It's time for Security Now. Yes, our 1000th episode. We're going to look back a little bit at how this show got started. We also have the latest news, including good news for our sponsor, Bitwarden: they are still open source. How Microsoft is fixing User Access Control, and Synology's very serious zero-click RCE flaw. That and a lot more, coming up next on our 1000th episode of Security Now.
Podcasts you love, from people you trust. This is TWiT.
This is Security Now with Steve Gibson, episode 1000, recorded Tuesday, November 12th, 2024: 1000. It's time for Security Now, episode 1000. They said it would never happen.
Actually...
Ladies and gentlemen...
Actually, some people did say it would never happen. I would, you...
I said it would never happen. We've convinced Steve to go to four digits as we continue on in what is now almost our twentieth year of talking about security flaws, privacy breaches, how to stay safe online, and, just as important, how things actually work. He's a master at that. Ladies and gentlemen, I give you Steve Gibson.
I'm coming to you from my alternative location because the roof is being changed on my normal location, and it felt like they were walking right on top of my head this morning. And I thought, well...
You could say, though, that episode 1000 blew the roof off it.
Ah, oh, it's true. Fortunately we have mild weather, and I think so. Yeah, so, ah, yes. And I was just saying to you before we started recording,
Leo, that 999 was, you know, you would have thought that would have been the one that I focused on. But when I was putting this together and I put in 1000, then I thought, wow, that really is cool. So yes, we've got a lot to talk about. For the last several weeks
I have been frustrated that there's been so much going on, so much happening, that I just wasn't able to make time to share any of the feedback that I've been receiving. So the good news is, well, okay, there was a lot that happened this week, but there just wasn't any need to spend a lot of time, as we often do, really drilling down into anything. So we've got a bunch of listener feedback that we're going to end the show with, but we're going to look at whether Bitwarden, a sponsor of the TWiT network, went closed source.
There were some odd rumblings about that over the last few weeks. The rights of German security researchers have been clarified, thanks to some legislation in Germany. Australia is preparing to impose lower age limits on access to social media for children, which is going to be interesting. Also, it appears that people got free copies of Windows Server 2025 without asking for it, to their chagrin, and we're going to talk about that also.
UAC wasn't in the way enough, so Microsoft is going to fix that. Also, we've got, from Russia with fines, or obey or else. Also, South Korea has fined Meta over some serious user privacy violations.
We'll take a look at Synology, which is recovering from a very critical zero-click remote code execution flaw that affected their photo sharing stuff. A really interesting story about malicious Python packages which are being invoked by typos in an interesting supply chain typosquatting attack. Also, Google has said that they're going to enforce full multifactor authentication for cloud service users.
The Mozilla Foundation just laid off 30 percent of its workforce. So shall we worry about Firefox? Also, I've got some feedback from Dave's Garage, who took a look at SpinRite. Thank you, Dave
Plummer. And as I said, we'll wrap up with a bunch of really thought-provoking closing-the-loop feedback from our terrific listeners. And of course, we've got one of our pictures of the week for episode 1000, so I think another great episode.
I feel like I've seen this, maybe because somebody sent it to me first or something.
Anyway, it's been around, but we hadn't put it on the podcast. You're right, and I just, it's another one of those, those sky people basket.
Well, congratulations on episode
1000, to us, to you. This would, this, I'll wrap up with a little retrospective look back at your original invitation.
So I do have to say that while I have not been here for all 1000 episodes, you have. There is no Security Now without Steve Gibson. So really the kudos go to you. I've only done maybe 950 of them.
Well, you do take vacations, and that does keep you fresh. So do you do that?
Which is odd.
But I don't know why, anyway.
We're so glad you don't, and we really appreciate everything you do, Steve, and congratulations. Well, so, um...
Let's see, it took us 20 years to get here. I don't think we're going to make 2000, but we will keep going until we
can't. Well, we'll be, like, in our late eighties, early nineties. It would be interesting. Let's say that
at the top, the end, Jerry Pournelle, who I think of when I think of, like, pushing the limits. Yeah, you know, he was.
His was a tragedy, but, you know, he was perfectly sharp upstairs. There was never any question about that. Me, not so much. I'll say, what is this about honey monkeys? You know, Leo, that was forty years ago.
So,
anyway, I do want to say our show today is brought to you by Bitwarden. And I want to reassure you, Bitwarden is the open source password manager, the GPL open source password manager, trusted by, I mean, thousands of businesses. It is the best way to keep yourself safe online, and I'm a big fan. I've used it for years.
Yes, Steve. Bitwarden's 2024 Cybersecurity Pulse survey results are in. We did this last year, and it was kind of, almost depressing. Well, it's not much better.
92 percent of IT and cybersecurity professionals agree, 92 percent, that's virtually unanimous, that password managers are critical for protecting business operations.
Now, as more employees seek support from generative AI tools, a big number, 63 percent of security professionals are facing significant challenges in maintaining proper approvals for devices and applications. It's getting harder, isn't it?
You know that if you work in IT. 89 percent of respondents expressed concern over the security risks these behaviors introduce to their organization's security posture. It is a big and, I think it's safe to say, a growing problem. Well, let's talk about it.
Bitwarden might be the cure, right? The holidays are quickly approaching. Peak security is a must-have.
Social engineering tactics are getting much smarter. Bitwarden is a great choice for business in really locking down security. You get unparalleled SSO integration and flexibility. Yes, it works with your SSO solutions.
You get inline autofill capabilities, including cards and identities, and as we pointed out, this prevents people from using spoofed sites to enter important private data like cards and identities. That's really a big help. Your business deserves a cost-effective solution that can dramatically improve its chances, and your employees' chances, of staying safe online.
That's why we love Bitwarden. It takes a few minutes to set up. Bitwarden supports importing from almost all the existing password management solutions and, as I mentioned, will integrate perfectly well into your SSO solutions. And I do want to underscore this, and Steve's going to address this a little later on.
But if you're curious, the Bitwarden source code is open source. It's on GitHub. It can be inspected by anyone. And of course, they regularly have it audited by third-party experts.
And always, this is really important, and not everybody does this, they always publish the results of those third-party audits. And if there's any question, it's GPL. That means it is really, truly open source. Michael Crandell, who is the CEO of Bitwarden, sums it up like this:
"We don't need to overcomplicate security. Let's get back to basics, empower employees with the right tools and foster strong password habits, and create a culture where security becomes second nature." That's Bitwarden,
baby. Get started today with Bitwarden's free trial of the Teams or Enterprise plan. And no, I'm really aiming this at businesses right now. But I should assure you, as an individual, in fact, even the business plan starts with the individual vault, as an individual, because Bitwarden is open source.
It's free to individuals. That means every device: iOS, Mac, Android, Linux, Windows. For individual users, you can host your own vault if you don't want to trust Bitwarden; personally, I trust them implicitly. But it's strong security, unlimited passwords, unlimited devices, and the free plan even supports passkeys and hardware keys like the YubiKey.
And that's free forever. So if you have friends and family, and I know a lot of people don't want to spend money on a password manager, you tell them Bitwarden is free, it's easy to use, and it really works. bitwarden.com/twit, make sure they use that address.
So we get credit. And if you're a business and you want to really lock your systems down, bitwarden.com/twit. We thank them so much for their support. We thank you for your support. bitwarden.com/twit. Actually, I think our first story, well, let's do the picture of the week first, okay.
So, sir, imagine that you have a beautiful green park space. Yes. And along one side of it is a sort of paved roadway meant for pedestrians.
We can see in the distance a concrete pole sticking up in the back, so cars are not able to have any leeway here. It's just
people. Like, this would stop bicycles and motorcycles
and other rolling... Well, not initially. Initially, presumably, this was always green. Everything was fine, but somebody was annoyed that bicycles or scooters, or, you know, something other than pedestrians, were using this, presumably at some sort of high speed. So the genius here figured, okay, we're going to slow these people down.
We're going to prevent them from zooming along on their scooters or their bicycles or whatever newfangled contraption they might be using by basically putting an obstacle course in this roadway, in what used to be an ideal little asphalt path for people bordering this beautiful, long, green parkway. And so what we have here are essentially some bike gates that you have to weave yourself through, overlapping blockages. So somebody on foot has to go forward and then move sideways in order to get past, in order to skirt the first one, and then slide over in order to get around the second one.
Then they can catch their breath and walk down, you know, another twenty feet, when they hit another one of these things. But boy, is that going to stop those guys on those scooters or bicycles or whatever they're using. Well, unfortunately, I gave this the caption "What they intended was not what happened," because the beautiful green parkway is beautiful and green, not so much any longer. As a consequence of the fact that they basically put an obstacle course in the middle of the road, all the people who were riding something, bicycles, scooters, whatever, just roll over
on the ground.
That, they, it's...
slow down.
Yeah, they didn't slow down. They just, now of course, the first person who did that had very little effect on the grass, probably the second person also. But after about five thousand people did this...
Well, that took its toll. And so now the grass has given up. It's made its own path, and it's very clear.
Now you don't even have, if you are a person who hasn't yet approached this area, you know exactly what to do. You're not getting off your scooter and having to go through this little obstacle course. No, the path has been paved for you
at this point.
Yeah, one of our listeners wrote back this morning, because I got the show notes out in the late morning, so he had time to write back, and he was speaking to a police officer. I can't remember now what the term was, but there is a term for this, like people finding the path of least resistance sort of effect, and that's certainly what happened. Okay.
So on the topic of Bitwarden, for the past few weeks our listeners have been sending me notes regarding their concerns that Bitwarden's licensing might have been changing to make it less open. I mean, this actually got some traction out on the Internet. It turned out that it was a good thing that I had not found the chance then to dig into whatever was going on, because it has since resolved itself completely. Now, The Register weighed in with an explanation.
And, you know, in their particular brand of snarkiness, I edited it a little bit for podcast clarity. They said, "Fear not, FOSS fans," you know, FOSS, F-O-S-S, free open source software, "Bitwarden is not going proprietary.
After all, the company has changed its license terms once again, but this time it has switched the license of its SDK from its own homegrown license to v3 of the GPL." Just as you were saying, Leo. Yeah, they wrote, "The move comes just weeks after we reported that it wasn't strictly FOSS anymore. At the time the company claimed this was just a mistake
in how it packaged its software. Writing on Twitter, they said," quote, "This is a Bitwarden bug. It seems that a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for
individual users."
