It's time for Security Now. Steve Gibson is here with lots to talk about: Google's record-breaking fine from Russia (I don't think they plan to pay it), Firefox 132 and its nice new features, a really bad exploit involving Windows and .rdp files. And then Steve's going to talk about his plans for his next paid product, announced for the first time right here. Next on Security Now.
Podcasts you love, from people you trust. This is TWiT.
This is Security Now with Steve Gibson, Episode 999, recorded November 5th, 2024: AI Vulnerability Discovery.
It's time for Security Now, the Election Day edition, with Steve Gibson, where we cover all of this. Oh, I've got the wrong album art up there.
I'll fix that, Steve. We cover all the latest security news, privacy news and AI news. Look at those stickers. Yeah, I got Lorrie's also.
You know, "vote early, vote often."
But I only have the one sticker. There's something really satisfying about participating in our democracy. I have to say, I always enjoy it, and this time was no different.
Even though I did vote by mail, I didn't go in. It's just satisfying to put it in the mail. Yes.
And I do appreciate California making it so easy. Whether you ask for it or not, you get the ballot in the mail. Thank you very much. And you get to do it three or four weeks ahead of time, drop it in the box, hope that it doesn't catch fire, and then you're done. See,
it's Security Now, everybody. Very nice. I have fixed the album art, which means it's time for you to tell us what's ahead in the show.
Okay. So before I forget, I've been receiving some emails from people who say, hey, you mentioned that you sent out the announcement about the podcast the day before. It was the evening before, to twelve thousand one hundred and fifty-four people, I believe, or the week before it was the afternoon before.
But people are writing saying, I didn't get it, and I got them before, but I didn't get it anyway. What's happening is, I tracked this down, some people's email services, in an attempt to protect them from malicious links, are link-following their email, like the links in their email.
And unfortunately, my one-click instant unsubscribe really does work. There's no confirmation on it; you click the link and you're off the list, no questions asked. So apparently people who are using Outlook, some people using Outlook, Outlook will protect them by fetching the links in their email, and when it fetched the instant unsubscribe, that's it, they're not going to get any more email from me. So to everyone who's hearing this who did not get yesterday's or last week's or yesterday evening's email, I'm sorry, you were inadvertently unsubscribed by your overprotective email system.
So please go back and resubscribe. And by this time next week, I'm sure this will be resolved. I will have to take you to a page that asks, oh, are you sure you want to unsubscribe? And then you click, yes.
And now I understand why that's what everybody else does. I know I wasn't doing that, and that was not good.
Turns out you need to say, are you sure, because then Outlook goes, oh, look, isn't that nice, he's asking if they're really sure. So Outlook isn't giving malware anything.
So it's Outlook that does this. I feel like Gmail does some of this scraping too.
Well, Gmail makes it very easy. So there is a standard where the one-click unsubscribe goes in the headers. I was also putting it in the body of the mail, and so that's what Outlook is going in and finding, things that users could click on that might get them into trouble.
Oh boy, do I have a really amazing piece of news about that here today. But in the headers, that's where Google will say, if you flag something as spam, you get a little dialog. It says, oh, would you like to, maybe you just delete them anyway.
Do you get an offer from Gmail to unsubscribe from this list? The reason it knows it's a list is that in the headers, unseen by users unless they explicitly look, is an unsubscribe link, which your email provider is able to use. And in fact, this was really handy when I was doing that mailing to the really old email addresses: many of the recipient servers would see that the account hasn't been around for a decade, and so the server itself would unsubscribe them.
So it was great; it automatically cleaned the email list for us. So anyway, we are at Security Now Episode 999.
As you mentioned, Leo, and I should mention to our listeners, last week I noted I had not yet updated GRC's site to handle four-digit podcast numbers. I did that. Yes, we are prepared to
wrap to...
I had to time that. This is why I was going to be all over it, and boy, I didn't even realize it was going to be on Election Day. I think someone
there is saying, you know, I think my last show should be Election Day.
Wow, did you pick that? Okay. So we're going to talk about the interesting topic of AI being used for vulnerability discovery, which I think is going to be a big deal, and I don't want to step on my own story here, so I'm just going to leave it at that until we get there. We're going to talk about Google's record-breaking fine by Russia and wonder how many zeros that number has. Also, Russian television RT's editor-in-chief admits that their hosts are AI generated. Yeah, probably because of what happened to all the actual hosts afterward. Windows 10 security updates are set to end.
That's for version 22H2, set to end next October. Or are they? When a good Chrome extension goes bad: we're going to look at a real-world event that occurred. Also, Windows, it turns out, will launch RDP sessions, Remote Desktop Protocol sessions, with a .rdp launch file, which can also configure your RDP client for full zero security. And we ask, what could possibly go wrong with that? Actually, something has. Firefox 132 just received some new features.
Chinese security cameras have been removed, well, more than half of them, from the U.K. We'll check in there. And I know our listeners would not fall for this social engineering attack we're going to look at, but I bet you that lots of people would. Also, I'm going to announce GRC's next commercial software product, or at least some commercial software product; I'll talk about that a little bit.
And then we're going to look at the prospect of AI, as I said, being used to analyze code to eliminate security vulnerabilities, much as I recently suggested that AI running on the local smartphone may be the solution to allow us to preserve full end-to-end encryption by preventing bad stuff from being sent or received. I posit that AI may be the solution to the security problem. And Leo, have we got a picture of the week? A beauty. I love it.
All ahead. Security Now 999 is underway, which would have been, if you're just joining us, the last Security Now until Steve changed his
mind. A year ago you were right, and I was planning to, but you know, I'm not ready
to go yet. Congratulations. That's great. Our show today, we have a great sponsor: brought to you by DeleteMe.
And if you listen to the show, you know how problematic data brokers have become. That National Public Data database that was breached: hundreds of millions of people's Social Security numbers, emails and home addresses were basically given out to the bad guys. I think that's one of the reasons we're getting the spate of sextortion emails, Steve, with your name and address and phone number in it.
I think it came from the NPD release. You know who doesn't get those? Lisa. You know why? She uses DeleteMe, our sponsor for this segment. If you've ever searched for your name online, you won't like what comes up.
Much of that personal information is available. You may want to consider doing something about it. And maintaining privacy is not just a personal concern; it's a family one. That's why DeleteMe has family plans, so you can ensure that everyone in the family feels safe online.
How does DeleteMe work? It reduces the risk of identity theft, of cybersecurity threats, harassment and more, and it works by removing your private information from these data brokers, from these sites on the internet that are collecting all this, like NPD. Lisa is not getting those exact same emails I'm getting because her information wasn't in the NPD database.
You know, this is actually not why we started using it. We started using it because of phishing scams, spear phishing scams. Bad guys were using it to target Lisa's direct reports. She's the CEO of TWiT, and all of the people she manages were getting text messages saying, this is Lisa, urgent.
You know, I'm in a meeting, but I need some Amazon gift cards right now; order them for me and send them to this address. Fortunately our employees are smarter than that, but it did give us a little cause for concern, like, how do they know what Lisa's number is? Because it was Lisa's number.
Who she is, what company it is, who works for her, who her reports are, what their phone numbers are. That's when I said, you know what we need? DeleteMe.
How do you feel about compromised info and hacking and identity theft and spam? I mean, this is a nightmare, and we are very pleased that it's working for Lisa. I'm not so happy about myself.
Maybe I need to sign up for DeleteMe. Experts go out and find and finally remove your information from hundreds of data brokers. They make it their specialty. They know all the data brokers. And this is a really tough job because there are new ones every day, but they make sure they get them all.
And if you want to use it for your family, you can assign a unique data sheet to each family member that's tailored to them, with easy-to-use controls so you can manage privacy settings for the whole family. Some people say, no, no, I want to be on this site. I want to be on this site, but not this site.
Here's the thing that I think is most important, the reason we went with DeleteMe. They don't just remove it the first time. They continue to scan and remove your information regularly.
Because these data brokers, there are new ones popping up. They repopulate their databases all the time. I'm talking addresses, photos, emails, relatives, phone numbers, social media information, property values, and on and on and on. If you want to protect yourself and reclaim your privacy, do what we did.
