SN 999: AI Vulnerability Discovery - RT's AI TV Hosts, Windows 10 Updates

2024/11/6
Security Now (Video)

People
Steve Gibson
Cybersecurity expert and entrepreneur who created several influential security tools and podcasts.
Topics
Steve Gibson: Russia has imposed a record-breaking fine on Google, an amount so large it is hard to believe. This stands in sharp contrast to the relatively small fines the U.S. Securities and Exchange Commission levied on several publicly traded companies, which had almost no effect on those companies' behavior. Russia's fine against Google stems from Google's refusal to restore the YouTube accounts of several pro-government media outlets. The fines started at 100,000 rubles per day but doubled every week, eventually reaching the staggering figure of 2.5 trillion U.S. dollars. Google is unlikely to pay, since its parent company Alphabet's 2023 revenue was 307 billion dollars and the fine far exceeds all the money on earth. In addition, Google's Russian subsidiary filed for bankruptcy in 2022. Zero Patch: Microsoft plans to stop providing free security updates for Windows 10 in October 2025, which will expose millions of PCs to security risk. Microsoft will offer paid Extended Security Updates, but they are expensive and the price doubles every year. Zero Patch offers a more affordable alternative, providing security patches for Windows 10 for at least five years; its micropatches can be applied without rebooting the PC, and it also provides zero-day patches and other kinds of patches, including for vulnerabilities Microsoft has decided not to fix and for non-Microsoft products.

Chapters
Steve Gibson and Leo Laporte discuss upcoming topics including Google's record-breaking fine by Russia, AI-generated TV hosts, Windows 10 security updates, and more.
  • Google faces a record-breaking fine from Russia.
  • RT's editor-in-chief admits TV hosts are AI-generated.
  • Windows 10 security updates are set to end next October.
  • AI being used for vulnerability discovery.

Transcript

It's time for Security Now. Steve Gibson is here with lots to talk about: Google's record-breaking fine from Russia, and I don't think they plan to pay it; Firefox 132 and its nice new features; a really bad exploit involving Windows .rdp files. And then Steve's gonna talk about his plans for his next paid product, announced for the first time right here. Next on Security Now.

Podcasts you love from people you trust.

This is TWiT. This is Security Now with Steve Gibson, episode 999, recorded November 5th, 2024: AI Vulnerability Discovery. It's time for Security Now, the election day edition with Steve Gibson, where we cover all of this. Oh, I got the wrong album art up there.

I'll fix that, Steve. Look over all the latest security news, privacy news and AI news. Look at the stickers.

Yeah, that I got. Lorrie's also. You know, vote early, vote often.

But I only have the one sticker. But yes, there's something really satisfying about participating in our democracy, I have to say, and I always enjoy it, and this time was no different, even though I did vote by mail. I didn't go in. It's just satisfying to put that in the mail.

And I do appreciate California making it so easy. Whether you ask for it or not, you get the ballot in the mail. Thank you very much. And you know, you get to do it three or four weeks ahead of time, drop it in the box and hope it doesn't catch fire, and then you're done.

See, it's Security Now, everybody, very nice. I have fixed the album art, which means it's time for you to tell us what's ahead in the show. Okay.

So, um, before I forget, uh, I've been receiving some emails from people who say, hey, you're mentioning that you send out the announcement about the podcast the day before. Yesterday it was the evening before, to twelve thousand hundred and fifty-four people, I believe, um, or the week before it was the afternoon before. But people are writing saying, I didn't get it, and I got them before, but I didn't get it anyway.

What's happening is, I tracked this down, some people's email services are, in an attempt to protect them from malicious links, following the links in their email. And unfortunately, my one-click instant unsubscribe really does work, and there's no confirmation on it. You click the link and you're out, no words.

And so apparently...

...people who are using Outlook, some people using Outlook, Outlook will protect them by fetching the links in their email, and when they fetched the instant unsubscribe, that's it. They're not going to get any more email from me. So to everyone who's hearing this who did not get yesterday's, or last week's, or yesterday evening's email, I'm sorry, you were inadvertently unsubscribed by your overprotective email system.

Uh, so please go back and resubscribe, and by this time next week, I'm sure this will be resolved, and I will have to take you to a page that asks, oh, are you sure you want to unsubscribe, and then you click yes. And now I understand why that's what everybody else does. You know, I wasn't doing that, and that was not good. That's it.

Turns out you need to say, are you sure, because then Outlook goes, oh, look, isn't that nice? He's asking if they're really sure. So where are we? We're not going to... it's not giving the mail or anything.

So only Outlook does this? I feel like Gmail has some...

...method of unsubscribing. Well, Gmail makes it very easy. So the thing is, there is a standard where the one-click unsubscribe goes in the headers.

I was also putting it in the body of the mail, and so that's what Outlook is going in and finding: things that users could click on that might get them in trouble. Oh boy, do I have a really amazing piece of news about that here today. But in the headers, that's where Google will say, if you mark something, if you flag something as spam, you get a little dialogue.

This is, oh, would you like to... or maybe if you just delete them anyway, you get an offer from Gmail to unsubscribe from this list. Yeah, the reason it knows it's a list is that in the headers, unseen by users unless they explicitly look, is an unsubscribe link, which your email provider is able to use.

And in fact, this was really handy when I was doing that mailing to the really old email addresses. Many of the recipient servers would see, oh, that account hasn't been around for a decade, and so the server itself would unsubscribe them.

So it was great for, you know, it automatically cleaned the email list. So anyway, we are at Security Now episode 999. As you mentioned, Leo, and I should mention to our listeners, last week I noted I had not yet updated GRC's site to handle four-digit podcasts. I did that. Yes, we are prepared to wrap to... I had to do it. Well, at this time, this was why I was gonna... all over, and, oh boy, I didn't even realize it.

Remember saying, you know, I think my last show should be election...

Wow, did you pick that? Okay. So, um, we're going to talk about the interesting topic of AI being used for vulnerability discovery, which I think is gonna be a big deal, and I don't want to step on my own story here.

So I'm just going to leave it at that until we get there. We're going to talk about Google's record-breaking fine by Russia and wonder how many zeros that number has. Also, uh, Russian television's RT editor-in-chief admits that their hosts are AI generated. Yeah, probably because they said that all the actual hosts afterward... uh, Windows 10 security updates are set to end.

That's for 22H2, set to end next October, or are they? Uh, when a good Chrome extension goes bad, we're gonna look at a real world event that occurred. Also, Windows, it turns out, will launch RDP sessions, Remote Desktop Protocol sessions, with a .rdp launch file, which can also configure your RDP client for full zero security. And we ask, what could possibly go wrong with that? Actually, something has. Firefox 132 just received some new features.

Chinese security cameras have been removed, well, more than half of them, from the UK. We'll check in there. Ah, and I know our listeners would not fall for this social engineering attack we're going to look at, but I bet you that lots of people would. Also, I'm going to announce GRC's next commercial software product, or at least some commercial software product, talk about that a little bit.

And then we're going to look at the prospect of AI, as I said, being used to analyze code to eliminate security vulnerabilities, much as I recently suggested that AI running on the local smartphone may be the solution to allow us to preserve full end-to-end encryption by preventing bad stuff from being sent or received. I bet you that AI may be the solution to the security problem. And Leo, have we got a picture of the week? A beauty. I love it.

All ahead. Security Now 999 is underway, which would have been, if you're just joining us, the last Security Now, until Steve changed his...

...mind. A year ago, people were reading and I was planning, but you know, I'm not ready to go yet.

Congratulations. That's great. Our show today, we have a great sponsor, brought to you by DeleteMe.

And if you listen to the show, you know how problematic data brokers have become. That National Public Data database that was breached: hundreds of millions of people's social security numbers and emails and home addresses were basically given out to the bad guys. I think that's one of the reasons we're getting the spate of sextortion emails, Steve, with your name and address and phone number in it.

I think it came from the NPD release. You know who doesn't get those? Lisa. You know why? She uses DeleteMe, our sponsor for this segment. If you've ever searched for your name online, you don't like how much of that personal information is available.

You may want to consider doing something about it, and maintaining privacy is not just a personal concern, it's a family one. That's why DeleteMe has family plans, so you can ensure that everyone in the family feels safe online. How does DeleteMe work? It reduces the risk of identity theft, of cybersecurity threats, harassment and more, and it works by removing your private information from these data brokers, from these sites on the internet that are collecting all this, like NPD. Lisa is not getting those exact same emails that I'm getting because her information wasn't in the NPD database.