The Register said, "Now it's followed through on this. The Bitwarden GitHub commit entitled 'Improve licensing language'" unquote, "changes the licensing on the company's SDK from its own license to the unmodified GPL 3."
That's good. That's really good.
They said, "Previously, if you removed the internal SDK, it was no longer possible to build the publicly available source code without errors. Now the publicly available SDK is GPL 3, and you can get and build the whole thing," they said.
"Chief technology officer Kyle Spearrin added a new comment to the discussion on bug number 11611 on GitHub, where that bug was titled 'Desktop version 2024.10.0 is no longer free software.'" Of course, that's the comment that set off this firestorm. So to that, their CTO, Kyle, wrote, "We've made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package
references in the clients now come from a new sdk-internal repository, which follows the licensing model we've historically used for all of our clients. See the FAQ and README for more info. The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden-licensed code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds."
He finished, "The original SDK repository will be renamed to sdk-secrets and retains its existing Bitwarden SDK license structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps since that code is not used there." So, you know, they cleaned things up and fixed what was essentially just sort of a trip in what has obviously become a rather complex build process with multiple overlapping licenses and things.
So The Register finished, saying, "This is generally good news for the program's more FOSS-focused fans. It's all open source, and it's possible to build the whole thing, including the SDK, from freely available code. It seems to us that Bitwarden has responded to its users' unhappiness with the changes to the licensing around its password manager and has not merely undone the changes but gone further toward making it all free software, even if it continues to maintain that it was all just an error. The change is commendable, and we're glad to see it.
It does, however, look as if the company is leaving itself room to build more non-FOSS tools in the future." You know, fine. So what? Anyway, I think the whole thing here, everything that we've just seen, is, I mean, it's what free and open source software is about.
It's a terrific example of community action, which helped to bring some clarification to some initial confusion over Bitwarden's licensing terms, and to their credit, as The Register reported, Bitwarden really stepped up and did the right thing. So props. And some good news for German security researchers.
The German government has drafted legislation to protect security researchers who discover and report vulnerabilities. There was some ambiguity before, so this proposed law would eliminate the risk of criminal liability from cybersecurity research as long as the bugs are responsibly disclosed to the vendors. At the same time, the law also introduces harsh prison sentences, ranging from three months to five years, for any researchers who abuse the process of vulnerability research for their own criminal acts.
These include incidents when researchers cause substantial financial damage during their research, try to do some extortion, or act to damage critical infrastructure. In other words, if you are a true researcher in Germany, any previous gray area has now been eliminated. So yeah, but if you hope to abuse the "but I'm a security researcher" claim, your inability to get away with that
has also been clarified too. So it's good that they're seeing this, because we've seen the instances, and we've talked about a lot of them on the podcast, where, you know, a well-meaning researcher reaches out to a company and says, you know, "I was poking around at your web page and I noticed that," whatever, blah blah blah, "and I was able to log onto your servers," and suddenly, rather than taking this as someone trying to help them, they immediately sic their legal staff on them and start threatening them. So anyway, it's good that Germany's made this clear. Australia, ah, this is going to be interesting.
I think they're preparing legislation that would introduce a minimum age of sixteen years for social media accounts. That is, for access to social media accounts under this new legislation, which is not yet law, just to be clear, but it's on its way to being law, access to social media platforms in Australia would be legally restricted to only those sixteen years of age or older.
And this legislation would hold online platforms accountable. Online platforms would be accountable for enforcing the ban, and presumably would also incur meaningful fines for failure to do so under this new law, or this forthcoming law.
Australia's government plans to introduce the bill in parliament this week, so something's going to happen soon. And presumably it will have some period before it has to take effect, because you need to give the social media platforms some means of responding to this in a reasonable way. Government officials explain that they're introducing the bill due to the harm social media is causing for Australian children. Now, we've talked about this a lot in the past from the standpoint of the technological challenges, the practical challenges, associated with filtering access to online services by their accessor's age.
You know, how is this done exactly? And will the legislation somehow put parents in charge? Can parents, for example, choose to opt their children out of such filtering? And there's a slippery slope there, because if that's possible, that creates the problem of one's kids saying, "Hey, but Mom and Dad, all the other kids' parents let them watch TikTok."
You know, regardless of the degree of the truth of that. But regardless of the legal and social side of this, it seems to me that if we're going to start legislating age-based filtering for Internet services of any kind, the underlying platform itself should be robustly providing this information to any application through some sort of platform-specific API. You know, for example, at this time, iOS, for all of Apple's devices, I think since the iPhone 13, allows granular restrictions of age for nine and above, twelve and above, or seventeen and above, but there's no sixteen and above. So that's kind of a mess.
And none of this is automatic. You know, it's up to Mom and Dad to lock down their children's phones, nor does this lockdown setting change automatically, like on their birthday. So, you know, from the point of setting the twelve-and-above or seventeen-and-above or whatever, the device's apps that had previously declared their own minimum age usage will then be restricted by the phone. None of this is the way that it should work.
And I am not sure how we got to where we are now. But it doesn't seem like it was well thought out. It seems to me that a superior solution would be to allow the parent to set and lock in the date of birth of the phone's user based upon their feelings, the parental feelings, about the maturity of their child, and/or their feelings about the perceived dangers of unrestricted access to social media.
They could choose to fudge their child's declared birth year in either direction as they see fit. But the advantage of this is that this could be a set-and-forget feature, where services would become available on successive birthdays based on the legislation that restricts what age they can be used at in which locale in the world. And at some point, it will become accepted that on such and such a birthday, access to this or that social media service becomes available. So, you know, this is certainly another interesting aspect of today's Internet: the ubiquity of smartphones among minors and the platforms' willingness to treat them like everyone else. So I don't know. I know where we're tightening down access based on birthday, but we really don't have the mechanisms in place yet.
That's the problem, is how do you do age verification without compromising the privacy of adults, let alone kids? Yes. And you know, these companies say, "Well, we just look at them and we can tell by their faces with AI," and that seems ripe for misuse and failure. Yes. Yeah, no, I can understand the desire to do it, but it's one of those things where if you don't have the means to do it in a
safe way... And here's the legislators in Australia saying, "Thou shalt," and it's like, "How exactly?" "Oh, well, that's not our problem. You're techie people, you work it out."
I know. I think your solution is the only way to do it. I think the mistake is saying, "Oh, we'll do it for parents." No. Give parents the capability and let them decide. Only they know what their kids should and shouldn't do.
Yep, exactly. And if the parent puts in their birthday, and again they could fudge it, you know, plus or minus a year or two, depending upon their own perceptions of the risks and so forth, then once that's there, an API in the platform can be queried by any social media application, or anything else for that matter, to determine the age of the person watching. Now, okay, maybe the reason Apple did this is that having a birth date is considered itself a loss of privacy, so they're like, well, we're just going to create these big brackets of four, nine, twelve, and seventeen, and that way we're not divulging much. But I don't think you can have it both ways. If you're saying that the platform must enforce an age-based restriction, well, then you have to know the person's age. So, okay.

The Register posted another interesting piece that I don't recall seeing anywhere else, although I did hear about it from a number of our listeners. The Register's headline was "Sysadmin shock as Windows Server 2025 installs itself after update labeling error," and then of course, being The Register, their tagline on the article was "Screens sprayed with coffee after techies find Microsoft's latest OS in unexpected places." So with that tease, you know, we need to find out what happened. So The Register writes, "Administrators are reporting unexpected appearances of Windows Server 2025 after what was published as a security update turned out to be a complete operating system upgrade."

Okay, so the problem was flagged by a customer, they wrote, of the web app security company Heimdal. Arriving at the office on the morning of November 5th, they found to their horror that every Windows Server 2022 system had either upgraded itself to Windows Server 2025 or was getting ready to. "Sysadmins are cautious by nature," they wrote, "so an unplanned operating system upgrade could easily result in morning coffee
being spread over keyboards." Heimdal's services include patch management, and it relies on Microsoft to label patches accurately to ensure the correct update is applied to the correct software at the correct time. In this instance, what should have been a security update turned out to be Windows Server 2025. It took Heimdal a while to trace the problem. According to a post on Reddit, quote, "Due to the limited initial footprint, identifying the root cause took some time. By 8:05 UTC we traced the issue to the Windows Update API, where Microsoft had mistakenly labeled the Windows Server 2025 upgrade as KB5044284. Our team discovered this discrepancy in our patching repository, as the GUID for the Windows Server 2025 upgrade does not match the usual entries for KB5044284 associated with Windows 11. This appears to be an error on Microsoft's side, affecting both the speed of release and the classification of the update. After cross-checking with Microsoft's knowledge base repository, we confirmed that the knowledge base number indeed references Windows 11, not Windows Server 2025."

Okay, so, whatever. They said The Register "has contacted Heimdal for more information and will update this piece should the security organization respond. We also asked Microsoft to comment almost a day ago." Since then, crickets. "As of last night, Heimdal estimated that the unexpected upgrade had affected around seven percent of their customers. It said it had blocked KB5044284 across all server group policies. However, this is of little comfort to administrators finding themselves receiving an unexpected upgrade." They finished, "Since rolling back to the previous configuration will present a challenge, affected users will be faced with finding out just how effective their backup strategy is," oh dear, "or paying for the required license and dealing with all the changes that come with
Windows Server 2025." Wow, what a mess. So I cannot speak for other admins, but I would be desperately checking everything, that everything was still working, after such a jump, if they were my servers. And if I were, I'd probably choose to remain on that platform if it happened, like irrevocably
broken things, which...
You know, it could easily do, you know, after such a jump like that had been made, since Microsoft would eventually be forcing the move anyway, right? I mean, anybody who is on 2022, well, they've got 2025 in their future. So, wow, I can definitely empathize with the panic that that would...
Wouldn't it be more clear if this happened to somebody who wasn't a Heimdal customer?
Um, a good question.
Because if it didn't, then it's Heimdal's fault,
not Microsoft's. Yes, I did hear from some of our listeners already who experienced this themselves, but they didn't specify whether they were Heimdal customers or not. There was some, I believe it was a third-party upgrade management, right, that was the source. So Microsoft's getting
all the blame for this, but it's not Microsoft's fault.
