This episode of Security Now covers a range of cybersecurity and technology news, including significant government regulatory actions, a critical software vulnerability, and the impact of AI on hardware pricing, alongside the launch of Steve Gibson's new DNS Benchmark tool.
It's time for Security Now. Steve Gibson
is here with lots of security news.
Apple says no. India says yes.
Scattered LAPSUS$ Hunters has a new name.
RAM prices going through the roof. And
Steve's announcing a new product finally
available for sale as of today. All of
that and the worst [music] code exploit
Podcasts
[music] you love
>> from people you trust.
>> This is Security Now with Steve Gibson.
Episode 155, recorded Tuesday, December
9th, 2025. React's Perfect 10. It's time
for Security Now, the show where we cover your
security, your privacy, and all the exciting
attacks that are happening [laughter] on
the internet today with this guy right
here. This here is Steve Gibson, my
friends. Hello, Steve.
>> A comprehensive overview of bad news.
>> Well, there's one this week. Holy cow.
>> Yeah, there is some good news, though.
>> Oh, good. The benchmark is done and it's
on sale. So, we will talk about that.
So, for episode 1,55,
as we're cruising through
December, the episode is titled
React's Perfect 10 because, oh
yeah, we'll get into what
React is. And Perfect 10 was actually
a quote from one of the security people
who said, "Oh, this this is really the
the bad guys are going to be feeding off
this one for quite a while." But we're
going to talk about, of course, a bunch
of other stuff. First, uh, France's
Vanity Fair facing a stiff fine over
what they did with cookies, and no, they
didn't eat them. GrapheneOS, speaking
of France is pulling out of France over
like bad behavior of French authorities
thinking that they can I guess bully
these guys because they're not Apple or
they're not Google so let's get you know
let's pound on the small open-source
guys so they're saying no thanks we're
leaving um [clears throat]
the EU is adding to the pileup uh over
underage social media and I thought you
guys over on MacBreak had a great
conversation about all this, Leo. That
was, you know, I mean, we're we're all
pretty much on the same page with all of
this, right? I mean, why wouldn't we be?
Because there's [clears throat]
>> it's kind of there is a right answer.
Uh, also, boy, India was busy and and I
think you guys talked about that a
little bit too. I don't know what has
happened in India, but they they
mandated the tracking of all
smartphones. I heard you guys talking
about GPS, which I didn't pick up on.
Then Apple said no. Then they India
changed their mind and it's just what
what what's the rule today uh over
there. Uh they but apparently and they
haven't backed down. They're also going
to require all encrypted messaging to be
sim tied. So there's another thing we'll
talk about that. Uh Scattered LAPSUS$
Hunters, the infamous and unfortunately
quite well-known and quite successful
bad-guy group. They've got an initial
now instead of having to say
Scattered LAPSUS$ Hunters and not
remembering who they are. Um also
non-security-related topic: AI demand
driving RAM pricing through the roof to
the point where there's no fixed
pricing. It's like, well, what does
the lobster cost today? So, okay. Uh,
I am going to talk a little bit about
the DNS benchmark which, uh, went on
sale on Friday after it was like done.
Uh, and it's I'm so proud of what it
ended up being. Uh, also, we've got a
couple pieces of feedback. Uh, one about
Cisco talking a good game, but they're
still Cisco. Also, browsers, this is
from Chrome, are going to be asking users
for access to their local networks and
why that's just not going to be
>> I mean it's better than nothing, which
is what we've had so far, but oh boy.
And then finally, we're going to do a
deep dig into uh what is with React and
what happened and what does this mean?
So, I think uh maybe you know we it's
going to be okay.
>> We're working on it. We're getting
better with age. [laughter]
>> 20 years we've been doing this show.
>> Getting the hang of it.
>> All right. We will get to uh you forgot
the picture of the week coming up, too.
I haven't seen it.
>> This one had an unfortunate caption.
This one I struggled for the caption on
this one. I I had to show it cuz it's
such a fantastic picture, but I thought,
how can I like give it some context? I
tried. We'll let our
listeners judge how I did
>> and maybe they'll come up with something
when you never know.
>> Oh, maybe. Of course we got.
>> Of course they will.
>> You betcha. [snorts]
>> Uh, our show today brought to you by, oh,
you know this name, 1Password.
>> It's easy to assume that being small
means flying under the radar. The
reality is small businesses are being
targeted more and more by bad actors.
You thought you were immune, right?
Cyber criminals know that lean teams
often lack the resources to prevent or
respond to a breach. In short, the bad
news is teams of any size can be a
target. The good news is even the
smallest teams can foil cybercrime.
1Password provides simple security to
help small teams manage the number one
risk that bad actors exploit: weak passwords.
1Password provides centralized
management to make sure your company's
logins are secure. It's a simple turnkey
solution that can be rolled out in hours
whether you have a dedicated IT staff or
not. And however complex your
security needs may get, 1Password
will stay with you every step of the
way. A password manager should be the
first security purchase you make for
your team. I really believe that small
businesses need to plan for the worst
case scenario and guard against cyber
attacks right from the start. For small
teams, responsibility for security often
defaults to a single employee. Often one
who's already juggling other business
functions. Yeah. Yeah. Sally down the
hall, she's the one in charge. The most
effective security solutions have to be
intuitive. They also have to be
user-friendly because, you know, if it's
not easy to use, people won't use it.
You want everyone at your company to use
1Password. 1Password's enterprise
password manager helps your company
eliminate security headaches and improve
security by identifying weak and
compromised passwords and replacing them
with strong, unique credentials. And
don't let 1Password's name fool you.
They're not just a password manager.
1Password EPM, Extended Password
Management, lets you securely store and
share developer secrets and other
sensitive data and helps streamline the
transition to passwordless
authentication by transitioning to
passkeys. Love that. With 1Password
EPM's simple automated workflows, your
team can enforce security compliance and
prevent breaches and potentially
preventing millions of dollars in
losses. It's the single most impactful
investment you can make in your
company's security. And fortunately,
it's not expensive and it's easy to
implement. Take the first step to better
security by securing your team's
credentials. Find out more at 1password.com/securitynow
and start securing every login now.
Thank you so much for supporting
Steve and Security Now and picture of
the week time, Steve. Okay, so I gave
this pair of pictures the caption, "Each
year we jump through more hoops to
increase our security. It's become a
lot. How much does all that really help?"
>> Okay, so that's the caption for two
frames. The frame on the left shows an
opening with, you know, a red
rope line and the caption, "Google
when hackers try to hack my account." In
other words, [laughter]
>> okay, not that difficult,
>> right? And then the right one is
titled "Google when I log into a
new device." [laughter] And this one I
didn't see the guard dog with its teeth
out down in the lower right initially.
So this one looks like something that
Maxwell Smart would have confronted
>> uh back in the day. It's got chains and
locks and and slide bars and triple
hinges and a keypad and
>> Meaning, God help you if you have to get
through this door. It's going to take
you an hour to unlock and and deal with
everything. And and of course that the
the the gist of this is something that
we do feel which is you know
accounts are still being hacked,
passwords are being uh obtained
uh people are still getting hacked yet
we're doing all this more stuff. I mean,
I have to say, Leo,
I love the one-time password idea,
>> but it gets a little tiresome after.
It's like, okay, you know, again, yeah,
fine. 326294.
It's like, okay, you know, and then
again, so it's like, so I look for those
check marks. Yes, I trust this device.
Leave me logged in, please. Remember
that I've been here so that
you'll believe me next time with less
rigmarole. Which is not to say,
believe me, I like one-time
passwords. All of this is good. One of
the strongest improvements
is whether you should be remembered at this
browser, because no bad guy
can be remembered as you if they've
never logged in as you before from you
know some foreign country. So, it's it's
really good protection, but yes, it is
annoying Google when I log into a new
device. Google's doing the right thing.
You know, you've we've ne we've never
seen you logging in through this device
before, so we need a blood sample.
That's that's going to be good. Uh but,
you know, you're going to end up being
drained if you do it too often. So,
okay. Uh, we've noted before that
regulations that are not enforced will
often simply be ignored. In fact, I
could probably more strongly say will be
ignored until they're enforced because
it's like, yeah, you know, it's it's the
equivalent of that annoying high school
tough guy whose favorite retort was,
"Oh, yeah, make me." It's like, yeah,
fine. And in the news is that the
French edition of the Vanity Fair website,
at vanityfair.fr,
had their bluff called, and it's an
expensive call for a cookie:
€750,000.
So that'll get your attention,
and and you think wow isn't that a
pretty stiff penalty for just like some
problem with cookies. The company Les
Publications Condé Nast
publishes printed and online
magazines including the Vanity Fair
magazine. Six years ago, okay, six years
ago, way back in December of 2019, the CNIL,
which is the abbreviation, you know,
in French, for France's Data
Protection Agency,
received a public complaint. So, the
agency received a complaint from the
association noyb,
which is Europe's Center for Digital
Rights, and it doesn't actually stand
for none of your business, but it's a
great abbreviation for noyb. Um, so,
noyb, which does not stand for none of
your business, but it's too bad it
doesn't, complained to CNIL,
France's data protection agency,
about cookies being placed on the
devices of users visiting vanityfair.fr.
Um, this was happening without any user
notification or permission. After
several investigations and discussions,
an order to comply was issued in September of 2021.
So first of all,
not, you know, almost two years, right?
December 2019 this began.