Go to joindeleteme.com/twit and use the offer code TWIT. You'll get twenty percent off. That's joindeleteme.com/twit, twenty percent off with our offer code TWIT. And we thank DeleteMe so much for supporting the show, and we thank you for supporting the show by using that address, joindeleteme.com/twit. All right, Steve. I have prepared myself, steeled myself, if you will, for the picture of the week.
Just hold on to your desk.
It looks like something
out of Alfred Hitchcock. Wow. So I gave this one the caption "When handrails are not optional." And I truly wonder whether you could walk down these stairs without closing
your eyes. I think the stairs
are completely normal. Someone put the worst imaginable pattern of carpeting on these stairs. It's all off-axis, crosswise.
It's horizontal strips, but they're all kitty-wampus, is the technical term? Yes. And I mean, you have to really focus in order to, wow, get down these things. So I've had this one for a while and I thought it was great that, you know, you could see the aisle that it goes down to is the same pattern, and that's okay. But boy, when it turns around and goes ninety degrees and goes up the stairs.
This looks like it's a ship, too. I don't want to make it worse, but imagine you're rocking
on this thing. Whoa, oh, whoa, not good. Okay. So it's a shame that our favorite Russian internet watchdog,
Roskomnadzor,
is not the Russian entity that's been levying these fines against Google over its management of YouTube, since it would have been fun to say that name many more times during this reporting. I only get that once. But nevertheless, this bit of news was too fun and bizarre to pass up.
It seems that by Russia's accounting, Google currently owes some large Russian media outlets a rather significant sum in fines. We noted last week that the few millions of dollars that the SEC had levied in fines against four publicly traded U.S.
companies would be unlikely to change those companies' behavior because the fines fell far short of being significant for them. However, that's not the case here with Google and these Russian media companies.
Quite the reverse, in fact. Here's the story, as it was recently reported in the Moscow Times under the headline "Russia Fines Google $2.5 Decillion Over YouTube Bans." They wrote: The RBC news website reported Tuesday that Google has racked up some two undecillion rubles, which is the equivalent of 2.5 decillion U.S. dollars, worth of fines in Russia after years of refusing to restore the accounts of pro-Kremlin and state-run media outlets. You know, Google just said no. Here's what kicked this off.
RBC cited an anonymous source familiar with court rulings against Google. According to RBC's sources, Google began accumulating daily penalties of 100,000 rubles in 2020 after the pro-government media outlets Tsargrad and RIA FAN won lawsuits, you know, Russian lawsuits, against the company for blocking their YouTube channels. Those daily penalties, get this, have doubled each week.
And we know, when we're young, we learn about the power of compound interest, right? So these penalties are doubling each week, leading to the current overall fine of around two undecillion rubles. Now, an undecillion, they explain, is a number equal to one followed by thirty-six zeros, or one trillion trillion trillion rubles.
Google, whose parent company Alphabet, they report, reported revenue of more than $307 billion in 2023, is unlikely, you think, to ever pay the incredibly high fine, as it far exceeds the total amount of money on Earth. A total of seventeen Russian TV channels have filed legal claims against Google, according to one of RBC's sources. Among them are the state-run Channel One, the military-affiliated Zvezda broadcaster, and a company representing RT
editor-in-chief Margarita Simonyan. YouTube, they write, which is owned by Google, blocked several Russian state-run media outlets over their support of the full-scale invasion of Ukraine. Authorities in Moscow retaliated with these fines, but stopped short of blocking YouTube outright. On Thursday, the Kremlin called the fine against Google symbolic.
I had been planning to call it embarrassing, but okay. Kremlin spokesman Dmitry Peskov told reporters at a daily briefing,
quote, Although it is a concretely formulated sum, I cannot even pronounce this number. Rather, it is filled with symbolism. In fact, it's also filled with zeros.
In fact, there should be a reason for Google management to pay attention to this and fix the situation. Google's like, meh, it doesn't care anyway.
Finally, they said, this seems unlikely, given that Google's Russian subsidiary filed for bankruptcy in the summer of 2022 and was officially declared bankrupt last fall, and Google had earlier halted all advertising in Russia in order to comply with Russian sanctions over the war in Ukraine. So yes, fine them all you want, double it every week. You're going to run out of zeros at some point.
And as I also noted at the top of the show, this editor-in-chief, Margarita Simonyan, was mentioned as one of the seventeen companies that have also filed more recent suits against Google. I had noted that RT also recently admitted that many of Russian television's hosts do not exist and are entirely AI generated, along with their fake social media accounts, because I guess, you know, you want to respond to them interactively, get all engaged. They need to have a social media account to allow you to engage with their fake AI hosts.
Anyway, she predicted that journalism would disappear in the near future. It already has in Russia. So maybe she thinks that's going to spread. Unfortunately she may be right. We will see. A recent posting, and this is important for all of our listeners, unlike that first one that was just a little bit of junk food, a recent posting to the 0patch blog regarding next year's end of Windows 10 security updates contained a bunch of interesting related news.
This included what Microsoft plans to charge end users who would rather remain on Windows 10 come next October. Or it may not be a matter of "rather" remain; they may have no choice, due to what we know are Microsoft's arbitrary minimal system requirement policies for moving to Windows 11. So here's what the folks at 0patch recently wrote.
Their blog post headline was "Long Live Windows 10 with 0patch," and their subhead was "End of Windows 10 support looming? Don't worry, 0patch will keep you secure for years to come." So they wrote: October 2025 will be a bad month for many Windows users.
That's when Windows 10 will receive its last free security update from Microsoft, and the only "free," they have it in air quotes, way to keep Windows being used securely will be to upgrade to Windows 11. Many of us don't want to, or simply can't, upgrade to Windows 11, they wrote. We don't want to because we got used to the Windows 10 user interface and we have no desire to search for some button where it's been moved, and why the app that we were using every day is no longer there,
while the system we have is already doing everything we need. We don't want to because of increasing, and this is their word in the posting, enshittification, including bloatware, Start menu ads and serious privacy issues. We don't want to have an automated, integrated screenshot and keylogging feature constantly recording our activity on the computer. We may have applications that don't work on Windows 11. We may have medical devices, manufacturing devices, point-of-sale terminals, special-purpose devices, ATMs that run on Windows 10 and cannot be easily upgraded.
And finally, our hardware may not qualify for an upgrade to Windows 11. Canalys estimates that 240 million computers worldwide, 240 million computers worldwide, are incompatible with Windows 11 hardware requirements, lacking Trusted Platform Module, you know, TPM version 2.0, a supported CPU, 4 GB of RAM, UEFI firmware with Secure Boot capability, or a supported GPU.
So what's going to happen in October 2025? Nothing spectacular, really, they say. Windows 10 computers will receive their last free updates and will, without some additional activity, start a slow decline into an increasingly vulnerable state. As new vulnerabilities are discovered, published and exploited that remain indefinitely present on these computers, the risk of compromise will slowly grow over time, and the amount of luck required to remain unharmed will grow accordingly.
The same thing happened, they said, to Windows 7 in January 2020. Today, a Windows 7 machine last updated in 2020 with no additional security patches would be really easy to compromise, as over seventy publicly known critical vulnerabilities affecting Windows 7 have been discovered since. Leaving a Windows 10 computer unpatched after October 2025 will likely open it up to the first critical vulnerability within the first month, and to more and more in the following months. If you plan to do this, at least make sure to make the computer difficult to access, physically and via the network, for everyone else.