No, I believe it was somebody whose systems that were under patch management by a third party were updated, not by Microsoft but by their patch manager. Yes. And so, glad you brought that up, because that is the case. And the other thing that is the case is that it's time for me to take a sip of
coffee. Oh, I just took a bite of a sandwich. So okay, you take that sip. I'll try not to talk too fast.
And my eye is on the clock; we're thirty-four minutes in. So it's a good time, before we talk about what it is that Microsoft has decided they're going to do to Windows 11 to further protect people with User Account Control. It turns out it's not in your face enough, so, ah, well.
It's true. Everybody just, you get the prompt to elevate and you go okay.
Here, I have not turned it off.
You don't use UAC? No.
The first time, and...
I bring it down to a
minimum, and then I go into the registry and I disable it completely, because it's just, you know, I am a mother hen over this machine, you know.
Two mother hens.
Once is enough. No, the fact is, I mean, the problem is people are saying, "Oh, there's that annoying thing again." They just click yes. Ah, yeah, and so it's like, okay, what protection is that? Well, Microsoft's going to fix that.
Let's not make this easy. Our show today is brought to you by, actually, this is a very appropriate company to talk about right now, ThreatLocker. ThreatLocker makes zero trust easy, affordable, and it's really effective. If zero-day exploits and supply chain attacks are keeping you up at night, and if you listen to this show, they probably are, worry no more, because you can have your security the best way to do it, with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.
The key
is a proactive, and this is, I want to underscore this, I don't know how to do that, Nadia, underscore this, deny-by-default approach. A proactive deny-by-default approach to cybersecurity. That means, by default, you block every action, every process, every user, just no, unless explicitly authorized by your team.
And this is zero trust. This is how zero trust works. And it works so well, and ThreatLocker does it so well, they make it easy to do.
And this is equally important, they provide a full audit of every action. So if somebody is authorized, some process is authorized, you know exactly how, who, and what.
That's great for not only risk management, but also really important for compliance. ThreatLocker's 24/7 US-based support team fully supports you getting onboarded and beyond. And by the way, it's very easy to implement, thanks to them. ThreatLocker stops the exploitation of trusted applications within your organization.
It keeps your business safe. Yes. It protects you from ransomware, all unknown
zero-day threats. This is the problem. This threat's never been seen before.
How do you prevent it? Well, you just don't let anything in across your border. Organizations across any industry can benefit from, they call it ring fencing, ThreatLocker's ring fencing.
They isolate critical and trusted applications, and say, they put it inside the ring fence, from unintended uses, from weaponization. It limits attackers' lateral movement within the network. They're there, but they can't get there, right? ThreatLocker's
ring fencing is so effective it was able to foil a number of attacks that traditional EDR just couldn't stop, like the 2020 cyber attack on SolarWinds
Orion, effectively foiled by ring fencing. ThreatLocker's customers are really happy about that, I can tell you. ThreatLocker works for Macs too, so your whole network gets unprecedented visibility and control of your cybersecurity, quickly, easily, and cost-effectively.
ThreatLocker's zero-trust endpoint protection platform offers a unified approach to protecting users, devices, and networks against the exploitation of zero-day vulnerabilities. I think this is so cool.
And if you look at reviews, look at ThreatLocker's customers, you'll see I'm not alone in this. It's very affordable. Get a free 30-day trial. At least try it, to learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance.
Visit threatlocker.com. That's threatlocker.com. We thank them so much for supporting Security Now.
And our friend, Mr. Steve Gibson. You support us when, if they ask you, you say, "Oh yeah, Steve Gibson told me all about threatlocker.com." Now I want a cup of coffee. It's my turn. Your time, your coffee.
Okay, so we all know UAC, User Account Control. This is Windows' clever and workable solution to the age-old dilemma of users running with root privileges on a system just so they are not constantly being told that they can't do what they want to do with their own system. The problem with doing this, you know, running as root, is that it's their logon that has the root privileges.
This means that anything they might do inadvertently, like innocently running some malicious software, you know, by mistake, inherits their account's root privileges and allows their system to be easily and potentially irreversibly compromised. So the solution Microsoft evolved, and we talked about this when it first appeared in Windows, and I said then that I thought this was very clever.
I mean, I think it's like the best solution we've had so far. What they did was they split credentials, where an administrative user, even though they're an administrative as opposed to a standard Windows user, effectively logs on with both standard user and elevated credentials, or tokens, as Microsoft calls them, while always running as a standard user with reduced privileges. This way they're protected from anything that might inadvertently happen when they're not intending to have anything happen, when they're not working.
Then, when they try to do something that their lesser privileges don't permit, such as installing a new application into the system or disabling some system protections, Windows will pop up, you know, the User Account Control, the UAC prompt, which essentially serves as an "are you sure you want to do this?" required confirmation. And when the user sighs and clicks yes, I'm sure I want to do what I just asked for, Windows briefly switches over to their elevated permission token credentials to allow that requested action to be performed.
Okay. So that's the way it's been now for many years. But we learned last week that it will be possible to optionally add another layer of security to this existing mechanism. Microsoft wrote: Administrator Protection, which is what they're calling it, admin protection, is an upcoming platform security feature in Windows 11 which aims to protect free-floating admin rights for administrator users, allowing them to still perform all admin functions with just-in-time admin privileges.
This feature is off by default, meaning that, okay, just for clarity, when this is part of Windows 11 it will not be enabled by default. UAC will continue working the way it has. But it can be enabled via Group Policy, so systems that are being administered remotely over the network in enterprises can, you know, have this turned on for all of their Windows client machines.
Microsoft said they plan to share more details about this feature at Microsoft Ignite. Now, The Hacker News dug into this a bit and did some reporting. They said: Microsoft will add a new security system to Windows 11 that will protect admin accounts when they perform highly privileged and sensitive actions. Named Admin Protection, the system is currently being tested in Windows 11 Canary builds.
The new feature works by taking all the elevated privileges an admin needs and putting them into a separate super admin account that is most of the time disabled and locked away inside the core of the operating system. Okay. Now just note, we don't know how they're implementing this yet.
I mean, this sounds like more than UAC with more protection. So maybe it is, I don't know, like maybe their intention is to make this super-duper bulletproof. Anyway, The Hacker News says: When users select the "Run as administrator" option, they will receive a prompt from the Admin Protection feature.
The difference from a classic UAC prompt, which features yes and no buttons, is that the Admin Protection feature will ask the user to authenticate with a password, a PIN, or some other form of authentication before they're able to go forward, they said. But a change in prompting for authentication is not the only major change. According to a technical and non-technical review from Microsoft MVP Rudy Ooms, who first spotted this feature, Admin Protection is a lot more powerful and innovative than you might expect.
It changes how the entire Windows OS assigns admin privileges. Okay, so that answered my question. This is not just adding additional authentication to UAC.
You know, this buries it down somewhere in the bowels of Windows, and so, whatever that means, that's apparently what's going on. It changes the way the entire Windows OS assigns admin privileges. In past versions, they wrote, Windows created two tokens for an admin account, right, one to use for normal operations and one for when the admin needed to do admin things, with the user switching between the two.
They finished, saying: Unfortunately, this allows threat actors to develop UAC bypass techniques and abuse admin accounts for malicious purposes. Okay, so, you know, stated another way, UAC, even as intrusive and potentially annoying as it was, was still too easy to use, so it was being abused also.
So Microsoft is going to give you another option and even more robustly lock up these privileges, which are too powerful to allow bad guys and badware to get their hands on. The Hacker News said: The new Admin Protection basically locks away all those highly privileged actions into a separate system-managed account.
The threat actor would not be able to switch to that super admin account unless they could now bypass all the extra authentication options. The way this will exactly work in detail, they said, is unknown. Microsoft is set to provide more details about the new Admin Protection feature at its Ignite developer conference later this month.
And we hope, wrote The Hacker News, that these extra authentication prompts will be able to support some form of MFA. If they do, threat actors that compromise admin accounts will have a much harder time exploiting those accounts for high-privilege actions. So, you know, I suspect that the operational profile of a developer such as myself is probably very different from the typical office worker.
Even having UAC constantly popping up drives me nuts. As I said earlier, I'm extremely careful with what I do with my system, and I maintain somewhat obsessive management over my machine, my machines.
So I've never felt that I really needed Microsoft to protect me from myself. Now, at the other end of the Windows user spectrum, you know, we have someone sitting behind a desk at a large enterprise. They are probably running a fixed set of preapproved software and logging into a standard rather than an admin account.
So they would already need to provide complete administrative credentials if they wanted to change anything in the system. This still sounds like the admin privileges that the system will have somewhere, you know, because there is an account defined on the system that has admin privileges even when the user who's currently logged in is a standard user. So Microsoft is going to, you know, much more deeply lock this down.
All this suggests that the forthcoming Windows 11 Admin Protection feature, you know, is intended to better protect everyone else, you know, all of those who have been logging in with admin accounts, but for whom the "Are you sure? Yes, no" UAC popup has not been providing sufficient protection. So again, I can't fault Microsoft for providing options and for, first of all, making it optional, thank goodness, although I don't intend to be under Windows 11's control any time soon, but also for providing an option to more thoroughly lock down this security. And I can just say, given that something like biometric multifactor might be available, then that...
would make it tolerable, yes.
You would have to constantly be going over, you know, to your smartphone and getting a one-time password in order to continue doing the things you want to do.
Do you run as an administrator? Yeah, yes, of course you do. Yeah. But I mean, that was always the advice: don't run as an administrator. And UAC solved that by kind of having these levels.
Right, right. I mean, Windows has become such an adversary that I have to fight. I mean, I'm creating brand new code, right? That's what I do, right? So that's...
and you know...
Yeah, I know, I hate, well, it's not dangerous,
but it looks
that way. So I have to completely shut down Windows Defender, or else my .exe, the moment it gets created, it goes, we've never seen this before.
Get the other...
No, it's so, so, you know, being a developer really requires you to just, like, calm down, Windows. It's all right. That is me sitting here. So yeah, but again, I'm glad that they're able to allow enterprise admins to really crank the security up.
And clearly they're not doing this because they don't have anything better to do. They're doing it because they've seen problems with not having, you know, enough of the ability to lock this down as much as they are. Okay.