September 2021,
nearly two years later, finally, fine, you
you've got to remove your cookies. fix
your cookies because your cookies are
not working right. And then the
proceedings were closed in July of 2022.
Now, it's not clear whether the
proceedings were closed the next summer
after verification that Condé Nast
and their vanityfair.fr site was doing
the right thing or not, or were closed a
year later in July, and also in November
of 2023. Then again in February of 25,
the CNIL carried out further online
investigations. So it sounds like they
just assumed Condé Nast would take care
of this, get it done following the order
after all these negotiations.
I don't know what you have to negotiate
over a cookie, but okay. Um so they so
CNIL went back and looked and what do
you think they found based on their
findings? The restricted committee, as
it's known, which is the CNIL
body responsible for issuing sanctions,
considered that the company Les
Publications Condé Nast had failed to
comply with the obligations of Article
82 of the French Data Protection Act and
imposed that fine of, I mean, €750,000.
um the amount of the fine is intended to
take into account the fact that the
company had already been issued with an
order to comply. It couldn't have come
as a surprise after nearly two years of
discussion about whether we're going to
receive an order or not and after which
they did. But apparently they just blew
it off. Uh, as well as the other
thing factored into this €750,000
fine is the number of people likely to
have been affected by this misbehavior
of their cookie policy and the various
breaches of the rules protecting users
with regard to said cookies. So, you
know, no one's going to shed a tear here
except some accountant at Vanity Fair.
uh if it wasn't, you know, and again, it
wasn't as if the fine
could have shocked anybody. Um they were
very clearly told what they needed to do
and they apparently just blew off CNIL
saying, "Yeah, you know, everybody else
does it." So, you know, I I would
imagine that someone's going to lose
their job or maybe a team, whoever is in
charge of cookies over at Vanity Fair.
Three-quarters of a million euros, which
could have been easily prevented. I
mean, what everybody else does is bring
up a little cookie banner and say, "Hey,
we want to store some stuff on your
computer. Just tell us it's okay. Click
here." But apparently either they didn't
do that or they did and they didn't
honor it. Who knows? Um anyway, so
I hope everybody else sees this that
when CNIL says you're in breach of our
regulations, now of course this in
against the backdrop of this whole wacky
model of cookie management getting ready
to change because the GDPR is being
updated. Um, and so we have California
now and the EU both saying browsers need
to accept a setting from their users,
transmit that setting to everywhere they
go, and everywhere they go needs to
honor what the user has said they want.
So, um, but you know, that was 10 years
ago, right, that all that came into
place. And so, it's going to take a
while for all this to catch up and change.
Meanwhile,
um, the very nice Android alternative,
and I think you were just talking about
it last week or the week before, Leo,
GrapheneOS, which is an Android
compatible, API compatible, or, yeah,
right, Android alternative, API
compatible. Um, they recently posted on
X that they're leaving France due to a
new French law that would mandate
breaking their encryption. Obviously,
no. [laughter] So, they posted, "We no
longer have any active servers in France
and are continuing the process of
leaving OVH."
OVH is a a French cloud hosting company
which they've been using. They said
France is no longer a safe country for
open-source privacy projects. They
expect backdoors in encryption and for
devices too. Secure devices and services
are not going to be allowed in France.
We don't feel safe using OVH for even a
static website with servers in Canada
and the US via their Canada US subsidiaries.
We were likely going to release an
experimental Pixel 10 support very soon,
but that's getting disrupted, so that'll
be delayed. They're saying the attacks
on our team with ongoing libel and
harassment, and they're talking from the
French authorities, from French law
enforcement, they're being harassed, have
escalated. Raids on our chat rooms have
escalated and more. It's rough right now
and support is appreciated. So, [clears throat]
it appears that GrapheneOS believes
that they may have already been
compromised because they also posted
we'll be rotating our TLS keys and Let's
Encrypt account keys pinned via account URI.
DNSSEC keys may also be rotated. Our
backups are encrypted and can remain on
OVH for now. So that you know the reason
you rotate keys is you worry that they
could have been compromised that your
keys could be in somebody else's hands
meaning that TLS and your Let's Encrypt
domains and your DNSSEC
you know is not as sure as you'd like it
to be. So, they're going to change all
their keys after completely
excommunicating themselves from from any
dependence on on France-based servers.
Uh, in the thread that followed, a
much more lengthy posting on X, which
I won't bother everybody with, where
they go into all the details of of of
what's going on um, and and the way
they're going to be moving. Uh, someone
named Lars posted, "I'm a lead developer
for a hosting company in Denmark. We do
not have any backdoors or anything
illegal for normal FOSS. We definitely
do not ask questions," which, and this was
posted, you know, offering the option of
some assistance or an alternative to the
GrapheneOS guys in, you know, in
reply in the reply thread to their
posting, whereupon the GrapheneOS guys
said we appreciate it but unfortunately
we'll likely have issues in Denmark too
due to their push to outlaw encryption
without backdoors.
We'll hopefully still be able to operate
in the EU in general, but we want to
avoid chat control supporting countries
due to this experience.
GrapheneOS is not based in the US and
is a nonprofit open-source project.
We're leaving France because we don't
trust that French law enforcement won't
coerce OVH to do something after a
judge signs off based on falsehoods.
We've been subject to attacks by law
enforcement on GrapheneOS,
including many false claims and also
direct threats.
Geez. So reading between the lines, it
sounds as though authorities with French
law enforcement have demanded that
GrapheneOS unlock some suspected
criminals' handsets and GrapheneOS has
tried to explain that they do not have
that capability. They wrote, "It's not
possible for GrapheneOS to produce an
update for French law enforcement to
bypass brute force protection since it's
implemented via the secure element." So,
you know, again, that sounds like like
French law enforcement is saying, "You
need to help us brute force open these
locked smartphones that are running your OS."
They, GrapheneOS, said the secure element
also only accepts correctly signed
firmware with a greater version after
the owner user unlocks successfully. So
someone may have been
suggesting a downgrade attack where you
deliberately load older GrapheneOS
software onto the device in order to
bypass some of the later protections, and
they're saying, sorry, that's been
accounted for in the design of this,
can't do it. They wrote, we would have no
legal obligation to do it even if we
could but it's not even possible. We
have a list of our official hardware
requirements including secure element
throttling for disk encryption
key derivation. Okay, meaning that the
secure element throttles brute force
attacks, making them impractical, and
that's in the hardware and there's
nothing they can do to get around it.
Secure element throttling for disk
encryption key derivation combined with
insider attack resistance, and they
wrote, and they aren't blaming Google for this
design, meaning they're saying that
GrapheneOS is at fault for making it
brute-force impossible, but it's actually
Google whose engineering
did this properly because users don't
want their smartphones to be hacked. Then
they finish saying, "In Canada and the
US, refusing to provide a PIN and
password is protected as part of the
right to avoiding incriminating
yourself. In France, they've
criminalized this part of the right to
remain silent. Since France has
criminalized the refusal to provide a
PIN, why do they need anything from us?"
Which that's some good logic. And of
course, we don't know anything about
what the French authorities believe
might be on a criminal's confiscated
GrapheneOS-based smartphone, but we
certainly know why a suspect might
choose not to share their password with
the authorities. Right? We talked about
that trade-off ages ago back in the
context of TrueCrypt's early whole-disk
encryption which was designed by
cryptographers who knew how to
completely and correctly protect a hard
drive's data. It was it was effectively
and practically not brute force
crackable because it was done right.
The bad guys might very well have
horribly incriminating material stored
on a TrueCrypted drive. So they would
much rather face some charges, whatever
they may be, for not providing their
password than provide the password and
have authorities learn firsthand just
how criminal they were. So I doubt that
law enforcement authorities will ever
accept, you know, ever in the future of
humanity accept the truth of being
unable to unlock an encrypted device or
spy on encrypted communications. They
just, you know, they know the data is
there. They want it. So, you know,
I'm sure they believe that they should
have the right to see inside anything
they choose under the logic of after all
they're the good guys, right? And of
course, we know that the EFF would beg
to differ. So,
so there's that, but it's also happening
in the EU. Uh, and Leo, I know you
talked about this over on MacBreak. Here
we are. It is December 9th. We are on
the literal eve of the Australian law to
ban the use of social media, all social
media by anyone younger than 16.
Uh, as we know, this effectively
requires anyone who does wish to
continue using any social media to
arrange to prove that they are at least
16 years old. If that wasn't the
requirement, then somebody who was 14
could say, "Yeah, I'm an adult." Okay.
So, you know, the onus has been placed
unfortunately on the social media
providers to prevent the use of their
systems by anyone younger than 16.
So, we're recording this on December 9th
and tomorrow,
>> of course, it's already it's already
December 10th in Australia. So,
>> Right,
>> it's going on now, I guess.
>> Right. Um, which is always weird. Why?
Why does it turn [laughter]
next year in New York
before it turns it? I don't get that,
Leo. But, you know, we're not a flat
earth that we are a spinning globe
>> and you know, it would be weird if it
was midnight
>> in the middle of the day. Yeah. Yeah.
So, that's that that wouldn't work
either. Um, so
what's different here? What's happening
now in Australia
is countrywide
and that's the that's the difference to
you know and and actually saying that
the whole world is watching is not an
exaggeration on Sunday uh today's
Tuesday so two days ago on Sunday the
New York Times piece was titled a grand
social media experiment begins in
Australia with the tag the country is
trying to wean children under 16 off the
likes of TikTok, Snapchat, YouTube, and
Instagram with a new law. The teenagers
are skeptical. [laughter] The New York
Times said Saturday, the BBC's headline
was, "Can you ban kids from social
media? Australia is about to, but some
teens are a step ahead." I read the
BBC piece. Kids are using still photos
of their parents or VPNs. Surprise.
