It's time for Security Now. Now, yes, it's our one thousandth episode. We're going to look back a little bit as to how this show got started.
We also have the latest news, including good news for our sponsor Bitwarden: they are still open source. How Microsoft is fixing User Account Control, and Synology fixes a very serious zero-click RCE flaw. That and a lot more coming up next on our one thousandth episode of Security Now.
Podcasts you love, from people you trust. This is TWiT.
This is Security Now with Steve Gibson, episode one thousand, recorded Tuesday, November 12th, 2024: One Thousand. It's time for Security Now, episode one thousand. They said it would never happen.
What, actually? Ladies and gentlemen.
Actually, some people didn't say it would never happen. Did you?
I said it would never happen. We've convinced Steve to go to four digits as we continue on in what is now almost our twentieth year of talking about security flaws, privacy breaches, how to stay safe online and, just as important, how things actually work. Steve's a master at that. Ladies and gentlemen, I give you Steve Gibson.
Nice to be coming to you from my alternative location, because the roof is being changed on my normal location, and it sounded like they were walking right on top of my head this morning. And I thought, well, you could say that...
That episode one thousand blew the roof off it.
Oh, that's true. Fortunately, we literally have mild weather, and so I think we're okay for it. And so yes, as I was just saying to you before we started recording,
Leo, that 999 was, you know, you would have thought that would have been the one that I focused on. But it was when I was putting this together and I put in 1-0-0-0, then I thought, wow, that really is cool. So yes, we've got a lot to talk about. For the last several weeks,
I have been frustrated that there's been so much going on, so much happening, that I just wasn't able to make time to share any of the feedback that I've been receiving. So the good news is, well, okay, there was a lot that happened this week, but there just wasn't any need to spend a lot of time, as we often do, really drilling down into anything. So we've got a bunch of listener feedback that we're going to end the show with. But we're going to look at whether Bitwarden, a sponsor of the TWiT network, went closed source. There was some odd rumbling about that over the last few weeks.
The rights of German security researchers have been clarified, thanks to some legislation in Germany. Australia is preparing to impose lower age limits on access to social media for children, which is going to be interesting. Also, it appears that people got free copies of Windows Server 2025 without asking for it, to their chagrin.
We're going to talk about that. Also, UAC wasn't in the way enough, so Microsoft's going to fix that. Also we've got Russia: good from Russia with fines, or obey or else.
Also, South Korea has fined Meta over some serious user privacy violations. We'll take a look at Synology, which is recovering from a very critical zero-click remote code execution flaw that affected their photo-sharing stuff. A really interesting story about malicious Python packages which are being invoked by typos in an interesting supply chain typosquatting attack.
Also, Google has said that they're going to enforce full multifactor authentication for cloud service users. Mozilla Foundation just laid off thirty percent of its workforce, so shall we worry about Firefox? Also, I've got some feedback from Dave's Garage, who took a look at SpinRite. Thank you, Dave, clever. And as I said, we will wrap up with a bunch of really thought-provoking Closing the Loop feedback from our terrific listeners. And of course we've got one of our pictures of the week for episode one thousand. So I think another great episode.
I feel like I've seen this, maybe because somebody sent it to me first or something.
Anyway, it's been around, but we hadn't put it on the podcast. It's another one of those. Well,
congratulations on the episode.
One thousand. To us, to you. With this I'll wrap up with a little retrospective look back at your original invitation.
So I do have to say that while I have not been here for all one thousand episodes, you have. There is no Security Now without Steve Gibson. So really, the kudos go to you. I've only done maybe nine hundred fifty of them.
Well, you do take vacations, and that does keep you fresh. Well,
you do not? Which is odd, but I don't know why. Anyway, we're so glad you don't, and we really appreciate everything you do, Steve, and congratulations. Well,
so let's see, it took us twenty years to get here. I don't think we're going to make two thousand, but we'll keep going until we can't. Well,
we'll be like in our late eighties, early nineties. It would be interesting.
Let's say that toward the end, Jerry Pournelle, who I think of when I think of pushing the limits, yeah, you know, he was, it was a tragedy,
but now, he was perfectly sharp upstairs. There was never any question about that. Me, not so much. I'll say, what is this about honeymonkeys you like? That was forty years ago.
Anyway, I do want to say our show today is brought to you by Bitwarden, and I want to reassure you, Bitwarden is the open source password manager, the GPL open source password manager, trusted by, I mean, thousands of businesses. It is the best way to keep yourself safe online, and I'm a big fan. I've used it for years. So, Steve, Bitwarden's 2024 Cybersecurity Pulse Survey results are in. We did this last year, and it was kind of almost depressing.
Well, it's not much better. Ninety-two percent of IT and cyber professionals agree, ninety-two percent, that's virtually unanimous, that password managers are critical for protecting business operations.
Now, as more employees seek support from generative AI tools, a big number, sixty-three percent of security professionals are facing significant challenges in maintaining proper approvals for devices and applications. It's getting harder, isn't it?
You know that if you work in IT. You know that eighty-nine percent of respondents expressed concern over the security risks these behaviors introduce to their organization's security posture. It is a big and, I think it's safe to say, a growing problem. Well, let's talk about it.
Bitwarden might be the cure, right? The holidays are quickly approaching. Peak security is a must-have.
Social engineering attacks are getting much smarter. Bitwarden is a great choice for business in really locking down security. You get unparalleled SSO integration and flexibility. Yes, it works with your SSO solutions.
You get inline autofill capabilities, including cards and identities. As we pointed out, this prevents people from using spoofed sites to enter important private data like cards and identities. That's really a big help. Your business deserves a cost-effective solution that can dramatically improve its chances, and your employees' chances, of staying safe online.
That's why we love Bitwarden. It takes a few minutes to set up. Bitwarden supports importing from almost all the existing password management solutions and, as I mentioned, will integrate perfectly well into your SSO solutions. And I do want to underscore this, and Steve's going to address this a little later on.
But if you're curious, the Bitwarden source code is open source. It's on GitHub. It can be inspected by anyone.
And of course, they regularly have it audited by third-party experts. And, this is really important, not everybody does this: they always publish the results of those third-party audits.
And if there's any question, it's GPL. That means it is really, truly open source. Michael Crandell, who is the CEO of Bitwarden, sums it up like this:
"We don't need to overcomplicate security. Let's get back to basics, empower employees with the right tools and foster strong password habits, and create a culture where security becomes second nature." That's Bitwarden.
Baby, get started today with Bitwarden's free trial of the Teams or Enterprise plan. And no, I'm really aiming this at businesses right now. But I should assure you, as an individual, in fact, even the business plan starts with the individual vault. As an individual, because Bitwarden's open source, it's free to individuals.
That means every device: iOS, Mac, Android, Linux, Windows. For individual users, you can host your own vault if you don't want to trust Bitwarden. Personally, I trust them implicitly. But it's strong security, unlimited passwords, unlimited devices.
And the free plan even supports passkeys and hardware keys like the YubiKey. And that's free forever. So if you have friends and family, and I know they don't want to use a password manager, who wants to spend money on that, you tell them Bitwarden is free.
It's easy to use and it really works. bitwarden.com/twit. Make sure to use that address so we get credit. And if you're a business and you want to really lock your systems down, bitwarden.com/twit.
We thank them so much for their support. We thank you for your support. bitwarden.com/twit. Actually, I think our first story, well, let's do the picture of the week first.
Okay, so, sir, imagine that you have a beautiful green park space. Yes.
And along one side of it is a sort of paved roadway meant for pedestrians. We can see in the distance a concrete pole sticking up in the back, so cars are not able to have any freeway here. It's just people.
Plus, this would stop bicycles and motorcycles and other rolling...
Well, not initially. Initially, presumably this was always green. Everything was fine, but somebody was annoyed that bicycles or scooters, or, you know, something other than pedestrians, were using this, presumably at some sort of high speed. So the genius here figured, okay, we're going to slow these people down.
We're going to prevent them from zooming along on their scooters and their bicycles or whatever newfangled contraption they might be using by basically putting an obstacle course in this roadway, what used to be, as I said a little earlier, a footpath for people bordering this beautiful, long, green parkway. And so what we have here are, essentially, some bull gates that you have to weave yourself through, overlapping blockages.
So somebody on foot has to go forward and then move sideways in order to get past, in order to skirt the first one, and then slide over in order to get around the second one. Then they can catch their breath and walk down another twenty feet when they hit another one of these things. But boy, is that going to stop those guys on those scooters or bicycles or whatever the heck they're using.
Well, unfortunately, I gave this the caption: what they intended was not what happened. Though the beautiful green parkway was beautiful and green, not so much any longer. As a consequence of the fact that they basically put an obstacle course in the middle of the road, all the people who were riding something, bicycles, scooters, whatever, just rolled over onto the ground, so they didn't
slow down.
Yeah, they did. They just went around it. Now, of course, the first person who did that had very little effect on the grass, probably the second person also. But after about five thousand people did this, well, that took its toll.
So now the grass has given up. It's made its own path and it's very clearly there. Now you don't even have to, if you are a person who hasn't
yet approached this area,
you know exactly what to do. You're not getting off your scooter and having to go through this little obstacle course. No, the path has been paved for you at this point. So yeah, one of our listeners wrote back this morning, because I got the show notes out in the late morning, so he had time to write back, and he was speaking to a police officer.
I can't remember now what the term was, but there is a term for this, like people finding the path of least resistance sort of effect, and that's certainly what happened here. Okay. So on the topic of Bitwarden, for the past few weeks our listeners have been sending me notes regarding their concerns that Bitwarden's licensing might have been changing to make it less open.
I mean, this actually got some traction out on the Internet. It turned out that it was a good thing that I had not found the chance then to dig into whatever was going on, because it has since resolved itself completely. Now, The Register, weighing in with an explanation, and, you know, their particular brand of snarkiness,
I edited it a little bit for podcast clarity. They said: "Fear not, FOSS fans," you know, FOSS, F-O-S-S, free open source software, "Bitwarden is not going proprietary after all. The company has changed its license terms once again, but this time it has switched the license of its SDK from its own homegrown license to v3 of the GPL."