You know, this is actually not why we started using it. We started using it because of phishing scams, spear phishing scams. Bad guys were using it to target Lisa's direct reports. She's the CEO of TWiT, and all of the people she manages were getting text messages saying, this is Lisa, urgent, you know, I'm in a meeting, but I need some Amazon gift cards right now. Order them for me and send them to this address.

Fortunately, our employees are smarter than that, but it did give us a little cause for concern. Like, how do they know what Lisa's number is? Because it was Lisa's number. Who she is, what company she is, who works for her, who her reports were, what their phone numbers are.

That's when we said, you know what we need? DeleteMe.

How do you feel about compromised info and hacking and identity theft and spam? I mean, this is a nightmare, and we are very pleased that it was working for Lisa. I'm not so happy about myself.

Maybe I need to sign up for DeleteMe. Experts go out and find and finally remove your information from hundreds of data brokers. They make it their specialty. They know all the data brokers. And this is a really tough job because there's new ones every day, but they make sure they get them all.

And if you want to use it for your family, you can assign a unique data sheet to each family member that's tailored to them, with easy-to-use controls, so you can manage privacy settings for the whole family. Some people say, no, no, I want to be on this site. I want to be on this site, but not this site.

Here's the thing that I think is most important, the reason we went with DeleteMe. They don't just remove it the first time.

They continue to scan and remove your information regularly because these data brokers, there's new ones popping up, they repopulate their databases all the time. I'm talking addresses, photos, emails, relatives, phone numbers, social media information, property values, and on and on and on.

If you want to protect yourself and reclaim your privacy, do what we did. Go to joindeleteme.com/twit, offer code TWIT.

You'll get 20 percent off. That's joindeleteme.com/twit, 20 percent off with our offer code TWIT. We thank DeleteMe so much for supporting the show, and we thank you for supporting the show by using that address.

joindeleteme.com/twit. Are you ready, Steve? I have prepared myself, steeled myself, if you will, for the picture of the week.

Just hold on to your desk.

It looks like something...

...out of Alfred Hitchcock, Vertigo. Wow. So I gave this the caption, when handrails are not optional. And I truly wonder whether you could walk down these stairs without...

...your eyes, I mean, they are...

The stairs aren't completely normal. Someone put the worst imaginable pattern of carpeting on these stairs. It's all full of, like, off-axis, crosswise...

It's horizontal stripes, but they're all kitty-wampus, is the technical term? Yes. And oh, I mean, you have to really focus in order to, wow, to get down these things.

So no, I've had this one for a while, and I thought it was great that you can see the aisle that it goes down to is the same pattern. Yeah, and that's gonna be OK. But boy, when it turns around and goes ninety degrees and goes up the stairs, this looks...

...like it's a ship too. I don't want to make it worse, but imagine you're rocking...

...on this thing. Whoa, yeah, wow. Good, good. Okay. So it's a shame that our favorite Russian internet watchdog, Roskomnadzor, is not the Russian entity that's been levying these fines against Google over its management of YouTube.

So it won't be fun to say that name many more times during this reporting; I only get that once. But nevertheless, this bit of news was too fun and bizarre to pass up. It seems that, by Russia's accounting, Google currently owes some large Russian media outlets a rather significant sum in fines.

We noted last week that the few millions of dollars that the U.S. SEC had levied in fines against four publicly traded US companies would be unlikely to change those companies' behavior because the fines fell far short of being significant for them. However, that's not the case here with Google and these Russian media companies, quite the reverse. In fact, here's the story.

As it was recently reported in the Moscow Times, under the headline Russia Fines Google 2.5 Decillion US Dollars Over YouTube Bans, they wrote:

The RBC news website reported Tuesday that Google has racked up some two undecillion rubles, which is the equivalent of 2.5 decillion US dollars, worth of fines in Russia after years of refusing to restore the accounts of pro-government and state-run media outlets. You know, like Google just said, no, we're gonna kick this off of YouTube.

RBC cited an anonymous source familiar with court rulings against Google. According to RBC's sources, Google began accumulating daily penalties of 100,000 rubles in 2020 after the pro-government media outlets Tsargrad and RIA FAN won lawsuits, you know, Russian lawsuits, against the company for blocking their YouTube channels.

Those daily penalties, get this, have doubled each week. And we know when we're young, we learn about the power of compound interest, right? So these penalties are doubling each week, leading to the current overall fine of around two undecillion rubles. Now, an undecillion, they explain, is a number equal to one followed by thirty-six zeros, or one trillion trillion trillion rubles.

Google, whose parent company Alphabet, they report, reported revenue of more than 307 billion dollars in 2023, is unlikely, you think, to ever pay the incredibly high fine, as it far exceeds the total amount of money on earth. A total of seventeen Russian TV channels have filed legal claims against Google, according to one of RBC's sources. Among them are the state-run Channel One, the military-affiliated Zvezda broadcaster, and a company representing RT editor-in-chief Margarita Simonyan.

YouTube, they write, which is owned by Google, blocked several Russian state-run media outlets over their support of the full-scale invasion of Ukraine. Authorities in Moscow retaliated with these fines but stopped short of blocking YouTube outright. On Thursday, the Kremlin called the fine against Google symbolic.

I'd have been inclined to call it embarrassing, but okay. A Kremlin spokesman, Dmitry Peskov, told reporters at a daily briefing, quote, although it is a concretely formulated sum, I cannot even pronounce this number. Rather, it is filled with symbolism.

In fact, it's also filled with zeros. In fact, there should be a reason for Google management to pay attention to this and fix the situation. Google's management doesn't care anyway.

Finally, they said this seems unlikely, given that Google's Russian subsidiary filed for bankruptcy in the summer of 2022 and was officially declared bankrupt last fall, and Google had earlier halted all advertising in Russia in order to comply with Russian sanctions over the war in Ukraine. So yes, uh, fine them all you want. Double every week.

You're going to run out of zeros at some point. Uh, and as I also noted at the top of the show, uh, this editor-in-chief, Margarita Simonyan, was mentioned as one of the other seventeen companies that have also filed more recent suits against Google. Uh, I had noted that she also recently admitted that many of RT's, you know, Russian television's hosts do not exist and are entirely AI generated, along with their fake social media accounts, because I guess, you know, you want to respond to them interactively, get all engaged.

They need to have a social media account to allow you to engage with their fake AI hosts. Anyway, she predicted that journalism would disappear in the near future. You know, it already has in Russia. So maybe she thinks that's going to spread.

Um, unfortunately, she may be right, we'll see. Um, a recent posting, and this is important for all of our listeners, unlike that first one that was just a little bit of junk food, uh, a recent posting to the Zero Patch blog regarding next year's end of Windows 10 security updates contained a bunch of interesting related news. This included what Microsoft plans to charge end users who would rather remain on Windows 10 come next October. Um, or it may not be a matter of rather remain; they may have no choice, due to what we know are Microsoft's arbitrary minimal system requirement policies for moving to Windows 11.

So here's what the folks at Zero Patch recently wrote. Um, their blog post headline was Long Live Windows 10 with Zero Patch, and their subhead was End of Windows 10 Support Looming. Don't Worry, Zero Patch Will Keep You Secure for Years to Come.

So they wrote: October 2025 will be a bad month for many Windows users. That's when Windows 10 will receive its last free security update from Microsoft.

And the only free, they have air quotes, way to keep Windows being used securely will be to upgrade to Windows 11. Many of us don't want to, or simply can't, upgrade to Windows 11, they wrote.

We don't want to because we got used to the Windows 10 user interface and we have no desire to search for some button where it's been moved, and why the app that we were using every day is no longer there, while the system we have is already doing everything we need. We don't want to because of increasing, and this is their word in the posting, enshittification, including bloatware, Start menu ads and serious privacy issues. We don't want to have an automated, integrated screenshot and keylogging feature constantly recording our activity on the computer.

We may have applications that don't work on Windows 11. We may have medical devices, manufacturing devices, point-of-sale terminals, special-purpose devices, ATMs that run on Windows 10 and cannot be easily upgraded. And finally, our hardware may not qualify for an upgrade to Windows 11.

Um, Canalys estimates that 240 million computers worldwide, 240 million computers worldwide, are incompatible with Windows 11 hardware requirements, lacking Trusted Platform Module, you know, TPM version 2, a supported CPU, 4 gigs of RAM, UEFI firmware with Secure Boot capability, or a supported GPU. So what's gonna happen in October 2025? Nothing spectacular, really, they say. Windows 10 computers will receive their last free updates and will, without some additional activity, start a slow decline into an increasingly vulnerable state as new vulnerabilities are discovered, published and exploited that remain indefinitely present on these computers. The risk of compromise will slowly grow over time, and the amount of luck required to remain unharmed will grow accordingly. The same thing happened, they said, to Windows 7 in January 2020.