UNICEF in Australia just has a piece
titled social media ban is was their
title. Uh and they summarized their
position by writing and this is UNICEF
writing from 10 December 2025 anyone
under 16 in Australia won't be able to
keep or make accounts on social media
apps like TikTok, Instagram, YouTube,
Snapchat, X, Facebook and more. There's
10 total. The rule doesn't punish young
people or their families.
Instead, social media companies have to
stop under 16s from having accounts or
risk serious fines. And and the fines
are up to 50 million Australian dollars,
about 35 million US. They said the new
law is meant to make things safer
online, but UNICEF Australia believes
the real fix should be improving social
media safety, not just delaying access.
And and then for their part, the
Guardian headlined their piece. Everyone
will miss the socializing, but it's also
a relief. They said five young teens on
Australia's social media ban. And it was
an interesting article uh that they said
Australia's world-first social
media ban for under 16s will begin in
just a few days. This is written on
the weekend. Malaysia, Denmark and
Norway are to follow suit and the
European Union last week passed a
resolution to adopt similar
restrictions. As the world watches on,
millions of Australian adolescents and
their parents are wondering just what
will actually change come 10 December
and NPR had a piece as well. As I said,
everybody's like, "Okay, the these guys
are going first. What's going to
happen?" So, it's going to be
interesting to see, right, how all this
pans out. Um, as I said, the economic
fine for repeated failure to enforce is
50 million Australian dollars, 35
million US. So that's not nothing. Um,
but there's also, of course,
reputational damage. Anybody who screws
this up is going to be in the news
because everybody's watching. So it's
clear that the 10 affected social media
platforms can't ignore this and do
nothing. Uh, and we know that, you know,
the claim of being old enough no
longer washes; we were all
happily using that for the last 20 years
but no more. So uh you know they're
going to need to adopt what some lame
measure that allows them to avoid
penalties while kids gleefully work
around and, you know, spoof the proof
of age, which is probably what's going to be
happening a lot. And you know, I mean,
classrooms will be buzzing. Uh, everyone
will be talking about how they did it.
There was in in the in the BBC piece
that interviewed five teens, uh, one
13-year-old said she just took a picture
of her mom and showed it that and it
said, "Okay, go ahead." So, you know, my
feeling is that there was probably no
way to avoid the present mess that the
world is about to endure. and a mess
it's going to be. As we know, change is
difficult even when everyone is pulling
in the same direction and wants it. But
change when the platforms and their
users all want to leave things the way
they are and only some unseen government
legislators and their regulators want to
force change. It's just bound to be a
mess. I of course hope that some good
technology will eventually step into the
gap to provide privacy respecting age
verification but we don't have that yet
and we don't even appear to be close uh
since the handset the the handset makers
are very much strongly in the we don't
want this to be our problem camp
although I think that's exactly wrong I
I think you know that's the point of
contact between the user and the
technology is the handset and I
get it that Apple doesn't want to do
this but they're inching towards it. You
know, we we we've covered various of
those measures u as is Google. So, I
think they probably know that ultimately
they're going to need to be the place
where this decision gets made. It is the
right place. It's the logical place for
it to be. Um, and on the eve of this
first countrywide event, I wanted to
also note that the EU is now making much
the same noise, which one of those
articles talked about. Uh, and also
whereas Australia's human, which is to
say non-kangaroo, population is about
27.5 million, the total population of the
EU's current 27 member states is around 450.5
million.
So, a huge population. The European
Parliament News recently posted a piece
with the headline, "Children should be
at least 16 to access social media say
members of the European Parliament."
Those are members of the European
Parliament. MEP is an acronym, MEPS. Um,
however, things may be better in the EU
from a privacy and accuracy standpoint.
At least we can hope.
A vote was held two weeks ago uh two
weeks ago Wednesday where the members of
the European Parliament, these MEPs, uh
voted to adopt a non-legislative report
by 483 votes in favor, 92 against, and
86 abstentions. The report and their
votes expressed deep concern over the
physical and mental health risks minors
face online and called for stronger
protection against the manipulative
strategies that can increase addiction
and that are detrimental to children's
ability to concentrate and engage
healthily with online content. So here's
the part that caught my eye in that EU's
adopted reporting. They wrote just a
it's a short paragraph expressing
support for the commission's work to
develop an EU age verification app and
the European digital wallet, the eID
wallet. MEPs insist that age assurance
systems must be accurate and preserve
minors' privacy, which is to say
everyone's privacy, right? Because
again, you need to assert that you're
not a minor and you'd like your privacy
protected. It's funny how they get that
no one really latches on to that in in
any of this reporting. Such systems do
not relieve platforms of their
responsibility to ensure their products
are safe and age appropriate by design.
they add, but you know, so so these guys
may be moving forward in the in the
right way and with 450 million users and
Stina over there in the EU and it just
not being a hard problem to solve if you
want to solve it. I'm hopeful. So, you
know, the idea that that commission
would be pressing for an EU age
verification app,
that's really good news. um given some
means for establishing an individual's
date of birth which we know that may be
the European digital identity that date
can easily be protected inside the
device while simple assertions of older
than X are then trivial to generate with
total security and anonymity. As I said,
crypto can do this without without
breaking a sweat. So my takeaway here is
that yes, we're about to descend into
some extremely messy chaotic times, but
you know, given the kicking and
screaming by the platforms and their
users, this was inevitable given that
the legislations and the legislators are
just barreling ahead without any
solution to the well, we'll let the
other people solve the problem approach.
So the right people understand the
concepts of accurate privacy preserving
solutions and they know this is
possible. So I doubt that the world's
going to have to wait that long and that
we're eventually going to finally obtain
a good solution. And I know Leo, you
guys were talking about it over Mac
Break Weekly. The loss of
absolute unaccountability
is going to be mourned by some. But um
you know Jason was talking about the
loss of privacy.
That's just interim with we can do this
without any loss of privacy. Yes, you
will have to identify yourself
in order to in order to securely embed
your your date of birth in the device.
But once that's done, all the people
using it, that's the that's the real
difference here. We do not want to have
to be showing a driver's license
individually to every website we visit.
You're going to have to show it once to
your device and then and then be
biometrically locked to that so that it
knows uh you you that you didn't use
your license for a friend's phone uh in
in some fashion. So, you know, it needs
to be done right, but it can be and once
that's done, then that strongly
constrains any any further dissemination
of of privacy loss. That's where we're
going to end up being. So, it'll be fun
to watch it here on this podcast as it
happens. And it'll be fun for me to take
a sip of coffee, Leo.
>> Well, that we can arrange. I don't know
if we can help with the other one, but I
think we can arrange.
>> We can at least be here cheering.
>> Yes. Our show today brought to you by
Veeam. Oh, you need to know about this: when
your data goes dark, Veeam turns the lights
back on. Veeam keeps enterprise
businesses running. When digital
disruptions like ransomware strike, and
you know, ransomware is just out there
waiting to strike. How? Well, by giving
businesses powerful data recovery
options that ensure you have the right
tool for any scenario. Broad, flexible
workload coverage from clouds to
containers and everything in between.
With BH, you get full visibility into
the security readiness of every part of
your data ecosystem. tested, documented,
and provable recovery plans that you can
deploy with a click of a button. How's
your recovery plan looking? This is why
you need VHIM. If you're out there in
the in the world and you're not
prepared, you need Veh. Veh is the
number one global market leader in data
resilience. That's the term. Just call
them the global leader in helping you
stay calm under pressure. That's the
offer. With VEH, it's all good. Keep
your businesses running at veh.com. vam.com.
All right, [clears throat]
back to Steve. So, [laughter] this is
such a weird
path. Um,
staying with the topic of government
legislators seemingly all losing their
multi-decade shyness toward
legislating our use of personal
technology, which sort of seems to
have happened globally all at once. We
have the news that the government of
India uh intends to verify and record
every smartphone
in use by their citizens.
Uh that was essentially TechCrunch's
headline uh last week uh under which
they wrote the Indian government is
widening the scope of its anti- theft
and cyber security initiative to cover
both new and used smartphones, an effort
aimed at curbing device theft and online
fraud, but a move that's also raising
fresh privacy concerns. Yeah, no
kidding. They wrote, "As part of the
expansion, the Indian Telecom Ministry
is requiring companies that buy or trade
used phones to verify every device
through a central database of IMEI
numbers. This comes in addition to a
recent directive, get this, ordering
smartphone manufacturers to pre-install
the government's Sanchar Saathi app on
all new handsets and
push it onto existing devices through a
software update, ordering smartphone
manufacturers to do that. Good luck with
that. Yeah. In other words, India is
now requiring all handset makers both to
pre-install a state-mandated
app and also to retro-install the app
into all existing devices.
TechCrunch continues, writing: Reuters
first reported the news on Monday which
was later confirmed by the ministry in a
public statement. So ministry said,
"Yep, that's right. Got to do that."
Launched in 2023, the Sanchar Saathi
portal allows users to block or trace
lost and stolen phones. The system has
blocked I was a little surprised by
these numbers, Leo. The system has
blocked more than 4.2 million devices
and traced 2.6 million more devices
per government data.