Just as you were saying, Leo. Yes, they wrote: "The move comes just weeks after we reported that it wasn't strictly FOSS anymore. At the time, the company claimed this was just a mistake in how it packaged its software, writing on Twitter," and this is Bitwarden being quoted, "It seems that a packaging bug was misunderstood as something more, and the team plans to resolve it."
"Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users." Yes, The Register said. "Now it's followed through on this. The Bitwarden GitHub commit entitled Improve Licensing Language changes the licensing on the company's SDK from its own license to the unmodified GPL 3."
That's good. That's really good.
They said: "Previously, if you removed the internal SDK, it was no longer possible to build the publicly available source code without errors. Now the publicly available SDK is GPL 3, and you can get and build the whole thing," they said.
"Chief Technology Officer Kyle Spearrin added a new comment to the discussion on bug number 11611 on GitHub," where that bug was titled "Desktop version 2024.10.0 is no longer free software." Of course, that's the comment that set off this firestorm.
So to that, their CTO Kyle wrote: "We've made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package
references in the clients now come from a new sdk-internal repository, which follows a licensing model we've historically used for all of our clients." They said, "See FAQ.md for more info. The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden-licensed code
in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds." He finished: "The original SDK repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK license structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps since that code is not used there."
So now they cleaned things up and fixed what was essentially just sort of a trip in this, you know, what has obviously become a rather complex build process with multiple overlapping licenses and things. So The Register finished, saying: "This is generally good news for the program's more fiercely FOSS-focused fans. It's all open source, and it's possible to build the whole thing, including the SDK, from freely available code. It seems to us that Bitwarden has responded to its users' unhappiness with the changes to the licensing around its password manager and has not merely undone the changes, but gone further toward making it all free software, even if it continues to maintain
that it was all just an error. The change is commendable, and we're glad to see it. It does, however, look as if the company is leaving itself room to build more non-FOSS tools in the future." You know, fine.
So what? Anyway, I think the whole thing here, everything that we've just seen, is that, I mean, it's what free and open source software is about. It's a terrific example of community action, which helped to bring some clarification to some initial confusion over Bitwarden's licensing terms. And to their credit, as The Register reported,
Bitwarden really stepped up and did the right thing. So props. In some good news for German security researchers, the German government has drafted legislation to protect security researchers who discover and report vulnerabilities.
There was some ambiguity before, so this proposed law would eliminate the risk of criminal liability from cybersecurity research as long as the bugs are responsibly disclosed to the vendors. At the same time, the law does also introduce harsh prison sentences, ranging from three months to five years, for any researchers who abuse the process of vulnerability research for their own criminal acts. These include incidents when researchers cause substantial financial damage during their research, try to do some extortion, or act to damage
critical infrastructure. In other words, if you are a true researcher in Germany, any previous gray area has now been eliminated. So yeah, but if you're hoping to abuse, you know, the "but I'm a security researcher" claim, your inability to get away with that
has also been clarified too. So it's good that we're seeing this, because we've seen the instances, we've talked about a lot of them on the podcast, where, you know, a well-meaning researcher reaches out to a company and says, "You know, I was poking around at your web page and I noticed that whatever, blah blah blah, and I was able to log onto your servers," and suddenly, you know, rather than taking this as someone trying to help them, they immediately sic their legal staff on them and start threatening them. So anyway, it's good that Germany has made this clear. Australia, this is going to be interesting.
I think they're preparing legislation that would introduce a minimum age of sixteen years for social media accounts, that is, for access to social media accounts. Under this new legislation, which is not yet law, just to be clear, but it's on its way to being law, access to social media platforms in Australia would be legally restricted to only those sixteen years of age or older. And this legislation would hold online platforms accountable.
Online platforms would be accountable for enforcing the ban. Presumably, they will also incur meaningful fines for failure to do so under this new law, or this forthcoming law. Australia's government plans to introduce the bill in Parliament this week.
So something's going to happen soon, and presumably there will have to be some period before it takes effect, because you need to give the social media platforms some means of responding to this in a reasonable way. Government officials explain that they're introducing the bill due to the harm social media is causing for Australian children.
Now, we've talked about this a lot in the past from the standpoint of the technological challenges, the practical challenges, associated with filtering access to online services by their accessor's age. Like, how is this done exactly? And will the legislation somehow put parents in charge? Can parents, for example, choose to opt their children out of such filtering? And there's a slippery slope there, because if that's possible, that creates the problem of one's kids saying, "Hey, but Mom and Dad, all the other kids' parents let them watch TikTok."
You know, regardless of the degree of the truth of that. But regardless of the legal and social side of this, it seems to me that if we're going to start legislating age-based filtering for Internet services of any kind, the underlying platform itself should be robustly providing this information to any application through some sort of platform-specific API. You know, for example, at this time iOS, for all of Apple's devices, I think iOS since the iPhone 13, allows granular restrictions of age four and above, nine and above, twelve and above, or seventeen and above, but there's no sixteen and above. So that's kind of a mess.
And none of this is automatic. You know, it's up to Mom and Dad to lock down their children's phones, nor does this lockdown setting change automatically, like on their birthday. So, you know, from that point, the point of setting the twelve and above or seventeen and above or whatever the device's setting is, apps that had previously declared their own minimum age for usage will then be restricted by the phone. None of this is the way that it should work.
And I'm not sure how we got to where we are now, but it doesn't seem like it was well thought out. It seems to me that a superior solution would be to allow the parent to set and lock in the date of birth of the phone's user based upon their feelings, the parental feelings, about the maturity of their child and/or their feelings about the perceived dangers of unrestricted access to social media.
They could choose to fudge their child's declared birth year in either direction as they see fit. But the advantage of this is that this could be a set-and-forget feature, where services would become available on successive birthdays based on the legislation that restricts what age they can be used at in which locale in the world. And at some point it will become accepted that on such-and-such a birthday, access to this or that social media service becomes available. So, you know, this is certainly another interesting aspect of today's Internet: the ubiquity of smartphones among minors and the platforms' willingness to treat them like everyone else. So I don't know, you know, we're tightening down access based on birthday, but we really don't have the mechanisms in place yet.
That's the problem, is how do you do age verification without compromising the privacy of adults, let alone kids? Yes, I know they have, these companies say, "Well, we just look at them and we can tell from their faces with AI," and blah blah blah. That seems ripe for misuse and failure. So yeah, I can understand the desire to do it, but it's one of those things where if you don't have the means to do it in a safe
way. And here's the legislators in Australia saying, "You do it, or you're out," and it's like, "How exactly?" "Oh, well, that's not our problem. You're techie people. You'll work it out."
I know. I think your solution is the only way to do it. I think that the mistake is saying, "Oh, I'll do it for parents." No, give parents the capability and let them decide. Only they know what their kids should and shouldn't do.
Yep, exactly. And if the parent puts in their birthday, and again, they could fudge it, you know, plus or minus a year or two depending upon, you know, their own perceptions of the risks and so forth, then once that's there, an API in the platform can be queried by any social media application, or anything else for that matter, to determine the age of the person watching. Now, okay.
Maybe the reason Apple did this is that having a birth date is considered itself a loss of privacy. So they're like, "Well, we're just going to create these big brackets of four, nine, twelve and seventeen." And, you know, that way we're not divulging much. But I don't think you can have it both ways. You are saying that the platform must enforce an age-based restriction.
Well, then you have to know the person's age. So yeah, okay. Last Wednesday, The Register posted another interesting piece that I don't recall seeing anywhere else, although I did hear about it from a number of our listeners.
The Register's headline was "Sysadmin shock as Windows Server 2025 installs itself after update labeling error." And then, of course, being The Register, their tagline on the article was: "Screens sprayed with coffee after techies find Microsoft's latest OS in unexpected places."
So with that tease, you know, we need to find out what happened. So The Register writes: "Administrators are reporting unexpected appearances of Windows Server 2025 after what was published as a security update turned out to be a complete operating system upgrade." Whoops. Okay. "The problem was flagged by a customer
of the web app security company Heimdal," they wrote. "Arriving at the office on the morning of November 5th, they found, to their horror, that every Windows Server 2022 system had either upgraded itself to Windows Server 2025 or was getting ready to. Admins are cautious by nature," they wrote, "so an unplanned operating system upgrade could easily result in morning coffee being sprayed over a keyboard."
"Heimdal's services include patch management, and it relies on Microsoft to label patches accurately to ensure the correct update is applied to the correct software at the correct time. In this instance, what should have been a security update turned out to be Windows Server 2025. It took Heimdal a while to trace the problem. According to a post on Reddit: 'Due to the limited initial footprint, identifying the root cause took some time. By 18:05 UTC,
we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284. Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update.
After cross-checking with Microsoft's knowledge base repository, we confirmed that the knowledge base number indeed references Windows 11, not Windows Server 2025.'" Okay, so whatever. They said: "The Register has contacted Heimdal for more information and will update this piece should the security organization respond. We also asked Microsoft for comment almost a day ago."
Since then, crickets. "As of last night, Heimdal estimated that the unexpected upgrade had affected around seven percent of their customers, it said. It had blocked KB5044284 across all server group policies.
However, this is little comfort to administrators finding themselves receiving an unexpected upgrade," they finished, "since rolling back to the previous configuration will present a challenge. Affected users will be faced with finding out just how effective their backup strategy is," oh dear, "or paying for the required license and dealing with all the changes that come with Windows Server 2025." Wow, what a mess. So I cannot speak for other admins, but I would be desperately checking that everything was still working after such a jump.
If they were my servers, you know. And if they were, I'd probably choose to remain on that platform if it happened, like...
Unless it broke things, which
you know, it could easily do, you know, after such a jump like that had been made. Since Microsoft would eventually be forcing the move anyway, right? I mean, anybody who is on 2022, well, they've got 2025 in their future. So wow, I can definitely empathize with the panic that would
ensue. To be more clear, though, did that happen to anybody who wasn't a Heimdal customer?
A good question, because if
it didn't, then it's Heimdal's fault.
Yes, I did hear from some of our listeners already who experienced this themselves, but they didn't specify whether they were Heimdal customers or not. There was some, I believe it was a third-party upgrade management, right, that was the source. So Microsoft's
getting all the blame for this, but it's not Microsoft's fault.