Today, a Windows 7 machine last updated in 2020 with no additional security patches would be really easy to compromise, as over seventy publicly known critical vulnerabilities affecting Windows 7 have been discovered since. Leaving a Windows 10 computer unpatched after October 2025 will likely open it up to the first critical vulnerability within the first month, and to more and more in the following months. If you plan to do this, at least make sure to make the computer difficult to access, physically and via the network, for everyone else. There are two options to keep Windows 10 running securely.

Option one, Microsoft's Extended Security Updates. They wrote, if you qualify, Microsoft will happily sell you Extended Security Updates, which means another year, or two, or even three of security fixes for Windows 10, just like they've done before with Windows 7, Server 2008 and Server 2012. Extended Security Updates will be available to consumers for one year only, until October 2026, for the price of 30 dollars. Educational organizations will have it cheap, just 7 dollars for three years, while commercial organizations are looking at spending some serious money: 61 dollars for the first year, 122, that is to say, twice that, for the second year, and 244, doubling again, for the third year of security updates, totaling 427 dollars for every Windows 10 computer across three years. That's, you know, for the enterprise. In other words, to interject here for just a moment, the cost to have Microsoft repair the mistakes that it has previously made in the design and operation of their own Windows software will double for their enterprise users every year, but not for end users, who could apparently, maybe, it's not clear to me, maybe just pay for one year for 30 dollars, and then that's supposed...

...to be...

...enough of a, you're pushed off Windows 10. So they continue. Zero Patch says, opting for Extended Security Updates will keep you on the familiar monthly update and reboot cycle. And if you have 10,000 computers in your enterprise network, it will only cost 4 million dollars. They said, if only there was a way to get more for less. Oh wait, there is. Option two: Zero Patch. With October 2025, Zero Patch...

...will security adopt, their phrase, Windows 10 version 22H2, the final release of Windows, and provide critical security patches for it for at least five more years, longer if there is demand in the market. They wrote, we're the only provider of unofficial security patches for Windows, and we've done this many times before. After security adopting Windows 7 and Windows Server 2008 in January 2020, we successfully took care of six versions of Windows 10 as their official support ended.

Security adopted Windows 11 version 21H2 to keep users who got stuck there secure, took care of Windows Server 2012 in October 2023, and adopted two popular Office versions, 2010 and 2013, when they were abandoned by Microsoft. We're still providing security patches for all of these. With Zero Patch, you will be receiving security micropatches for critical, likely-to-be-exploited vulnerabilities that get discovered after October 14th, 2025.

These patches will be really small, typically just a couple of CPU instructions, hence the name, and will be applied to running processes in memory without modifying a single byte of original Microsoft binary files. There will be no rebooting the computer after a patch is downloaded, because applying the patch in memory is done by briefly pausing the application, patching it, and then allowing it to resume. Users won't even notice that their computer was patched while they were writing a document, in the same way that servers protected by Zero Patch get patched without any downtime at all.

And just as quickly and easily, our micropatches can be unapplied if they're suspected of causing a problem. Again, no rebooting or application relaunching. Zero Patch brings zero-day, won't-fix and non-Microsoft security patches. With Zero Patch, you won't only get patches for known vulnerabilities that are getting patched on still-supported Windows versions. You will also get zero-day patches, which are, they explain, patches for vulnerabilities that have become known and are possibly already exploited, but for which no official vendor, that is to say, Microsoft, patches are available yet.

We've fixed many such zero days in the past, for example, Follina, 13 days before Microsoft; DogWalk, 63 days before Microsoft; Microsoft Access forced authentication, 66 days before Microsoft; and Event Log Crasher, more than 100 days before Microsoft. On average, our zero-day patches become available 49 days before official vendor patches for the same vulnerability become available. Then there's won't-fix patches: patches for vulnerabilities that the vendor, being Microsoft, has decided not to fix for some reason.

The majority of these patches currently fall into the NTLM, you know, NT LAN Manager, coerced authentication category. The NT LAN Manager protocol is more prone to abuse than Kerberos, and Microsoft has decided that any security issues related to NTLM should be fixed by organizations abandoning their use of NTLM. Microsoft therefore doesn't patch these types of vulnerabilities, but many Windows networks can't just give up on NTLM for various reasons, and our won't-fix patches are there to prevent known attacks in this category at this time.

Our won't-fix patches are available for the following known NTLM coerced authentication vulnerabilities: DFSCoerce, PrinterBug/SpoolSample and PetitPotam. And finally, non-Microsoft patches. They wrote, while most of our patches are for Microsoft code, occasionally a vulnerability in a non-Microsoft product also needs to be patched when some vulnerable version is widely used or the vendor doesn't produce a patch in a timely manner.

Patched products include the Java runtime, Adobe Reader, Foxit Reader, 7-Zip, WinRAR, Zoom for Windows, Dropbox app and Nitro PDF. So you're probably reading this article because you're interested in keeping Windows 10 secure. You should know that these patches are also available for the supported versions of Windows, such as 11 and Windows Server 2022, and we keep adding them as needed.

Currently, about forty percent of our customers are using Zero Patch on supported Windows versions as an additional layer of defense or for preventing known NT LAN Manager attacks that Microsoft doesn't have patches for. So what about the cost? Our Windows 10 patches will be included in two paid plans: Zero Patch Pro, suitable for small businesses and individuals, management on the computer only, single admin account, currently priced at 24.95 euros plus tax per computer for a yearly subscription.

Zero Patch Enterprise, suitable for medium and large organizations, includes central management, multiple users and roles, computer groups and group-based patching policies, single sign-on, et cetera, currently priced at 34.95 euros plus tax per computer for a yearly subscription. They write, and they conclude, the prices may be adjusted in the future, but if and when that happens, anyone having an active subscription at current prices will be able to keep these prices on existing subscriptions for two more years.

Okay. So this was obviously a sales pitch, but that doesn't make it any less true or relevant. We know from our many years of covering Zero Patch that these guys are the real deal and that they really do present a viable alternative to Microsoft's doubling-every-year extortion for the enterprise.

So in this instance, I don't mind this sales pitch because it's easy to endorse what they're selling. Microsoft has clearly made a strategic gamble to deliberately abandon its users to its buggy and vulnerability-ridden software as a clear means of scaring them into migrating to a fully supported operating system that most users would rather avoid, even when what that really means is that there will still be a constant flow of new vulnerabilities always being introduced to this new operating system while older problems are still being resolved.

And let's not even get started on the fact that Microsoft Recall is an issue for Windows 11 users. So considering that remaining on a platform that works and that you love, into which Microsoft will no longer be continually introducing new vulnerabilities and which will nevertheless continue receiving updates for any newly discovered critical security vulnerabilities, this is the niche Zero Patch has decided to fill. And I think that for just 25 euros per year, which at the moment is around 27 US dollars per year, extending the security coverage of that beloved platform for a minimum of another five years starting in October 2025 makes a great deal of sense.

And to top it all off, their on-the-fly RAM-based code patching system is significantly more user friendly than Microsoft's nagging reboot-and-wait system. Windows 10 users still have a year to go before that final Windows 10 (2022) version 22H2 will need either third-party or extended Microsoft update help. This podcast will be somewhere around episode 1045 at that point. And among other things, we should know a lot more about Recall by then. So anyway, I just wanted to let everybody... Yes, I have some...

questions. So first of all, how zero patch ched IT sounds like is patching in memory on the drive.

Yes, you can patch on the drive because that would break the signature of the files, right? And so they would never load.

So you have something running all the time that the zero patch tool that just loads in patches as needed.

Yes, there's there's a zero patch agent OK, which is small and runs. And what we've talked about this in the past, the patches are literally twenty three bites. I mean, they're like there there a few instructions where they just fix the problem. no.

So all of the patches are their own? How do they get... So Microsoft is releasing security patches, and 0patch is duplicating those patches? Do they reverse

engineer them? How do they know? Just like the bad guys do. In the same way that the bad guys do a delta on the

pre and post patch code?

Yeah, you just find the thing that Microsoft changed. And so they, like, just... What

it is, it... Yeah, okay. That's an interesting business, actually. I

think it's a great business. And I mean, they've been around for a long time. If you search GRC transcripts for

We've been talking about it for three years.