>> India is a big country and there's
hundreds of millions of cell phones in
use. So
>> yeah. Yeah. Uh the system expanded
earlier this year with the release of a
dedicated Sanchar Saathi app in January, which
the government says helped recover more
than 700,000 phones including 50,000 in
October alone.
Wow. So, I guess they've got a
smartphone theft and reuse
problem and they're taking steps.
TechCrunch said the Sanchar Saathi app has
since gained broad adoption. The app has
been downloaded nearly 15 million times
and saw more than 3 million monthly
active users in November, up more than
600% from its launch
month, which would have been 2023.
According to marketing intelligence firm
Sensor Tower, web traffic to
Sanchar Saathi has also surged, with
monthly unique visitors rising more than
49% year-over-year per Sensor Tower data
shared with TechCrunch. So,
okay. Up to this point, it appears that
the choice to have one's smartphone
protected with this tracing and recovery
app has been the user's.
But TechCrunch explains what's changed.
They wrote, "The government's order to pre-install
Sanchar Saathi has already drawn
significant backlash from privacy
advocates, civil society groups, and
opposition parties. Critics argue the
move expands state visibility into
personal devices without adequate
safeguards. The Indian government
however says the mandate is intended to
address rising cases of cyber crime such
as IMEI duplication, device cloning,
fraud in the secondhand smartphone
market and identity theft scams.
Responding to the controversy, the
Indian telecommunications minister said
Tuesday that Sanchar Saathi is quote a
completely voluntary and democratic
system unquote. Okay. And that users can
delete the app if they do not wish to
use it.
Which again sort of flies in the face of the
other things that were previously
said. The directive reviewed by
TechCrunch and circulating on social
media on Monday instructs manufacturers
to ensure the pre-installed app is quote
readily visible and accessible to end
users at the time of first use or device
setup and that its functionalities are
not disabled or restricted," unquote,
raising questions about whether the app
is truly optional in practice.
India's deputy telecom minister said in
media interviews that most major
manufacturers were included in the
government's working group on the
initiative though [clears throat] Apple
did not participate
alongside pushing the Sanchar Saathi app.
Two people familiar with the matter told
TechCrunch that the telecom industry is
piloting an additional programming
interface, an API, that would allow
recommerce and trade-in platforms to
upload customer identities and device
details directly to the government. The
move would mark a significant step
toward creating a nationwide record of
smartphones in circulation.
India's used smartphone segment is
expanding rapidly as rising prices of
new devices and longer replacement
cycles push more customers toward
cheaper alternatives. India became the
world's third largest market for
secondhand smartphones last year, in 2024.
But as much as 85% of the secondhand
phone sector remains unorganized,
meaning most transactions occur through
informal channels and through
brick-and-mortar stores. 85%, so only 15%
are being, you know, formalized and
tracked. The government's move covers
only formal recommerce and trade-in
platforms, leaving much of the broader
used device market outside the scope of
the current measures.
Well, unless manufacturers are going to
be back-porting, you know,
back-installing this thing in any software
updates, which may still be happening on
remarketed phones. Anyway, TechCrunch
said while announcing the
pre-installation of its app, the Indian
government said the move would help
enable quote easy reporting of suspected
misuse of telecom resources unquote.
Privacy advocates say that the growing
data flows could give authorities
unprecedented visibility into device
ownership, raising concerns over how the
information could be used or misused.
The head of programs and partnerships of
the Toronto-based nonprofit
policy lab, Tech Global Institute, told
TechCrunch, quote, "It's a troubling
move to begin with. You're essentially
looking at the potential for every
single device being databased in some
form. And then what uses can their database
be put to at a later date? We
don't know. The Indian government has
not yet detailed how the collected data
will be stored, who will have access to
it or what safeguards will apply as the
system expands. Digital rights groups
say the sheer scale of India's
smartphone base estimated to your point
Leo at some 700 million devices.
>> Yeah.
>> Means even administrative changes
can have outsized consequences
potentially setting precedents that
other governments
may study or replicate.
Quote, "While the intent behind a
unified platform may be protection,
mandating a single government-controlled
application, risk stifling innovation,
particularly from private players and
startups who have historically driven
secure, scalable digital solutions,"
said the director of the New Delhi-based
technology think tank Esya Centre.
If the government intends to build such
systems, they must be backed by
independent audits, strong data
governance safeguards, and transparent
accountability measures. Otherwise, the
model not only puts user privacy at
stake, but also removes fair competition
for the ecosystem to contribute and
innovate. Right? If the government's
already got that locked up, then third
parties need not apply. How can
they compete? The Indian Telecom
Ministry did not respond to TechCrunch's
requests for comment. While the
Sanchar Saathi app is visible on a
user's phone, the broader system it
connects to operates largely out of
sight. Its permissions, its data flows,
and back-end changes, including
the planned API integration,
may be buried in long terms and
conditions documents that most people
never read or even see. He said as a
result, users may have little practical
understanding of what information is
being collected, how it is shared, with
whom it's shared, or the extent of the
system's reach. Quote, "You can't go
about restricting cyber crimes and
device thefts in such a disproportionate
and heavy-handed way." Boy, is that a
common theme. He said, "The government
is basically saying that look, you need
to put my app on every device that's
sold, on every existing device. You have
to install it and in anything that's
being resold as well," unquote.
So, wow. I think they felt the pressure
because uh this is a press release from
the department of telecommunications in
India. They have
>> they gave up.
>> Yes. And in fact, I've got that after I
tell you what Apple said.
>> Yeah. Apple wasn't too happy about it. I
know that. [laughter]
>> So, on the practical side, we know
about the tyranny of the default, right?
If the app is pre- and post-installed,
a great many more people will end up
using it. Way more than 50 million
recent downloads. There's 700 million
phones in circulation.
>> Most people will not remove it. They'll
just assume, oh, whatever that is, it's,
you know, it's good for me. Um, and it's
not completely clear whether removal
will even be an option since the Indian
government's intention looks to be more
aimed at assuring that all smartphones
participate. And of course, one wonders
what Apple, right, would think about
such a mandate. On the other hand, India
is now producing Apple smartphones. So,
who knows? Well, it turns out Apple does
indeed say no. I dug around some more
and discovered, to no one's surprise,
Apple does not plan to abide by India's
order. The India Times headline was,
quote, Apple to resist DoT order (that's
India's Department of Telecom) to
preload state-run Sanchar Saathi app as
political outcry builds. And then we get a
little bit more interesting information
about disabling or removing that makes
somewhat more sense. The India Times
wrote, "Apple does not plan to
comply with a mandate to preload its
smartphones with a state-owned cyber
safety app and will convey its concerns
to New Delhi." Three sources familiar
with the matter said, after the
government's move sparked surveillance
concerns, the Indian government has
confidentially ordered, although it
didn't stay secret, of course, you can't
do those sorts of things confidentially,
ordered companies including Apple
and Xiaomi to preload their phones with an
app called Sanchar Saathi, which
in English means communication
partner. Within
90 days, the app is intended to track uh
stolen phones, block them, and prevent
them from being misused. So, that was
news. Block them. So, meaning that the
government can prevent a phone from
operating. Uh I didn't pick up any of
that in the previous reporting. So, you
know, you would call that a biggie. um
that suggests that this communications
partner app would have the ability to
shut down a phone and if that's the
case, it's no wonder that Apple is
saying uh no thanks. The reporting
continues from India Times writing
Reuters was the first to report on
Monday that the government also wants
manufacturers to ensure that the app is
not disabled. Also, for any devices
already in the supply chain,
manufacturers should push the app to
phones via software updates. The telecom
ministry confirmed the move, later
describing it as a security measure to
combat serious endangerment of cyber
security. But Minister Modi's political
opponents and privacy advocates
criticized the move, saying it is
a way for the government to gain access
to India's 730
million smartphones. So anyway, I'm
going to skip the balance of this.
Basically, a bunch of opinions
were pulled by Reuters talking about it,
you know, being more than a
sledgehammer, it's more like a
double-barreled shotgun. And
someone saying that there's no way Apple
would ever agree to do this. And in
fact, we know that that's the case. So
following on the heels of that, as you
said, Leo, India decided, okay, I
guess that's not going to fly.
They backpedalled on their
requirement. Their official press
release from the Ministry of
Communications, which you had on the
screen, proclaims across its top:
government removes mandatory
pre-installation of the Sanchar Saathi
app. So, it turns out that the
government changed its mind two days
after the announcement following
extensive public criticism of what
everyone was concerned was veiled
surveillance. And I decided to keep
that original reporting in place for the
podcast because it's still useful to
understand what's in the air, and
India may not be done meddling in
communications, because the India Times
also had a headline, why your WhatsApp
web may now log out every 6 hours.
The India Times is quoting India's
Department of Telecommunications,
saying in their story: due
to a new directive from the Department
of Telecommunications,
WhatsApp web will automatically log out
its users every six hours under the new
rule that the department of
telecommunications requires
messaging apps including WhatsApp,
Telegram and Signal to implement SIM
binding. In other words, linking of the
users of services to the SIM card used
for registration via its IMSI
identifier. If the original SIM is not
present, access to these apps will be
blocked 90 days from the directive's
issuance. So there's a 90-day, you
know, get-up-to-speed period from the
publication of the directive.
Within 90 days, this technology has to
be in place for all text messaging
apps, whereupon I think, well,
you know, good luck telling Signal's
Meredith Whittaker that you're requiring
Signal to bind to specific SIM cards.