So, under the category of "who cares," last week we noted that fine-happy Russian courts had levied such insanely large fines against Google for refusing to allow YouTube to spew Russian media's anti-Ukraine propaganda. Not only did their own spokespeople have no idea how to pronounce the number of Russian rubles levied, but the fine far exceeds the total amount of money in the known universe. Moreover, you know, the Google branch in Russia, the local Google entity in Russia, went belly up and bankrupt about a year and a half ago.
So there are no assets there either. So, good luck squeezing rubles out of Google. I don't think that's going to happen.
But it seems that Russia has not been deterred in the fining department, having apparently decided that levying a reasonable fine against a going concern might actually produce some cash, you know, if not any change in anyone's behavior. So to that end, a Moscow court has fined Apple, Mozilla and TikTok for failing to remove content the Russian government deems to be illegal. Apple was fined for not removing two podcasts, Mozilla for failing to remove some add-ons from its store, and TikTok for failing to remove videos related to the war in Ukraine. The fines range from the equivalent of $35,000 to $40,000 US in Russian rubles. Now, since fines on that scale probably fall into the petty cash category for those three companies, you know, at least there's something for them to discuss going forward. It's not some ridiculous number with 30 zeros that no one knows how to pronounce, like Google has been hit with.
And while we're on the topic of fines, South Korea has fined Meta 21.62 billion won. Now, although it takes around 1,400 won to equal one US dollar, when the fine is 21.62 billion won that still equals around $15.67 million US. So that's an attention-getting amount, and unlike Russia's fine for Google, South Korea actually expects Meta to pay. Okay, so what did Meta do to upset South Korea?
The privacy watchdog's fine is for illegally collecting sensitive personal information from South Korean Facebook users, including data about their political views and their sexual orientation, and, wait for it, sharing that data with Meta's advertisers without their users' consent. The country's organization is called the Personal Information Protection Commission, PIPC. So the PIPC in South Korea says that Meta gathered information such as religious affiliations, political views and same-sex marital status of about 980,000 domestic South Korean Facebook users, so just shy of a million, and then shared it with 4,000 advertisers on Meta. The PIPC said in a press statement, quote: Specifically, it was found that behavioral information such as the pages the users liked on Facebook and the ads they clicked on was analyzed to create and operate advertising topics related to sensitive information. Okay, actually that sort of sounds like a level or two removed, but still a breach of privacy, because, you know, Facebook is analyzing their users' behavior, yeah, and then drawing conclusions about who they are based on what they do, and then making the "who they are" information available to the advertisers. The PIPC added that these topics categorize users as following a certain religion, identifying them as gay or a transgender person, or being a defector from North Korea.
The agency accused Meta of processing such sensitive information without a proper legal basis, and said that it did not seek users' consent before doing so. It also called out the tech giant for failing to enact safety measures to secure inactive accounts, thereby allowing malicious actors to request password resets for those accounts by submitting fake identification information. Meta approved such requests without sufficient verification of the fake IDs, resulting in the leak of the personal information of ten South Korean users. So just sloppy and not caring on Meta's part. PIPC said: Going forward, the Personal Information Protection Commission will continue to monitor whether Meta is complying with its corrective order, and will do its best to protect the personal information of our citizens by applying the protection law without discrimination to global companies that provide services to domestic users. Unquote. So for their part, in a statement shared with the Associated Press, Meta said that it will, quote, carefully review, unquote, the commission's decision, after which they will probably get out the checkbook and pay the fine, I would imagine. So, you know, the good news is that everywhere we turn it appears that those early freewheeling behaviors of unaccountable Internet services are being increasingly brought to heel.
If user profiling has been as valuable as advertisers claim it to be, and if this profiling is gradually being squeezed and reduced out of the population of services, that suggests that the economics of online advertising will eventually be changing too. You know, the advertisers don't want it to change. They want all the information they can get about everybody all the time. And governments are beginning to say, uh, not so fast there. We don't want you to have that. And of course, governments are able to make the laws that they want to.
Our favorite NAS supplier, Synology, just patched a critical zero-click, zero-authentication flaw that would have created chaos had it been discovered first by bad guys. The flaw affected Synology DiskStation and BeePhotos and could be used for full remote code execution. It's being tracked as CVE-2024-10443, and it has been dubbed RISK:STATION by security researcher Rick de Jager of Midnight Blue. He successfully demonstrated and exploited the vulnerability at the recent Pwn2Own Ireland 2024 hacking contest, and this one is as bad as they get.
RISK:STATION is, quote, an unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the Synology DiskStation and BeeStation NAS devices, which would affect millions of devices. Now, as we know, zero-click means full remote takeover without any action required on the part of the owner of the device. We also know that the only way this could be possible would be if Synology Photos for DiskStation, or BeePhotos for BeeStation, has open and exposed ports to the Internet.
So I'll say it again: it doesn't matter how tempting and cool it might be to have roaming access to your photos and other features available to one or all on the Internet. It doesn't matter that it is necessary to log in and authenticate to use such a service. Everything we see reinforces the truism that there is no safe way to do that using today's technology, no matter how much we wish it were otherwise. Now, the good news here is that this was disclosed during a Pwn2Own competition, so the bad guys have no idea how this was done. And in keeping with the responsible disclosure that's inherent to Pwn2Own, no technical details about the vulnerability have been released, nor will they be soon.
They're currently being withheld to give Synology's customers sufficient time to apply the patches. Midnight Blue said there are between one and two million Synology devices that are currently simultaneously affected and exposed to the Internet. So, you know, easy to do, right? You just ask Censys or any of the online scanning services like Shodan, give me a list of all the IPs that are listening on this particular port, and then you get the list.
So, as it happens, I just updated my two Synology NASes. They notified me that there was new firmware available, and that presumably fixes this and, you know, any other lesser problems. But I would never expose my NAS to the Internet. You know, it's sitting behind the NAT services of a pfSense firewall that has UPnP disabled. My NASes were never in danger, and I hope and trust that that's true for all of our listeners. But, you know, it's certainly not true for those one to two million Synology NAS users who said, oh hey, cool, I can publish photos for my friends, and, you know, what could possibly go wrong?
Somehow I doubt you use Synology's Photos app, but no, I...
No, I don't do that either. So, you know, it is definitely more of a hassle not to simply be able to open ports and expose services to the Internet. I get it, you know, but that's exactly what between one and two million Synology NAS users have apparently done. There are ways to safely obtain remote access. You know, for example, I'm a huge fan of port knocking, which has never taken off the way I wish it would.
But there are truly secure mechanisms that exist which are still not being built into our devices due to, I don't know what, programmer hubris, which continues to imagine, despite all evidence to the contrary, that the last horrific bug that was just found and fixed will be the last one ever, so we don't need more security. This is what needs to change. Okay, this is really interesting.
Over on the supply-chain side of attacks, we learn that cybersecurity researchers have discovered a nefarious malicious package in the Python Package Index, you know, the PyPI code repository. And get this: this particular Python package is called fabrice. It's been downloaded tens of thousands of times over the past three years of its availability while going undetected for those three years as it steadily exfiltrated developers' Amazon Web Services, you know, AWS, credentials. Now, the package's name is fabrice, which, you know, sounds like some sort of an air freshener or something, and it would be a believable package name on its own.
It's actually derived from a typo of a very popular Python library called fabric. So it's an "e" added to the end of fabric. The legitimate Python fabric library is used to execute shell commands remotely over SSH. But any developer who too hastily types fabric into their code might instead wind up with fabrice, and that's where things begin to go very wrong for them.
Whereas the legitimate fabric package has over 202 million downloads, its malicious typosquat counterpart has been downloaded more than 37,100 times. Since developers trust the well-deserved reputation of the fabric library, that's what they assume they're getting, even when they mistype the name and enter fabrice. Unfortunately, fabrice is then able to exploit the trust that's associated with fabric to incorporate payloads that steal credentials, create backdoors and execute platform-specific scripts. fabrice carries out various malicious actions depending upon which operating system it finds itself running in.
If it's executed on a Linux machine, it will download and execute four different shell scripts from an external server located at the IP address 89.44.9.227.
When the same script runs on Windows, two different payloads, a Visual Basic script named p.vbs and a Python script named d.py, will be extracted and executed. The p.vbs script runs the hidden Python script d.py, which resides in the Downloads folder. This d.py script downloads another malicious executable, which it saves as chrome.exe, then sets up a scheduled task to run that chrome.exe every 15 minutes.
Once that's been done, the d.py file is deleted. In any case, regardless of the operating system and the path taken, the common goal is credential theft. AWS access and secret keys are gathered and exfiltrated to the server at that address. By collecting these AWS access keys, the opportunistic attacker gains access to potentially sensitive cloud resources.
Now, who knows what developer will run this and what resources might be obtained? Since 2021, when this malicious fabrice library was first dropped into the PyPI repository, 37,100 developers have downloaded it by mistake, thinking they were getting fabric. The first time they ran it, their machines were compromised. When they later corrected their typo,
it was too late. Their development systems were already infected with a trojan designed to seek out and send any AWS credentials they might have. So at this point, from time to time, the attacker's server at 89.44.9.227 simply receives unsolicited AWS credentials. Every time someone new shows up, the attackers probably head over to AWS to see what their trap might have snared.
So we have a sophisticated typosquat attack crafted to impersonate a trusted library, which exploits unsuspecting developers who enter the wrong library name just once. This thing sat undetected for three years, collecting, well, we don't know how many AWS credentials were collected, but it was installed on more than 37,000 systems and then began looking for AWS credentials before it was finally spotted and removed from the repository.
Of course, this begs the question: what other similar typo traps are still sitting out there, sorted in among the thousands of legitimate repository packages? This is why we've got researchers scouring the repositories looking for these kinds of nefarious bodies.
And this is a continual problem in these repositories. I wish there were some easy way to fix this.
Yeah, you know...
There are particularly notorious ones.
npm, of course.
Also the package manager...
It is a problem because we want public software, right? I mean, the whole idea is to create a community of people working together, publishing software packages and libraries like this, intending to share it.
Well, how do you keep the bad guys out? You really can't. And Leo, speaking of good guys...
I bet you I have a product that can keep the bad guys out. Let me, we continue on episode 1000. Steve gets his cup.
I already had mine. I'm wishing now that I had the quad venti latte that you always order. I only made a double, and it went quick. Our show is brought to you by Flashpoint.