Yes, for 0patch, because they often jump in before Microsoft has an update, and they don't charge you anything for an update which is not yet officially patched. So where they're filling it, I mean, just as a public service, where they're filling an emergency need that Microsoft has not filled for something being exploited in the wild, you can get that from them for free. I mean, they're like Cloudflare in just having this feeling of being really good people.

Well, they are not gonna sell it down the road, which is good. That's fine.

Twenty-four euros for a year of protection. Many people would rather do that than be forced to use Windows 11.

Are you running it, and have you run it?

No, no, because I don't believe any of this nonsense about you can't run old versions of Windows. I'm running Windows, I'm just fine.

Those seventy vulnerabilities don't bother you?

No, I just don't go to bad places. No, my site doesn't have any. And I've got up-to-date browsers. Browsers are the big vector, the web, that's where the stuff gets in. And oh boy, Leo, wait till you see one of the ways, a new way that people are being... Let's take a break.

And then we're going to talk about what happens, a case in point of good extensions going bad in Chrome. Okay, I recommend 0patch. I think everybody who's listening should take a look at it. If the idea appeals to them, I don't see a downside.

And I mean, it keeps you running for as long as your apps continue to be secure. I mean, ultimately, that's what breaks it, is the browsers no longer supporting Windows 10 or something like that?

Right? Yeah.

Very interesting. All right. Let's talk about our sponsor for the hour, a name you, I'm sure, are very familiar with: 1Password.

You remember that we used to do an ad for a company called Kolide, with a K. I really liked it. 1Password acquired them. And they've used Kolide in conjunction with their own technology to create something they call 1Password Extended Access Management, and it is a very clever idea.

Let me ask you a question I think I know the answer to. If you're in an IT department, or in your business, or in security, do your end users always work on company-owned devices and IT-approved apps? Of course they do, right? They never bring their own phone or laptop in.

They never run an out-of-date operating system, browser, or server on your company's network, right? Of course they do. So in that world of BYOD, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices? 1Password has figured out a very clever solution: Extended Access Management.

It's more than a password manager. 1Password Extended Access Management helps to secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM tools cannot touch. Imagine your company's security like the quad of a college campus.

You've got nice brick paths leading between the perfect green lawns, from ivy-covered building to ivy-covered building. Those are the company-owned devices, the IT-approved apps, the managed employee identities. It's all perfect.

But as with every college, quite frankly, there are then the paths people actually use, the muddy ones. Those shortcuts worn through the grass that are actually the straightest line from building A to building B. You've got that on your network.

Those unmanaged devices, right? The shadow IT, the non-employee identities like contractors. People bring in their own tools because they work better, right? They're the shortcuts. But the problem is, most of the security tools only work on the happy brick path, and most of the security problems take place in the little muddy shortcuts.

That's why you need 1Password Extended Access Management, the first security solution that takes all those unmanaged devices and apps and identities and puts them under your control. It assures that every user credential is strong and protected, but then it goes an extra step, making sure that every device is known and healthy and every app is visible. It's security for the way we really work today, not the fancied,

perfect way that some security companies want it to be. It gets down there on those muddy paths. Now it's generally available to companies that use Okta or Microsoft Entra for identity.

They are in beta for Google Workspace customers, and it's a great way to up your security. Check it out at 1password.com/securitynow, the number one, password dot com slash security now. I know everyone knows and trusts 1Password. I think you'll be very interested in what they've done with this really cool product, 1Password Extended Access Management. Find out more at 1password.com/security

now. We thank them for their support. You support Steve and his good work, too, by using that address, and let them know you saw it here: 1password.com/securitynow.

Steve, back to you. So we have another example of a popular Google Chrome extension with more than one hundred thousand daily users suddenly becoming malicious. The extension, known as Hide YouTube Shorts, has been found to be performing affiliate fraud, collecting and transmitting the browsing history of every one of its users.

Hiding YouTube Shorts.

Hide YouTube Shorts. YouTube Shorts, right? Okay. And apparently that's a thing. Anyway, how about that. So security researchers say that the extension appears to have turned malicious, not surprisingly, we talk about this a lot, after it was transferred to a new developer. I went over to the Google Play store to check that out.

Now it's unclear to me why someone would want or need to hide YouTube Shorts, but it's clearly a thing, since there were many other similar extensions listed as alternatives whose names similarly suggest that they do that also. But in any event, in response to questions, the extension's new owner defends the overreach of the extension's privileges by saying that in the future, there might be the need for more latitude. The brief write-up from the researcher who took the time to dig into this was interesting.

He wrote: What initially piqued my suspicions were the strange search suggestions on YouTube, completely unrelated and disconnected from the context of my searches, sometimes in foreign languages. However, after analyzing the traffic in the browser tab and developer console, I didn't notice any suspicious activity. It was only after I started debugging the extension that I noted suspicious network activity and requests being sent to an unknown external service containing the addresses of all visited sites and a unique identifier.

The extension does what it says it will do, but in the background, it collects and sends information about all visited pages to an external server hosted on AWS. The information that the extension collects and sends includes a unique user identification number, installation number, authorization token, language, timestamp, and full URL with path and arguments and parameters, which allows reading the information in the address bar, including, for example, search history and search terms. Some users in the reviews on the extension page in the Chrome Web Store also indicated the possibility of redirecting, that is, being redirected, to phishing pages due to the malicious nature of this extension. I do not know what other information it could have collected before, but due to the wide permissions of the browser extension, it should be assumed that it could also read information transmitted in forms, including credentials, logins, passwords, personal and sensitive data.

Such data can be used for a wide range of attacks. Yeah. So anyone who has used such an extension should assume that all data viewed and transmitted via the browser has been compromised and take immediate precautionary measures.

And again, one hundred thousand users per day. The extension was originally developed, he wrote, by a single developer who maintained the source code on GitHub. However, the GitHub repository was archived on September 12, 2022... I'm sorry, 2023. And the plugin was acquired, or maybe sold, to another developer, he said. I have not analyzed everything to the extent I would like, especially earlier versions, to find out when the malicious change was made.

Although it seems that the first developer, for some reason, decided to use the all-pages reading model. When the extension was just entering the Google web store, he wrote, I analyzed its behavior and did not see similar problems with it. So indeed, this did happen downstream at some point. He finishes: I have no doubt about the intentional nature of the current developer's actions, and his responses to comments about the extension's permissions being too broad clearly demonstrate his intent.

So once again, the caution would be, you know, my takeaway from this would be to attempt to minimize the use of browser extensions. We know that, by far, for the most part, extension developers are well-meaning and entirely above board. But we also have incontrovertible evidence that there are also malicious actors swimming these waters. Without the ability to fully analyze and vet every extension,

it becomes a numbers game where, statistically, the greater the number of extensions being used, the greater the chance that one of them might be malicious. And I just haven't had any time to dig into uBlock Origin further. But I've got this nagging sense that, for example, if you wanted to block YouTube Shorts, the uBlock Origin extension would just do that by using the dropper and clicking on, like, something in YouTube Shorts, and they would just go away, because I've had anecdotal reports of that in feedback from our listeners.

So you probably don't even need more special-purpose extensions. You probably just need to better utilize uBlock Origin. At some point, I'm going to make time

to do that. It's a CSS div, probably, that you could, if you knew the name of that,

you could just block it automatically. Exactly that. Yeah, yes. And in fact, that little dropper thing finds

that for you, the div.

Yes, exactly. And just does that and creates a rule. Yeah, so anyway, the fewer the better when it comes to extensions. Okay, this is one... Oh boy.

We all know the trouble Windows has had over and over and over with something as simple as .LNK link files. I mean, you were covering these before the Security Now podcast, on your weekend show. Anything you double

click that does something is always risky, right?

Uh, so the exploits of those have been epic, and we've lost count of the number of times they've been fixed, in air quotes, only to rear up again. You know, some design concepts are just bad and are notoriously prone to abuse. And Leo, you just summed that up.

Anything you can double-click, that's a problem. So that's what I was put in mind of when I read, yeah, that it is possible for a Windows .RDP file to reconfigure and launch a remote desktop session.

It's like Microsoft never learned anything from the past. And as we know, those who do not learn from the past are destined to repeat it. Okay, so the generic tech press reporting on this just said Microsoft says that a notorious Russian cyber espionage group is using a clever, okay, clever new technique to compromise victims and deploy malware on their systems.