Uh, as we know, Signal has historically
been bound to a user's phone, but
there's no way that Signal would be
modifying their app if it meant the
slightest reduction in the privacy of
their users. And if this move, you know,
did not represent some enhanced form of
government control, then why would India
be mandating this change at all? Okay,
but there's more. The India Times
explains, under the same
directive, web versions of these
applications will log their users out periodically,
no later than every six hours, and force
a reauthentication via a QR code scan. A user logs into
WhatsApp web through a browser by
scanning the QR code through the phone
application. According to the
authorities, this is to curb cyber fraud
by preventing misuse of apps without
active SIMs, often by scammers operating
from abroad.
Platforms are required to comply within
90 days, and submit reports within four
months, potentially by around February
of next year. The rules will apply to
WhatsApp, Telegram, Signal, Snapchat,
and other OTT, you know, over-the-top
messaging platforms operating in India.
Users are likely to face workflow
disruptions, especially multi-device
professionals and travelers and small
businesses that rely on shared devices.
WhatsApp has 500 million Indian users
and a major chunk of its business users
are also in the country. One user wrote
on X, "SIM binding rule shall be a
major disruption for professionals and
businesses using web accounts of
WhatsApp, etc. It won't eliminate the
fraud completely as SIM cloning and SIM
spoofing will still work." While a
section of the tech industry believes
that the DoT might have breached its
regulatory mandate, officials clarified
that the directions issued to the apps
are within the purview of telecom cyber
security rules. An official told the
India Times, quote, "It's only for the
entities that use telecommunication
identifiers like a mobile number for
their services. If they don't want to do
the SIM binding, they should not use the
mobile number as an identifier,"
unquote. Industry representatives also
question the effectiveness of SIM
binding in curbing fraud originating
outside India, noting that scam
operators can still obtain Indian SIMs
through mules or remote devices, while a
significant volume of fraud originates
within the country. So,
you know, we really appear to be
entering a period where government
legislators are feeling increasingly
empowered, Leo, to dictate the operation
of the personal communications devices
operating within their jurisdictions.
And I found no indication yet that
India will be backing down from this
latest, you know, SIM binding deal on
messaging platform apps.
>> Yeah.
>> Wow. So what do you think that's
about? I mean, that's just like,
um,
tying, like, no WhatsApp
>> To be honest,
>> WhatsApp is based on your phone number,
right? Because we have
>> It doesn't have to be anymore. It used
to be, but it no longer has to be.
>> Okay? Because we had that story that we
talked about last week where there was
no rate limiting on brute forcing
WhatsApp web to look up people's
identities just by trying every possible
phone number,
>> right?
I guess you do have to submit a phone
number. Your ID can just be like my ID
on WhatsApp is Leo Laporte.24.
So that was a change that they
implemented a couple of, maybe last
year. I guess that's why it's 24. But
>> so you can look up by ID or by phone.
Okay.
>> Yeah. But I don't know if you can look
up by phone anymore. That's an interesting
question.
>> And of course I guess the idea
>> You need a phone number to register it.
So yeah, they have your data.
That's right.
>> Yeah. And I guess the idea also was that
WhatsApp could, you would give it
access to your contacts and it
would go through your contacts, take all
the phone numbers out of your contacts
and cross-reference that with
WhatsApp users in order to populate your
WhatsApp contacts.
>> Right. Oh, I was thinking of Signal. I'm
not, I've You're right. WhatsApp I don't
know. I don't use WhatsApp. I think it
is tied to your phone number. You're
right. Yeah. Yeah. And of course, every
Facebook app asks for access to your
contacts, and I always say no.
>> Yeah.
>> Because I'm not going to
>> What good could come of that?
>> I'm not giving out Steve Gibson's phone
number and home address and email. What
good could possibly come of that? If
you want me to know you're on
WhatsApp, you'll let me know you're on
WhatsApp, right?
>> Yeah. You know, you had a
sentence in here that I think you
could shorten,
where you say that countries are
increasingly feeling
>> legislators are feeling increasingly
empowered to dictate the operation of
the, etc. Just say legislators are feeling
increasingly empowered,
>> period. And I think that's really what's
happening is that governments worldwide
are becoming more and more authoritarian
and more and more interested in
enforcing their worldview on their
constituents, and I don't
think that's a good trend at all.
>> No. And unfortunately the technology
allows that. Right. I mean
>> Well, the technology has stimulated it
because they feel like they've lost
control of us.
>> Right. But the technology also
is a control mechanism.
>> Exactly. So they've discovered that and
they're trying to use it. And yeah,
I don't have high hopes for this. It,
you know, I think what happens, you give
people power, they want more power.
Yeah. And you can do everything you
can. John Adams said that. I was
watching the great Ken Burns
documentary on the Revolutionary War,
and John Adams said, you know, we can
make a democracy, but I feel
like people's greed for money and power
is so great that it's unlikely we can
sustain it. [snorts]
>> Right. And Washington, you know,
responds famously to that woman who
asks after the signing of the
Declaration of Independence, what did
you just keep it? Yeah. Yeah.
>> Yes. A democracy if, or no, a republic if
you can keep it.
>> You can keep it. Yeah.
>> I think even in the beginning they knew
that this was going to be a [laughter]
lot difficult.
>> You know, we all grew up, all of us who
are
>> of a certain age.
>> Yes. The pigmentation has left
our hair. [laughter]
>> Uh,
it's always been the way it is and it's
always going to be the way it is, but
that's not the history of democracies,
>> right?
>> They have a period
>> And if it's at all encouraging,
we've been through bad times in the US
before. There have been many anti-democratic
eras in the United States and
we've survived
>> and we have swung back.
>> Yeah.
>> Yeah. So, let's hope.
>> Um, let's take a break. We're at an hour
in. We're going to talk about the
abbreviation of Scattered Lapsus$
Hunters. It's not an inspired
abbreviation, but it helps. And
then a bit about RAM pricing that's
gone nuts.
>> Unbelievable what's going on with RAM
pricing. I'm, you know, I'm glad I'm
well equipped with computers, but I'm
worried about the future. I don't know.
In fact, that thing I had to
sign for, I just purchased a machine,
probably my final computer
for my new office that I'll be setting
up in a month or two.
>> Desktop, laptop?
>> It's a small, what
do they call it? Small form factor.
>> Oh, like a NUC.
>> Yeah, that kind of thing.
>> Yeah. Yeah. I think I'm thinking
maybe I was going to wait till next
year. Apple has OLED screens coming
and I really love OLED screens. So maybe
I'll just get a PC instead. They have
plenty of OLED PCs and
>> just put Linux.
>> Well, and of course I will do.
What this thing has is three
display ports on the back because I am
a three screen person. That works
for me. And I made the mistake on the
system I have in my place with Lori
of having that curved high
resolution screen. No. No. I don't
like that. And because I have lower
resolution on the sides and when you
drag something across the boundary, it
gets all screwed up. So,
>> it's like your peripheral vision on the
screen. That's not good.
>> Not good.
>> Yeah.
>> So, I'm going to go three flat screens
all the same resolution and then
>> do you organize it in, I'm sorry,
parenthetically. We'll get back to the
show in a moment, folks. But do you
organize, like, do you have code in one
window, and you do?
>> Yes. Yes, I generally have static
things in different locations. So like I
always have Windows Explorer open on the
right half of the right side
and that's just where it lives. It's
always there and
>> Yes. It's always there. So
>> that's smart. Yeah. Yeah. You always
know to go there.
>> And it's interesting because Lori
and I have very different organizational
approaches. And she wants, like,
she's an organizer, but she likes to put
things in bins and I'm a position-based
organizer. I know where something is in,
like, in location. And so I go right to
it. But if she organized it,
it's gone. It's gone.
>> So it's like, "Honey, where did, what
happened to the" She says, "Oh, I
organized that." Oh, okay.
>> Where where where [laughter]
is it now?
>> We have that problem in the kitchen.
I now know where everything is in the
kitchen, but if we reorganize, I'm in
deep trouble. In deep trouble. All
right, let's take a break. I know where
the ad breaks are on this show, and
that's one thing I do know. And it's
time for one. We'll have more with Steve
in just a bit. But first, a word from
our sponsor, BigID. They're the next
generation AI-powered data security and
compliance solution. BigID is the first
and only leading data security and
compliance solution that can uncover
dark data through AI classification, that
can identify and manage risk, that can
remediate the way you want.
