02:38:50]:
With prop bets, because every second there's another bet. And I mean, this is a nightmare. And if I feel. I feel terrible for anybody who has a gambling problem because it's now in your pocket, there's no way to avoid it. And you watch an NFL game, it's nonstop, the advertising for it.
Alex Stamos [02:39:08]:
Well, I don't know if you just saw. Just a couple days ago, Brian Armstrong, the CEO of Coinbase, blew away a bunch of this because there was side betting on the prediction markets of whether he would say certain words on his results call, on the Coinbase earnings call. And somebody in his team had told him about this, so he said all the words. He just read through the list of words at the end of the call.
Leo Laporte [02:39:34]:
Prediction markets are the sneaky way to get these prop bets into real life.
Alex Stamos [02:39:41]:
Yeah.
Leo Laporte [02:39:42]:
Unbelievable. Good for him. I guess. I mean, there's some unhappy people probably.
Alex Stamos [02:39:47]:
Right. But it's also like, it's. It's kind of like you should. You cannot. You should not allow betting on things. Like, does a person say a word on a call?
Leo Laporte [02:39:55]:
But.
Alex Stamos [02:39:56]:
Right, right. At least like an NBA game, right, is there's a ton of people who have, you know, personal money riding on it like the players want to win. You know, like there's. Are you saying a word or not? He doesn't care. Right. Like, there's just no, There's. There's no externalities involved.
Leo Laporte [02:40:17]:
Crazy. Yeah, but it's like bitcoin. There's no externalities. It's there either. You still a Kings fan?
Alex Stamos [02:40:22]:
I am still a Kings fan.
Stacey Higginbotham [02:40:24]:
It's.
Alex Stamos [02:40:24]:
It's, It's. It's a little rough.
Leo Laporte [02:40:26]:
Sorry about that.
Alex Stamos [02:40:27]:
I'm a Kings fan and Cal fan. I'm wearing my Cal colors. You had another story about, like, I. I couldn't watch the game yesterday because I had no ESPN on my YouTube TV.
Leo Laporte [02:40:35]:
I. That's still going on. And it's going to be an issue because tomorrow it's Monday Night Football, which is on ABC/ESPN. So people with YouTube TV are not going to be able to watch Monday Night Football. I pay for the NFL Sunday Ticket. And what are they going to. What is YouTube going to do? They're going to make a deal. Eventually.
Alex Stamos [02:40:57]:
Eventually. Yeah.
Leo Laporte [02:40:58]:
Disney. Part of the problem is, and this is kind of new, you've seen these carriage battles go on in the past. But what's different now is Disney, ESPN, they have their own streamings. They have Fubo, they have Hulu, they have ESPN streaming. They have an incentive not to let YouTube rebroadcast.
Alex Stamos [02:41:20]:
Yeah.
Stacey Higginbotham [02:41:21]:
And they don't have to abide by any FCC public license.
Leo Laporte [02:41:24]:
Oh, yeah.
Stacey Higginbotham [02:41:25]:
Not working over the public. So there's no, I mean there's no regulator in the picture here.
Leo Laporte [02:41:31]:
It was a disaster on Saturday.
Stacey Higginbotham [02:41:33]:
Straight up capitalism.
Leo Laporte [02:41:34]:
Just. This is capitalism at work. Yeah. No kittens broadcasts, huh?
Alex Stamos [02:41:43]:
No, I mean, Kings are on TNT so it's okay, but. Yes.
Stacey Higginbotham [02:41:46]:
Oh, okay.
Alex Stamos [02:41:47]:
The Cal game was. It was ESPN so that was a little rough. I didn't get to watch. I had to listen on AM radio like it was the 50s.
Leo Laporte [02:41:55]:
There've been all these articles how you can watch these games if you have YouTube TV. And in most cases they're really, you know. Yeah, listen to the AM radio.
Alex Stamos [02:42:05]:
They should do the voices, right? Should be like, ah, he's got the ball at the 10 yard.
Leo Laporte [02:42:10]:
It's like Ronald Reagan going, it's a hit. It's going up that by the way, when Dutch Reagan, before he was the president, before he was the governor, before he was an actor, used to do baseball play by play, would do reenactments on the radio where he would hit with a stick to make the sound of a ball. He would be reading it off the wire. What happened in the game, doing the play by play.
Alex Stamos [02:42:36]:
You know, I feel really old these days because I work with all these Gen Zers, but I feel better now. Coming on TWiT.
Leo Laporte [02:42:41]:
That's really old, isn't it?
Alex Stamos [02:42:43]:
You make me feel young.
Leo Laporte [02:42:44]:
That's really old. I have. I got a million of them. That's Alex Stamos, ladies and gentlemen. Check out Carter dot dev. He's a CSO there. He's one of the good guys. And thank goodness, thank goodness you're.