The technique involves sending malicious RDP configuration files to victims via email. If executed, the files connect a victim's PC to a remote RDP server. The connection allows the Russian group to steal data and deploy malware onto the

compromised device. But it's

convenient. Microsoft has attributed the operation to Midnight Blizzard. Remember, they're the people who got their email. Also, they don't like the Midnight Blizzard people. No. A cyber unit inside Russia's SVR, foreign intelligence service.

The group has used the new technique since October 22nd and has targeted individuals in government, academia, defense, and NGOs across the U.S. and Europe.

This is the same campaign that was also spotted by AWS and CERT-UA. Okay. Now, since the inherent insecurity of this entire design was just too much to believe, I went to the source, where Microsoft themselves explain.

They said: On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over one hundred organizations. These emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services, and the concept of Zero Trust. The emails contained a Remote Desktop Protocol (RDP) configuration file signed with a Let's Encrypt certificate.

Because you get those for free. Yeah. RDP configuration, you know, those RDP files, they wrote, summarize automatic settings and resource mappings that are established when a successful connection to an RDP server occurs.

Imagine that. Let's make that easy. Let's make it one click. These configurations extend features and resources of the local system to a remote server controlled by the actor, where we insert: what could possibly go wrong?

That's just my

cue. Okay. We'll have a few more by the time we're done. Good. In this campaign, the malicious .rdp attachment contained several sensitive settings that would lead to, like, let's map the C drive, that would lead to significant information exposure once the target system was compromised.

It connected to the actor-controlled server. And by the way, where they say "was compromised," they're being quite kind by that. They mean when the user received the email containing the .RDP extension and clicked it. That now qualifies as you've just compromised your computer, baby, because it was a file that your email wasn't trained to block.

Notice that you can't send EXEs in email anymore. Those die, I mean, those die an immediate death. If you try to email somebody an EXE, there's no hope. But RDP, yeah.

I'd submit that your computer was compromised the minute you enabled RDP. That's...

Well, it's enabled by default, and that's another one of those, here we go, what could possibly go wrong?

I missed that one.

Okay. So they say once the target system was compromised, meaning the user clicked on something in email, which is all it takes to compromise Windows these days,

it connected to the actor-controlled server and bidirectionally mapped, this is Microsoft, and bidirectionally mapped the targeted user's local device's resources, meaning hard drives, to the server. Bidirectionally mapped means not only read, but write, right? Resources sent to the server may include, but are not limited to, this is Microsoft saying this: all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards. Basically, you've just given them access to your entire system.

Yeah. They, Microsoft, wrote: This access could enable the threat actor... Okay, the only way it wouldn't is if they were literally asleep when this mapping occurred.

Otherwise, oh, uh, could enable the threat actor to install malware on the target's local drives. Actually it's probably automated, and so they can be asleep, but it'll happen in their sleep. And mapped network shares, particularly in AutoStart folders.

Oh, so they have those too. Or install additional tools such as remote access trojans to maintain access when the RDP session is closed. The process of establishing an RDP connection to the actor-controlled system may also expose the credentials of the user signed in to the target system.

This again, Microsoft writing: When the target user opened the RDP attachment, an RDP connection was established to an actor-controlled system. The configuration of the RDP connection then allowed the actor-controlled system to discover and use information about the target system, including files, directories, connected network drives, connected peripherals, including smart cards, printers, and microphones. Web authentication using Windows Hello, right, protected by Recall, don't worry, you're safe, right? Windows Hello, not safe. Passkeys or security keys, clipboard data, point of service, also known as point of sale or POS devices.

And they go on and on and on in their blog posting. Microsoft goes into detail about the attacks and provides pages and pages of IOCs, indicators of compromise. Under their mitigation section, they have pages of things that can be done to keep this from happening.

I have an idea. How about never building this inherently, incredibly dangerous and abuse-prone facility into Windows in the first place, which is, I think, the first thing you suggested on here. And, yeah, if it's not there, there's nothing to abuse. Seriously, is it necessary to have an RDP file type that causes a machine to configure itself to a maximally insecure state and connect to a previously unknown remote server? I use RDP.

It's like remote support.

Right? I use RDP extensively. And yes, RDP saves its connection profile settings into individual RDP files, and that can be useful. But when those files are given the capability to initiate a connection on their own, this becomes an extremely dangerous design pattern.

If they're going to exist at all, such files should be tightly bound to the machine that created them, not something that can be received in the mail and then clicked on by an unwitting user. Microsoft loves storing things in the registry, so RDP settings for the local machine could be retained there instead of in individual RDP files. And then this problem would not exist.

Handy as it inarguably is, there's just no safe way to send somebody, anybody, a file that, when executed, causes their machine to connect to any foreign, unknown machine with all of its local resources shared. There just isn't.

There's no safe way to do that. You know, at the very least, this facility should be firmly disabled by default for everyone. Yeah. And then only those few people who actually need to do this should then be forced to jump through some hoops to enable it on their machine only, and even then, possibly only for some self-limited time.

And if that were the case, Russia would have never bothered to create this, because it would be off for 99.99999 percent of the people in the world. I hope everyone knows to never click on anything received in an email, even if it appears to have been sent from someone you know and trust. We can now add another to the ever-growing list of email-based exploits. Email attachments are too useful to ban outright. And unfortunately, clever bad guys keep finding new ways to abuse this useful capability.

But man, RDP is so powerful. Now, I don't allow port 139 on my router, and most people probably don't. But I guess because it's an outbound request...

Your firewall wasn't gonna stop it. And it runs on 6800, or, it runs on a high port number, okay, as I recall. Also, but

doesn't matter, because you're outgoing,

saying, but... Come on, you can bet that Russia has their port listening for anybody to connect. And Leo, this started on October 22nd, meaning that thousands of emails went out to hundreds of companies, highly targeted, looking legitimate. People clicked on them and they got themselves immediately compromised. That's how bad guys then get a foothold inside an enterprise. And talk about a foothold.

I mean, this thing, this is a full-body hold. Yeah, you own it. Yes. Well, and speaking of owning it, Leo, let's give our listeners a chance to own something, and then we will continue.

You're not anxious to get to something else? I have

the TV on here, Steve.

You're not missing anything. That's not fair.

The polls are closing

on the East Coast, and this is the fastest-paced show we've ever done. Okay. Keep up.

Okay. We will have some more great stuff coming from Steve. As always, Steve is amazing with the quality of the information you get here.

And we thank our sponsors for making it possible, like BigID. You know about BigID. I've talked about them before. They are the leading data security posture management solution, DSPM.

Have you heard of that? It's the only DSPM solution that can uncover dark data. They can identify and manage risk, remediate the way you want, and scale your data security strategy through unmatched data source coverage.

BigID seamlessly integrates with your existing tech stack, which is nice because you can then use it to coordinate security and remediation workflows, take action on data risks, all the actions you know: delete, quarantine, and more, based on the data. And of course, it maintains an audit trail, so every action is recorded.

The partners that it works with are, I want to say, everybody. But I'll mention a few: ServiceNow, Palo Alto Networks, Microsoft, Google, AWS, and on and on. With BigID's advanced AI models, you can reduce risk, accelerate time to insight, and gain visibility and control over all your data. BigID is so good at finding this dark data that they equipped an organization that probably has more data and more little hidey-holes than any other.

The United States Army. The U.S. Army used BigID to find that dark data, to accelerate cloud migration, to minimize redundancy, and to automate data retention.

Listen to the quote. This is from U.S. Army Training and Doctrine Command. This amazing quote: The first wow moment with BigID came from just being able to have that single interface that inventories a variety of data holdings. Now remember, this is the Army.

Think of what kinds of data. I mean, they said, including structured and unstructured data across emails, zip files, SharePoint, databases, and more. To see that mass and to be able to correlate across those is completely novel. Again, quoting the U.

S. Army Training and Doctrine Command: I've never seen a capability that brings us together like BigID does. That's a pretty nice endorsement.

When they told me that, I said, can I please read that? Because if the Army says that and is willing for you to hear that, that's a pretty big endorsement. CNBC recognized BigID as

one of the top twenty-five startups for the enterprise. They were named to the Inc. 5000 and the Deloitte 100 two years in a row. They are the leading modern data security vendor in the market today. All right, I have to give you one more.

This is from the publisher of Cyber Defense Magazine, quote: BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution, and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. That's BigID. Start protecting your sensitive data wherever your data lives at bigid.com/securitynow. And by the way, the Army and CNBC and all the rest just scratch the surface.