No, I believe it was somebody whose systems were under patch management by a third party and were updated not by Microsoft but by their patch manager. Yes. And I'm so glad you brought that up, because that is the case. And the other thing that is the case is that it's time for me to take a sip of coffee. Oh.
I just took a bite of the sandwich. So okay, you take that sip, and don't try to go too fast.
And my eye on the clock where thirty four minutes in. So a good time before we talk about what IT is that microsoft has decided they're gonna do to windows eleven to further protect people from user account control. IT turns out it's not in your face and up. So well.
that's true, everybody. Just you get the prompt to elevate and you go .
here here I have my turned off.
you don't use.
you see no, the first .
hundred complete.
bring IT down the minimum. And then I go into the registry and I disable IT completely because it's just, you know, i'm a mother hand over this over machine on two .
mothers hands once enough no.
And the fact is, I mean, the problem is people are saying, oh, there's that annoyance again. They just click yes yeah and so it's like, okay, what protections is that? Well, microsoft gna fix that.
Let's not make this easy. Our show today brought you by actually, this is a very appropriate company to talk about right now, threat locker. Threat locker makes zero trust, easy, affordable, and it's really effective if zero day exploits and supply chain attacks are keeping you up at night.
And if you're listening to this show, you're probably working in a world where you care about hardening your security. The best way to do it is with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. The key is a proactive, and this is what I want to underscore this.
I don't know how else to say it, so let me underscore this: a proactive deny-by-default approach to cybersecurity. That means, by default, you block every action, every process, every user, unless explicitly authorized by your team. And this is zero trust.
This is how zero trust works. And it works so well, and ThreatLocker does it so well. They make it easy to do. And, and this is equally important, they provide a full audit of every action.
So if somebody is authorized, some process is authorized, you know exactly who set it. That's great not only for risk management but also really important for compliance. ThreatLocker's 24/7 US-based support team fully supports you in getting on board and beyond.
And by the way, it's very easy to implement, thanks to them. ThreatLocker stops the exploitation of trusted applications within your organization. That keeps your business safe, or yes, it protects you from ransomware and all unknown zero-day threats. This is the problem.
These threats have never been seen before. How do you prevent it? Well, you just don't let anything in across your border.
Organizations across any industry can benefit from, they call it ring fencing, ThreatLocker's ring fencing. They isolate critical and trusted applications.
They put them inside the ring fence, right, away from unintended uses, from weaponization, limiting an attacker's lateral movement within their network. They're there, but they can't get there, right? ThreatLocker's ring fencing is so effective, it was able to foil a number of attacks that traditional EDR just couldn't stop, like the 2020 cyber attack on SolarWinds. Yeah, effectively foiled by ring fencing. ThreatLocker's customers are really happy about that.
I can tell you ThreatLocker works for Macs too, so your whole network gets unprecedented visibility and control of your cybersecurity, quickly, easily and cost-effectively. ThreatLocker's zero trust endpoint protection platform offers a unified approach to protecting users, devices and networks against the exploitation of zero-day vulnerabilities. I think this is so cool. And if you look at reviews, look at ThreatLocker's customers, you'll see I'm not alone in this.
It's very affordable. Get a free 30-day trial. At least try it, to learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance.
Visit threatlocker.com. That's threatlocker.com. We thank them so much for supporting Security Now.
And our friend, Mister Steve Gibson. You support us when, if they ask you, you say, oh yeah, Steve Gibson told me all about threatlocker.com. Now I want a cup of coffee.
It's my turn for your time. You're up, a coffee. Okay? So we all know UAC, User Account Control. This is Windows' clever and workable solution to the age-old dilemma of users running with root privileges on a system just so they are not constantly being told that they can't do what they want to do with their own system.
The problem with doing this, you know, running as root, is that it's their logon that has the root privileges. This means that anything they might do inadvertently, like innocently running some malicious software, you know, by mistake, inherits their account's root privileges and allows their system to be easily and potentially irreversibly compromised.
So the solution Microsoft evolved, and we talked about this when it first appeared in Windows, and I said then I think this was very clever. I mean, I think it's like the best solution we've had so far. What they did was they split credentials, where an administrative user, even though they are an administrative as opposed to a standard Windows user, an administrative user effectively logs on with both standard user and elevated credentials, or tokens as Microsoft calls them, while always running as a standard user with reduced privileges.
This way, they are protected from anything that might inadvertently happen when they're not intending to have anything happen, when they are not looking. Then when they try to do something that their lesser privileges don't permit, such as installing a new application into the system or disabling some system protections, Windows will pop up, you know, the User Account Control, the UAC prompt, which essentially serves as an "are you sure you want to do this?" required confirmation. And when the user sighs and clicks "Yes, I'm sure I want to do what I just asked for," Windows briefly switches over to their elevated-permission token credentials to allow that requested action to be performed.
Okay. So that's the way it's been now for many years. But we learned last week that it will be possible to optionally add another layer of security to this existing mechanism. Microsoft wrote: "Administrator protection," which is what they're calling it, admin protection, "is an upcoming platform security feature in Windows 11 which aims to protect free-floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges."
"This feature is off by default," meaning that, okay, just for clarity, when this is part of Windows 11 it will not be enabled by default, so UAC will continue working the way it has. But it can be enabled via group policy. So systems that are being administered remotely over the network in enterprises can cause this to be on for all of their Windows client machines.
Microsoft said, "We plan to share more details about this feature at Microsoft Ignite." Now The Hacker News dug into this a bit and did some reporting. They said: "Microsoft will add a new security system to Windows 11 that will protect admin accounts when they perform highly privileged and sensitive actions. Named Admin Protection,"
"the system is currently being tested in Windows 11 Canary builds. The new feature works by taking all the elevated privileges an admin needs and putting them into a separate super admin account that's most of the time disabled and locked away inside the core of the operating system." Okay.
I'll just note, we don't know how they're implementing this yet. I mean, this sounds like more than UAC with more protection. So maybe it is that; I don't know, like maybe their intention is to make this super-duper bulletproof. Anyway, The Hacker News says: "When users select the 'Run as administrator' option, they will receive a prompt from the Admin Protection feature."
"The difference from a classic UAC prompt that features Yes and No buttons is that the Admin Protection feature will ask the user to authenticate with a password, a PIN or some other form of authentication before they're able to go forward," they said. "But a change in prompting for authentication is not the only major change. According to technical and non-technical reviews from Microsoft MVP Rudy Ooms, who first spotted this feature, Admin Protection is a lot more powerful and innovative than you might expect."
"It changes how the entire Windows OS assigns admin privileges." Okay, so that answered my question. This is not just adding additional authentication to UAC.
You know, this buries it down somewhere in the bowels of Windows, whatever that means. That's apparently what's going on. It changes the way the entire Windows OS assigns admin privileges.
"In past versions," they wrote, "Windows created two tokens for an admin account," right, "one to use for normal operations, and one for when the admin needed to do admin things, with the user switching between the two." They finished saying, "Unfortunately, this allows threat actors to develop UAC bypass techniques and abuse admin accounts for malicious purposes." Okay, so, you know, stated another way, UAC, even as intrusive and potentially annoying as it was, was still too easy to use.
So it was being abused also. So Microsoft is going to give it another go and even more robustly lock up these privileges, which are too powerful to allow bad guys and badware to get their hands on. The Hacker News said:
"The new Admin Protection basically locks away all those highly privileged actions into a separate system-managed account. The threat actor would not be able to switch to that super admin account unless they could now bypass all the extra authentication options. The way this will exactly work in detail," they said, "is unknown."
"Microsoft is set to provide more details about the new Admin Protection feature at its Ignite developer conference later this month. And we hope," wrote The Hacker News, "that these extra authentication prompts will be able to support some form of MFA. If they do, threat actors that compromise admin accounts will have a much harder time exploiting those accounts for high-privileged actions."
So I know, I suspect that the operational profile of a developer such as myself is probably very different from the typical office worker. Even having UAC constantly popping up drives me nuts, as I said earlier. So I'm extremely careful with what I do with my system, and I maintain somewhat obsessive management over my machines.
So I've never felt that I really needed Microsoft to protect me from myself. Now, at the other end of the Windows user spectrum, you know, we have someone sitting behind a desk at a large enterprise. They are probably running a fixed set of preapproved software and logging into a standard rather than an admin account.
So they would already need to provide complete administrative credentials if they wanted to change anything in the system. This still sounds like the admin privileges that the system will have somewhere, you know, because there is an account defined on a system that has admin privileges even when the user who's currently logged in is a standard user. So Microsoft is going to, you know, much more deeply lock this down. And all this suggests that the forthcoming Windows 11 Admin Protection feature, you know, is intended to better protect everyone else, you know, all of those who have been logging in with admin accounts, but for whom the "Are you sure? Yes, No" UAC popup has not been providing sufficient protection. So again, I can't fault Microsoft for providing options, and for, first of all, making it optional. Thank goodness, although I don't tend to be under Windows 11 control any time soon, but also providing an option to more thoroughly lock down this security. And I've got to just say, given that, like, a biometric multifactor authentication might be available, then that...
would make it tolerable, you would say. Yes.
You wouldn't have to constantly go over and, you know, go to your smartphone and get a one-time password in order to continue doing the things you want to do.
Do you run as an administrator? Yeah, but of course you do. Yeah. But I mean, that was always the advice, don't run as administrator, and UAC solved that by kind of having these two levels.
Right, right. I mean, Windows has become such an OS that I have to. I mean, I'm creating brand new code, right? That's what I do, right?
So that's...
every time. Yeah, no, I hit, well, it's not dangerous.
Nobody looks at it that way.
But so I have to completely shut down Windows Defender, or it's, this, my .exe, the moment it gets created, it's got, "we've never seen this before. Get the government!" No, it's, so, you know, being a developer really requires you to just, like, calm down, Windows. It's all right.
It's me sitting here. So yeah, but again, I'm glad that they're able to allow enterprise admins to really crank the security up. And clearly, they're not doing this because they don't have anything better to do.
They're doing it because they've seen problems with not having enough of the ability to lock this down as much as they want. Okay. So under the category of who cares: last week we noted that fine-happy Russian courts had levied such insanely large fines against Google for refusing to allow YouTube to spill Russian media anti-Ukraine propaganda.