You know, information is power, right? It's absolutely key. It's critical to being effective in the world in a whole lot of different ways.
If you're a security leader, you know this has been a year to remember, shall we say. Cyber threats and physical security concerns are on the upswing, now with geopolitical instability adding a new layer of risk and uncertainty. Just to give you one stat as an illustration: last year there was a staggering 84% rise in ransomware attacks. An 84% rise.
There was a 34% jump in data breaches, neither of which would be good for your company, right? And of course the result is trillions of dollars in financial losses, but not just financial losses, threats to safety worldwide. I've got a great solution for you.
It comes down to information. That's where Flashpoint comes in. Flashpoint empowers organizations to make mission-critical decisions.
It'll keep their people, their assets safe by combining cutting-edge technology with the expertise of world-class analyst teams. You know, governments have intelligence agencies, but why should it only be governments? Shouldn't businesses also have people working to give them the intelligence they need to succeed?
Well, with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, you get alerts, you get analytics, and you get it all in one place. You can use it to maximize your existing security investments, of course, because you know where the threats are coming from, right? Some Flashpoint customers have avoided half a billion dollars in fraud loss annually.
Half a, let me say that again, half a billion dollars saved from fraud loss annually thanks to Flashpoint. That's a 482% ROI in six months. Flashpoint earned Frost & Sullivan's 2024 Global Product Leadership Award for unrivaled threat data and intelligence. An SVP of cyber operations at a big company you would know, a big US financial institution, said, and I quote: Flashpoint saves us over $80 million in fraud losses every year.
Their proactive approach and sharp insights are crucial in keeping our financial institution secure. They're not just a solution. They are a strategic partner helping us stay ahead of cyber threats.
Don't you want to stay ahead of cyber threats? No wonder Flashpoint is trusted by both mission-critical businesses
and, yes, governments worldwide to access the industry's best threat data and intelligence. Very simple. Just go to the website.
flashpoint.io. Do it right now. You owe it to yourself and your company: flashpoint.io. I mean, you listen to the show for that kind of intelligence, right? Get even more: flashpoint.io. Thanks so much for supporting the intelligence of Steve Gibson. And here we go. Okay. So we've
seen this go when to come in for a while, and we're nearing the year twenty twenty five, which is the year during which google has said they're going to be requiring, with no excuses, all of their cloud services users, which includes all gmail users, to be authenticating with some form of multiple tor. authentic? good.
Yes, it's like it's time, right? So more than just their user name and password, which will no longer cut IT, google still hasn't provided explicit deadlines, but anyone who doesn't already have mfa set up can expect to start being push to do so near the beginning of next year. So ah there's not much more amnesty for for people who I haven't done that yet.
okay. So I don't know how to read between the lines of some recent worrying news from the mozilla foundation. Just to be clear, that's not the same as mozilla. The mozilla a foundation is the nonprofit ARM of mozilla um but the foundation is just laid off thirty percent of its employees uh even though it's not muzi still makes me nervous since I depend upon firefox for the web and thunder bird for email. The official statements from the foundation well to me they sound like gabbi c gook.
Get out of this quote, the mozilla foundation is reorganizing teams to on what what are in this think about the turbo and cabuli or and the reverse trinities that IT uses because similar language, the mozilla foundation is reorganizing teams to increase ugly and impact as we accelerate our work to ensure a more open and equitable technical future for us all that unfortunately means ending some of the work we've historically pursued and eliminating associated rules to bring more focus going forward. Our mission at mozilla is more high stakes than ever. We find ourselves in a relate less on slot of change in the technology and broader world, and the idea of putting people before profit feels increasingly radical. Navigating this topsy turvy distracting time requires laser focus and sometimes saying goodbye to the excEllent work that has gotten this far because IT won't get us to the next peak. Lofty goals demand hard choices.
What .
obviously does.
does that mean he fired whoever was on their P, R. Team who spoke since? Yeah, wow. That is bad. P.
that's much other, not.
Here's here's the good news. The mozilla foundation had more than doubled its staffing in the last two years. okay.
So thirty percent cut still puts them ahead of where they were. It's also not the browser. It's there. As you said, they're not .
profit ARM, right? Okay, good. So don't work.
You use mazilla or no, you use a chrome browser.
No, i'm a firefox. Hundred percent. Yeah, yeah, yeah, yeah, yeah, yeah. Me, yeah, yeah.
We need diversity. The last man standing, that's that's a fry are the only two mainstream brothers that don't use chromium.
I know. And and for me, my computers run cooler and quieter. What i'm not running chrome reason I like, the reason I left grown was that like my files were spinning up is like, what the heck is just it's just sitting here.
To be fair, mozilla's had its problems in the past with resources. But I think right now it's it's a pretty turn .
good bras well and IT is getting heavy donation from from google.
Oh yeah, two hundred million a year, I think from google. Not donation. They spent. It's the same reason google twenty billion to apple is right.
Yeah all right. In order .
to feature .
and and I do use firefox's, whatever that the home page that that comes up with sponsored stuff yeah, I do.
I want to do a good for you.
yes. Yeah, I have no problem seeing that. And so kind of interesting because I know what's that about.
So yeah, okay. So that covers the most interesting news of the week. Today is Patch Tuesday, so we don't have any results from that yet. But count on it next week; absolutely we will. I'm not sure whether the number of things fixed will be two digits or three digits, but it'll be one of those two. Yeah, I was glad that there was not a torrent of news for today's one thousandth episode of Security
Now, since, you know, there's been so much news recently that I've been unable to share, as I said at the top, some of the truly great listener feedback we've been receiving. So we're going to do that today, but I've got a couple of things first. Dave Plummer was an early Microsoft engineer. Among other things, Dave is credited with creating the original Task Manager for Windows, he wrote it, and also the Space Cadet Pinball port for Windows NT. He was also the developer who added native zip file support to Windows. Thank you, Dave.
Hard to guess which one of those is his most important.
Yeah, I'd pick pinball. Yes, yes. Please get it, Dave. So today Dave's best known for his two very popular YouTube channels; he has Dave's Garage and Dave's Attic.
I'm mentioning this today, first, because Dave puts a lot of effort and energy into the videos he posts to his channel, and our listeners might find a lot there to enjoy. So I created one of GRC's shortcut links to make finding Dave's Garage easy. It's just grc.sc/dave. So, you know, sc as in shortcut: grc.sc/dave.
But the main reason I'm mentioning this is that one week ago today, Dave posted his look at SpinRite 6.1. His subhead was "Optimize your hard drive and extend data life, including SSDs, with SpinRite." And this review of SpinRite was so positive that in the metadata info about this video, he made his motivation clear by explicitly stating, "By the way, this is NOT," all caps, "a sponsored episode."
"I'm just a thirty-plus-year customer and fan of the app," exclamation point. So anyway, everyone who has been following this podcast already knows everything Dave talks about. We all know that SSDs are prone to slowing down over time when their data is only ever being read and never written, such as, you know, the file system's metadata and most of the operating system files and drivers and so forth.
And early in the work on SpinRite 6.1, we discovered that running a SpinRite level three pass over SSDs that had slowed down over time would restore their original factory performance. So I'm mentioning this due to two viewer comments that were posted to Dave's SpinRite video last week. Brent Smith wrote, "Have used SpinRite since the early eighties."
"After talking with the head of support at Compaq, he stated that they used SpinRite to test hard drives before they were installed in Compaq devices. The bad ones were weeded out and sent back to the manufacturer, so they did not become a support issue at the very start for Compaq." Now, I've mentioned this anecdote several times through the years, but it was fun to see it independently restated, and it brought to mind a useful strategy that may still be useful today.
One of the things I've noticed while running drives on SpinRite is that the drive's self-reported SMART health parameters will often be pushed downward while SpinRite is running. This is one of the biggest mistakes made by all of the various, although they really don't have a choice, SMART drive health reporting tools. A drive that's just sitting there idle and doing nothing is always going to be relatively happy, because it's not being asked to do any work, and it's not the drive's fault for not reporting anything, since it has nothing to report. It's only when the drive is loaded by being asked to read or write data that it is able to gauge its own ability to actually do that.
For the past thirty-five years, this has been one of the fundamental tenets of SpinRite's value. A drive can only determine that it has a problem when it is asked to go out onto its media and attempt to read or write those regions. The fact that, in a sense, it owns that media doesn't automatically mean that it knows everything about what's going on out there. It needs to be asked to go take a look. And it turns out today's SpinRite can still be used the same way that Compaq once used it, to help qualify the relative integrity of spinning hard drives and SSDs. Another interesting comment that was posted there, among seven hundred and fifty-six others since last Tuesday, was by Seagate's ex-chief technologist, Robert, uh, uh, Thibadeau.
Thibadeau, yeah.
Thibadeau. In addition to being chief technologist at Seagate for years, Robert is also one of the six founding directors of Carnegie Mellon University's Robotics Institute, from which he resigned in order to guide Seagate's development of, among other things, self-encrypting drives. In response to Dave's SpinRite video last Tuesday, Robert posted, he said: "As a chief technologist for Seagate for years, SpinRite is generally done right. There are some errors in Dave's presentation, but they're minor. The biggest thing that needs to be said is that if you wish to retain digital data," and Leo, you're going to love this, "plan to keep essential data on multiple drives that do not depend on each other." He said, "RAID is not a solution, except for transactional data management or in its duplication mode." I think he means full mirroring. Yeah. He says, "And always keep a full data copy or two other air-gapped," meaning not connected to anything electrical. He said, "Safe deposit boxes are useful for this, and plan to make new copies on new drives every few years." He said, "Digital storage devices can fail in more ways than you can count, and the ones that can preserve data for decades are really not commercially available and often give a false sense of security, leading to catastrophic data loss. The design life of storage devices is generally five years, although it's not unexpected that a given device will preserve storage for ten plus a few years. Knowing what I know, I buy new drives every year and make new full copies, as well as keeping at least a couple of copies air-gapped all the time. Lightning can and does strike," he said. "Fire, parents, heat, magnetizers. And it is not true that solid-state drives are non-magnetic and not susceptible to failures associated with magnetic field losses." So anyway, I wanted to share those two. Well, I mean, you would have to stick it in an MRI machine, and I
mean, you can, like, the NSS with
my magnetic.
But they're still sensitive.