Go to the website. You will see all of the accolades, all of the people who give BigID a thumbs up, all the references. It's pretty darn impressive. bigid.com/security

now. You can also, while you're there, get a free demo and see how BigID can help your organization reduce data risk. And by the way, finding all that data, knowing what that data is and where it is, is part of the process of accelerating the adoption of generative AI, right? Because you don't...

I mean, I think about the Army. There's stuff there that's top secret, right? You don't want that put in the AI. So being able to see it all, know where it all is, and control it, that is so important. bigid.com, bigid.com/securitynow.

And speaking of AI, there's a new... They have lots of reports, lots of white papers, but I know there's one that will give you insights and key trends on AI adoption challenges and the overall impact of GenAI across organizations. Find out all about that at bigid.com/securitynow. Thank you, BigID. Thank you very much for the job you do.

Thanks. I guess I should say thank you for your service, and thank you for supporting Security Now. We really appreciate that. bigid.com/securitynow. Steve.

Okay, we've got a new Firefox. We're now at 132. Uh, it adds some new features and security fixes.

The biggest new feature in 132 is support for a post-quantum key exchange mechanism under TLS 1.3. And they also block favicons if they are loaded via HTTP.

Um, back when we were looking at Firefox's third-party cookie handling, there was a great deal of confusion, since Firefox's UI, we were talking about it at the time on the podcast, Firefox's UI and its actual demonstrated behavior,

the demonstrated behavior, appeared to be at odds with one another. So among the improvements that we've got in 132, I was pleased to see the sentence, quote: Firefox now blocks third-party cookie access when Enhanced Tracking Protection's strict mode is enabled.

So that's what everyone thought it was doing, but we saw that it wasn't. It is now. So, as we suspected, you know, GRC's cookie forensics system showed what was happening, and that's been fixed in Firefox 132, which everybody probably has. Um, as I mentioned at the top of the show, under the sad but understandable category of we don't trust camera-equipped black boxes made in China. We have the news... really, yeah, okay. We have the news that, you know, we talked about DJI drones as one example of camera-equipped black boxes.

We have the news that the U.K. government now says that over fifty percent of all Chinese-made security cameras have been removed from sensitive sites such as government buildings and military bases.

The government says it expects removal to be completed by April of next year, 2025, despite the fact that the removal was initially ordered well back in November of 2022, as we covered at the time. And I was thinking, wow, you know, it took them until now to get rid of half of them. But then I thought, okay, there's probably a long procurement cycle for such things.

So it took some time to get the replacement cameras in the pipeline. And as we know, U.K. officials ordered all sensitive sites in the U.

K. to remove all Chinese-made cameras, citing national security concerns, because anything is possible. And basically that's it, right? No evidence, but anything is possible. So yeah, I think, certainly, for sensitive installations that makes sense.

I'm not sure I would

announce we've removed half of them. Yeah, yeah. Go use the other half.

Good news! Half of them

are gone, right? Okay. Now, Leo, okay. And I know that our listeners are savvy. Yeah. I was first tempted to call this the there's-a-sucker-born-every-minute attack, in honor of P.T. Barnum. But upon further reflection, I think that would be too harsh, because this is actually a rather clever and horrific form. I think I

would fall for this. I hate to say

it, but I can see people, like I know lots of people who would. Definitely a very clever form of social engineering attack. And I think it might ensnare many non-suckers. So it's not the sucker born every minute. It's that, you know, maybe it's a little more than do-you-have-a-pulse, but still not much. Okay. It

leverages the fact, the true fact, that most people who are using the Internet and PCs today have never really been, and probably never will be, completely certain or confident about how any of this magical hocus-pocus stuff works. Mostly, right? They just follow the instructions and do what's asked of them and hope for the best.

And that's why I can understand why this new and rather blindingly obvious-to-techies exploit is actually succeeding out in the wild. And it's horrifying to contemplate. Okay, it begins with a fake CAPTCHA pop-up, which we're all inured to now. So you know, it starts, you get something you expect to see, right? Like, okay, I'm going to have to prove that I'm not a robot,

even this reCAPTCHA, which is legit.

Right? Right? So in this case, someone... In this case it was used where somebody wishes to watch a video.

They need to click on the CAPTCHA button to start authenticating that they are human. Okay? But this click that the user makes actually runs, is created by, JavaScript.

And it runs a bit of JavaScript, which places a dangerous PowerShell executable string onto their Windows clipboard. And oh my God, JavaScript is able to read and write the clipboard. So when you click on this, it puts this PowerShell script onto your clipboard, and it uses an encrypted command tail.

The PowerShell will decrypt it. So it just looks like gobbledygook, like, okay, whatever, okay. After pasting this trojan-invoking PowerShell script onto their clipboard, it then displays the remaining instructions they must follow to ostensibly prove their humanity. Okay? Well, they're definitely about to prove their humanity, but not in the way that they intend. Get this. The pop-up reads: Verification steps. Press Windows button, and then that shows you that little Windows, you know, four-window-pane icon, plus R. I wouldn't

fall for this part.

I know. Again, okay, but we know people who would, right?

Because most people don't know what

Windows-R and Control... have any clue what any of this is about. Right. Now, step number two, press Control-V. Step number three, press Enter.

Step number four, what could possibly...

So Windows-R brings up the Windows Run dialog with its, you know, what-would-you-like-me-to-run field highlighted. Control-V pastes this horrendous PowerShell.exe command from the system clipboard into that Run field, so that the Run field now contains the executable PowerShell script to download, install, and run trojan malware on their computer.

And then this all culminates when they follow the final instruction of pressing Enter to, as Picard would say, make it so. Uh, again, as I observed, none of us would do this. But again, most people don't know what any of this is. So they're just following the steps because they want to see the video, you know, they want the carrot. And so, wow.

Fortunately, Windows-R does nothing on a Mac. So I'm safe.

You're safe. Oh, you're in the minority.

The minority's growing, though, and it's because of things like this, I'm convinced. But okay.

Wow. Ah, yeah. So anyway, I don't know what to tell our listeners. I know none of our listeners would fall for this, but I know they know people who would, you know. Wow.

It's bad enough to be forced to click things, like forced to click things in your browser when it could be a spoofed window. Our browsers are designed to try to minimize the damage, but it's possible for JavaScript to put something on our clipboard. And then these instructions basically say, oh, thank you.

Here's what we want you to do now, and it involves getting that thing to run, which those keystrokes will do. Wow. Okay. Um. I said last week that I wanted to announce, uh, the next thing, the next big thing I'm working on. Oh boy. I recently finished the work on GRC's email system, and actually I have a caveat to that now, as I said, because it turns out that Outlook is doing link following to protect people from malicious links, and in the process unsubscribing people from their, uh, the mailing list. So I'll fix that the next day. Um, and then it's on to what comes next. Also, uh, oh, and I forgot to mention last week, one of the email system's originally missing features was the capability to allow its users to easily update and migrate their email addresses at any time they may want to.

My original thought was that since an email account didn't have anything other than zero, one, or two subscriptions associated with it, anyone could simply delete their old account under their old email and then create another one under their new email, so there was not really a need to explicitly rename their existing account. But after I saw very high spam complaint rates when initially mailing to SpinRite owners from twenty years ago, who were like, what is this?, I migrated SpinRite purchase data into the email system, which allowed me to send email which opened with the line, "Back in 2005, someone named Josh Mou at this email address purchased SpinRite." And as I imagined at the time, that had a profound effect upon the spam complaint rates. Suddenly everyone was like, oh yeah, I remember that. Anyway, now the email system is able to handle updates.

The email system knows about SpinRite owners. So there is more actual data contained in an account, and I'd like to keep it there. So I've added a simple rename field to the email management page, which any of our listeners will see next time they go there.

Like to resubscribe to the Security Now podcast, which they were just mistakenly unsubscribed from. So I wanted to let everyone know that since I last visited the email management page, editing has been added. Once that was done, I was able to address the final remaining loose end of the SpinRite 6.1 documentation offering, which was to create a video walkthrough demonstration showing SpinRite in action. Since booting DOS and using a textual user interface is becoming increasingly foreign, I wanted a way to allow someone who might be considering whether to purchase SpinRite to get a quick and clear sense for what that looks like when it is running. So that now exists.

I posted it on my YouTube channel. I posted it over on GRC. So it's hard not to find it. And if anyone is curious, there you go.

And that brings me to the announcement. As I mentioned last week a number of times, GRC's number one, by far, I mean far, 9.3 million downloads so far, most popular software of all time is the DNS Benchmark. I have been astounded by its popularity.