But not only did their own spokespeople have no idea how to pronounce the number of Russian rubles levied, but the fine far exceeds the total amount of money in the known universe. Moreover, you know, the Google branch of Russia, you know, the local Google entity in Russia, went, wait, belly up and bankrupt about a year and a half ago. So there's no assets there either.
So squeezing rubles out of Google, I don't think that's going to happen. But it seems that Russia has not been deterred in the fining department, apparently having decided that levying a reasonable fine against a going concern might actually produce some cash.
You know, if not any change in that entity's behavior. So to that end, a Moscow court has fined Apple, Mozilla and TikTok for failing to remove content the Russian government deems as being illegal.
Apple was fined for not removing two podcasts, Mozilla for failing to remove some add-ons from its store, and TikTok for failing to remove videos related to the war in Ukraine. The fines range from 35,000 US dollars to 40,000 US dollars equivalent in Russian rubles.
Now since fines on that scale probably fall into the petty cash category for those three companies, you know, at least there's something for them to discuss about going forward. It's not some ridiculous number with 30 zeros that no one knows how to pronounce, which Google has been hit with.

Um, and while we're on the topic of fines, South Korea has fined Meta 21.62 billion won. Now although it takes around 1,400 won to equal one US dollar, when the fine is 21.62 billion won, that still equals around 15.67 million US dollars for a fine. Um, so that's an attention-getting amount, and unlike Russia's fine for, you know, Google, uh, South Korea actually expects Meta to pay. Okay, so what did Meta do to upset South Korea's privacy watchdog? The fine is for illegally collecting sensitive personal information from South Korean Facebook users, including data about their political views and their sexual orientation, and, wait for it, sharing that data with Meta advertisers without their users' consent.
The country's, uh, the organization is called the Personal Information Protection Commission, PIPC. So the PIPC in South Korea says that Meta gathered information such as religious affiliations, political views and same-sex marital status of about 980,000 domestic South Korean Facebook users, so just shy of a million, and then shared it with 4,000 advertisers on Meta. The PIPC said in a press statement, quote: "Specifically, it was found that behavioral information such as the pages the users liked on Facebook and the ads they clicked on was analyzed to create and operate advertising topics related to sensitive information." Okay, actually that sort of sounds like a level or two removed, but still a breach of privacy, because, you know, Facebook is analyzing their users' behavior and then drawing conclusions about who they are based on what they do, and then making the who-they-are information available to their advertisers.
The PIPC added that these topics categorized users as following a certain religion, identifying them as a gay or transgender person, or being a defector from North Korea. The agency accused Meta of processing such sensitive information without a proper legal basis and said that it did not seek users' consent before doing so. It also called out the tech giant for failing to enact safety measures to secure inactive accounts, thereby allowing malicious actors to request password resets for those accounts by submitting fake identification information. Meta approved such requests without sufficient verification of the fake IDs, resulting in the leak of the personal information of ten South Korean users.
So just sloppy and not caring on Meta's part. PIPC said: "Going forward, the Personal Information Protection Commission will continue to monitor whether Meta is complying with its corrective order, and will do its best to protect the personal information of our citizens by applying the protection law without discrimination to global companies that provide services to domestic users." Unquote. So for their part, in a statement shared with the Associated Press, Meta said that it will, quote, "carefully review" the commission's decision, after which they will probably get out the checkbook and pay the fine, I would imagine.
So you know, the good news is everywhere we turn it appears that, you know, those early freewheeling behaviors of unaccountable internet services, uh, are being increasingly brought to heel. If user profiling has been as valuable as advertisers claim it to be, and if this profiling is gradually being squeezed and reduced out of the population of services, that suggests the economics of online advertising will eventually be changing too. You know, the advertisers don't want anything to change. They want all the information they can get about everybody all the time.
And governments are beginning to say, not so fast there. We don't want you to have that. And of course, governments are able to make the laws that they want to.
Our favorite NAS supplier, Synology, just patched a critical zero-click, zero-authentication flaw that would have created chaos had it been discovered first by bad guys. The flaw affected Synology DiskStation and BeePhotos and could be used for full remote code execution. It's being tracked...
Yeah, it's being tracked as CVE-2024-10443. And it has been dubbed RISK:STATION by security researcher Rick de Jager of Midnight Blue. He successfully demonstrated and exploited the vulnerability at the recent Pwn2Own Ireland 2024 hacking contest.
And this one is as bad as they get. RISK:STATION is a, quote, "unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the Synology DiskStation and BeeStation NAS devices, which would affect millions of devices." Now as we know, zero-click means full remote takeover without any action required on the part of the owner of the device.
We also know that the only way this could be possible would be if Synology Photos for DiskStation or BeePhotos for BeeStation have open and exposed ports to the internet. So I'll say it again, it doesn't matter how tempting and cool it might be to have roaming access to your photos and other features available to one or all on the internet. It doesn't matter that it is necessary to log in and authenticate to use such a service.
Everything we see reinforces the truism that there is no safe way to do that using today's technology, no matter how much we wish it were otherwise. Now the good news here is that this was disclosed during a Pwn2Own competition. So the bad guys have no idea how this was done.
And in keeping with the responsible disclosure that's inherent in Pwn2Own, no technical details about the vulnerability have been released, nor will they be soon. They're currently being withheld to give Synology's customers sufficient time to apply the patches. Midnight Blue said there are between one and two million Synology devices that are currently simultaneously affected and exposed to the internet.
So you know, easy to do, right? You just ask, uh, Censys or any of the online scanning services like Shodan, give me a list of all the IPs that are listening on this particular port, and then you get the list.
Um, so as that happens, I just updated my two Synology NASes. They notified me that there was new firmware available, and that presumably fixes this, you know, and any other lesser problems. But I would never expose my NAS to the internet.
You know, it's sitting behind the NAT services of a pfSense firewall that has UPnP disabled. My NASes were never in danger. And I hope and trust that that's true for all of our listeners. But you know, it's certainly not true for those one to two million Synology NAS users who said, oh, hey, cool, I can publish photos for my friends, and what could possibly go...
wrong. Somehow I doubt you use the Synology Photos app. No, I don't. I don't do that either. Never needed it.
So, you know, it is definitely more of a hassle not to simply be able to open ports and expose services to the internet. I get it, you know, but that's exactly what between one and two million Synology NAS users have apparently done. There are ways to safely obtain remote access. You know, for example, I'm a huge fan of port knocking, which has never taken off the way I wish it would.
But there are truly secure mechanisms that exist, which are still not being built into our devices due to, I don't know what, programmer hubris, which continues to imagine, despite all evidence to the contrary, that the last horrific bug that was just found and fixed will be the last one ever. So we don't need more security. This is what needs to change.
Okay, this is really interesting. Over on the supply side of attacks, we learned that cybersecurity researchers have discovered a nefarious malicious package in the Python Package Index, you know, the PyPI code repository. And get this: this particular Python package is called fabrice. It's been downloaded tens of thousands of times over the past three years of its availability while going undetected for those three years as it steadily pilfered...
developers' Amazon Web Services, you know, AWS credentials. Now the package's name is fabrice, which, you know, sounds like some sort of an air freshener or something. And it would be a believable package name on its own.
It's actually derived from a typo of a very popular Python library called fabric. Oh, so it's an "e" added to the end of fabric. The legitimate Python fabric library is used to execute shell commands remotely over SSH. But any developer who too hastily types fabric into their code might instead wind up with fabrice. And that's where things begin to go very wrong for them.
Whereas the legitimate fabric package has over 202 million downloads, its malicious typosquat counterpart has been downloaded more than 37,100 times. Since developers trust the well-deserved reputation of the fabric library, that's what they assume they're getting even when they first type the name and enter fabrice. Unfortunately, fabrice is then able to exploit the trust that's associated with fabric to incorporate payloads that steal credentials, create backdoors and execute platform-specific scripts. fabrice carries out various malicious actions depending upon which operating system it finds itself running in.
If it's executed on a Linux machine, it will download and execute four different shell scripts from an external server located at the IP address 89.44.9.227. When the same script runs on Windows, two different payloads, a Visual Basic script named p.vbs and a Python script named d.py, will be extracted and executed. The p.vbs script runs the hidden Python script d.py, which resides in the Downloads folder.
This d.py script downloads another malicious executable, which it saves as chrome.exe, then sets up a scheduled task to run that chrome.exe every fifteen minutes. Once that's been done, the d.py file is deleted. In any case, regardless of the operating system and the path taken, the common goal is credential theft. AWS access and secret keys are gathered and exfiltrated to the server at that address.
By collecting these AWS access keys, the opportunistic attacker gains access to potentially sensitive cloud resources. Now who knows what developer will run this and what resources might be obtained. Since 2021, when this malicious fabrice library was first dropped into the PyPI repository, 37,100 developers have downloaded it by mistake, thinking they were getting fabric. The first time they ran it, their machines were compromised. When they later corrected their typo,
it was too late. Their development systems were already infected with a trojan designed to seek out and send any AWS credentials they might have. So at this point, from time to time, the attacker's server at 89.44.9.227 simply receives unsolicited AWS credentials. Every time someone new shows up, the attacker probably heads over to AWS to see what their trap might have snared.
So we have a sophisticated typosquat attack crafted to impersonate a trusted library, which exploits unsuspecting developers who enter the wrong library name just once. This thing sat undetected for three years, collecting more than, well, we don't know how many AWS credentials were collected, but it was installed on more than 37,000 systems and then began looking for AWS credentials before it was finally spotted and removed from the library.
And of course, this begs the question, what other similar typo traps are still sitting out there, salted in among the thousands of legitimate repository packages? This is why we've got researchers scouring the repositories looking for these kinds of nefarious...
And this is a continual problem in these repos. I wish there was some easy way to fix this.
Yeah, you know.
There has been one particularly notorious...
NPM, of course.
The package manager.
It's a problem because we want public software, right? I mean, the whole idea is the community of people working together publishing software packages and libraries like this, intending to share it. Well, how do you keep the bad guys out? You really can't. And Leo, speaking of good guys...
I bet you I have a product that can get the bad guys out. Let me check. We continue on episode 1000...
Steve...
gets his cup. I already had my mug. I'm wishing now that I had the quad venti latte that you always order. I only made a double and it went quick. So that, this is brought to you by Flashpoint. Information is power.
Right?