You'd have to hit it with a serious pulse. But I appreciated Robert's reminder about the inherent volatility of mass storage. You know, back when I first designed and wrote SpinRite, you know, I had ten, twenty, or thirty megabytes of spinning hard drive.
We thought we were fat. We thought, well,
because nothing was big back then. So thirty megabytes, that one, you were never going to fill that
up. I know, single photos that are big.
Right, exactly. So, you know, and those drives cost thousands of dollars. That price dropped rapidly, but it was still uncommon for anyone to own more than their system's primary mass storage drive. That's why SpinRite's data recovery was designed to work in place, because back then there was nowhere else for recovered data to go. That's one of the many things I am very excited to be changing as SpinRite continues to evolve in the future. And thanks to the ongoing support from this podcast's listeners and the greater SpinRite community, as well as independent influencers and reviewers like Dave Plummer, it appears that SpinRite will have a bright future. Nothing, truly nothing, could make me happier, because there's nothing I will enjoy more than continuing to work on SpinRite to move this code forward. Yes. But I just wanted to mention that I am always made a bit nervous when I get the sense that people are carrying around single copies of important data on today's drives, you know, in their laptops or desktops or external drives, wherever, where there may not be another copy of that data. Drives are certainly becoming more reliable as time goes on, but there's also a danger in that, since, as Robert reminds us, lightning does still strike. So the fact that drives are generally not dying left and right can lead us into a false sense of security, of believing they never will. With today's data storage being so economical, it might pay off to take some time to make backups automatic and transparent. And that's really where I'm headed here. Automatic is the key; that is the main point I wanted to make. Everybody's busy, we get distracted, we naturally forget to do things that don't call for our attention. That's why it really makes sense to find some time, if you haven't already, to arrange to have the data you care about kept safe for you without you needing to remember to do anything at all. These days, with storage being so inexpensive, that doesn't have to be expensive. I mean, almost free, in fact.
The best case is that nothing bad will ever happen and that your backup system will never be needed. But even then, the peace of mind that buys, of knowing that the system you put in place will have your back, I think is worth the time and trouble. So I just sort of wanted to take a moment to say, really, don't have a catastrophe. There's just no reason. There's no reason to have a
catastrophe any longer. I think some things have changed since Dave was working at Seagate. For instance, cloud storage is very, very common. Almost everybody listening, I would imagine, has at least one copy of their data in a cloud somewhere. It's so cheap, it's so ubiquitous.
Oh God, and now Microsoft is, like, dunning
you. Yeah, yeah. So that's a little annoying, to be honest. But yes, Apple, it's the same thing with iCloud. I think that most people probably have their most important stuff in the cloud. And, you know, you mentioned the same thing, which I think is a great solution: you have everything synchronized everywhere.
Yes, yeah, yes. Okay, one last bit before we get to our listener feedback. I mentioned last week that my mailing system's instant unsubscribe feature had turned out to be a bit too instant, since many of our listeners were being repeatedly, silently unsubscribed from the Security Now mailing list. The trouble was caused by some email providers, and this is a known issue I had never encountered, but I had... they attempt to protect their users from malicious links in email by following those links, pulling up the content they point to, and then checking it for any sort of malice. So it's not a bad idea, though it certainly does make email a lot more trackable, since, you know, many savvy users will deliberately not click anything in spam they receive as a means of remaining invisible, because they don't want to give any indication that they've got a live one here on the other end. So, you know, the issue of trackability must have been a tradeoff that these providers decided was worthwhile. In any event, the system I had in place until a few hours after last week's podcast, when I said I was going to fix it, would assume that requesting the content behind the instant unsubscribe link was the user clicking it. So it would do as requested and instantly unsubscribe them. So I wanted to confirm that I did in fact change the way the system functions, so that links now display an unsubscribe confirmation page that's actually very pretty. And you can click on it, just to see what it looks like if you're curious, and then just don't proceed to give it the additional click of "yes, I'm sure," because that's now what's required. So henceforth everyone should now remain properly subscribed. If you were not among the twelve thousand six hundred and fifty-six listeners who received today's podcast topic summary, the picture of the week, the show notes link and everything in an early morning email, you may now resubscribe to GR
C's Security Now mailing list, you know, grc.com/mail, and, you know, subscribe. From now on, if you do that, all subscriptions should be sticky and remain in place until and unless you choose to later unsubscribe. So I'm done with the email system. As I mentioned last week, it is now very easy to change your email address anytime you want; users can do that. With this last glitch gone, this mailing to twelve thousand six hundred and fifty-six of our subscribers went out beautifully this morning. So I have now actually already turned my attention to my next project, which is to create the next DNS Benchmark. So I am very excited to get going on that and get it done as quickly as I can. And Leo, let's take our last break, and then we're going to look at some listener feedback for the final half hour of our podcast.
Excellent, excellent. One thousand episodes, kids. Amazing.
Wow. And by
the way, I wish we had a list of all of the sponsors we've had over the years. It all started with Astaro, you remember? Well,
yes. And Alex is still listening.
Alex Neihaus is still listening. Thank you, Alex. I get regular emails from... probably it's not a thousand sponsors, but it's been quite a few. We're very grateful to all of them. It makes the show possible. We are, like Mozilla, dependent on your support with Club TWiT and, of course, on our advertisers' support. This segment of Security Now is brought to you by a company you probably know and have heard of, with a really interesting product that's somewhat new. I'm talking about Lookout. Today, every company is in the business of managing data. That means every company is at increased risk of data exposure and loss. We were just talking about it, right? Not just hard drive failure, but cyber threats, breaches, leaks.
Cyber
criminals are getting smarter every day, and modern breaches now happen instantly. It doesn't take days or months anymore; it happens in minutes. At a time when the majority of sensitive corporate data has moved to
the cloud,
traditional boundaries no longer exist. The strategies for securing that data have fundamentally changed. That's why you need Lookout. From the first phishing text to the final data grab, Lookout stops modern breaches as swiftly as they unfold, whether on a device, in the cloud, across networks, working remotely at the local coffee shop, or wherever. Lookout gives you clear visibility into all your data, whether it is at rest or in motion. You will monitor, you'll assess, and you'll protect without sacrificing productivity for security. And you'll like this, at least the IT department will: with a single, unified cloud platform, Lookout really simplifies and strengthens your security posture, reimagining security for the world that will be today. Visit lookout.com right now. Learn how to safeguard data, secure hybrid work, and, yeah, reduce complexity. lookout dot
com.
Thank Lookout so much for supporting the show. And we thank you for supporting us by mentioning you heard it on Security Now, because that's how we keep those sponsors happy, right?
Yes, they think, wow, this really makes sense, to advertise
on this. It doesn't... who else, what better place to tell the world about your security product?
Okay, so Paul Walker wrote: "Hi Steve, just listening to episode 999 and your piece about AI to find, fix, and prevent security vulnerabilities. I'm sure you're right. It'll be a great tool for developers, but I wonder if it'll just become the next arms race in the field."
"Couldn't bad actors deploy AI similarly to find vulnerabilities? And all we're going to end up doing is raising the bar of complexity, picking off more of the lower-hanging fruit as the vulnerabilities just become more obscure and harder to find by humans. Is there even a danger that a bad actor wielding AI might have an advantage for a while as they turn this new generation of powerful bug hunting tools loose on all the old current software that's already out there?"
"Don't get me wrong. It should be a good thing, assuming the overall balance of power between good and bad doesn't shift too far the wrong way. But I fear your hope for a world of no vulnerabilities still isn't much closer."
"Congratulations on reaching 999, and thank you for going past it. Here's to the next thousand episodes." Thanks, Paul. So yes, Paul, I've had the same thought. I agree that AI could just as easily be used to design exploits for the vulnerabilities that already exist or that will exist.
And I also agree that the inertial lag and upgrade friction we keep seeing throughout our industry is likely to mean that malicious AI will initially find itself in a target-rich environment. So yes, I agree one hundred percent that things may get rough during the phase where AI is still newly being deployed by both sides. But there is an important lack of symmetry here.
The good guys will have an advantage in the long run, because no malicious AI, no matter how good it is, will be able to create vulnerabilities out of thin air. All the malicious AI can do is find problems that exist; it cannot create new ones. So once the good guys have their AIs working to starve the bad AIs of any new vulnerabilities to discover and exploit,
the game will no longer be an arms race. There will be a winner, and that winner will be the good guys. So, but certainly an interesting point.
And we are in for some interesting times. And also, speaking of AIs, Matthew from Montreal, Canada, he said, "Hi Steve. I might not be the first person to share this snippet of code with you, but I thought you'd find it useful. I asked ChatGPT how to remove YouTube Shorts."
"Initially it suggested plugins, but since I have security concerns about plugins, I asked again, this time specifying that I wanted a solution using only uBlock Origin. Here's the solution it provided. And it works great."
Okay, so I've got it in the show notes. Basically ChatGPT, to its credit, created a three-rule filter, which, you know, you go to uBlock Origin, open the dashboard, look at the My Filters tab, and then paste (it's actually six lines, because it's got comments for each of the lines), paste those in, click Apply Changes. Anyway, he said it worked.
He said, "This approach has worked perfectly for me, and I thought you might find it handy too. Let me know if you try it out. Best regards, Matthew from Montreal." Okay.
So as I said, and as he wrote, Matthew from Montreal found that this worked for him. But a listener named Darrell, a man of few words, sent just a link to a GitHub page. It's github.com, and then... I have the link in the show notes.
It looks like github.com/gijsdev/ublock-hide-yt-shorts. So I followed that link and was taken to a page that said, "A uBlock Origin filter list to hide all traces of YouTube Shorts videos." He said, "This filter list might work with other content blockers, but I haven't looked into that yet."
He says, "Copy the link below, go to uBlock Origin dashboard, Filters, and paste the link underneath the Import heading." So that's very cool. Under uBlock Origin, there is an "Import..." box.
You can give it a link and it will suck in the listing for you. So anyway, I used wget to grab the list, the text file referred to in that link. It's an extremely comprehensive, well-commented, seventy-one-line filter, although that includes blank lines and comments, lots of comments.
I would be quite surprised if anything resembling a YouTube Short was able to squeak through that gauntlet. Then I discovered where Darrell found his GitHub link. He sent me another piece of email with a link to a piece on Medium where a software developer explains, he said, "As a software engineer, I typically spend eight to ten hours daily on my laptop."