You get to choose, that can map and
You get to choose that can map and monitor access controls and scale your
monitor access controls and scale your data security strategy along with
data security strategy along with unmatched coverage for cloud and onprem
unmatched coverage for cloud and onprem data sources. And by the way, that's
data sources. And by the way, that's huge. Big ID also seamlessly integrates
huge. Big ID also seamlessly integrates with your existing tech stack, which
with your existing tech stack, which means you can coordinate security and
means you can coordinate security and remediation workflows. You can take
remediation workflows. You can take action on data risks to protect against
action on data risks to protect against breaches. You can annotate, delete, and
breaches. You can annotate, delete, and quarantine and more based on the data
quarantine and more based on the data all while maintaining an audit trail for
all while maintaining an audit trail for compliance. And as I said, it works with
compliance. And as I said, it works with your existing tech stack. Everybody like
your existing tech stack. Everybody like I'll give you an example. Service Now,
I'll give you an example. Service Now, PaloAlto Networks, Microsoft, of course,
PaloAlto Networks, Microsoft, of course, Google, of course, AWS, and on and on
Google, of course, AWS, and on and on and on. That's nice. You don't have to
and on. That's nice. You don't have to adjust how you work to work with Big ID.
adjust how you work to work with Big ID. Big ID's advanced AI models let you
Big ID's advanced AI models let you reduce risk, accelerate time to insight,
reduce risk, accelerate time to insight, and gain visibility and control over all
and gain visibility and control over all your data. This is where I really think
your data. This is where I really think AI shines. when it's got a specific
AI shines. when it's got a specific focused task, it's it can be so useful
focused task, it's it can be so useful and so good. Intuitit named it the
and so good. Intuitit named it the number one platform for data
number one platform for data classification in accuracy, speed, and
classification in accuracy, speed, and scalability. It really works. And some
scalability. It really works. And some of the customers, well, people love Big
of the customers, well, people love Big ID so much they're happy to give it a
ID so much they're happy to give it a testimonial. Like for instance, the US
testimonial. Like for instance, the US Army. Yes, the US Army. Big ID equipped
Army. Yes, the US Army. Big ID equipped the army to illuminate dark data. I can
the army to illuminate dark data. I can imagine that after 250 years they
imagine that after 250 years they probably have quite a bit to accelerate
probably have quite a bit to accelerate their cloud migration which is a big
their cloud migration which is a big priority for the services to minimize
priority for the services to minimize redundancy and to automate data
redundancy and to automate data retention something they have to do for
retention something they have to do for a variety of legal reasons as well. US
a variety of legal reasons as well. US Army Training and Doctrine Command gave
Army Training and Doctrine Command gave them such a great testimony. Let let me
them such a great testimony. Let let me read it to you. This is a direct quote.
read it to you. This is a direct quote. Quote, "The first wow moment with Big
Quote, "The first wow moment with Big ID," they said, came with being able to
ID," they said, came with being able to have that single interface that
have that single interface that inventories a variety of data holdings,
inventories a variety of data holdings, including structured and unstructured
including structured and unstructured data across emails, zip files,
data across emails, zip files, SharePoint, databases, and more. To see
SharePoint, databases, and more. To see that mass and to be able to correlate
that mass and to be able to correlate across those is completely novel. I've
across those is completely novel. I've never seen a capability that brings this
never seen a capability that brings this together like Big ID does. End quote.
together like Big ID does. End quote. That's pretty good. CNBC recognized Big
That's pretty good. CNBC recognized Big ID as one of the top 25 startups for the
ID as one of the top 25 startups for the enterprise. They were named to the Inc.
enterprise. They were named to the Inc. 5000 and Deote 500, not just once, but
5000 and Deote 500, not just once, but four years in a row. The publisher of
four years in a row. The publisher of Cyber Defense magazine says, quote, "Big
Cyber Defense magazine says, quote, "Big ID embodies three major features we
ID embodies three major features we judges look for to become winners.
judges look for to become winners. Understanding tomorrow's threats today,
Understanding tomorrow's threats today, providing a coste effective solution,
providing a coste effective solution, and innovating in unexpected ways that
and innovating in unexpected ways that can help mitigate cyber risk and get one
can help mitigate cyber risk and get one step ahead of the next breach. Start
step ahead of the next breach. Start protecting your sensitive data wherever
protecting your sensitive data wherever your data lives at bigid.com/security
your data lives at bigid.com/security now. Get a free demo and see how Big ID
now. Get a free demo and see how Big ID can help your organization reduce data
can help your organization reduce data risk and accelerate the adoption of
risk and accelerate the adoption of generative AI safely. Again, that's
generative AI safely. Again, that's bigid.com/security
now. Oh, and while you're there, there's a free white paper that provides
a free white paper that provides valuable insights for a new framework
valuable insights for a new framework that's just coming down the pike. It's
that's just coming down the pike. It's called AI Trism. T R I SM. That's AI
called AI Trism. T R I SM. That's AI trust, risk, and security management.
trust, risk, and security management. It'll help you harness the full
It'll help you harness the full potential of AI responsibly. And that
potential of AI responsibly. And that paper is free at bigid.com/security
now. Thank him so much for supporting Steve and security now. Back to you,
Steve and security now. Back to you, Steve.
Steve. So, a random observation uh that I'm
So, a random observation uh that I'm beginning to see the infamous scattered
beginning to see the infamous scattered lapses hunters uh being referred to by
lapses hunters uh being referred to by the abbreviation SLH. I I said no
the abbreviation SLH. I I said no biggie, but SLH uh I don't know if it'll
biggie, but SLH uh I don't know if it'll catch on, but they have been so much in
catch on, but they have been so much in the news that the security industry
the news that the security industry appears to feel that they've become
appears to feel that they've become abbreviation worthy. So, uh the news
abbreviation worthy. So, uh the news blurb that caught my eye referred to
blurb that caught my eye referred to SLH.
SLH. uh it was a note saying that the the
uh it was a note saying that the the security firm believed that they have
security firm believed that they have seen SLH's
seen SLH's focus shifting from Salesforce over to
focus shifting from Salesforce over to Zenesk.
Zenesk. >> Um so SLH appeared to be enamored of the
>> Um so SLH appeared to be enamored of the you know SAS model the software as a
you know SAS model the software as a service exploitation like of customers
service exploitation like of customers of that. Um there was a at this point a
of that. Um there was a at this point a lack of razor sharp attribution for some
lack of razor sharp attribution for some of the very recent Zenesk related
of the very recent Zenesk related attacks but there have been some and the
attacks but there have been some and the suspicion is it is SLH. So we now have
suspicion is it is SLH. So we now have SLH as a as an as a abbreviation for
SLH as a as an as a abbreviation for scattered lapses hunters. Not quite as
scattered lapses hunters. Not quite as fun as scattered lapses hunters but what
fun as scattered lapses hunters but what the hell. Um, and I just completely off
the hell. Um, and I just completely off topic. I suppose we should have seen
topic. I suppose we should have seen this coming. I I this next bit of news
this coming. I I this next bit of news is not security related, [clears throat]
is not security related, [clears throat] but it's tangentially AI related. And I
but it's tangentially AI related. And I thought that our computer centric
thought that our computer centric listeners would find it interesting. the
listeners would find it interesting. the the short blurb that first caught my
the short blurb that first caught my attention and I'd seen something about
attention and I'd seen something about it passed by but hadn't paused uh was
it passed by but hadn't paused uh was Micron exits consumer RAM market and the
Micron exits consumer RAM market and the little blurb said American hardware
little blurb said American hardware vendor Micron will leave the consumer
vendor Micron will leave the consumer RAM market and discontinue its Crucial
RAM market and discontinue its Crucial brand and of course Crucial has been a
brand and of course Crucial has been a has been a well-known uh you know
has been a well-known uh you know consumer RAM memory brand for years.
consumer RAM memory brand for years. They wrote, "The move the move comes as
They wrote, "The move the move comes as the AI boom has led to an explosion in
the AI boom has led to an explosion in prices in RAM and SSDs as AI companies
prices in RAM and SSDs as AI companies build data guzzling data centers and
build data guzzling data centers and have swallowed almost the entire market
have swallowed almost the entire market output for the next few years.
output for the next few years. So, okay, you know, I guess we should
So, okay, you know, I guess we should have seen this coming." Uh, that led me
have seen this coming." Uh, that led me to look for some additional detail which
to look for some additional detail which I thought that our listeners would
I thought that our listeners would appreciate. I found a nice piece over on
appreciate. I found a nice piece over on The Verge whose headline was, "Ram
The Verge whose headline was, "Ram prices are so out of control that stores
prices are so out of control that stores are selling it like lobster."
are selling it like lobster." They wrote, "U Michael Krider's headline
They wrote, "U Michael Krider's headline at PC World today perfectly captures how
at PC World today perfectly captures how ridiculous the PC memory shortage has
ridiculous the PC memory shortage has become. Stores like the San Francisco
become. Stores like the San Francisco Bay Area's Central Computers are
Bay Area's Central Computers are beginning to sell RAM at market prices
beginning to sell RAM at market prices like you'd pay for the catch of the day
like you'd pay for the catch of the day at a seafood restaurant. A message
at a seafood restaurant. A message posted in the store's display case
posted in the store's display case reads, quote, "Costs are fluctuating
reads, quote, "Costs are fluctuating daily as manufacturers and distributors
daily as manufacturers and distributors adjust to limited supply and high
adjust to limited supply and high demand. Because of this, we cannot
demand. Because of this, we cannot display fixed prices at this time."
display fixed prices at this time." MicroEnter is apparently doing the same.