It's absolutely key. It's critical to being effective in the world in a whole lot of different ways. If you're a security leader, you know this has been a year to remember, shall we say. Cyber threats and physical security concerns on the upswing, now geopolitical instability adding a new layer of risk and uncertainty.
Just, I'll give you one stat to illustrate. Last year, there was a staggering 84 percent rise in ransomware attacks, 84 percent rise. There was a 34 percent jump in data breaches, neither of which would be good for your company, right? And of course, the result is trillions of dollars in financial losses, but not just financial losses, threats to safety worldwide.
I've got a great solution for you. And it comes down to information. That's where Flashpoint comes in. Flashpoint empowers organizations to make mission-critical decisions that'll keep their people, their assets safe by combining cutting-edge technology with the expertise of world-class analyst teams.
You know, governments have intelligence agencies, but why should it only be governments? Shouldn't businesses also have people working to give them the intelligence they need to succeed? Well, with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, you get alerts, you get analytics, and you get it all in one place.
You can use it to maximize your existing security investments, of course, because you know where the threats are coming from, right? Some Flashpoint customers have avoided half a billion dollars in fraud loss annually. Half a, let me say that again, half a billion dollars saved from fraud loss annually thanks to Flashpoint. Four hundred eighty...
That's 482 percent in six months. Flashpoint earned Frost & Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence. An SVP of cyber operations at a big company you would know, a big US financial institution, said, and quote, "Flashpoint saves us over 80 million dollars in fraud losses every year."
"Their proactive approach and sharp insights are crucial in keeping our financial institution secure. They're not just a solution. They are a strategic partner helping us stay ahead of cyber threats."
Don't you want to stay ahead of cyber threats? No wonder Flashpoint is trusted by both mission-critical businesses and, yes, governments worldwide to access the industry's best threat data and intelligence. Very simple, go to the website.
flashpoint.io. Do it right now. You owe it to yourself and your company. flashpoint.io. I mean, you listen to this show for that kind of intelligence, right? Get even more: flashpoint.io. Thanks so much for supporting the intelligence of Steve Gibson. Now on we go. Okay. So we've...
seen this when to come on for a while, and we're nearing the year twenty twenty five, which is the year during which google has said they're going to be requiring, with no excuses, all of their cloud services users, which includes all gmail users, to be authenticating with some form of multifactorial thenk. good.
Yes, it's like it's time, right? So more than just their user name and password, which will no longer cut IT, google still hasn't provided explicit deadlines, but anyone who doesn't already have mfa set up can expect to start being push to do so near the beginning of next year. So there's not much more amnesty for for people who haven't done that yet.
okay. So I don't know how to read between the lines of some recent worrying news from the mozilla foundation. Just to be clear, that's not the same as mozilla.
The mozilla foundation is the nonprofit ARM of mozilla, but the foundation is just laid off thirty percent of its employees. Even though it's not, mozilla still makes me nervous since I depend upon firefox for the web and thunderbird for email. The official statements from the foundation, well, to me they sound like gobbi cook.
Get load of this quote. The mozilla foundation is reorganizing teams to what I read this think about the turbo and cabuli or and the reverse trunnions that IT uses because similar language. The mozilla foundation is reorganizing teams to increase the ugly and impact as we accelerate our work to ensure a more open and equitable technical future for us.
All that unfortunately means ending some of the work we've historically pursued and eliminating associated roles to bring more focus going forward. Our mission at mozilla is more high stakes than ever. We find ourselves in a relentless on slot of change in the technology and broader world, and the idea of putting people before profit feels increasingly radical.
Navigating this topsy turvy distracting time requires laser focus and sometimes saying goodbye to the excEllent work that has gotten this far because IT won't get us to the next peak. Lofty goals, demand hard choices, choice. What obviously.
does that mean that the whoever was on their P, R team who spoke sense, yeah, wow, that is bad. P.
that's another.
Here's here's the good news. The mozilla foundation had more than doubled its staffing in the last two years. okay.
So thirty percent cut still puts them ahead of where they were. It's also not the browser. It's there. As you said, they're not .
profit ARM right? OK good. So don't work.
You use mazilla or no. You use a chrome browser.
No, i'm a firefox hundred percent. no. Yeah, yeah, ah, yeah, yeah, yeah, yeah, yeah.
We need diversity. Is the last man standing? That's that's a fry are the only two mainstream brothers that don't use chromium.
I know. And and for me, my computers run cooler and quieter. What i'm not running chrome. Reason I like, the reason I left grow was that like my files were spinning up is like, what the heck is just it's just sitting here.
To be fair, mozilla's had its problems in the past with resources, but I think right now it's it's a pretty .
darn good Price well, and IT is getting heavy donation from google.
Oh yeah, two hundred million a year, I think from google. Not donation. They spent.
It's the same reason. Google to twenty billion. The apple is right. Yeah right.
In order to feature .
the and and .
I do use firefox's, whatever that the home page that that comes up with sponsored stuff yes, I do.
I want yeah good you yes yeah.
I have no problem seeing that. And so often kind of interesting because I know what's that about. So yeah okay. So that covers the most interesting news of the week today is patch tuesday. So we don't have any results of from that yet.
but count on that next week.
Absolutely, we will if when not sure that the number of things fixed will be two digits or three digits, but it'll be one of those two. Yeah, I was glad that there was not a torrent of news for today's one thousand episode of security. Now since there's been so much news recently that i've been unable to share, as I said, at the top of some of the truly great listener feedback we've been receiving.
So we're going to do that today. But I i've got a couple things. First, um dave plummer was an early microsoft engineer, among other things, Davis, credited with creating the original task manager for windows.
He wrote IT uh and also the space could that pinball ports for windows N T. He was also the developer who added native zip file support to windows. Thank you, dave.
Hard to pick just one of those as his most important.
Yeah, I like pinball, or, yes, yes, Space Cadet Pinball. So today Dave's best known for his two very popular YouTube channels: he has Dave's Garage and Dave's Attic.
I'm mentioning this today first because he puts a lot of effort and energy into the videos he posts to his channel, and our listeners might find a lot there to enjoy. So I created one of GRC's shortcut links to make finding Dave's Garage easy. It's just grc.sc/dave, so grc.sc as a shortcut: grc.sc/dave.
But the main reason I'm mentioning this is that one week ago today Dave posted his look at SpinRite 6.1. His subhead was "Optimize your hard drive and extend data life, including SSDs, with SpinRite."
And this review of SpinRite was so positive that in the metadata info about this video he made his motivation clear by explicitly stating, "By the way, this is NOT," all caps, "a sponsored episode. I'm just a thirty-plus-year customer and fan of the app!" So anyway, everyone who has been following this podcast already knows everything Dave talks about.
We all know that SSDs are prone to slowing down over time when their data is only ever being read and never written, such as, you know, the file system's metadata and most of the operating system files and drivers and so forth. And early in the work on SpinRite 6.1 we discovered that running a SpinRite level three pass over SSDs that had slowed down over time would restore their original factory performance. So I'm mentioning this due to two viewer comments that were posted to Dave's SpinRite video last week.
Brent Smithline said, "Have used SpinRite since the early eighties. After talking with the head of support at Compaq, he stated that they used SpinRite to test hard drives before they were installed in Compaq devices. The bad ones were weeded out and sent back to the manufacturer, so they did not become a support issue at the very start for Compaq." Now, I've mentioned this anecdote several times through the years, but it was fun to see it independently restated, and it brought to mind a useful strategy that may still be useful today. One of the things I've noticed while running drives on SpinRite is that the drive's self-reported SMART health parameters will often be pushed downward while SpinRite is running.
This is one of the biggest mistakes made by all of the various, although they really don't have a choice, SMART drive health reporting tools: a drive that's just sitting there idle and doing nothing is always going to be relatively happy, because it's not being asked to do any work, and it's not the drive's fault for not reporting anything, since it has nothing to report. It's only when the drive is loaded, by being asked to read or write data, that it's able to gauge its own ability to actually do that. For the past thirty-five years this has been one of the fundamental tenets of SpinRite's value.
A drive can only determine that it has a problem when it's asked to go out onto its media and attempt to read or write those regions. The fact that, in a sense, it owns that media doesn't automatically mean that it knows everything about what's going on out there.
It needs to be asked to go take a look. And it turns out that today's SpinRite can still be used the same way that Compaq once used it, to help qualify the relative integrity of spinning hard drives and SSDs. Another interesting comment that was posted there, among seven hundred and fifty-six others since last Tuesday, was by Seagate's ex-chief technologist Robert Thibadeau.
Yeah.
Thibadeau. In addition to being chief technologist at Seagate for years, Robert is also one of the six founding directors of Carnegie Mellon University's Robotics Institute, from which he resigned in order to guide Seagate's development of, among other things, self-encrypting drives.
In response to Dave's SpinRite video last Tuesday, Robert posted, he said, "As the chief technologist for Seagate for years, SpinRite is generally done right. There are some errors in David's presentation, but they are minor. The biggest thing that needs to be said is that if you wish to retain digital data," and Leo, you're going to love this, "plan to keep essential data on multiple drives that do not depend on each other," he said.
"RAID is not a solution, except for transactional data management or in its duplication mode," I think he means full mirror, yeah, he says, "and always keep a full data copy or two that are air gapped," meaning not connected to anything electrical. He said, "Safe deposit boxes are useful for this, and plan to make new copies on new drives every few years," he said.
"Digital storage devices can fail in more ways than you can count, and the ones that can preserve data for decades are really not commercially available and often give a false sense of security, leading to catastrophic data loss. The design life of storage devices is generally five years, although it's not unexpected that a given device will preserve storage for ten plus a few years. Knowing what I know, I buy new drives every year, and make new full copies, as well as keeping at least a couple of copies
air gapped all the time. Lightning can and does strike, fire," he said, "apparently heat demagnetizes, and it is not true that solid state drives are non-magnetic and unsusceptible to failures associated with magnetic field losses." So anyway, I wanted to share those too. Well, I mean, you'd have to be sticking it in an
MRI machine. I mean, you can't
like, demagnetize an SSD with a magnet.
But they're
still sensitive to charge, to being hit with a serious pulse. But I appreciated Robert's reminder about the inherent volatility of mass storage. Now, back when I first designed and wrote SpinRite,
you know, I had ten, twenty or thirty megabytes of spinning hard drive
we thought were vast. Well, well.