There are two options to keep Windows 10 running securely. Option one: Microsoft Extended Security Updates. They wrote, if you qualify, Microsoft will happily sell you Extended Security Updates, which means another year or two or even three of security fixes for Windows 10, just like they've done before with Windows 7, Server 2008 and Server 2012. Extended Security Updates will be available to consumers for one year only, until October 2026,
for the price of $30. Educational organizations will have it cheap, just $7 for three years, while commercial organizations are looking at spending some serious money: $61 for the first year, $122, that is to say twice that, for the second year, and $244, doubling again, for the third year of security updates, totaling $427 for every Windows 10 computer across three years for the enterprise. In other words, to interject here for just a moment, the cost to have Microsoft repair the mistakes that it has previously made in the design and operation of their own Windows software will double for their enterprise users every year, but not for end users, who could apparently, maybe, it's not clear to me, maybe just pay for one year for $30, and then that's supposed
to be
enough to get you pushed off Windows 10. So they continue. 0patch says: Opting for Extended Security Updates will keep you on the familiar monthly update-and-reboot cycle. And if you have ten thousand computers in your enterprise network, it will only cost four million dollars, they said. If only there was a way to get more for less. Oh wait, there is. Option two: 0patch. With October 2025, 0patch
will "security adopt," their phrase, Windows 10 version 22H2, the final release of Windows 10, and provide critical security patches for it for at least five more years, longer if there is demand in the market. They wrote, we're the only provider of unofficial security patches for Windows, and we've done this many times before: after security adopting Windows 7 and Windows Server 2008 in January 2020, we successfully took care of six versions of Windows 10 as their official support ended,
security adopted Windows 11 21H2 to keep users who got stuck there secure, took care of Windows Server 2012 in October 2023, and adopted two popular Office versions, 2010 and 2013, when they were abandoned by Microsoft. We're still providing security patches for all of these. With 0patch, you will be receiving security micropatches for critical, likely-to-be-exploited vulnerabilities that get discovered after October 14th, 2025.
These patches will be really small, typically just a couple of CPU instructions, hence the name, and will be applied to running processes in memory without modifying a single byte of original Microsoft binary files. There will be no rebooting the computer after a patch is downloaded, because applying the patch in memory is done by briefly pausing the application, patching it, and then allowing it to resume. Users won't even notice that their computer was patched while they were writing a document, in the same way that servers protected by 0patch get patched without any downtime at all.
And just as quickly and easily, our micropatches can be unapplied if they're suspected of causing a problem. Again, no rebooting or application relaunching. 0patch brings 0day, won't-fix, and non-Microsoft security patches. With 0patch you won't only get patches for known vulnerabilities that are getting patched on still-supported Windows versions. You will also get 0day patches, which are, they explain, patches for vulnerabilities that have become known and are possibly already exploited, but for which no official vendor, that is to say Microsoft, patches are available yet.
We've fixed many such 0days in the past. For example, Follina, thirteen days before Microsoft; DogWalk, sixty-three days before Microsoft; Microsoft Access forced authentication, sixty-six days before Microsoft; and EventLogCrasher, more than one hundred days before Microsoft. On average, our 0day patches become available forty-nine days before official vendor patches for the same vulnerability become available.
Then there's won't-fix patches: patches for vulnerabilities that the vendor, in this case Microsoft, has decided not to fix for some reason. The majority of these patches currently fall into the NTLM, you know, NT LAN Manager, coerced authentication category. The NT LAN Manager protocol is more prone to abuse than Kerberos, and Microsoft has decided that any security issues related to NTLM should be fixed by organizations abandoning their use of NTLM.
Microsoft therefore doesn't patch these types of vulnerabilities, but many Windows networks can't just give up on NTLM for various reasons, and our won't-fix patches are there to prevent known attacks in this category. At this time, our won't-fix patches are available for the following known NTLM coerced authentication vulnerabilities: DFSCoerce, PrinterBug/SpoolSample, and PetitPotam. And finally, non-Microsoft patches.
They wrote, while most of our patches are for Microsoft code, occasionally a vulnerability in a non-Microsoft product also needs to be patched, when some vulnerable version is widely used or the vendor doesn't produce a patch in a timely manner. Patched products include the Java runtime, Adobe Reader, Foxit Reader, 7-Zip, WinRAR, Zoom for Windows, the Dropbox app, and Nitro PDF. Though you're probably reading this article because you're interested in keeping Windows 10 secure, you should know that these patches are also available for the supported versions of Windows, such as 11 and Windows Server 2022, and we keep updating them as needed.
Currently, about forty percent of our customers are using 0patch on supported Windows versions as an additional layer of defense, or for preventing known NT LAN Manager attacks that Microsoft doesn't have patches for. So what about the cost? Our Windows 10 patches will be included in two paid plans. 0patch Pro, suitable for small businesses and individuals, management on the computer only, single admin account, currently priced at €24.95 plus tax per computer for a yearly subscription.
0patch Enterprise, suitable for medium and large organizations, includes central management, multiple users and roles, computer groups and group-based patching policies, single sign-on, et cetera, currently priced at €34.95 plus tax per computer for a yearly subscription. They write, and they conclude, the prices may be adjusted in the future, but if and when that happens, anyone having an active subscription at current prices will be able to keep these prices on existing subscriptions for two more years.
Okay. So this was obviously a sales pitch, but that doesn't make any of this less true or relevant. We know from our many years of covering 0patch that these guys are the real deal and that they really do present a viable alternative to Microsoft's doubling-every-year extortion for the enterprise. So in this instance, I don't mind the sales pitch because it's easy to endorse what they're selling.
Microsoft has clearly made a strategic gamble to deliberately abandon its users to its buggy and vulnerability-ridden software as a clear means of scaring them into migrating to a fully supported operating system that most users would rather avoid, even when what that really means is that there will still be a constant flow of new vulnerabilities always being introduced into this new operating system while older problems are still being resolved. And let's not even get started on the fact that Microsoft Recall is an issue for Windows 11 users. So, considering that remaining on a platform that works and that you love, into which Microsoft will no longer be continually introducing new vulnerabilities, and which will nevertheless continue receiving updates for any newly discovered critical security vulnerabilities, this is the niche 0patch has decided to fill.
And I think that for just €25 per year, which at the moment is around 27 US dollars per year, extending the security coverage of that beloved platform for a minimum of another five years starting in October 2025 makes a great deal of sense. And to top it all off, their on-the-fly, RAM-based code patching system is significantly more user friendly than Microsoft's nagging reboot-and-wait system. Windows 10 users still have a year to go before that final Windows 10 version 22H2 will need either third-party or extended Microsoft update help.
This podcast will be somewhere around Episode 1045 at that point. And among the other things, we should know a lot more about Recall by then. So anyway, I just wanted to let everybody... Yes, I have some questions.
So first of all, how does 0patch work? It sounds like it's patching in memory, not on the drive.
Yes. You can't patch on the drive because that would break the signature of the file, right? And so they would never load.
So you have something running all the time, the 0patch tool, that just loads in patches as needed.
Yes, there's a 0patch agent, which is small and runs. And we've talked about this in the past: the patches are literally twenty-three bytes. I mean, they're like a few instructions where they just fix the problem they know about.
So all of the patches are their own. How do they get, so Microsoft is releasing security patches and 0patch is duplicating those patches; do they reverse engineer them?
How do they know? Just like the bad guys do, in the same way that the bad guys do a delta on the pre- and post-
patch code? Yes, yeah.
You just find the thing that Microsoft changed, and so they say, fine. Yeah.
What is this? Yeah, okay. It's an interesting business, actually.
I think it's a great business, and I mean, they've been around for a long time. If you search GRC's transcripts for
we've been talking about
three years, yes, for 0patch, because they often jump in before Microsoft has an update, and they don't charge you anything for an update which is not yet officially patched. So where they're filling an emergency need that Microsoft has not filled for something being exploited in the wild, it's just as a public service. You can get that from them for free. I mean, they're like Cloudflare in just having this feeling of being really good people.
Well, they are going to sell it down the road, which is good. That's fine.
That's for a year of protection. Many people would rather do that than be forced to use Windows 11.
Are you running it?
Have you run it? No, no. Because I don't believe any of this nonsense about you can't run old versions of Windows. I'm running Windows 7. I'm just fine.
Those seventy vulnerabilities don't bother you.
No, I just don't go to bad places. No, my site doesn't have any, and I've got up-to-date browsers. Browsers are the big vector, the web, that's where the bad stuff gets in. And oh boy, Leo, wait till you see one of the new ways that people are being tricked.
Let's take a break, and then we're going to talk about what happens, a case in point of good extensions going bad in Chrome. Okay. I recommend 0patch. I think everybody who's listening should take a look at it, if the idea appeals to them. I don't see a downside.