"Following that, I frequently indulged in YouTube Shorts, which, combined with my extensive screen time, has started to negatively impact my eyesight. Despite recognizing this, I found myself too addicted to simply stop. Hence, I decided it would be better not to see any Shorts on YouTube at all."
"That's when I discovered my savior, uBlock Origin. uBlock Origin is a Chrome extension that not only blocks ads on YouTube, but can also stop YouTube Shorts, which I hope in turn will save me more time."
"Here are the steps to follow." Okay. And then he provides a link. Actually, he copies a bunch of stuff into his Medium posting. At the bottom, he provides a reference.
It turns out that this software engineer is also not the original author of this filter list. As I said, at the end of his Medium post, he links to the YouTube video where he presumably learned about uBlock Origin and found this filter.
So first of all, we've confirmed my suspicion from last week that uBlock Origin all by itself, which can obviously function as a Swiss Army knife for web content filtering, could probably nip this YouTube Shorts problem in the bud without the need for any sort of possibly sketchy additional web browser add-on, which is what brought this whole topic to the podcast, right? Remember that somebody had a YouTube Shorts blocker, and it became owned by somebody who started using it to track all of the users around the Internet.
So we were saying, hey, do you even need an add-on? Why not just use uBlock Origin? So, sure enough. But I was still unclear about what all the hullabaloo was over this so-called YouTube Shorts problem. What's the problem, exactly? Why are people creating web browser extensions to hide these? So I followed this software engineer's link to the YouTube video where Chris Titus Tech tells us how to do this.
I did not watch Chris's video, but some of the, and I kid you not, eight thousand four hundred and twenty-three comments that had been posted to his explainer over the past ten months since he posted his video, which has been viewed one point six million times, were quite illuminating. So here's a sampling.
For example, people said, "The fact that people want to disable Shorts, and there are developers that create these amazing tools, really goes to show how crap Shorts really are." Somebody else said, "What's wrong is YouTube themselves keep pushing Shorts on people. It's a form of spam and should be something you can opt out of."
"Unfortunately, opting out doesn't work within the YouTube platform. I hate Shorts and I hate the way YouTube is going." Someone else said, "Thank you for the tip. It's a lifesaver."
"YouTube Shorts are cancer." Somebody else said, "Alternate title: how to cure YouTube's cancer." Somebody else wrote, "My child can't stop himself. Once he starts watching them, I have to step in."
"He even tells me he wants to stop watching Shorts but can't, which is terrifying. Knowing this will make a huge difference in our lives. Thank you." Finally, someone said, "Dude, I literally cannot thank you enough for this."
"I'm currently trying to really focus on my studies, but Shorts have been my downfall," all caps, "LITERALLY." He said, "I just get so addicted to it, and I feel like I physically can't stop."
"Once I realize how much I wasted doing nothing, I feel empty and dumb inside. So glad this is a thing, and it works great. You're a lifesaver."
"Thank you so much." And the last comment: "Could you please make a shorter version of your video?" Okay, I confess, I made that last one up.
Um, but wow, whatever this is, it really appears to have people in its grasp. It's somewhat astonishing. But these reactions to the posting of Chris's extremely comprehensive YouTube Shorts content, uh, no,
and how to block it using uBlock Origin, answer the question of why anyone would want to remove these from their browser, and, you know, also apparently from their life, in addition to from their browser. So anyway, we know you can use uBlock Origin.
The show notes have lots, lots of links, and one to a very comprehensive filter list for anyone who feels like a lot of these, you know, eight thousand plus people who discovered Chris's list do. Tom Demon said, "Steve, I ran into this on LinkedIn about last week's photo of the week. Just thought I would let you know."
Quote, "Here's how a bunch of firemen created a viral image that fooled the Internet," unquote. That was the title from Business Insider. He said, "Thanks."
"Been listening since episode one. Tom Demon." Okay. Now, Tom is actually referring to the photo from two weeks before last, for episode 998, that
is the one with the train tracks, yep.
The insane one, showing the fire trucks' hoses crossing the train tracks while being protected by hose protectors, you know, as if that would do what was intended, you know, for the wheels of a train, right? So Tom linked to an article in Business Insider. Unfortunately, it was behind a paywall, which placed a firm pop-up covering the page in my face and which refused to allow me to proceed.
But I was quite curious to see what Tom had seen. So once again, uBlock Origin to the rescue. I simply disabled JavaScript for the site.
This site is really hard to get to. I'm glad to know I can do that.
You refresh the page, and no more pop-up blocking the page's content. So I can tell you that Business Insider wrote: "If you've spent any time on the Internet over the past few months, there is a chance you saw a photo of a fireman who had found a foolproof way to lay their hose over train tracks. The photo went viral, being shared all over Twitter and Facebook."
"Insane, right? Not quite. The photo was actually a joke. Firefighter Tom, from Belgium, took the photo at the beginning of April and posted it to Facebook. The caption says something like, 'Fire early this morning.'"
"'Our hoses are still protected from the train,' exclamation point. But that track was down that week for repairs. Those in town, presumably Tom's Facebook friends, knew that the photo was created and posted for laughs. There was no chance a train would be coming. But soon hundreds of people were sharing the photo on Facebook, adding their own commentary."
"People who did not know Tom, or about the defunct train track, began to see the photo and, in disbelief, shared the photo themselves. After his picture was shared hundreds of times, it eventually became separated from its original source and from its sarcastic caption. People believed it was real. Stories"
"like the one about how a train was derailed began going viral as well. Several days later, after tons of tweets, shares and email forwards in lots of languages, Tom wrote a follow-up post explaining what happened."
It says, "Hey, this past week our funny photo went viral throughout the whole world, thousands of shares and likes in many different countries. Once and for all: the picture was taken in Belgium, in a small village called Borum. After a minor intervention," meaning some fire-related activity, "we had some time left near the railway to make this picture. Since there were no trains running at all for a week due to maintenance works, we can state that our joke was a real success."
Oh, and now, many years later, still fooling people on the Internet.
So a big thank you to our own Tom, our listener Tom Demon, for resolving this mystery for us. It's good to know that those firefighters were aware that either their scheme would not actually survive a train, or that any passing train might not survive their scheme. Opinions among our listeners who sent feedback about the photo differed widely about what might transpire if the integrity of that crossing solution were ever to be tested.
Paul Northrop wrote: "Hi Steve, in regards to the new DNS Benchmark offering, will there be versions for other operating systems? Apple, Linux, BSD?"
"Thanks." Okay. Fifteen years ago, when I first wrote the DNS Benchmark, I took great pains to make sure that it would run perfectly under Wine, and it does, beautifully.
So I'll definitely be preserving that functionality. Anywhere Wine can be used, so can the DNS Benchmark. As it turns out, all three of those non-Windows OSes that Paul mentioned, Apple, Linux and BSD, are POSIX compliant and can and do run Wine. So while it won't run natively, it will be possible to run it on any of those platforms in addition to Windows.
So, got that covered. Jim poses an interesting question. He writes, "Hi"
"Steve, thank you for being here for Security Now every week. You and Leo make a great podcast. I have a question about AI which is a bit philosophical. A comparison of answers between Gemini, ChatGPT and Copilot shows the systems can disagree on basic facts, such as who won the 2020 presidential election."
There is disagreement in general.
That is exactly to my point. He says, "Gemini refuses to answer the question. This sounds like Big Brother, and Google has anointed itself the Ministry of Truth, deciding what facts it will support or review. Having our access to knowledge regulated by corporate overseers is disturbing."
"How can AI be trusted if it withholds facts? Do you think a control system should be in AI that will prohibit AI from withholding the truth? Regards, Jim." Okay.
This is an aspect of AI that I suspect is going to be a real issue. My wife and I have grown to know the neighboring couples within our little community enclave quite well. Lorrie enjoys socializing, and since she lets me work every other minute of the day, I'm happy to join in.
What I know, because I've grown to know our neighbors, is that I could ask each couple the same question and obtain a different answer from each, sometimes radically different answers. And their intelligence is not artificial, though in some cases it may be questionable. So I suspect we may be asking a lot of AI for it to be some sort of absolute oracle and truth teller.
And moreover, the truest answer may not be a simple binary, yes or no, true or false. I believe in the fundamental rationality of the universe, so I believe there is an absolute truth. But I've also observed that such absolute truth is often extremely complex and colored by subtlety.
Many people just want a simple answer, even when no simple answer can also be completely true. In other words, they will choose simplicity over truth. Having come to know our neighbors, I have also come to understand their various perspectives.
So when they share what they believe, I'm able to filter that through who I know them to be. I know we would like things to be easier and more straightforward with AI, but I see no reason why it might be. So, whether we like it or not, what we're going to get from AI will just be another opinion.
I couple things. I would add that first of all, the AI didn't give him or refuse to give him the answer the coding did because everybody google ma, everybody except elon muslim rock has a bunch of bumpers put in to keep IT from answering a controversial questions. That's just a human saying, if IT says this, don't answer IT the A, I would give you an answer.
I don't know what the answer would be, but I would give you an answer. Everything I would say is this is exactly what Timnit Gebru, Margaret Mitchell and others who were working in Google's ethics department at the time, until they were fired for this, said in a paper called Stochastic Parrots, where they talked about the problem with AIs: because it's coming from a computer, people give it more weight.
They assume it's a computer, so it's smart, so it's going to be right. And that's, of course, a mistake, right? And really, if you ask the same AI the same question several times, it will give you different answers each time; it's designed to do that. So it's more a question of us understanding, and I think the term artificial intelligence is part of the problem, understanding what it is we're playing with. Yeah, and it's not
intelligent at all. Well, and we've been using the term forever. You know, when I was in high school, I was at the AI lab at Stanford University. Yeah, so, like, okay, that's nothing like what we have today. So although, you know,
what's really interesting, I just read an article, a really good article, about Fei-Fei Li, who was one of the early researchers who believed in neural networks. And this was twenty years ago, and the entire AI community had said, no, you know what, we've tried, they don't work. And she persisted, spent two years putting something like twenty or thirty thousand images into it, and created an image recognition program that worked.