Because nothing was big back then. So thirty megabytes, you thought you were never gonna fill that up.
I know, single photos that are bigger.
Right? Exactly. So, you know, those drives cost us thousands of dollars. That price dropped rapidly, but it was still uncommon for anyone to own more than their system's primary mass storage drive. That's why SpinRite's data recovery was designed to work in place, because back then there was nowhere else for recovered data to go. That's one of the many things I am very excited to be changing as SpinRite continues to evolve in the future.
And thanks to the ongoing support from this podcast's listeners and the greater SpinRite community, as well as independent influencers and reviewers like Dave Plummer, it appears that SpinRite will have a bright future. Nothing, truly nothing, could make me happier, because there's nothing I will enjoy more than continuing to work on SpinRite, to move this code forward. Yeah, but I just wanted to mention that I'm always made a bit nervous when I get the sense that people are carrying around single copies of important data on today's thumb drives or external drives, you know, in their laptops or desktops, wherever, where there may not be another copy of that data. Drives are certainly becoming more reliable as time goes on.
But there's also a danger in that, since, as Robert reminds us, lightning does still strike. So the fact that drives are generally not dying left and right can lead us into a false sense of security, of believing they never will. With today's data storage being so economical, it might pay off to take some time to make backups automatic and transparent.
And that's really where I'm headed here. Automatic is the key; that's the main point I wanted to make. Everybody's busy, we get distracted. We naturally forget to do things that don't call for our attention.
That's why it really makes sense to find some time, if you haven't already, to arrange to have the data you care about kept safe for you without you needing to remember to do anything at all. These days, with storage being so inexpensive, that doesn't have to be expensive, I mean, almost free. In fact, the best case is that nothing bad will ever happen and that your backup system will never be needed.
But even then, the peace of mind that buys, of knowing that the system you put in place will have your back, I think is worth the time and trouble. So I just sort of wanted to take a moment to say, really, don't have a catastrophe. There's just no reason, there's no reason to have a
catastrophe any longer. I think some things have changed since Dave was working at Seagate. For instance, cloud storage is very, very common. Almost everybody listening, I would imagine, has at least one copy of their data in a cloud somewhere. It's so cheap. So you...
Oh, my god. And now Microsoft
is like dunning you, yeah, yeah. So that's a little annoying, to be honest. But Apple does the same thing with iCloud.
I think that most people probably have their most important stuff in the cloud. And you mentioned the same thing, which I think is a great solution. Yeah, have everything synchronized everywhere.
Yes. Yeah, yes. Okay. One last bit before we get to our listener feedback. I mentioned last week that my mailing system's instant unsubscribe feature had turned out to be a bit too instant, since many of our listeners were being repeatedly, silently unsubscribed from the Security Now mailing list.
The trouble was caused by some email providers, and this is a known issue I had never encountered, but I had heard of it. They attempt to protect their users from malicious links in email by following those links, pulling up the content they point to, and then checking it for any sort of malice. So it's not a bad idea, though.
It certainly does make email a lot more trackable, since many savvy users will deliberately not click anything in spam they receive as a means of remaining invisible, because they don't want to give any indication that there's a live one here on the other end. So the issue of trackability must have been a tradeoff that these providers decided was worthwhile. In any event, the system I had in place until a few hours after last week's podcast, when I said I was going to fix it, would assume that requesting the content behind the instant unsubscribe link was the user clicking it, so it would do as requested and instantly unsubscribe them. So I wanted to affirm that I did, in fact, change the way the system functions, so that links now display an unsubscribe confirmation page that's actually very pretty.
And you can click on it just to see what it looks like, if you're curious, and then just don't proceed to give it the additional click of "yes, I'm sure," um, because that's now what's required. So henceforth everyone should now remain properly subscribed. If you were not among the twelve thousand six hundred and fifty-six listeners who received today's podcast topic summary, you know, the Picture of the Week, the show notes link and everything, in an early morning email, you may now resubscribe to GRC's Security Now mailing list, you know, grc.com/mail, and you'll stay subscribed from now on. If you do that, all subscriptions should be sticky and remain in place until and unless you choose to later unsubscribe.
So I'm done with the email system. As I mentioned last week, it's now very easy to change your email address anytime you want; users can do that. With this last glitch gone,
this mailing to the twelve thousand six hundred and fifty-six of our subscribers went out beautifully this morning. So I have now, I actually already have, turned my attention to my next project, which is to create the next DNS Benchmark. So I'm very excited to get going on it deeply and get it done as quickly as I can. And Leo, let's take our last break, and then we're going to look at some listener feedback for the final half hour of our podcast.
Excellent, excellent. One thousand episodes, kids, amazing. Wow.
And by
the way, I wish we had a list of all of the sponsors we've had over the years. It all started with Astaro. You remember? Wait, and
Alex is still listening.
Alex House is still listening. Thank you, Alex. I get regular emails from you. Probably it's not a thousand sponsors, but it's been quite a few. We're very grateful to all of them; that's what makes the show possible.
We are, like Mozilla, I guess, dependent on your support with Club TWiT and, of course, on our advertisers' support. This segment of Security Now is brought to you by a company you probably know and have heard of, with a really interesting product that's somewhat new. I'm talking about Lookout. Today, every company is in the business of managing data. That means every company is at increased risk of data exposure and loss. We were just talking about it, right? Not just hard drive failure, but cyber threats, breaches, leaks. Cyber criminals are getting smarter every day.
And modern breaches now happen instantly. It doesn't take days or months anymore; it happens in minutes. At a time when the majority of sensitive corporate data has moved to the cloud, traditional boundaries no longer exist.
The strategies for securing that data have fundamentally changed. That's why you need Lookout. From the first phishing text to the final data grab, Lookout stops modern breaches as swiftly as they unfold, whether on a device, in the cloud, across networks,
or working remotely at the local coffee shop with your venti latte. Lookout gives you clear visibility into all your data, whether it is at rest or in motion. You will monitor, you'll assess, and you'll protect without sacrificing productivity for security.
And you'll like this, or at least the IT department will: with a single unified platform, Lookout really simplifies and strengthens your security posture. Reimagining security for the world that will be today, that is Lookout. Lookout.com, right now.
Learn how to safeguard data, secure hybrid work, and, yeah, reduce complexity. Lookout.com. Thank you, Lookout, so much for supporting the show, and we thank you for supporting us by mentioning you heard it on Security Now, because that's how we keep those sponsors happy, right?
Yes, they think, wow, this really makes sense to advertise on
this, doesn't it? I mean, who else, what better place to tell the world about your security product?
Okay. So Paul Walker asks, "Steve, just listening to episode 999 and your piece about AI to find, fix and prevent security vulnerabilities. I'm sure you're right, it'll be a great tool for developers, but I wonder if it'll just become the next arms race in the field.
Couldn't bad actors deploy AI similarly to find vulnerabilities? And all we're going to end up doing is raising the bar of complexity, picking off more of the lower hanging fruit as the vulnerabilities just become more obscure and harder to find by humans. Is there even a danger that a bad actor wielding AI might have an advantage for a while, as they turn this new generation of powerful bug hunting tools loose on all the old current software that's already out there?
Don't get me wrong, it should be a good thing, assuming the overall balance of power between good and bad doesn't shift too far the wrong way. But I fear your hope for a world of no vulnerabilities still isn't much closer. Congratulations on reaching 999, and thank you for going past it.
Here's to the next two thousand episodes." Thanks, Paul. So yes, Paul, um, I've had the same thought. Um, I agree that AI could just as easily be used to design exploits for the vulnerabilities that already exist or that will exist.
And I also agree that the inertial lag and upgrade friction we keep seeing throughout our industry is likely to mean that malicious AI will initially find itself in a target rich environment. So yes, I agree one hundred percent that things may get rough during the phase where AI is still newly being deployed by both sides. But there is an important lack of symmetry here.
The good guys will have an advantage in the long run, because no malicious AI, no matter how good it is, will be able to create vulnerabilities out of thin air. All the malicious AI can do is find problems that exist; it cannot create new ones. So once the good guys have their AIs working to starve the bad AI of any new vulnerabilities to discover and exploit,
the game will no longer be an arms race. There will be a winner, and that winner will be the good guys. But certainly an interesting point, and we are in for some interesting times.
And also speaking of AIs, Matthew from Montreal, Canada. He said, "Hi, Steve, I might not be the first person to share this snippet of code with you, but I thought you'd find it useful. I asked ChatGPT how to remove YouTube Shorts. Initially it suggested plugins, but since I have security concerns about plugins, I asked again, this time specifying that I wanted a solution using only uBlock Origin. Here's the solution it provided, and it works great."
Okay, so I've got it in the show notes. Basically, uh, ChatGPT, to which credit, uh, created a three-rule filter which, you know, you go to uBlock Origin and open the dashboard, look in the My Filters tab, and then paste, it's actually six lines because it's got comments for each of the lines, paste those in, click Apply Changes. Anyway, he said it worked. He said, "This approach has worked perfectly for me, and I thought you might find it handy too. Let me know if you try it out.
Best regards, Matthew from Montreal." Okay, so as I said, and as he wrote, Matthew from Montreal found that this worked for him. But a listener named Daryl, a man of few words, sent just a link to a GitHub page, and it's github.com and then, the link's in the show notes,
it looks like gijsdev/ublock-hide-yt-shorts. So I followed that link and was taken to a page that said, "A uBlock Origin filter list to hide all traces of YouTube Shorts videos." He said, "This filter list might work with other content blockers, but I haven't looked into that yet."
He says, "Copy the link below, go to uBlock Origin dashboard, Filters, and paste the link underneath the Import heading." So that's very cool. Under uBlock Origin there is an "Import..."
You can give it a link and it will suck the list in for you. So anyway, I used wget to grab the list.txt file referred to in that link. It's an extremely comprehensive and well-commented seventy-one-line filter, although that includes blank lines and comments, lots of comments.
I would be quite surprised if anything resembling a YouTube Short was able to squeak through that gauntlet. Then I discovered where Daryl found his GitHub link. He sent me another piece of email with a link to a piece on Medium, where a software developer explains, he said, "As a software engineer, I typically spend eight to ten hours daily on my laptop.