And I mean, it keeps you running for as long as your apps continue to be secure. I mean, ultimately, that's what breaks it, is the browser no longer supporting Windows 10 or something like that, right? Yeah, very interesting.
All right. Let's talk about our sponsor for the hour, a name you, I'm sure, are very familiar with: 1Password. You remember that we used to do an ad for a company called Kolide, with a K.
I really liked Kolide. 1Password acquired them, and they've used Kolide in conjunction with their own technology to create something they call 1Password Extended Access Management. And it is a very clever idea.
Let me ask you a question, I think I know the answer to. If you're in an IT department, or in your business, or in security, do your end users always work on company-owned devices and IT-approved apps? Of course they do, right? They never bring their own phone or laptop, and they never run an out-of-date operating system, browser, or anti-malware software on your company's network, right? Of course they do.
So in that world of BYOD, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has figured out a very clever solution: Extended Access Management. It's more than a password manager.
1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM tools cannot touch. Imagine your company's security like the quad of a college campus.
You've got nice brick paths leading between the perfect green lawns from ivy-covered building to ivy-covered building. Those are the company-owned devices, the IT-approved apps, the managed employees. It's all perfect.
But as with every college, quite frankly, there are the paths people actually use: the muddy little shortcuts worn through the grass that are actually the straightest line from building A to building B. You've got that on your network: those unmanaged devices, right? The shadow IT apps, the non-employee identities like contractors, people bringing in their own tools because they work better, right? They're the shortcuts.
But the problem is most security tools only work on the happy brick path, and most of the security problems take place on the little muddy shortcuts. That's why you need 1Password Extended Access Management, the first security solution that takes all those unmanaged devices and apps and identities and puts them under your control. It ensures that every user credential is strong and protected, but then it goes an extra step, making sure that every device is known and healthy and every app is visible.
It's security for the way we really work today, not the fantasized, perhaps, everything-is-perfect way that some security companies want it to be. It gets down there on those muddy paths. Now it's generally available to companies that use Okta or Microsoft Entra for authentication.
They are in beta for Google Workspace customers, and it's a great way to up your security. Check it out at 1password.com/securitynow, the number one, password, dot com, slash security now. I know everybody knows and trusts 1Password. I think you'd be very interested in what they've done with this really cool product.
1Password Extended Access Management. Find out more at 1password.com/securitynow. We thank them for their support. You support Steve and his good work, too, by using that address. And now you saw it here: 1password.com/securitynow.
Steve. Okay, so we have another example of a popular Google Chrome extension, with more than one hundred thousand daily users, suddenly becoming malicious. The extension, known as Hide YouTube Shorts, has been found to be performing affiliate fraud, collecting and transmitting the browsing history of every one of its users.
Hiding YouTube Shorts.
I do YouTube Shorts. I do Shorts, right? Okay. And apparently that's a thing. Anyway. So security researchers say that the extension appears to have turned malicious, not surprisingly, we've talked about this a lot, after it was transferred to a new developer. I went over to the Google Play Store to check that out.
Now it's unclear to me why someone would want or need to hide YouTube Shorts, but it's clearly a thing, since there were many other similar extensions listed as alternatives whose names similarly suggest that they do that also. But in any event, in response to questions, the extension's new owner defends the overreach of the extension's privileges by saying that in the future there might be the need for more latitude. The brief write-up from the researcher who took the time to dig into this was interesting.
He wrote: What initially piqued my suspicions were the strange search suggestions on YouTube, completely unrelated and disconnected from the context of my searches, sometimes in foreign languages. However, after analyzing the traffic in the browser tab and developer console, I didn't notice any suspicious activity. It was only after I started debugging the extension that I noted suspicious network activity and requests being sent to an unknown external service containing the addresses of all visited sites and a unique identifier.
The extension does what it says it will do, but in the background it collects and sends information about all visited pages to an external server hosted on AWS. The information that the extension collects and sends includes a unique user identification number, installation number, authenticity token, language, timestamp, and full URL with path and arguments and parameters, which allows reading the information in the address bar, including, for example, search history and search terms. Some users in the reviews on the extension page in the Chrome Web Store also indicated the possibility of being redirected to phishing pages due to the malicious nature of this extension.
I do not know what other information it could have collected before, but due to the wide permissions of the browser extension, it should be assumed that it could also read information transmitted in forms, including credentials, logins, passwords, personal and sensitive data. Such data can be used for a wide range of attacks. Yeah.
So anyone who has used such an extension should assume that all data viewed and transmitted via the browser has been compromised and take immediate precautions. And again, one hundred thousand users per day. The extension was originally developed, he wrote, by a single developer who maintained the source code on GitHub.
However, the GitHub posting was archived on September 12, 2022, I'm sorry, 2023, and the plugin was acquired, or maybe sold, to another developer, he said. I have not analyzed everything to the extent I would like, especially earlier versions, to find out when the malicious change was made.
Although it seems that the first developer for some reason decided to use the all-pages reading model when the extension was just entering the Google web store, he wrote, I analyzed its behavior and did not see similar problems with it. So indeed, this did happen downstream, at some point.
He finishes: I have no doubt about the intentional nature of the current developer's actions, as his responses to comments about the extension's permissions being too broad clearly demonstrate his intent. So once again, the caution, our takeaway from this, would be to attempt to minimize the use of browser extensions. We know that, by far, for the most part, extension developers are well-meaning and above board.
But we also have incontrovertible evidence that there are also malicious actors swimming in these waters. Without the ability to fully analyze and vet every extension, it becomes a numbers game where, statistically, the greater the number of extensions being used, the greater the chance that one of them might be malicious. And I just haven't had any time to dig into uBlock Origin further.
But I've got this nagging sense that, for example, if you wanted to block YouTube Shorts, uBlock Origin would just do that by using the dropper and clicking on something in YouTube Shorts, and they would just go away. I've had anecdotal reports of that in feedback from our listeners. So you probably don't even need more special-purpose extensions. You probably just need to better utilize uBlock Origin. At some point I'm going to make time to...
...do that. It's just a CSS div, probably, that you could, if you knew the name of that...
...you could just block it. Exactly. Yeah, and in fact, that little dropper thing finds that for you, the div, yes, exactly, and just does that and creates a rule. Yeah. So anyway, the fewer the better when it comes to extensions. Okay, this is one of the... boy, we all know the trouble Windows has had over and over and over with something as simple as .LNK link files. I mean, you were covering these before the Security Now podcast, on your weekend show.
Anything you double-click that does something is always risky.
Right. So the exploits of those have been epic, and we've lost count of the number of times they've been fixed, in air quotes, only to rear up again. You know, some design concepts are just bad and are notoriously prone to abuse.
And Leo, you just summed that up. Anything you can double-click, that's a problem. So that's what I was put in mind of when I read, yeah...
...that it is possible for a Windows .RDP file to reconfigure and launch a remote desktop session. It's like Microsoft never learned anything from the past. And as we know, those who do not learn from the past are destined to repeat it.
Okay, so the generic tech press reporting on this just said: Microsoft says that a notorious Russian cyber espionage group is using a clever, okay, clever new technique to compromise victims and deploy malware on their systems. The technique involves sending malicious RDP configuration files to victims via email. If executed, the files connect a victim's PC to a remote RDP server. The connection allows the Russian group to steal data and deploy malware onto the compromised device.
But it's...
...convenient. Microsoft has attributed the operation to Midnight Blizzard. Remember, they're the people who got their email. Also, they don't like the Midnight Blizzard people. A cyber unit inside Russia's SVR foreign intelligence service.
The group has used the new technique since October 22nd and has targeted individuals in government, academia, defense and NGOs across the U.S. and Europe.
This is the same campaign that was also spotted by AWS and CERT-UA. Okay. Now, since the inherent insecurity of this entire design was just too much to believe, I went to the source, where Microsoft themselves explain. They said: On October 22nd, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over one hundred organizations. These emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services and the concept of Zero Trust.
The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate, because you can get those for free. RDP configuration (.rdp) files, they wrote, summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs. Imagine that. Let's make that easy.