I remember we interviewed the people at the University of Toronto, when I was up at Call for Help in Toronto, about this image recognizer. This was what inspired Geoffrey Hinton and others later to continue on with the AI, in fact using neural networks and the other techniques that we see today. So even in the AI winter, there were people out there who had ideas that made sense and worked, but for a variety of reasons didn't get a chance to try it out. It's a bit of an up and down thing. There are people who say today, a lot of people who seem to know what they're talking about, AGI is like within a few years. Yeah,
actually, I think that's our topic for next week. Is it? Yes. Good. Yeah, because Sam Altman has just gone on record. He's a hype master, I know, but there was enough meat in the discussion that I thought it would be interesting to share. I've been
dying to hear what you have to say about this. Oh, I can't wait. I'll look forward to that.
So John, he said: Hi Steve. As someone who has been in security for over twenty years, I have found myself constantly overthinking anything that would result in lowering security, which could lead to a breach or intrusion. As a keen home automation tinkerer, I have numerous devices.
He sounds like Leo. Probably over one hundred at home for controlling everything from lights to fans to monitoring solar and sea. He says, all partitioned off, of course, with VLANs, multiple firewalls, separate SSIDs, et cetera.
One of my biggest conundrums, though, is how do I expose the controller, for example Home Assistant, to the internet so I can access that when traveling around. I have a fixed IP, so that's fine, but I really don't like exposing this type of software directly to the internet. At the moment
I connect using OpenVPN; that's fine, but this means I need to turn it on and off every time I want to do something, which is a pain. I have also thought about an overlay network, but need to research a bit more on data usage, as it will be used primarily from a mobile device and hence limited data. Anyway, going back to the main thread, I know security by obscurity can be somewhat effective in a layered approach.
So what are your thoughts on using an IPv6 address rather than IPv4 for inbound traffic in these scenarios, as it is much harder to do full network scans across the IPv6 address space compared to IPv4? Long time listener and SpinRite owner from Australia. Keep up all the great work you, Leo, and all the team do over there at TWiT. Thanks, John.
Thank you, John. So the problem John has is, as we were talking about earlier with Synology, a problem many people are having. Now, this is why those one to two million Synology photo sharing services were exposed, are currently exposed and vulnerable.
Hopefully they're getting patched. No one appears to have created a solid solution for this because developers keep believing, as I noted before, that they've just found and fixed the last problem that they're ever going to encounter. So, you know, right? Sure, go for that.
What we still need is a clean and efficient means for remotely accessing the devices within our networks at home when out roaming. So John is wondering about the security of hiding his devices within the larger one hundred and twenty-eight bit address space afforded by IPv6.
He clearly understands that such a solution is only offering obscurity at best. So I suppose I'd say that doing that would be better than doing nothing, but that also requires IPv6 addressing support at both ends.
And the trouble is that it is not as if he gets to pick any hundred and twenty-eight bit address at random from all possible one hundred and twenty-eight bit addresses. ISPs are allocated well known blocks of IPv6 address space, and they generously hand out smaller blocks of sixty-four K, sixteen bits, of IPv6 addresses per subscriber. So it would still be possible for bad guys to target any ISP range of known addresses
and scan across that space. Given the massive scanning power of today's botnets, discovering open ports located within an ISP-assigned IPv6 space would not be prohibitively difficult. John mentioned the use of an overlay network such as Tailscale, ZeroTier or Nebula. I think those solutions are about as close to the perfect user-friendly solution as exists today.
They all support all major desktop and mobile platforms as well as popular open source routing software such as pfSense, OPNsense and others. So an instance could be installed in an edge router to provide extremely secure connectivity to any roaming devices. Or, if you prefer, Docker can be used to install, for example, ZeroTier on a Synology.
Once you have an instance of one of these terrific solutions running on something at home, you could have secure connectivity to that network from any roaming laptop or smartphone, and there is no implication of excess network bandwidth consumption, since all of these solutions are economical in their overhead. And the way they work is exactly what you want. You simply have that client running on your smartphone.
And when an app you have wants to connect to, for example, Home Assistant, presumably you use a web browser, and you give it your home IP, or maybe you have dynamic DNS set up so that your home IP has a public DNS name. You go to that DNS name, colon, and then the port number, and the traffic that is routed to your home only goes over the overlay network. I mean, it is like it is the perfect solution.
It's, you know, not everybody is going to use it because, you know, it's the kind of thing that our listeners will use. It's not as simple as, you know, Synology saying, oh look, now all your friends are able to browse your photos that you stick in the public photo sharing folder, or whatever, you know, using your home NAS, which will never be safe. But it is definitely possible to use an overlay network like Tailscale, ZeroTier or Nebula to successfully get what John wants. Allen, our last bit of feedback, says, Steve, congratulations on one thousand episodes of Security Now. He said, I listened to the first episode during my first year of college for computer science while donating blood plasma for money to buy a second monitor.
Wow. That's
dedication. Now I am a senior software engineer at Google, where I have been for nine years. I've listened to every episode within the week that it came out.
Your podcast was at least as useful to my understanding as my bachelor's degree. And in many cases, your early podcasts helped me understand the material in my classes much more deeply. Thank you for all your years making Security Now. Allen.
That is so beautiful.
And so to Allen and to all of our many listeners who have recently written something similar. And I actually have something else that just came in this morning that I'll share next week; it was really, really wonderful.
I wanted to say, as we conclude this one thousandth episode of Security Now, that providing this weekly podcast with Leo has been, and I'm sure will continue to be, my sincere pleasure. As I said before, I'm both humbled by and proud of the incredible listenership this podcast has developed over the years. It has been one of the major features of my life, and I'm so glad that you,
Leo, thought to ask me twenty years ago whether I might be interested in spending around twenty minutes a week to discuss various topics of internet security. Just look what
happened.
So thank you for making this possible. Thank you.
Here's to the next thousand. And I just provided you with the platform and you took it from there. It's been really amazing. Our web engineer Patrick Delahanty posted some statistics about the show.
He said the shortest show we ever did, do you remember this? We did, like, an extra, and it was three minutes. I think that was like an update of some kind. I can't remember why, but we had to do an update for some reason. So I guess that will always be the shortest show; there wasn't a whole lot in it. Like, I'm going to scroll back to see if I can find his post. And then he said the longest one we did, I think that was close to three hours, was two hours and fifty-seven minutes.
And wow, yeah, I didn't know that. We actually, I thought that a week or two ago, that was two and a half hours. And I thought that was the, well,
there was always the, you keep it to two hours, pretty nice.
I think that's a target. I think that's a reasonable, uh, time. We've got a couple of listeners who complain. I don't
listen to the whole thing. Nobody's making you, like you have to. My attitude has always been, give people... usually, you know, you're supposed to give them less than they want. My axiom of podcasting is, as long as it's longer than your commute. You don't want it to end halfway to work.
And we know how people feel about those YouTube Shorts.
We don't want to be a short. We don't want to be short. No, we are longs.
Yeah, in the early days of TWiT, I tried to keep everything under seventy minutes because people were burning the shows to CDs. And that was the maximum length of a CD, right?
Yeah, I don't worry about that anymore. You probably know, I think we are now, almost all of our shows push two hours. This is the shortest that I do. Almost all of us are two and a half to three hours.
So you actually have the honor of hosting our shortest show. Sure. Congratulations.
And dare I say, most focused.
Very focused. And we love that. It is easily the geekiest show we do. And I say that proudly. I think that, you know, we try to serve a broad audience because I don't want people to say, no, I don't understand anything he ever talks about. But at the same time, we also want to serve the hardcore person who really gets this and really wants to know deeply what's going on. Well,
and we do have listeners who write and say, well, I think I understand about fifteen percent of what you guys talk about, but I like it. I'm not sure what that is, but, you know, it makes me feel good, and I always get a little
something. Like, yeah, great. Yeah, that's okay too. I mean, I've often thought of what we do as aspirational.
I was watching this documentary about Martha Stewart on Netflix right now. It's actually fascinating. I would watch it even if you're not interested in Martha Stewart.
But people said about her and her magazine, nobody can live that way. Nobody can be that perfect. You're setting too high a bar. She says it's aspirational.
Everybody might want beauty in their life. I want to be able to have that. Everybody wants to understand what's going on in the world of technology.
And if you don't understand it all, you will just keep listening, right? Steve, it has been my great honor to know you and work with you for more than thirty years. I can't believe it's been thirty years. It doesn't
I know, it doesn't feel like it at all, and that's the good news. Yeah, you know, we're early at
one thousand. Yeah, look, we're going to keep doing this as long as we can. But I am so honored and thrilled that you were willing to do this way back then and continue to do it. I know it's a lot of work. Don't, I am very aware how much
work you put in. It's a lot of work, but I'm happy to do it, yeah.
Here's Patrick Delahanty's note. I found it. The shortest episode of Security
Now was forty-two... four minutes and twelve seconds. That's this one: Security
Now 103 SE, Vote for Steve. You remember that? That was, you were trying to win the podcast
Oh right, right.
The podcast awards, and I think
you did. We won, we won the first several years the podcast
awards. Yeah, yeah. Well, and rightly so. And then the longest episode, and I have the receipts to prove it, three hours and fifty-seven seconds. But it was the best stuff, so you don't have to take credit for that.
Thank goodness. Like, I can't imagine I would have participated in that. I would have been on the floor.
Yeah, well, the reason was there were so many good sections in sequence in twenty eighteen, we couldn't do less than three hours. Yeah, so that's good. That's fair.
I think that's okay. Steve, thank you from the bottom of my heart. We're continuing on.
I would have been bereft sitting here on this Tuesday afternoon without a Security Now. And I know I'm not alone in that. So, thank you for all the work. You do so much work every week.
No end in sight. Uh, there used to be a saying, our listeners were saying, to nine ninety-nine and beyond. Now what is it going to be? To one nine nine nine? You...
How about nine nine nine nine? How long would that take? Two hundred years? Yeah.
I'm feeling great, but all I've ever said is I do believe in a rational universe.
But wait, maybe we are laughing now, but somebody in the future will be listening to AI Steve. That's true. And episode ten thousand.
I'm sure you could dump all the transcripts into an AI and say, okay, give me the last week's news as Steve
would present it. Totally. You could probably do that now. Probably could do that now, but certainly in the middle, before we're done with the second twenty years. Steve, bless you. Thank you, my friend. Eternally grateful. And we will see you next
week, on to one thousand and one. Next year. Security Now.