Following that, I frequently indulge in YouTube Shorts, which, combined with my extensive screen time, has started to negatively impact my eyesight. Despite recognizing this, I found myself too addicted to simply stop. Hence, I decided it would be better not to see any Shorts on YouTube at all.
That's when I discovered my savior: uBlock Origin. uBlock Origin is a Chrome extension that not only blocks ads on YouTube but can also stop YouTube Shorts, which I hope in turn will save me more time.
Here are the steps to follow." Okay. And then he provides a link.
Actually, he copies a bunch of stuff into his Medium posting. At the bottom he provides a reference. It turns out that this software engineer is also not the originator of this filter list. As I said, at the end of his Medium posting he links to the YouTube video where he presumably learned about uBlock Origin and found this filter.
So first of all, we've confirmed my suspicion from last week that uBlock Origin all by itself, which can obviously function as a Swiss Army knife for web content filtering, could probably nip this YouTube Shorts problem in the bud without the need for any sort of possibly sketchy additional web browser add-on, which is what brought this whole topic to the podcast, right? Remember that somebody had a YouTube Shorts blocker, and it became owned by somebody who started using it to track all of its users around the internet. So we were saying, hey, do you even need an add-on?
Why not just use, uh, uBlock Origin? So, sure enough. But I was still unclear about what all the hullabaloo was over this so-called YouTube Shorts problem. What's the problem exactly? Why are people creating web browser extensions to hide these? So I followed this software engineer's link to the YouTube video where Chris Titus tells us how to do this.
I did not watch Chris's video, but some of the, and I kid you not, eight thousand four hundred and twenty-three comments that have been posted to his explainer over the past ten months since he posted his video, which has been viewed 1.6 million times, were quite illuminating. So here's a sampling.
For example, people said, "The fact that people want to disable Shorts, and there are developers that create these amazing tools, really goes to show how crap Shorts really are." Somebody else said, "What's wrong is YouTube themselves keep pushing Shorts on people. It's a form of spam and should be something you can opt out of.
Unfortunately, opting out doesn't work within the YouTube platform. I hate Shorts and I hate the way YouTube is going." Someone else said, "Thank you for the tip, it's a lifesaver.
YouTube Shorts are cancer." Somebody else said, "Alternative title: How to cure YouTube's cancer." Somebody else wrote, "My child can't stop himself. Once he starts watching them, I have to step in.
He even tells me he wants to stop watching Shorts but can't, which is terrifying. Knowing this will make a huge difference in our lives. Thank you." Finally, someone said, "Dude, I literally cannot thank you enough for this.
I'm currently trying to really focus on my studies, but Shorts have been my downfall. LITERALLY," all caps. He said, "I just get so addicted to it, and I feel like I physically can't stop.
Once I realize how much I wasted doing nothing, I feel empty and dumb inside. So glad this is a thing, and it works great. You're a lifesaver.
Thank you so much." And the last comment: "Could you please make a shorter version of your video?" Okay, I confess, I made that last one up.
But wow, whatever this is, it really appears to have people in its grasp. It's somewhat astonishing. But these reactions to the posting of Chris's extremely comprehensive
"YouTube Shorts content, and how to block it using uBlock Origin" answers the question of why anyone would want to remove this from their browser. So, you know, also apparently from their life, in addition to from their browser. So anyway, we know you can use uBlock Origin.
The show notes have lots, lots of links, and one to a very comprehensive filter list for anyone who feels like a lot of these, you know, eight thousand plus people who discovered Chris's list. Tom Diamond said, "Steve, I ran into this on LinkedIn about last week's photo of the week. Just thought I would let you know.
Quote, 'Here's how a bunch of firemen created a viral image that fooled the internet,' unquote. That was the title from Business Insider." He said, "Thanks. Been listening since episode one. Tom Diamond." Okay. Now Tom is actually referring to, not last week's, but the week before last's photo, for episode 998.
That's the one with the train tracks.
Yep, the insane one showing the fire truck's hose crossing the train tracks while being protected by, uh, hose protectors, you know, as if that would do what was intended, you know, for the wheels of a train, right? So Tom linked to an article in Business Insider. Unfortunately it was behind a paywall, which placed a firm popup covering the page in my face and which refused to allow me to proceed.
But I was quite curious to see what Tom had seen. So once again, uBlock Origin to the rescue. I simply disabled JavaScript for the site.
That site is really hard to get to. I'm glad to know I can
do that. And refreshed the page, and no more popup blocking the page's content. So I can tell you that Business Insider wrote, "If you spent any time on the internet over the past few months, there is a chance you saw a photo of a fireman who had found a foolproof way to lay your hose over train tracks. The photo went viral, being shared all over Twitter and Facebook.
Insane, right? Not quite. The photo was actually a joke. Firefighter Tom, um, uh, [surname inaudible], from Belgium took the photo at the beginning of April and posted it to Facebook. The caption says something like, 'Fire early this morning.
Our houses are still protected from the train!' But that track was down that week for repairs. Those in town, presumably Tom's Facebook friends, knew that the photo was created and posted for laughs. There was no chance a train would be coming, but soon hundreds of people were sharing the photo on Facebook, adding their own commentary.
People who didn't know Tom or about the defunct train track began to see the photo and, in disbelief, shared the photo themselves. After his picture was shared hundreds of times, it eventually became separated from its original source and from its sarcastic caption.
People believed it was real. Stories, like the one about how a train was derailed, began going viral as well. Several days later, after tons of tweets, shares and email forwards in lots of languages, Tom wrote a follow-up post explaining what happened." It says, "Hey, this past week our funny photo went viral throughout the whole world, thousands of shares and likes in many different countries. Once and for all:
the picture was taken in Belgium in a small village called Borum. After a minor intervention," meaning some fire-related activity, "we had some time left near the railway to make this picture. Since there were no trains running at all for a week due to maintenance works, we can state that our joke was a real success." Oh.
And now, many years later,
still fooling
people
on the internet. So a big thank you to our own Tom, our listener Tom Diamond, for resolving this mystery for us. It's good to know that those firefighters were aware that either their scheme would not actually survive a train, or that any passing train might not survive their scheme.
Opinions among our listeners who sent feedback about the photo differed widely about what might transpire if the integrity of that crossing hose solution were ever to be tested. Paul Northrop wrote, "Dear Steve, in regards to the new DNS Benchmark offering, will there be versions for other operating systems? Apple, Linux, BSD?
Thanks." Okay. Fifteen years ago, when I first wrote the DNS Benchmark, I took great pains to make sure that it would run perfectly under Wine, and it does, beautifully. So I'll definitely, for sure, be preserving that functionality, anywhere Wine can be used, with the DNS Benchmark.
As it turns out, all three of those non-Windows OSes that Paul mentioned, Apple, Linux and BSD, are POSIX compliant and can and do run Wine. So while it won't run natively, it will be possible to run it on any of those platforms in addition to Windows. So I've got that covered.
Jim R. poses an interesting question. He writes, "Hi, Steve, thank you for being here for Security Now every week. You and Leo make a great podcast. I have a question about AI, which is a bit philosophical. A comparison of answers between Gemini, ChatGPT and Copilot shows the systems can disagree on basic facts, such as who won the 2020 presidential election."
There is disagreement in general.
And that is exactly the point. He says, "Gemini refuses to answer the question. This sounds like Big Brother, and Google has anointed itself the Ministry of Truth, deciding what facts it will suppress or reveal. Having our access to knowledge regulated by corporate overseers is disturbing.
How can AI be trusted if it withholds facts? Do you think a control system should be in AI that will prohibit AI from withholding the truth? Regards, Jim." Okay, this is an aspect of AI that I suspect is going to be a real issue.
My wife and I have grown to know the neighboring couples within our little community enclave quite well. Lorrie enjoys socializing, and since she lets me work every other minute of the day, I'm happy to join in. What I know, because I've grown to know our neighbors, is that I could ask each couple the same question and obtain a different answer from each, sometimes radically different answers.
And their intelligence is not artificial, though in some cases it may be questionable. So I suspect we may be asking a lot of AI for it to be some sort of absolute oracle and truth teller. And moreover, the truest answer may not be a simple binary, yes or no, true or false.
I believe in the fundamental rationality of the universe, so I believe there is an absolute truth. But I've also observed that such absolute truth is often extremely complex and colored by subtlety. Many people just want a simple answer, even when no simple answer can also be completely true.
In other words, they will choose simplicity over truth. Having come to know our neighbors, I have also come to understand their various perspectives. So when they share what they believe, I'm able to filter that through who I know them to be. I know we would like things to be easier and more straightforward with AI, but I see no reason why it would be. So whether we like it or not, what we're going to get from AI will just be another opinion.
A couple of things I would add. First of all, the AI didn't give him, or refuse to give him, the answer; the coding did, because everybody, Google, Meta, everybody except Elon Musk's Grok, has a bunch of bumpers put in to keep it from answering controversial questions. That's just a human saying, if it says this, don't answer it. The AI would give you an answer. I don't know what the answer would be, but it would give you an answer.
The other thing I would say is, this is exactly what Timnit Gebru, Margaret Mitchell and others who were working in Google's ethics department at the time, until they were fired for this, said in a paper called "Stochastic Parrots," where they talked about the problem with these AIs: because it's coming from a computer, people give it more weight. They assume, it's a computer, so it's smart, so it's gonna be right. And that's, of course, a mistake. And really, if you ask the same AI the same question several times, it will give you different answers each time; it's designed to do that. So it's more a question of us understanding, and I think the term "artificial intelligence" is part of the problem, understanding what it is we're playing with. Yeah, and it's not
intelligent at all. Well, and we've been using the term forever. You know, when I was in high school, I was at the AI lab at Stanford University. Yeah. So, like, okay, that's nothing like what we have today. So, although you
know, it's really interesting, there's a just-written article, a really good article, about Fei-Fei Li, who was one of the early researchers who believed in neural networks. And this was twenty years ago, and the entire AI community had said, now, you know, we've tried, they don't work. And she persisted, spent two years putting something like twenty or thirty thousand images into it, and created an image recognition program that worked.