Let's make it one click. These configurations extend features and resources of the local system to a remote server controlled by the actor, where we insert: what could possibly go wrong? We'll have a few more by the time we're done here. In this campaign...
...the malicious .rdp attachment contained several sensitive settings, let's map the C drive, that would lead to significant information exposure once the target system was compromised. It connected to the actor-controlled server. Or, by the way, where they say "was compromised," they're being quite kind. By that they mean when the user received the email containing the .RDP attachment and clicked it. That now qualifies as: you've just compromised your computer, baby, because it was a file that your email wasn't trained to block.
Notice that you can't send executables by email anymore. Those die. I mean, those die.
Immediate death. If you try to email someone an .exe, there's just no hope. But .RDP, yeah.
I'd submit that your computer was compromised the minute you enabled RDP.
Well, it's enabled by default, and that's another one of those, here we go, what could possibly go wrong. Okay. So as they say, once the target system was compromised, meaning the user clicked on something in email, which is all that it takes to compromise Windows these days, it connected to the actor-controlled server and bidirectionally mapped, this is Microsoft, and bidirectionally mapped the targeted user's local device resources, meaning hard drives, to the server. Bidirectionally mapped means not only can... and that's right. Resources sent to the server may include, but are not limited to, this is Microsoft's sadness, all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. Basically, you've just given them...
...what they need to...
...access your...
...entire system.
They, Microsoft, wrote: This access could enable the threat actor... okay, the only way it wouldn't is if they were literally asleep when this mapping occurred. Otherwise, oh, uh, could enable the threat actor to install malware on the target's local drives...
Actually, it's probably automated, so they can be asleep, but it'll happen in their sleep. And mapped network shares, particularly in AutoStart folders. Oh, so they have those too.
Or install additional tools such as remote access trojans to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the signed-in user to the target system. This, again, is Microsoft writing: When the target user opened the RDP attachment, an RDP connection was established to an actor-controlled system.
The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including files and directories, connected network drives, connected peripherals including smart cards, printers and microphones, web authentication using Windows Hello (right, protected by Recall, don't worry, you're safe, right? Windows Hello, not safe), passkeys or security keys, clipboard data, point-of-service, also known as point-of-sale or POS, devices. And they go on and on and on in their blog posting.
Microsoft goes into detail about the attacks and provides pages and pages of IOCs, indications of compromise. Under their mitigation section, they have pages of things that can be done to keep this from happening. I have an idea: how about never building this inherently, incredibly dangerous and abuse-prone facility into Windows in the first place, which is, I think, the first thing you suggested. You hear it and go, yeah, if it's not there, there's nothing to abuse. Seriously, is it necessary to have an .rdp file type that causes a machine to configure itself to a maximally insecure state and connect to a previously unknown remote server? I use our... it's like...
...a remote service support, right? Go.
I use RDP extensively. And yes, RDP saves its connection profile settings into individual .rdp files, and that can be useful. But when those files are given the capability to initiate a connection on their own, this becomes an extremely dangerous design pattern.
If they're going to exist at all, such files should be tightly bound to the machine that created them, not something that can be received in the mail and then clicked on by an unwitting user. Microsoft loves storing things in the registry, so RDP settings for the local machine could be retained there instead of in individual .RDP files, and then this problem would not exist.
Handy as it inarguably is, there's just no safe way to send somebody, anybody, a file that, when executed, causes their machine to connect to any foreign, unknown machine with all of its local resources shared. There just isn't. There's no safe way to do that.
You know, at the very least, this facility should be firmly disabled by default for everyone, yeah, and then only those few people who actually need to do this should be forced to jump through some hoops to enable it on their machine only, and even then possibly only for some self-limited time. And if that were the case, Russia would have never bothered to create this, because it would be off for 99.99999 percent of the people in the world. I hope everyone knows to never click on anything received in an email, even if it appears to have been sent from someone you know and trust.
We can now add another to the long and growing list of email-based exploits. Email attachments are too useful to ban outright, and unfortunately clever bad guys keep finding new ways to abuse this useful capability.
But my firewall is so powerful now. I don't allow port 139 on my... right? Or most people probably don't. But I guess because it's an outbound request...
...your firewall doesn't stop it. And it runs on 6800, or it runs on a high port number, okay, as I recall, also, but...
...it doesn't matter, because you're outgoing, right? You're the source of it.
Come on. And you can bet that Russia has their port listening for anybody to connect. And Leo, this started on October 22nd, meaning that thousands of emails went out to hundreds of companies, highly targeted, looking legitimate. People clicked on them, and they got themselves immediately compromised. That's how bad guys then get a foothold inside an enterprise. And talk about a foothold. I mean, this is a body hold.
Yeah, you own it.
Yes. And speaking of owning it, Leo, let's give our listeners a chance to own something, and then we will continue. I'm anxious...
...to get to some other... I have...
...the TV on here, Steve.
You're not missing anything. That's not fair. Nothing's going on on the East Coast.
At least not...
...before Georgia closes. So you're good. This is the fastest-paced show we've ever done.
Um, okay, keep up. Okay. We'll have some more great stuff coming from Steve.
As always, Steve is amazing with the quality of the information you get here, and we thank our sponsors for making it possible, like BigID. You know about BigID. I've talked about them before. They are the leading data security posture management solution, DSPM.
Have you ever heard of that? It's the only DSPM solution that can uncover dark data, that can identify and manage risk, can remediate the way you want, and scale your data security strategy through unmatched data source coverage. BigID seamlessly integrates with your existing tech stack, which is nice, because you can then use it to coordinate security and remediation workflows, take action on data risks, all the actions you know: annotate, delete, quarantine and more, based on the data. And of course, it maintains an audit trail.
So every action is recorded. The partners that it works with are, I'd like to say, everybody, but I'll mention a few: ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, and on and on.
With BigID's advanced AI models, you can reduce risk, accelerate time to insight, and gain visibility and control over all your data. BigID is so good at finding this dark data that they equipped an organization that probably has more data and more little hidey-holes than any other: the United States Army. The U.S...
...Army used BigID to find that dark data, to accelerate cloud migration, to minimize redundancy, and to automate data retention. Listen to the quote. This is from U.S...
...Army Training and Doctrine Command. This is amazing. Quote: The first wow moment with BigID came with just being able to have that single interface that inventories a variety of data holdings.
Now remember, this is the Army. Think of what kinds of data. I mean, they said, including structured and unstructured data across emails, zip files, SharePoint, databases and more. To see that mass and to be able to correlate across those is completely novel.
Again, quoting the U.S. Army Training and Doctrine Command: I've never seen a capability that brings us together like BigID does.
That's a pretty nice endorsement. When they told me that, I said, can I please read that? Because if the Army says it and is willing for you to hear it, that's a pretty big endorsement. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc...
...5000 and the Deloitte 500 two years in a row. They are the leading modern data security vendor in the market today, right? I've got to give you one more.
This is from the publisher of Cyber Defense Magazine, quote: BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. That's BigID. Start protecting your sensitive data wherever your data lives.
At bigid.com/securitynow. And by the way, the Army, CNBC and all the rest just scratch the surface. Go to the website; you will see all of the accolades, all of the people who give BigID a thumbs up, all the references. It's pretty darn impressive. bigid.com/securitynow. You can also, while you're there, get a free demo of how BigID can help your organization reduce data risk.
And by the way, finding all that data, knowing what that data is and where it is, is part of the process of accelerating the adoption of generative AI, right? Because, I mean, think about the Army: there's stuff there that's top secret, right? You're not going to put that in the AI.
So being able to see it all, know where it all is, and control it, that is so important. BigID, bigid.com/securitynow.
And speaking of AI, there's a new... there have been lots of reports, lots of white papers, but I know there's one that will give you insights and key trends on AI adoption challenges and the overall impact of GenAI across organizations. Read all about that at bigid.com/securitynow. Thank you, BigID. Thank you very much for the job you do. Thanks.
I guess I should say thank you for your service, and thank you for supporting Security Now. We really appreciate that. bigid.com/securitynow. Steve.
Okay. We've got a new Firefox. We're now at 132. It adds some new features and security fixes.