When I was putting the show notes together, I guess it was Sunday, it had been downloaded 9,313,642 times, at around 1,600 downloads per day. The benchmark pages have a page that solicits feedback, and I am constantly receiving requests for new features. Mostly people are wondering how the speed of encrypted, privacy-protecting DNS using encryption, DoH, DoT, or DNSCrypt, compares with regular plaintext DNS. Is it slower? Is it faster? What?

And despite the glacial progress of IPv6, as we talked about last week, many people are requesting that I add support for IPv6 to the benchmark. And actually I think that makes sense, because when IPv6 is available, our systems use it preferentially, so you may be using an IPv6 DNS server which the benchmark won't benchmark. Other great ideas have been to allow the benchmark to verify the domain filtering being done by services like NextDNS, and others have been wishing to avoid local domain name blackouts, where the DNS services they're using don't let them access sites they want to.

So the benchmark could be used to help them find local servers that would allow them to get access to those sites. So anyway, the other thing I hear more generally is that people would like to have a way of supporting my continuing work here, you know, on all things GRC: newsgroups, forums, ShieldsUP!, DNS spoofability tests, all the freeware that I write and am able to offer, and everything else. So I've decided that my next project, before I create Beyond Recall, for, you know, super fast, super secure data deletion, which will precede the development of SpinRite 7 for Windows,

will be to revisit the DNS Benchmark and to give you a major version 2.0 update. There will still and always be a free release available, like it is now. But I would like you to be able to support it, if I can, and I think I should be able to, based upon its observed popularity. So I plan to offer all those new features for $9.95 in a Plus edition, and also, for the real DNS pro guys, a Pro edition for $19.95, which will do a whole bunch more: run as a service, background logging, lots of long-term charting, and a bunch of other stuff. So, and that's...

That'll be available... well.

And that's my hope. Because it's an update to an existing product, it's not going to be a long time coming. Since I hate the model of subscription software with a passion, despite the fact that the rest of the world appears to be going that way,

the agreement I'll be making with the purchasers of the benchmark is that they only ever pay once, and they own it and its future, of that edition, forever, without ever any additional cost. So if it succeeds, as it might, it would create a revenue stream that would justify its ongoing improvement over time and continuing development, you know, as new DNS-related technologies arrive. So anyway, I will have a substantial new pair of, you know, an upgrade to the freeware.

That'll still be available. And then for people who want more, you know, for less than ten bucks, well, not much less, $9.95, you can get that and own it forever and its entire future. So that's my...

The $9.95, and then the next one up, because I know that everybody looking at that's gonna go, well, for ten bucks I can get Pro, but I want the super duper edition for twenty bucks, because...

Twenty bucks is... and actually I got that thought from John Dvorak, who, he and I talked, like, just sort of, yeah, he wrote to me, and then we ended up having a couple hour conversation because he wanted to know what email system I was using, because he was leaving MailChimp, whatever that thing is called. Anyway, and the point he made was, he said, you know, don't put a cap on what people can pay you, because they...

might want to pay more. Well, with my dad, good. All right.

Okay. So let's take our last break, and then we're going to talk about AI application in security vulnerability discovery. And I have an episode 999 sort of editorial to lead in on that. Okay, so good, good stuff.

The good news is 999 is not the last. Indeed, not next week, for episode 1000. Or are you going to do it in hex? I don't know what he's going to...

What would that be? I don't even know. Our show today brought to you by Melissa. I love this bunch.

I know they have been the trusted data quality expert since 1985, longer than we've been doing this show, that's for sure. With Melissa's debut in the Stripe App Marketplace, this is really cool.

Stripe customers now have access to the same data quality services leveraged by large global enterprises every day. Key features. And this is just one of many Melissa integrations.

But let's talk about the Stripe integration. Key features include address validation. The app validates global addresses at both the customer and invoice levels, that's all within Stripe, without leaving Stripe. Autocompletion capabilities reduce the number of keystrokes required and, of course, eliminate fumble-finger errors; only valid addresses enter the database, your database. User-friendly, you bet, of course, that is, users can easily configure the app with a few steps, with support for both customer account and invoice-level validation.

The app offers smooth management of API keys and subscriptions, facilitating transitions from free to paid services. And of course, it's Melissa, you get comprehensive support and quality assurance. Users have direct access to Melissa experts, ensuring high quality service and support. But this is amazing: enhancing operational efficiency, boosting customer satisfaction, and maintaining overall financial health. Those should be strategies for any forward-thinking business.

And if you're a business that relies on Stripe, you know, exceptional, and now you have an ever-expanding tool set at the ready with Melissa. Melissa is amazing. Melissa's services, by the way, understand compliance like no other. That's important, right?

You want to make sure that your data's safe. With Melissa, you get secure encryption for all file transfers and an information security ecosystem built on the ISO 27001 framework, adherence to GDPR policies, SOC 2 compliant. Of course they do it right.

Get started today with 1,000 records cleaned for free at melissa.com/twit. We love Melissa. We've been with them for a long time. We're glad to see they've come along in 2025 as well.

melissa.com/twit. Thank you, Melissa, for supporting Security Now, and thank you, Security Now listeners and viewers, for supporting us by going to that address and that address alone, so they know you heard it here: melissa.com/twit. Okay, Steve, vulnerabilities on the...

occasion of episode 999 of this Security Now podcast, I want to take a minute before we talk about something Google recently announced, where AI was used to discover an important vulnerability in a widely used piece of software.

To put AI into a broader context: by now I'm sure our listeners have correctly determined that I'm one of those in the camp who is overall quite bullish on AI. All of the evidence I've seen and witnessed firsthand informs me that we are indeed on the verge of something truly transformative. And I'm very glad I'm still, frankly, alive to watch this happen. Seriously. Now, my parents...

Very science fiction. Fun, isn't it?

And it's happening now. And my parents and a bunch of my close friends who would have been fascinated by this are no longer here to see this happen. And that's a shame, I think, because I believe this is going to be that big.

I believe AI is gonna be something that changes the entire world. Like most of those in the baby boomer generation, during my lifetime and my awareness, I've watched vacuum tubes give way to transistors, and transistors give way to many generations of integrated circuits. Digital memory moved from relays, and then to magnetic cores, to insanely dense electromagnetic and electrostatic storage.

Computers evolved from what was essentially an automated calculator, many times more expensive than people's homes at the time, to incredibly powerful devices that we now discard without a second thought. And the internet happened during the second half of baby boomers' lifetimes. We've had the privilege of watching this incredible global network interlink the computers we all now casually carry around in our pockets.

We are truly living through what was science fiction near the start of our lives. And now those of us who are still here are going to have the privilege of watching AI happen. Given everything I've already watched unfold during my nearly seventy years on this planet, and given what I've seen of it so far, I believe that AI's impact upon our lives is destined to be bigger than anything that has preceded it, more significant than everything that has come before.

For the longest time, the technologies that appeared to have the most impact were those that facilitated communication. The printing press changed the world. And that was followed by the telegraph, which was followed by radio and the telephone, which were similarly transformative. The reason the internet has changed everything again is that it, too, is about communication.

It could be argued that automotive transportation is also a form of communication. Communication has been so universally transformative because it's been about linking the thoughts and intentions of people. By comparison, I believe that AI is going to utterly eclipse the transformative power of communication, because it is the thoughts and intentions of people.

AI is the currency of people. And sure, it's easy for cynics and skeptics to find fault. There's always fault to find in the beginning of anything new, where big claims about the future are being made.

That's just the nature of new. New is the start of the journey, not the end. Personal computers were initially a joke, as were the first luggable laptops, but no one's laughing now.

Back at the start of Bitcoin, in the invention of crypto as a currency, there were many skeptics, but I sure wish I had not installed Windows over my fifty bitcoin. My point is, what AI is today is not what it is going to be tomorrow. It never is.

And I believe we're only at the start of what is going to be more significant than the invention of anything that has come before, because AI is, as I said, potentially the currency of people, and there's never been anything like that before. I'm glad we're all gonna be here to witness it together. Okay.

So what happened with AI and Google? Google has a long posting on their Project Zero blog, but The Hacker News assembled a very nice summary. That's what I want to share. Here's what they wrote. They said: Google said it discovered a zero-day vulnerability in the SQLite open source database engine using its large language model-assisted framework called Big Sleep, formerly Project Naptime.