I remember we interviewed the people at the University of Toronto when I was up at Call for Help in Toronto about this image recognizer. This was what inspired Geoffrey Hinton and others later to continue on with the AI, in fact, using neural networks, other techniques that we see today. So even in the AI winter there were people out there who had ideas that made sense, worked, but for a variety of reasons didn't get a chance to try it out. It's been an up and down thing. There are people who say today, a lot of people who seem to know what they are talking about, AGI is close, like within a few years. Yeah, actually,
I think that's our topic for next week. Is this, yeah, good? Yeah, because Sam Altman has just, on record, he's a hype master, I know, but there was enough meat in the discussion that I thought it would be interesting to share. I've been dying
to hear what you have to say about this. Oh, I can't wait. I'll look forward to that.
So, moving on to John. He said: Hi Steve. As someone who's been in security for over twenty years, I have found myself constantly overthinking anything that would result in lowering security, which could lead to a breach or intrusion.
As a keen home automation tinkerer, I have numerous devices. He sounds like Leo. Probably over one hundred at home, for controlling everything from lights to fans to monitoring solar, et cetera. He says, all partitioned off, of course, with VLANs, multiple firewalls, separate SSIDs, et cetera.
One of my biggest conundrums, though, is how do I expose the controller, for example Home Assistant, to the Internet so I can access it when traveling around. I have a fixed IP, so that's fine, but I really don't like exposing this type of software directly to the Internet. At the moment
I connect using OpenVPN. That's fine, but this means I need to turn it on and off every time I want to do something, which is a pain. I have also thought about an overlay network, but need to research a bit more on data usage, as it will be used primarily from a mobile device and hence limited data. Anyway, going back to the main thread, I know security by obscurity can be somewhat effective in a layered approach.
So what are your thoughts on using an IPv6 address rather than IPv4 for inbound traffic in these scenarios, as it is much harder to do full network scans across the IPv6 address space compared to IPv4? Long time listener and SpinRite owner from Australia. Keep up all the great work you, Leo, and all the team do over there at
TWiT. Thanks, John. Thank you, John. So the problem John has is, as we were talking about earlier with Synology, a problem many people are having. This is why those one to two million Synology photo sharing services were exposed, are currently exposed and vulnerable. Hopefully they're getting patched.
No one appears to have created a solid solution for this because developers keep believing, as I noted before, that they've just found and fixed the last problem that they're ever going to encounter. So, you know, right? Sure.
Go for that. What we still need is a clean and efficient means for remotely accessing the devices within our networks at home when out roaming. So John's wondering about the security of hiding his devices within the larger one hundred and twenty-eight bit address space afforded by IPv6.
He clearly understands that such a solution is only offering obscurity at best. So I suppose I'd say that doing that would be better than doing nothing, but that also requires IPv6 addressing support at both ends.
And the trouble is, it is not as if he gets to pick any hundred and twenty-eight bit address at random from all possible one hundred and twenty-eight bit addresses. ISPs are allocated well known blocks of IPv6 address space, and they generously hand out smaller blocks of sixty-four K, sixteen bits, of IPv6 addresses per subscriber. So it would still be possible for bad guys to target any ISP's range of known addresses and scan across that space.
Given the massive scanning power of today's botnets, discovering open ports located within an ISP's assigned IPv6 space would not be prohibitively difficult. John mentioned the use of an overlay network such as Tailscale, ZeroTier, or Nebula. I think those solutions are about as close to the perfect user friendly solution as exists today.
They all support all major desktop and mobile platforms as well as popular open source routing software such as pfSense, OPNsense, and others. So an instance could be installed on an edge router to provide extremely secure connectivity to any roaming devices. Or, if you prefer, Docker can be used to install, for example, ZeroTier on a Synology. Once you have an instance of one of these terrific solutions running on something at home, you can have secure connectivity to that network from any roaming laptop or smartphone, and there is no indication of excess network bandwidth consumption, since all of these solutions are economical in their overhead. And the way they work is exactly what you want.
You simply have that client running on your smartphone, and when an app you have wants to connect to, for example, Home Assistant, presumably you use a web browser, and you give it your home IP, or maybe you have dynamic DNS set up so that your home IP has a public DNS name. You go to that DNS name, colon, and the port number, and the traffic that is routed to your home only goes over the overlay network. I mean, it is like it is the perfect solution.
Not everybody is going to use it, because, you know, it's the kind of thing that our listeners will use. It's not as simple as, you know, Synology saying, oh, look, now all of your friends are able to browse your photos that you stick in the public photo sharing folder or whatever. You know, using your home NAS as that will never be safe.
But it is definitely possible to use an overlay network like Tailscale, ZeroTier, or Nebula to successfully get what John wants. Allen, our last bit of feedback, says: Steve, congratulations on one thousand episodes of Security Now. He said, I listened to the first episode during my first year of college for computer science while donating blood plasma for money to buy a second monitor.
Wow. That's
dedication. Now I am a senior software engineer at Google, where I have been for nine years. I've listened to every episode within the week that it came out.
Your podcast was at least as useful to my understanding as my bachelor's degree. And in many cases, your early podcasts helped me understand the material in my classes much more deeply. Thank you for all your years making Security Now. Allen.
That is so beautiful.
And so to Allen and to all of our many listeners who have recently written something similar, and I actually have something else that just came in this morning that I'll share next week that was really, really wonderful, I wanted to say, as we conclude this one thousandth episode of Security Now, that providing this weekly podcast with Leo has been, and I'm sure will continue to be, my sincere pleasure.
As I said before, I'm both humbled by and proud of the incredible listenership this podcast has developed over the years. It has been one of the major features of my life, and I'm so glad that you, Leo, thought to ask me twenty years ago whether I might be interested in spending around twenty minutes a week to discuss various topics of Internet security. Just look what
happened.
So thank you for making this possible. Thank you.
Next thousand.
I just provided
you with the platform and you took it from there. It's been really amazing. Our web engineer, Patrick Delahanty, posted some statistics about the show.
He said the shortest show we ever did. Do you remember this? We did, like, an extra thing.
It was three minutes. I think that was like an update of some kind. I can't remember why, but we had to do an update for some reason. So I guess that will always be the shortest show. There wasn't a whole lot in it. I'm trying to scroll back, see if I can find his post. And then he said the longest one we did, I think that was close to three hours, was two hours and fifty-seven minutes.
And wow, yes, I didn't know that. I thought that one a week or two ago was two and a half hours, and I thought that one was the
Well, there was always the advice, you keep it to two hours. Pretty nice.
And I think that's a target. I think that's a reasonable time. We've got a couple of listeners who complain,
I have to listen to the whole thing. Nobody is making you.
It's not like you have to. My attitude
has always been, give people, you know, you're supposed to give them less than they want. In my experience, podcasting, as long as it's longer than your commute, you don't want it to end halfway to work.
And we know how people feel about those YouTube Shorts.
We don't want to be short. No, we are long. Yeah, in the early days I tried to keep everything under seventy minutes because people were burning the shows to CDs.
And that was the maximum length of a CD, right? Yeah. I don't worry about that anymore. You probably know, I think now almost all of our shows push two hours; that is the shortest
that I do. Almost all of them are two and a half to three hours. So you actually have the honor of hosting our shortest show. Congratulations.
And, dare I say, most focused.
Very focused. And we love that. It is easily the geekiest show we do, and I say that proudly. I think that we try to serve a broad audience, because I don't want people to say, no, I don't understand anything you ever talk about. But at the same time, we also want to serve the hardcore person who really gets this and really wants to know deeply what's going on. Well,
and we do have listeners who write and say, well, I think I understand about fifteen percent of what you guys talk about, but I like it. I'm not sure what that is, but, you know, it makes me feel good, and I always get a little something. Like, yeah.
Great. Yeah, that's okay too. I mean, I've often thought of what we do as aspirational.
I watched this good documentary about Martha Stewart on Netflix right now. It's actually fascinating. I would watch it even if you're not interested in Martha Stewart.
But people said about her and her magazine, nobody can live that way. Nobody could be that perfect. You're setting too high a bar. She says it's aspirational.
Everybody might want beauty in their life and want to be able to have that. Everybody wants to understand what's going on in the world of technology. And if you don't understand it all, you will just keep listening, right?
Steve, it has been my great honor to know you and work with you for more than thirty years. I can't believe it's been thirty years. It doesn't
doesn't feel like it at all, and that's the good news. Yeah, you know, we're only at one thousand.
Yeah, look, we're going to keep doing this as long as we can. But I am so honored and thrilled that you were willing to do this way back then and continue to do it. I know it's a lot of work. I'm very aware how much
work you put in. It's a lot of work, but I'm happy to do it. Yeah. Here's
Patrick Delahanty's note. I found it. The shortest episode of Security
Now was 4:12, four minutes and twelve seconds. That's this one: Security
Now 103 SE, Vote for Steve. You remember that? That was, you were trying to win the podcast
Oh, right, right. The podcast
And I think you
did. We once, we won the first several years, the podcast
award. Yeah, yeah. Well, and rightly so. And then the longest episode, and I have the receipts to prove it, three hours and fifty-seven seconds. But it was the best stuff. So you don't have to take credit for that.
Thank goodness. I can't imagine I would have participated in that. I would have been on the floor.
Yeah, well, the reason was there were so many good sections in twenty eighteen, we couldn't do less than three hours. Yeah. So that's good.
That's fair. I think that's okay. Steve, thank you, from the bottom of my heart. We're continuing on.
I would have been bereft sitting here on this Tuesday afternoon without a Security Now. And I know I'm not alone in that. So, well, thank you for all the work. It's so much work every week.
No end in sight. They used to be saying, our listeners were saying, to nine nine nine and beyond. Now I think it's going to be to one nine nine nine.
How about nine nine nine nine? How long would that take? Two hundred years? Yeah.
I'm feeling great, but, as I've said, I do believe in a rational universe. But wait,
maybe we are laughing now, but somebody in the future will be listening to AI Steve. That's true. And episode ten thousand.
I'm sure you could dump all the transcripts into an AI and say, okay, give me the last week's news as Steve would present it.
Exactly, totally. You could probably do that now.
Probably could do that now.
But certainly by the time we're done with the second twenty years. Steve, bless you. Thank you, my friend. Eternally grateful. And we will see you next
week. On to one thousand and one next time.
Security Now!