The biggest new feature in 132 is support for a post-quantum key exchange mechanism under TLS 1.3, and they also block favicons if they are loaded via HTTP. Um, back when we were looking at Firefox's third-party cookie handling, there was a great deal of confusion, since Firefox's UI, we were talking about it at the time on the podcast...
Firefox's UI and its actual demonstrated behavior appeared to be at odds with one another. So among the improvements that we got in 132, I was pleased to see the sentence, quote:
Firefox now blocks third-party cookie access when Enhanced Tracking Protection's strict mode is enabled. So that's what everyone thought it was doing, but we saw that it wasn't. It is now.
So, as we suspected, you know, GRC's cookie forensics system showed what was happening. And that's been fixed in Firefox 132, which everybody probably has, as I mentioned at the top of the show. Under the sad but understandable category of "we don't trust camera-equipped black boxes made in China"...
...we have the news. Really? Yeah, okay. We have the news... we talked about DJI drones as one example of camera-equipped black boxes. We have the news that the U.K. government now says that over fifty percent of all Chinese-made security cameras have been removed from sensitive sites such as government buildings and military bases.
The government says it expects removal to be completed by April of next year, 2025, despite the fact that the removal was initially ordered well back in November of 2022, as we covered at the time. And I was thinking, wow, you know, it took them until now to get rid of half of them. But then I thought, okay, there's probably a long procurement cycle for such things.
So it took some time to get the replacement cameras in the pipeline. And as we know, U.K. officials ordered all sensitive sites in the U...
...K. to remove all Chinese-made cameras, citing national security concerns, because anything is possible.
And basically, that's it, right? No. But anything is possible. So yeah, I think, certainly first for sensitive installations, that makes sense.
I'm not sure I would announce that we've removed half of them.
Yeah. Yeah, yeah, yeah. The other half, before things...
Yeah. Good news: half of them are gone.
That's right. Okay, now, Leo. Okay. And I know that our listeners are savvy. Yeah, I was first tempted to call this the "there's a sucker born every minute" attack, in honor of P. T. Barnum. But upon further reflection, I think that would be too harsh, because this is actually a rather clever and horrific form...
I think I would fall for this. I hate to say...
...it. Again, I can see people like... like, I know lots of people who would. Definitely a very clever form of social engineering attack, and I think it might ensnare many non-suckers. So it's not the sucker born every minute. It's that, you know, maybe it's a little more than that, but still not much.
Okay. It leverages the fact, the true fact, that most people who are using the Internet and PCs today have never really been, and probably never will be, completely certain or confident about how any of this magical hocus-pocus stuff works, mostly, right? They just follow the instructions and do what's asked of them and hope for the best. And that's why I can understand why this new, and rather blatantly obvious to techies, exploit is actually succeeding out in the wild.
And it's horrifying to contemplate. Okay. It begins with a fake CAPTCHA pop-up, which we're all seeing now. So you know, it starts: you get something you expect to see, right? Like, okay, I'm going to have to prove that I'm not a robot...
...even in this reCAPTCHA, which is legit.
Right, right. So in this case, in the case that was used for this example, somebody wishes to watch a video.
They need to click on the CAPTCHA button to start authenticating that they are human. Okay? But this click that the user makes actually runs a bit of JavaScript, which places a dangerous PowerShell executable string onto their Windows clipboard. And, oh my God, JavaScript is able to read and write the clipboard.
So when you click on this, it puts this PowerShell script onto your clipboard, and it uses an encrypted command tail which PowerShell will decode, so it just looks like gobbledygook, like, okay, whatever. Okay. After pasting this trojan-invoking PowerShell script onto their clipboard, it then displays the remaining instructions they must follow to ostensibly prove their humanity.
Okay? Well, they're definitely about to prove their humanity, but not in the way that they intend. Get this: the pop-up reads, "Verification steps: press Windows button," and then that shows you that little Windows, you know, four-window-pane icon, "plus R." I wouldn't fall...
...for this part.
I know. Again, okay, but we know people who would.
Right. Sure. Because most people don't know what Windows and Control...
...have any clue what any of this is about. Right now, step number two: press Control-V. Step number three: press Enter.
Step number four: what could possibly...?
So Windows plus R brings up the Windows Run dialog with its "What would you like me to run?" field highlighted. Control-V pastes this horrendous PowerShell.exe command from the system clipboard into that Run field, so that the Run field now contains the executable PowerShell script to download and install and run trojan malware on their computer.
And then this all culminates when they follow the final step of pressing Enter to, as Picard would say, make it so. So again, as I observed, none of us would. None of us would do this.
But again, most people don't know what any of this is. So they're just following the steps, because they want to see the video. You know, they want the carrot. And so, wow.
Fortunately, Windows key R does nothing on a Mac.
So I'm safe. You're safe. All you in the minority.
The minority is growing. It's because of things like this, I'm convinced. But okay.
Wow. Ah, yeah. So anyway, I don't know what to tell our listeners. I know none of our listeners would fall for this, but I know they know...
...people who would. So...
You know, wow. It's bad enough to be forced to click things in your browser when it could be a spoofed window. Our browsers are designed to try to minimize the damage, but it's possible for JavaScript to put something on our clipboard.
And then these instructions basically say, oh, thank you, here's what we want you to do now. And it involves getting that thing to run, which those keystrokes will do.
Wow. Okay. I said last week that I wanted to announce the next thing, the next big thing I'm working on. I recently finished the work on GRC's email system. And actually I have a caveat to that now, as I said, because it turns out that Outlook is doing link following to protect people from malicious links and, in the process, unsubscribing people from their mailing list. So I'll fix that the next day, and then it's on to what comes next.
Oh, and I forgot to mention last week, one of the email system's originally missing features was the capability to allow its users to easily update and migrate their email addresses at any time they may want to. My original thought was that since an email account didn't have anything other than zero, one or two subscriptions associated with it, anyone could simply delete their old account under their old email and then create another one under their new email, so no real need to explicitly remove their existing account. But after I saw very high spam complaint rates when initially mailing to SpinRite owners from twenty years ago, who were like, what is this, I migrated SpinRite's purchase data into the email system, which allowed me to send email which opened with the line, "Back in 2005, someone named Josh Mou at this email address purchased SpinRite."
And, as I imagined at the time, that had a profound effect upon the spam complaint rates. Suddenly everyone was like, oh yeah, I remember that. Anyway, now the email system is able to handle updates. The email system knows about SpinRite owners. So there is more actual data contained in an account, and I'd like to keep it there.
So I've added a simple rename field to the detail management page, which any of our listeners will see next time they go there, like to resubscribe to the Security Now podcast, which they were mistakenly unsubscribed from. So I wanted to let everyone know that since they last visited the email management page, editing has been added.
Once that was done, I was able to address the final remaining loose end of the SpinRite 6.1 documentation offering, which was to create a video walkthrough demonstration showing SpinRite in action. Since booting DOS and using a textual user interface is becoming increasingly foreign, I wanted a way to allow someone who might be considering whether to purchase SpinRite to get a quick and clear sense for what that looks like when it's running. So that now exists.
I posted it on my YouTube channel. I posted it over on GRC. So it's hard not to find it. And if anyone is curious, there you go.
And that brings me to the announcement. As of last week, as I've mentioned a number of times, GRC's number one by far, I mean by far, 9.3 million downloads so far, most popular software of all time is the DNS Benchmark. I have been astounded by its popularity. When I was putting the show notes together,
I guess it was Sunday, there it had been downloaded 9,313,642 times, and around 1,600 downloads per day. The benchmark pages have a page that solicits feedback, and I am constantly receiving requests for new features. Mostly people are wondering how the speed of encrypted and privacy-protecting DNS, using DoH, DoT or DNSCrypt, compares with regular plaintext DNS. Is it slower?
Is it faster? What? And despite the glacial progress of IPv6, as we talked about last week, many people are requesting that I add support for IPv6 to the benchmark. And actually I think that makes sense, because when IPv6 is available, our systems use it preferentially. So you may be using an IPv6 DNS server which the benchmark won't benchmark.