The tech giant described the development as the, quote, "first real-world vulnerability" uncovered using the artificial intelligence agent. The Big Sleep team said in a blog post, quote, "We believe this is the first public example of an AI agent finding a previously unknown exploitable memory safety issue in widely used real-world software," unquote. The Hacker News said the vulnerability in question is a stack buffer overflow in SQLite, which occurs when a piece of software references a memory location prior to the beginning of the memory buffer, thereby resulting in a crash or arbitrary code execution. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of a valid memory location, or when a negative index is used. Following responsible disclosure,

the shortcoming was addressed in early October 2024. It's worth noting that the flaw was discovered in a development branch of the library, meaning it was flagged before it made it into an official release. And I'll also note that that means, you know, it was flagged,

it was a newly introduced bug that this thing immediately found. They said Project Naptime was first detailed by Google in June of 2024 as a technical framework to improve automated vulnerability discovery approaches. It has since developed into Big Sleep as part of a broader collaboration between Google Project Zero and Google DeepMind. With Big Sleep, the idea is to leverage an AI agent to simulate human behavior when identifying and demonstrating security vulnerabilities by taking advantage of a large language model's code comprehension and reasoning abilities.

This entails using a suite of specialized tools that allow the agent to navigate through the target codebase, run Python scripts in a sandboxed environment to generate inputs for fuzzing, debug the program, and observe results. Google said, quote, "We think that this work has tremendous defensive potential. Finding vulnerabilities in software before it's released means that there is no scope for attackers to compete:

the vulnerabilities are fixed before attackers have a chance to use them," unquote. And The Hacker News finishes: The company, however, also emphasized that these are still experimental results, adding, quote, "The position of the Big Sleep team is that at present, it's likely that a target-specific fuzzer would be at least as effective at finding vulnerabilities," unquote.

Okay. So while this may be just the first time AI has been deployed for this, my own intuition is screaming that AI-driven code verification and vulnerability detection is going to be huge. To me, it feels as though this is dead center in AI's bailiwick, and that it may be that AI is what finally comes to our rescue

in the seemingly never-ending and apparently intractable fight against both the continuous introduction of new vulnerabilities and the discovery and eradication of old ones. Microsoft must be hard at work figuring out how to use AI in this way. Imagine a day when Patch Tuesday is, sorry, nothing to fix here. No new known vulnerabilities have been found, reported, or known to be under exploitation.

Now you're just fantasizing.

That would be something. Yeah, yeah. And it really, to me, it's impossible for us to reach if we don't do something like this. Yes, with AI it does not seem that far-fetched. You know, it may be that today's large language model training style doesn't really apply for this. That's my feeling.

I don't think that's the way to attack this, but I'm not nearly close enough to AI to know. But I'm sure there are people who are. Of course, you know, this won't solve all of our problems, since there will always be people who are opening dangerous service ports to the internet, or following instructions in a believable-looking CAPTCHA telling them to just bend over, just happy place, even when their OS's

AI cautions them not to do that. So, you know, I'm not worried that AI is going to put this podcast out of business any time soon. As always, there are users, and users can always be counted on to do dumb things.

But I think that was Cornell, something like that, right? He was famous for saying that. But code, code is pure. That's why I love you.

So it's just combinatorial math and it's fully deterministic. So it really seems to me as though code verification would be a natural habitat for AI. And Lord knows we need it.

If I were a younger man, that might be where I might aim my own focus. And I'm serious about this. We often get listeners who are just starting out and who are looking for and asking for some direction.

So here's some: It feels to me as though AI could have incredible traction in the field of code behavior verification and software vulnerability discovery. And these days it's possible to borrow big compute resources from cloud providers, which makes basement or garage development not only possible but practical. And if such technology were created, it feels like the sort of thing that would be snapped up by any of the big tech giants in a heartbeat.

So think about that, if you're young and full of future and you're looking for something to sink your teeth into. I have no idea how you would do it, but I guarantee you that in a decade, and I'll still be here watching this stuff happening, I will guarantee you this is gonna change. AI, I think, is gonna be what solves our end-to-end encryption problem, as I said last week, because it's gonna give governments the warm and fuzzy that, you know, abuse of children can no longer get past the AI monitoring their device locally. And I think AI is gonna be the thing that solves our endless software vulnerability problems. It's a big problem. But you know what? Fun.

Hey, if it can do that, there's probably a lot of other things that it will be up to as well.

I think it's going to revolutionize medicine, Leo. It's gonna revolutionize drug discovery. I mean, it is going to change the world here.

And by the way, this is, I loved how you started, because I think this is exactly what you and I have watched. Many changes in our lifetime. We're hoping for one last big one, and this could be the big one. This could be the one that changes humanity and launches us into an entirely new realm.

I can't agree with you more, so I'm excited too. Steve Gibson is at grc.com. He's got a new product coming now. Time frame? You don't like to do that.

I can't guess. A couple months, probably. I'm hoping a couple

months. Put me down for one of those twenty dollar subscriptions. I would, because I'll be the first in line

to get it. I can't wait to find out how encrypted DNS compares. I have no idea.

Yeah, you'll have fun with this, or IPv6, or what OpenDNS or NextDNS is doing, things like that.

This will be really, yeah. And because the Pro version, so there's Plus at $9.95, and that has all the features except the Pro can run as a service, because it's all written in assembler. It's a couple of hundred K.

It's not this ridiculous hundreds

of megs sitting in your machine. But to be able to look at graphs and charts of long-term DNS server performance can be very cool.

It's gonna be very, very interesting. And that's what we hope for.

I forgot, built-in spoofability testing too. So you can check the spoofability of the servers without having to do it generally over at GRC. So nice. Yeah, lots of stuff, yeah.

I run a network analysis program in the background almost all the time to keep an eye on, you know, our bandwidth and so forth. And I think this will be equally useful running in the background. I definitely look forward to it.

Mr. G, you did it again. 999. Now, one last chance. This could be the last episode for all time. It's up to you.

The counter. Remember when we were young, the digital clocks people had, where they were tumblers? Yes. And I would just sit there and wait for it to get to, you know, well, the payoff was 9:59, right? Because you'd get to see all three going at once. Or in

your car when the odometer hit one hundred thousand miles, 99,999 to 100,000. That was exciting. But this is even more exciting.

Here we are, ladies and gentlemen, switching from 999 to 1000. And again, Steve, I need you to think of yourself as in the exit row. You could jump out that window, or you could continue on with the flight. You want to continue on with the flight?

Yeah.

Right. Yeah. Look forward to next week. Episode 1000, same bad time, same bad channel. We are every Tuesday right after MacBreak Weekly, trying to make it 1:30, but no later than 2 pm Pacific, that's 5 pm Eastern, 22:00 UTC. Stream live on eight platforms.

Now, count 'em, of course, our club members get Discord, which is wonderful. But on YouTube, now, I'm going to be careful with my fingers here because I did the wrong finger on Sunday. YouTube, Twitch, Facebook, LinkedIn, X.com, TikTok, and Kick.

Those are all the places you can watch us live. But you don't have to watch live. You can watch after the fact on the website, twit.tv/sn. We have audio and video.

Steve has several unique versions of the show. He's got, of course, the audio at grc.com, but he also has 16 kilobit audio, which is a small file; you give up a little quality, but it's a quick download. He also has transcripts written by Elaine Farris, not an AI. They're great, real, genuine transcripts that capture the flavor of the show.

And of course, his show notes, which really are fantastic. He does better show notes than anybody, any podcast out there. All of that at grc.com. While you're there, you have to remember, right now there's one way Steve makes money, and that's with SpinRite, the world's best mass storage performance, maintenance, and recovery utility.

If you've got mass storage, you need SpinRite. Go get it at grc.com. Currently version 6.1. There's lots of free stuff.

There's tools Steve gives away, lots of great valuable information, even software, like, as an example, ValiDrive, which tests the USB key you got on Amazon to make sure it really does hold all that data. By itself that would be worth the price of admission.

We are at twit.tv/sn. We also have a dedicated YouTube channel. Great way to share clips.

This is one show I know a lot of people listen to. They go to that QR code. I know my dad is gonna click that. Send that clip to him from the YouTube channel.

So because everybody can watch a YouTube video, and that'll bring it home to him, okay, things like that. And of course, the best way to get it: subscribe in your favorite podcast player, audio or video. You get it automatically as soon as we're done. In that way, you have a complete collection of all nine hundred episodes.

Security Now. Steve, have a great week. Don't get aggravated. We'll be, I know, texting back and forth.

Great, I'll be waiting. If I need to, I might have to go to bed. Thank you, Steve.

We'll see you next time, for episode 1000. Security Now.