MicroEnter is apparently doing the same. Quote, "Due to market volatility, we ask
Quote, "Due to market volatility, we ask that you please see a sales associate
that you please see a sales associate for pricing." unquote. They wrote, "It's
for pricing." unquote. They wrote, "It's hard to overstate just how quickly the
hard to overstate just how quickly the RAM crunch is changing the affordability
RAM crunch is changing the affordability of computers, and it might soon impact
of computers, and it might soon impact other realms as well, as everything from
other realms as well, as everything from game consoles to smartphones require RAM
game consoles to smartphones require RAM to function. Three months ago yesterday,
to function. Three months ago yesterday, the author said, "I bought 32 gig of
the author said, "I bought 32 gig of memory for my gaming PC. And at the
memory for my gaming PC. And at the price of that exact kit, oh, sorry, and
price of that exact kit, oh, sorry, and the price of that exact kit has more
the price of that exact kit has more than tripled since then, three months
than tripled since then, three months ago." He says it now costs $300 more.
ago." He says it now costs $300 more. Now 440 versus 130, in case you're
Now 440 versus 130, in case you're curious, he said for 32 gig. He said a
curious, he said for 32 gig. He said a more common version of the same kit went
more common version of the same kit went from 105 to 400. Some prices have
from 105 to 400. Some prices have doubled since October. And while you can
doubled since October. And while you can still find some 32 gig kits for as low
still find some 32 gig kits for as low as $230, a 64 gig DDR5 kit can easily
as $230, a 64 gig DDR5 kit can easily run you 700, $800, even $900.
run you 700, $800, even $900. Some high-profile product launches might
Some high-profile product launches might be impacted by the price of memory.
be impacted by the price of memory. Valve pointed to the RAM crunch as one
Valve pointed to the RAM crunch as one of the reasons it could not promise a
of the reasons it could not promise a specific price for its steam machine
specific price for its steam machine just yet. Just as out of control
just yet. Just as out of control um he said oh the author said just as
um he said oh the author said just as outofcontrol GPU prices from earlier
outofcontrol GPU prices from earlier this year have finally settled down,
this year have finally settled down, runaway memory prices might make them
runaway memory prices might make them shoot back up again. Every graphics card
shoot back up again. Every graphics card requires gobs of VRAM. More is better.
requires gobs of VRAM. More is better. And word is that Nvidia and AMD are
And word is that Nvidia and AMD are preparing to raise prices to compensate
preparing to raise prices to compensate for the crunch. Digital Foundry is
for the crunch. Digital Foundry is recommending you buy a GPU at or below
recommending you buy a GPU at or below MSRP while you still can, one with 10
MSRP while you still can, one with 10 gig or more of VRAM. Microsoft may also
gig or more of VRAM. Microsoft may also have to raise Xbox prices yet again to
have to raise Xbox prices yet again to compensate, but Sony has stockpiled
compensate, but Sony has stockpiled enough RAM for the PS5 to last some
enough RAM for the PS5 to last some number of months. Epic CEO Tim Sweeney
number of months. Epic CEO Tim Sweeney says it may take years for high-end
says it may take years for high-end gaming to recover from the RAM crunch
gaming to recover from the RAM crunch because of AI. He says, "Factories are
because of AI. He says, "Factories are diverting leading edge DRAM capacity to
diverting leading edge DRAM capacity to meet AI needs where data centers are
meet AI needs where data centers are bidding far higher than consumer device
bidding far higher than consumer device makers."
makers." Wow. So, I noted um another piece in the
Wow. So, I noted um another piece in the news yesterday that said 200
news yesterday that said 200 environmental groups. You know, first of
environmental groups. You know, first of all, I didn't realize there were 200
all, I didn't realize there were 200 environmental groups. 200 environmental
environmental groups. 200 environmental groups are demanding, I love that choice
groups are demanding, I love that choice of words, a halt to the construction of
of words, a halt to the construction of new US data centers. You know, I guess
new US data centers. You know, I guess just on principle. Um, first of all, you
just on principle. Um, first of all, you know, good luck with that. um uh that
know, good luck with that. um uh that might have stood some chance of
might have stood some chance of happening, you know, if we had a
happening, you know, if we had a bleeding heart Democrat running the
bleeding heart Democrat running the countries at the moment. But, you know,
countries at the moment. But, you know, our President Trump recently again
our President Trump recently again declared that global warming was a hoax
declared that global warming was a hoax and that wind turbines cause cancer. So
and that wind turbines cause cancer. So I would be highly skeptical that any
I would be highly skeptical that any number of environmental groups, doesn't
number of environmental groups, doesn't matter how many you gather together, are
matter how many you gather together, are going to get much traction in the
going to get much traction in the Washington climate at the moment. But
Washington climate at the moment. But what's interesting to me from a
what's interesting to me from a technology standpoint is that it does
technology standpoint is that it does appear that the desire to concentrate
appear that the desire to concentrate an unprecedented
an unprecedented amount of computational capacity uh
amount of computational capacity uh within a comparatively small physical
within a comparatively small physical area is truly causing trouble. Right? If
area is truly causing trouble. Right? If nothing else, we know that just getting
nothing else, we know that just getting that much electrical power service to a
that much electrical power service to a single location is not something that
single location is not something that the existing power grid was originally
the existing power grid was originally set up to deliver, nor does it
set up to deliver, nor does it accommodate much variation without a lot
accommodate much variation without a lot of lead time.
of lead time. And when you step back to think about
And when you step back to think about it, the only reason to want or to
it, the only reason to want or to arguably, you know, make a case for
arguably, you know, make a case for needing that much computation in such a
needing that much computation in such a small physical space has to be economies
small physical space has to be economies of scale. Um, what I mean by that is it
of scale. Um, what I mean by that is it what's being built is not a single
what's being built is not a single humongous brain. It's a very large
humongous brain. It's a very large number of individual small brains and
number of individual small brains and they don't actually all need to be under
they don't actually all need to be under the same roof or even in the same state
the same roof or even in the same state for that matter. It's just more
for that matter. It's just more convenient and more coste effective if
convenient and more coste effective if they're all grouped together in one
they're all grouped together in one place. That way they can all share staff
place. That way they can all share staff and utilities and walls and security and
and utilities and walls and security and cooling and a parking lot and so on. You
cooling and a parking lot and so on. You know, and this sort of suggests that a
know, and this sort of suggests that a reasonable compromise might be to limit
reasonable compromise might be to limit the total size of individual AI data
the total size of individual AI data centers, have more of them, and spread
centers, have more of them, and spread them around more. You know, and that
them around more. You know, and that said, I you know, I certainly get the
said, I you know, I certainly get the coolness factor of having a massive AI
coolness factor of having a massive AI de data center. I mean, I understand
de data center. I mean, I understand that that, you know, appeals to the tech
that that, you know, appeals to the tech bros. Um, and you know, if AI actually
bros. Um, and you know, if AI actually made money and could pay for itself,
made money and could pay for itself, then you'd have a potentially viable
then you'd have a potentially viable business model. So, I guess you have to
business model. So, I guess you have to save as much money as you can on
save as much money as you can on facilities hoping that you know you're
facilities hoping that you know you're saving money everywhere you can because
saving money everywhere you can because none of this yet makes economic sense.
none of this yet makes economic sense. >> You know, Leo, what does make economic
>> You know, Leo, what does make economic sense?
sense? >> Is it that time again?
>> Is it that time again? >> No.
>> No. >> Oh,
>> Oh, >> what makes economic sense?
>> what makes economic sense? >> What makes economic sense is GRC's new
>> What makes economic sense is GRC's new DNS BENCHMARK.
DNS BENCHMARK. >> OH, I CAN'T WAIT. THIS IS OH, WE'VE been
>> OH, I CAN'T WAIT. THIS IS OH, WE'VE been wait How long How long you been? Well,
wait How long How long you been? Well, first of all, you wrote it once before.
first of all, you wrote it once before. >> Yes. Um, I actually had and somebody
>> Yes. Um, I actually had and somebody found in a directory of theirs
found in a directory of theirs a the beginnings of a DNS
a the beginnings of a DNS speed test in 2002.
speed test in 2002. So,
So, yeah, long time ago. And I distinctly
yeah, long time ago. And I distinctly remember in ' 08 um in in in 2008
remember in ' 08 um in in in 2008 writing the first version one of the DNS
writing the first version one of the DNS benchmark at Starbucks. I I had I had a
benchmark at Starbucks. I I had I had a little a little like road show where you
little a little like road show where you know because I have to have a clanky
know because I have to have a clanky keyboard, right? And so I had a I had a
keyboard, right? And so I had a I had a >> Who's that guy with that clanky keyboard
>> Who's that guy with that clanky keyboard again?
again? >> Well, and of course Starbucks the
>> Well, and of course Starbucks the Starbucks I was going to was across from
Starbucks I was going to was across from UCI, so it's all students. Irvine. Yeah.
UCI, so it's all students. Irvine. Yeah. >> And they're and they're they all have,
>> And they're and they're they all have, you know, spongy quiet Apple keyboards.
you know, spongy quiet Apple keyboards. And I'm over in the corner going
And I'm over in the corner going clankity clanky clank clank clankity
clankity clanky clank clank clankity clank, [laughter] you know.
clank, [laughter] you know. >> And I would I would get there. They
>> And I would I would get there. They opened at 4:30. So I would get there
opened at 4:30. So I would get there because I had to have
because I had to have >> Yeah. 4:30 a.m.
>> Yeah. 4:30 a.m. >> Yeah. Okay. And so and I would I had to
>> Yeah. Okay. And so and I would I had to have my corner, right? So I would be the
have my corner, right? So I would be the first person there. I would unlock you
first person there. I would unlock you were
were >> I would unlock the door because they
>> I would unlock the door because they they hired you university students who
they hired you university students who were short and they couldn't reach the
were short and they couldn't reach the the the door's upper lock
the the door's upper lock >> because the guy with the clanky keyboard
>> because the guy with the clanky keyboard he's going to
he's going to >> having me there having me there I they
>> having me there having me there I they wouldn't have
wouldn't have >> still get up at 4:30 a.m. No, Lord. No.
>> still get up at 4:30 a.m. No, Lord. No. >> Oh, this is a long time ago.