So other great ideas have been to allow the benchmark to verify the domain filtering being done by services like NextDNS, and others have been wishing to avoid local domain name blackouts, where the DNS services they're using don't let them access sites they want to. So the benchmark could be used to help them locate servers that would allow them to get access to those sites. So anyway, the other thing I hear more generally is that people would like to have a way of supporting my continuing work here, you know, on all things GRC, you know, newsgroups, forums, ShieldsUP, DNS spoofability tests, all the freeware that I write and am able to offer, and everything else.
So I've decided that my next project, before I create Beyond Recall for, you know, super fast, super secure data deletion, which will precede the development of SpinRite 7 for Windows, will be to revisit the DNS Benchmark and to give you a major version 2.0 update. There will still and always be a free release available like it is now.
But I would like you to be able to support it, if I can. And I think I should be able to, based upon its observed popularity. So I plan to offer all those new features for $9.95 in a Plus edition, and also, for the real DNS pro guys, a Pro edition for $19.95, which will do a whole bunch more: run as a service, background logging, lots of long term charting and a bunch of other stuff. So when is it available? Well.
And that's my hope.
Is that I'm going, because it's an update to an existing product, it's not going to be a long time coming. Since I hate the model of subscription software with a passion, despite the fact that the rest of the world appears to be going that way, the agreement I'll be making with the purchasers of the benchmark is that they only ever pay once, and they own it and its future, of that edition, forever without ever any additional cost.
So if it succeeds, as it might, it would create a revenue stream that would justify its ongoing improvement over time and continuing development, you know, as new DNS-related technologies arrive. So anyway, I will have a substantial new upgrade to the freeware. It'll still be available. And then for people who want more, you know, for less than ten bucks, well, not much less, $9.95, you can get that and own it forever and its entire future. So that's smart to have the
$9.95 and then the next one up, because I know that everybody looking at that's gonna go, well, for ten bucks I can get Pro, but I want the super-duper edition for twenty bucks because, yes, twenty bucks.
And actually I got that thought from John Dvorak, who, he and I talked, like, just sort of, yeah, he wrote to me. And we ended up having a couple hour conversation because he wanted to know what email system I was using, because he was leaving Monkey Mail, whatever that thing is called. Anyway, and the point he made was, he said, you know, don't put a cap on what people can pay you, because they might want to pay more.
He said that very well. With that, my dad, good. All right.
Okay. So let's take our last break, and then we're going to talk about AI application in security vulnerability discovery. And I have an episode 999 sort of editorial to lead in on that. Okay, so good, good stuff.
The good news is 999.
Not the last, indeed not.
Next week for episode 1000. Or are you going to do it in hex? I don't know what he's going to do. What would that be? I don't even know. Our show today brought to you by Melissa. This much
I know: they have been the trusted data quality expert since 1985, longer than we've been doing this show, that's for sure. With Melissa's debut in the Stripe App Marketplace. This is really cool.
Stripe customers now have access to the same data quality services leveraged by large global enterprises every day. Key features. And this is just one of many Melissa integrations.
But let's talk about the Stripe integration. Key features include address validation. The app validates global addresses at both the customer and invoice levels. That's all within Stripe. Without leaving Stripe, autocompletion capabilities reduce the number of keystrokes required and, of course, eliminate fumble-finger errors. Only valid addresses enter the database, your database. User friendly? You bet. Of course. That is, users can easily configure the app with a few steps, with support for both customer account and invoice level validation.
The app offers smooth management of API keys and subscriptions, facilitating transitions from free to paid services. And of course, it's Melissa, so you get comprehensive support and quality assurance. Users have direct access to Melissa's experts, ensuring high quality service and support. This is amazing. Enhancing operational efficiency, boosting customer satisfaction and maintaining overall financial health.
Those should be strategies for any forward-thinking business. And if you're a business that relies on Stripe, you know, exceptional, and now you have an ever expanding tool set at the ready with Melissa. Melissa is amazing. Melissa's services, by the way, understand compliance like no other.
That's important, right? You want to make sure that your data is safe. With Melissa, you get secure encryption for all file transfers and an information security ecosystem built on the ISO 27001 framework, adherence to GDPR policies, SOC 2 compliant.
Of course they do it right. Get started today with 1,000 records cleaned for free at melissa.com/twit. We love Melissa. Been with us for a long time.
We're glad to see they've come along in 2025 as well. melissa.com/twit. Thank you, Melissa, for supporting Security Now. And thank you, Security Now listeners and viewers, for supporting us by going to that address and that address alone. So they know you heard it here: melissa.com/twit. Okay, Steve. Vulnerabilities.
On the occasion of episode 999 of this Security Now podcast, I want to take a minute before we talk about something Google recently announced, where AI was used to discover an important vulnerability in a widely used piece of software.
To put AI into a broader context: by now I'm sure our listeners have correctly determined that I'm one of those in the camp who is overall quite bullish on AI. All of the evidence I've seen and witnessed firsthand informs me that we are indeed on the verge of something truly transformative. And I'm very glad I'm still, frankly, alive to watch this happen. Seriously. No.
My parents... Very science fiction feel, isn't it?
And it's happening. No. And my parents and a bunch of my close friends who would have been fascinated by this are no longer here to see this happen.
And that's a shame, I think, because I believe this is going to be that big. I believe AI is gonna be something that changes the entire world. Like most of those in the baby boomer generation, during my lifetime and my awareness, I've watched vacuum tubes give way to transistors, and transistors give way to many generations of integrated circuits.
Digital memory moved from relays and then to magnetic cores, to insanely dense electromagnetic and electrostatic storage. Computers evolved from what was essentially an automated calculator, many times more expensive than people's homes at the time, to incredibly powerful devices that we now discard without a second thought. And the internet happened during the second half of baby boomers' lifetimes.
We've had the privilege of watching this incredible global network interlink the computers we all now casually carry around in our pockets. We are truly living through what was science fiction near the start of our lives. And now those of us who are still here are going to have the privilege of watching AI happen.
Given everything I've already watched unfold during my nearly seventy years on this planet, and given what I've seen of it so far, I believe that AI's impact upon our lives is destined to be bigger than anything that has preceded it, more significant than everything that has come before. For the longest time, the technologies that appeared to have the most impact were those that facilitated communication. The printing press changed the world, and that was followed by the telegraph, which was followed by radio and the telephone, which was similarly transformative. The reason the internet has changed everything again is that it, too, is about communication.
It could be argued that automotive transportation is also a form of communication. Communication has been so universally transformative because it's been about linking the thoughts and intentions of people. By comparison, I believe that AI is going to utterly eclipse the transformative power of communication, because it is the thoughts and intentions of people.
AI is the currency of people. And sure, it's easy for cynics and skeptics to find fault. There's always fault to find in the beginning of anything new, where big claims about the future are being made.
That's just the nature of new. New is the start of the journey, not the end. Personal computers were initially a joke, as were the first luggable laptops, but no one's laughing now.
Back at the start of Bitcoin and the invention of cryptocurrency, there were many skeptics. But I sure wish I had not installed Windows over my fifty Bitcoin. My point is, what AI is today is not what it's going to be tomorrow.
It never is. And I believe we're only at the start of what is going to be more significant than the invention of anything that has come before, because AI is, as I said, potentially the currency of people, and there's never been anything like that before. I'm glad we're all gonna be here to witness it together.
Okay. So what happened with AI and Google? Google has a long posting in their Project Zero blog, but The Hacker News assembled a very nice summary. That's what I want to share. Here's what they wrote. They said:
Google said it discovered a zero-day vulnerability in the SQLite open source database engine using its large language model assisted framework called Big Sleep, formerly Project Naptime. The tech giant described the development as the, quote, "first real world vulnerability" uncovered using the artificial intelligence agent. The Big Sleep team said in a blog post, quote, "We believe this is the first public example of an AI agent finding a previously unknown exploitable memory safety issue in widely used real world software," unquote, The Hacker News said.
The vulnerability in question is a stack buffer overflow in SQLite, which occurs when a piece of software references a memory location prior to the beginning of the memory buffer, thereby resulting in a crash or arbitrary code execution. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of a valid memory location, or when a negative index is used. Following responsible disclosure, the shortcoming was addressed in early October 2024.