Leo Laporte [02:42:58]:
You're there. Just keep up the. I know it's hard. Keep up the good work. We didn't even get to the story about how someone snuck into the Microsoft Teams call with Cellebrite. 404 Media had this story and leaked the phone unlocking details that Cellebrite was talking about, was pitching. Almost all Google Pixel phones except for the most recent are hackable by Cellebrite. So I guess I'm going to put GrapheneOS on my Pixel 9.
Leo Laporte [02:43:34]:
Is Graphene safe, Alex?
Alex Stamos [02:43:37]:
It sounds like it from this.
Leo Laporte [02:43:38]:
It doesn't. It's not Cellebrite-able.
Alex Stamos [02:43:40]:
It's not Cellebrite-able. So that's good. Yeah. I mean, I think that is one of the big upsides of the Android ecosystem is the ability to change out your OS.
Leo Laporte [02:43:50]:
Yeah. Well, not on all Android phones.
Alex Stamos [02:43:53]:
And I think the Pixels. Right, the Pixels are all unlocked.
Stacey Higginbotham [02:43:56]:
Yeah.
Leo Laporte [02:43:56]:
You can root them. I'm going to put Graphene on it tonight. Thank you, Alex. Great to have you. Stacy Higginbotham. We will make a date soon for the book club. I loved our last book, A Memory Called Empire. In fact, I'm reading the second volume of that.
Leo Laporte [02:44:09]:
I can't wait to find out what's going to happen in London. You're reading it now. What's the name of the book?
Stacey Higginbotham [02:44:18]:
Oh, the Hollow Heist of London.
Leo Laporte [02:44:21]:
The Hollow Heist of London.
Stacey Higginbotham [02:44:23]:
Yeah. No, the Heist of Hollow London by Eddie Robson.
Leo Laporte [02:44:27]:
That's going to be our book for the book club next month. So get going. Read it. Look for Stacy's work at Consumer Reports where she's a policy fellow. I can't wait to see the stuff you're. Sounds like you're working on some big stuff right now. It's great.
Stacey Higginbotham [02:44:42]:
It's all big stuff. It's all important.
Leo Laporte [02:44:44]:
It's all important. No, you're doing again, you're doing the work of the angels. Thank you, Stacy. And Jill E. Duffy is an angel contributor at PC Magazine and Wired. She got up very, very early to join us. I appreciate that. Thank you so much.
Leo Laporte [02:44:59]:
It's great to see you again. It's been too long.
Jill Duffy [02:45:02]:
Thank you.
Leo Laporte [02:45:03]:
Anything else you want to plug, you.
Jill Duffy [02:45:06]:
Can find me online, anywhere at JillDuffy.
Leo Laporte [02:45:10]:
What do you prefer?
Jill Duffy [02:45:11]:
I've been using Mastodon. I like to use. I gave up Twitter. I don't really use bluesky, but I have an account there.
Leo Laporte [02:45:19]:
I like it. Blueski. That's good. I'm calling it bluesky from now on. I like it. It's the Polish Twitter. Bluesky. Yeah.
Jill Duffy [02:45:29]:
Somewhere in that region.
Leo Laporte [02:45:31]:
Instagram and Instagram Mastodon I use. And which server are you on on Mastodon or does it matter?
Jill Duffy [02:45:38]:
I'm on the big one. Mastodon Social, I think.
Leo Laporte [02:45:41]:
Yeah. So if I go to our Mastodon, twit.social, and I enter Jill E. Duffy, it should be able to find you. I think it.
Jill Duffy [02:45:48]:
Yeah, I think it works like that.
Leo Laporte [02:45:50]:
Thank you, Jill. Appreciate it.
Jill Duffy [02:45:52]:
Thanks for having me.
Leo Laporte [02:45:53]:
Yeah. Thanks to all of you for joining us. We do TWiT on Sunday afternoon. Yes. And we did go to standard time. So yes, we started an hour late. I hope you didn't get here an hour early. We are at 2 to 5pm Pacific.
Leo Laporte [02:46:08]:
That's 5 to 8pm Eastern Standard Time. That's 2200 UTC. Because we moved. But UTC didn't. 2200 UTC. You can watch us live on YouTube, Twitch, TikTok. No, we took down TikTok. It's too complicated.
Leo Laporte [02:46:24]:
YouTube, Twitch, Facebook, LinkedIn, X.com and kick.com plus of course, you're in the club. You can watch on the Discord. You don't have to watch us live. That's just if you want the freshest version. We'll take out all the swear words and we'll put it up on the Internet on our website, twit.tv. There's a YouTube channel dedicated to the video. There's audio and video available for subscription too in your favorite podcast client. That's probably the best way to get it.
Leo Laporte [02:46:49]:
Leave us a review. Let the world know when you've been doing a show for 20 years. In podcasting, that means people, you know, like they're still around. So make sure you put a review up. So people go, yeah, they are still around. And you know what? I bet you're pretty glad you listened to this show. Lots of good stuff. Thank you for being here.
Leo Laporte [02:47:08]:
We will see you next time. And as I've said for 20 years, and I hope I'll say for another 20 years. Thanks for joining us. Another TWiT is in the can.