It's worth noting that the flaw was discovered in a development branch of the library, meaning it was flagged before it made it into an official release. And I'll also note that that means, you know, it was flagged, it was a newly introduced bug that this thing immediately found. They said: Project Naptime was first detailed by Google in June of 2024 as a technical framework to improve automated vulnerability discovery approaches.
It has since developed into Big Sleep as part of a broader collaboration between Google Project Zero, yeah, and Google DeepMind. With Big Sleep, the idea is to leverage an AI agent to simulate human behavior when identifying and demonstrating security vulnerabilities by taking advantage of a large language model's code comprehension and reasoning abilities. This entails using a suite of specialized tools that allow the agent to navigate through the target code base, run Python scripts in a sandboxed environment to generate inputs for fuzzing, debug the program and observe results.
Google said, quote, "We think that this work has tremendous defensive potential. Finding vulnerabilities in software before it's released means that there is no scope for attackers to compete. The vulnerabilities are fixed before attackers have a chance to use them," unquote. And The Hacker News finishes:
The company, however, also emphasized that these are still experimental results, adding, quote, "The position of the Big Sleep team is that at present it's likely that a target-specific fuzzer would be at least as effective at finding vulnerabilities," unquote. Okay. So, well, this may be just the first time AI has been deployed for this. My own intuition is screaming that AI-driven code verification and vulnerability detection is going to be huge. To me,
it feels as though this is dead center in AI's bailiwick, and that it may be that AI is what finally comes to our rescue in the seemingly never-ending and apparently intractable fight against both the continuous introduction of new vulnerabilities and the discovery and eradication of old ones. Microsoft must be hard at work figuring out how to use AI in this way. Imagine a day when Patch Tuesday is, sorry, nothing to fix here. No new known vulnerabilities have been found, reported or known to be under exploitation.
Now you're just fantasizing.
That would be something. Yeah, yeah. And it really, to me, it's impossible for us to reach if we don't do something like this. Yes, with AI it does not seem that far-fetched. You know, it may be that today's large language model training style doesn't really apply for this.
That's my feeling. I don't think that's the way to attack this, but I'm not nearly close enough to AI to know. But I'm sure there are people who are. Of course, you know, this won't solve all of our problems, since there will always be people who are opening dangerous service ports to the internet or following instructions in a believable-looking CAPTCHA telling them to just bend over, just happy.
And even, even when their AI cautions them not to do that. So, you know, I'm not worried that AI is going to put this podcast out of business any time soon.
As always, there are users, and users can always be counted on to do dumb things. But I think that was Cornell, something like that, right? He was famous for citing that.
But code, code is pure. It's why I love it. So it's just combinatorial math, and it's fully deterministic. So it really seems to me as though code verification would be a natural habitat for AI.
And Lord knows we need it. If I were a younger man, that might be where I might aim my own focus. And I'm serious about this.
We often get listeners who are just starting out and who are looking for and asking for some direction. So here's some. It feels to me as though AI could have incredible traction in the field of code behavior verification and software vulnerability discovery. And these days it's possible to borrow big compute resources from cloud providers, which makes basement or garage development not only possible but practical.
And if such technology were created, it feels like the sort of thing that would be snapped up by any of the big tech giants in a heartbeat. So think about that if you're young and, well, full of future and you're looking for something to sink your teeth into. I have no idea how you would do it. But I guarantee you that within a decade, and I'll still be here watching this stuff happening, I will guarantee you this is gonna change.
AI, I think, is gonna be what solves our end-to-end encryption problem, as I said last week, because it's gonna give governments the warm and fuzzy that, you know, abuse of children can no longer get past the AI monitoring their device locally. And I think AI is gonna be the thing that solves our software, like our endless software vulnerability problems. It's a big problem. But you know what? Fun.
Hey, if AI can do that, there's probably a lot of other things that AI will be up to as well.
I think it's going to revolutionize medicine, Leo. It's going to revolutionize drug discovery, I mean, and it is going to change the world.
And by the way, this is, I loved how you started, because I think this is exactly what you and I have watched. Many changes in our lifetime, and we're hoping for one last big one. And this could be the big one.
This could be the one that changes humanity and launches us into an entirely new realm. I couldn't agree with you more. So I'm excited about that.
Steve Gibson, grc.com. He's got a new product coming. Now, time frame?
You don't like to do that. I can't guess. A couple months, probably. I'm hoping a couple months.
Put me down for one of those twenty dollar subscriptions. Thanks. I would be the first in line to
get it. I can't wait to find out how encrypted DNS compares to... I have no idea. Yeah.
You'll have fun with this, or IPv6, or what, you know, what NextDNS is doing, things like that. This will be really
useful. Yeah, and because the Pro version, so there's Plus at $9.95, and that has all the features except the Pro can run as a service. Because it's all written in assembler, it's a couple of hundred K. It's not these ridiculous hundreds of megs sitting in your machine. But to be able to look at graphs and charts of long term DNS server performance can be very cool.
It could be very, very interesting. And that's what we hope for.
Oh, I forgot, built-in spoofability testing too. So you can check the spoofability of the servers without having to do it generically over at GRC. So yeah, lots of stuff. Yeah.
I run a network analysis program in the background almost all the time to keep an eye on our bandwidth and so forth. And I think this will be equally useful running in the background. I definitely look forward to it.
Mr. G, you did it again. 999. Now, one last chance. This could be the last episode for all time. It's up to you.
The counter. We remember when we were young, the digital clocks people had where they were tumblers. Yes, I would just sit there and wait for it to get to, you know, well, the payoff. What was it, 9:59? Right? Because you'd get to see all three going at once. Or
in your car when the odometer hit 100,000 miles, 99,999 to 100,000. That was exciting. But this is even more exciting. Here we are, ladies and gentlemen, switching from 999 to 1000. And again, Steve, I need you to think of yourself as in the exit row. You could jump out that window, or you could continue on with the flight. You want to continue on with the flight?
Yeah.
Right? Yeah. Look forward to next week. Episode 1000. Same bat time, same bat channel.
We are every Tuesday, right after MacBreak Weekly. Trying to make it 1:30 but no later than 2 pm Pacific. That's 5 pm Eastern, 2200 UTC. Stream live on eight platforms now. Count 'em. Of course, our club members get Discord, which is wonderful.
But our YouTube, now, I'm going to be careful with my fingers here because I did the wrong finger on Sunday. YouTube, Twitch, Facebook, LinkedIn, X.com, TikTok and Kick. Those are all the places you can watch us live. But you don't have to watch live.
You can watch after the fact on the website, twit.tv/sn. You can, we have audio and video. Steve has several unique versions of the show. He's got, of course, the audio at grc.com, but he also has a 16 kilobit version, which is a smaller file size. You give up a little quality, but it's a quick download.
He also has transcripts written by Elaine Farris. So not an AI. They're great, real, genuine transcripts that capture the flavor of the show. And of course his show notes, which really are fantastic.
He does better show notes than anybody, any podcast out there. All of that at grc.com. While you're there, you have to remember right now there's one way Steve makes money, and that's with SpinRite, the world's best mass storage performance, maintenance and recovery utility. If you've got mass storage, you need SpinRite. Go get it at grc.com.
Currently version 6.1. There's lots of free stuff there, too. Steve gives away lots of great valuable information, even software.
As an example, ValiDrive, which checks, you test the USB key you got on Amazon to make sure it really does hold all that data. By itself, that would be worth the price of admission.
We are at twit.tv, and we also have a YouTube channel dedicated to it. Great way to share clips. This is one show
I know a lot of people listen to and go, that, that QR code. I know my dad's gonna click that. Send that clip to him from the YouTube channel.
So, because everybody can watch a YouTube video, and then it'll bring them home to him, okay, things like that. And of course the best way to get it: subscribe in your favorite podcast player, audio or video. You get it automatically as soon as we're done. In that way you have a complete collection of all 999 episodes.
Security Now. Steve, have a great week. Don't get too aggravated. We'll be, I know, texting back and forth as it progresses.
Have a gummy. I'm waiting. If I need a... I might have to go a bit. Thank you. See.
We'll see you next time. See you for episode 1000. Security Now.