>> Oh, this is a long time ago. >> This was in I happen to know that it was
>> This was in I happen to know that it was in 2008 when I wrote the benchmark.
in 2008 when I wrote the benchmark. Okay.
Okay. >> Yeah. And so I just sat there and and
>> Yeah. And so I just sat there and and then you and then I was part of a group
then you and then I was part of a group of of regulars. And so around 6:30 some
of of regulars. And so around 6:30 some of the regulars would start showing up
of the regulars would start showing up and so I'd pause and you know talk to
and so I'd pause and you know talk to them and then and then they'd wander off
them and then and then they'd wander off and I'd go back to work. Now I
and I'd go back to work. Now I understand why you go to Starbucks
understand why you go to Starbucks because
because >> I wouldn't want to be in a crowded
>> I wouldn't want to be in a crowded coffee shop trying to focus, but at 4:30
coffee shop trying to focus, but at 4:30 a.m. it's you got the place to yourself
a.m. it's you got the place to yourself >> and lots of coffee to boot.
>> and lots of coffee to boot. >> So that's good. I could see you get
>> So that's good. I could see you get those two hours of solid work there.
those two hours of solid work there. Yeah.
Yeah. >> Yes. And and I would leave at a little
>> Yes. And and I would leave at a little after 4. So I would spend about a full
after 4. So I would spend about a full 12 hours
12 hours in a single stint and then I'd go find
in a single stint and then I'd go find some dinner.
some dinner. >> Holy cow. That was my routine. And I I
>> Holy cow. That was my routine. And I I also perfected the putting the sponge
also perfected the putting the sponge ear foam things deep into my ear canal
ear foam things deep into my ear canal and then putting these Bose sound
and then putting these Bose sound blockers on top of that. So, you know, I
blockers on top of that. So, you know, I would just see people's mouths moving,
would just see people's mouths moving, but I'd just be in my zone for about 12
but I'd just be in my zone for about 12 hours a day writing the benchmark.
hours a day writing the benchmark. >> And And you did this at Starbucks. Why?
>> And And you did this at Starbucks. Why? >> Because it was better than being home
>> Because it was better than being home alone.
alone. >> Okay. Okay. I mean, you know, a little
>> Okay. Okay. I mean, you know, a little socializing
socializing >> people around. Yeah. Yeah.
>> people around. Yeah. Yeah. >> Yeah. And I I didn't have to walk far to
>> Yeah. And I I didn't have to walk far to get more coffee, so [laughter]
get more coffee, so [laughter] it was good.
it was good. >> Anyway, so
>> Anyway, so >> I did not I've known you for so long. I
>> I did not I've known you for so long. I had no idea that's what you were doing.
had no idea that's what you were doing. Wow.
Wow. >> Yeah.
>> Yeah. >> Okay. So, you're in a sprint to write
>> Okay. So, you're in a sprint to write this.
this. >> This would have been 08. This was during
>> This would have been 08. This was during the podcast.
the podcast. >> Yeah.
>> Yeah. >> Yeah.
>> Yeah. >> Like I said, I I had no idea. [laughter]
>> Like I said, I I had no idea. [laughter] >> Okay. Anyway, so um uh put this on GRC,
>> Okay. Anyway, so um uh put this on GRC, made it available, and
made it available, and as I've mentioned before, for many,
as I've mentioned before, for many, many, many years, it was seeing more
many, many years, it was seeing more than a thousand downloads a day.
than a thousand downloads a day. >> I used it all the time. I still do.
>> I used it all the time. I still do. Yeah,
Yeah, >> we have more than 9.7, I think it is, or
>> we have more than 9.7, I think it is, or maybe 8 million total downloads. And I
maybe 8 million total downloads. And it had gotten to be 16 years old. And so it was a year ago, it was in December of 2024, that I had finished with SpinRite 6.1. That was finished. Put it to bed. It's like, okay, I've made my commitment to give everybody a free update to SpinRite even after 20 years. And I thought, okay, I want to see what I can do with, like, bringing the DNS Benchmark back up to speed. Anyway, so I spent a year working with a bunch of neat guys, and Leila, who may be our one female in the GRC DNS.dev group, you know, our newsgroup, old-school NNTP servers.

And for a while, I remember I talked on the podcast about imagining having... well, so the idea was to do something GRC has never done before, which is to have an inexpensive commercial product. You know, the only thing I ever had was SpinRite at $89, and I wanted to try doing a, you know, under-$10, well, a little bit under $10, $9.95. Fill it with features, bring it up to date, and offer something that I thought was a good value for a good price. So what happened on Friday was that we had a couple almost-finished things that needed to get fixed and changed.

As everybody knows, the original benchmark was only able to benchmark IPv4 servers, which is almost all there was back at the time. So the big change was I needed to add IPv6 support. But then of course none of the UDP resolution is encrypted. So it's not authenticated. It's not encrypted. So we have DoH and DoT. Android devices support DoT natively. All of our browsers support DoH natively. So, and in fact, in the picture there, Leo, you can see the IPv6 addresses being lots of little digits in two rows.

>> They're huge.

>> And fourth from the bottom is a DNS over TLS server that's also in the list. Anyway, essentially what's happened is over the course of these 16 years, the internet has changed a lot.

>> Oh yeah.

>> And the big problem I had was that I had a bunch of false starts trying to figure out how to get this thing to do IPv6 and TLS connections, because IPv4 addresses fit in 32 bits and I was working in a 32-bit architecture. So resolver addresses were, like, they fit in registers. Well, not in the future they didn't. So that all had to get changed.

But the biggest thing that has really changed is that version one prioritized cached lookups over all else. And that's changed. When, you know, we've been talking about things like uBlock Origin and other content control utilities, we've noted that the content of today's websites is now being pulled from scores of different places, you know, from all over the internet: libraries and ads and trackers and, like, chat add-ons and AI popups and all this junk that are now on web pages. Well, those all require DNS lookups. So what's changed is that whereas a server's caching performance was probably most important back in 2008 when I wrote version one, that's no longer true.

So what the original DNS Benchmark has done, I mean has always done and still does at version one, is it first sorts the resolver performance by their cached performance. That completely dominated, by design, all of its resolver ranking. Cache performance, as we know, would be the amount of time that a resolver would need to reply to a query for a domain's IP that it already knew, that it had already cached locally from someone, you maybe or someone previously, asking for it, and it not having yet expired, because, you know, all of the records that DNS caching resolvers cache have an expiration time, which allows the internet to update itself for changing IPs. It turns out that internet transit times completely dominate that measure. Whatever it is we're measuring when we measure cache performance, all of that time is the time it takes the query to get to and back from the resolver. So it is essentially equal to just pinging the resolver. We've tested that. It's about the same. And while it may not seem very useful to know what a resolver's, essentially its ping time is, it turns out that DNS performance is all about connectivity: how well are you connected to the resolver that you are asking for IP addresses from?

So as I said, the problem was that's all that version one of the benchmark took into consideration. If a resolver close by you could beat out other resolvers, then version one of the benchmark gave it the highest rating. It was at the top of the list, and it was only in the case of a tie in cached performance within its 1 millisecond resolution that the uncached lookup performance would be considered as the second sort key. Essentially, it was like a multi-key sort where the first key, you know, does the gross arrangement and the second sort key does the finer-grain arrangement within the grossly arranged first key. So the problem with that was that a resolver might reply to cached queries in five milliseconds but then take 10 times as long, like 50 milliseconds, to perform a lookup for something it didn't already have in its cache. Whereas another resolver might take only 1 millisecond more, 6 milliseconds, to reply to a cached query, but be much faster for looking up uncached data, like 10 milliseconds. So you'd much rather be using that second resolver. Unfortunately, you know, well, again, in '08, cached performance dominated because most of the material was coming from the domain you were browsing to. Most servers were providing you all of the content. Now, that's no longer the case.

So, the other little confounding thing is that 16 years ago in 2008, no one had local border routers that were also serving as caching resolvers. You know, we had NAT back then, but those early NAT routers were not doing DNS lookups for their NAT clients as they are now. So that matters because the original version of the benchmark would be seriously overimpressed by the performance of that local caching DNS router or resolver sitting right there on our LAN. How could any remote DNS resolver, no matter how fast it might be, possibly compete with a caching resolver that was sitting right next to the user on their own LAN? So, you know, just try pinging your LAN's gateway and you'll see how quickly it responds. No other DNS resolver out on the internet can compete. And again, version one of the benchmark was only looking at cached performance.

So, what does the new version two do? It takes the average of all three types of DNS queries: cached, uncached, and .com resolution. It's got four sorting options. The original cached-first sort is still there for anyone who might want it for some reason. But the new default is best performance, which averages all three types. So anyway, I've spoken before about all the features that are in there. We learned that we were not getting much benchmark-to-benchmark consistency. It turns out that even asking 50 different domains for their IPs for each of your resolvers, there's enough jitter in the internet, because the internet's gotten busier and it's gotten bigger than it used to be, that we need to do more asking in order to get statistical significance from the data that we're collecting. So this thing allows you by default to run essentially five rounds of the benchmark and aggregate all the data. But you can also go for 10, 20, 50, and 100 if you don't mind waiting like four hours for a 100x benchmark. And what's interesting is that you see all of the sorting stabilizing after a while, because initially the ranking is jumping around because of internet jitter, and it actually takes a lot more looking. Anyway, short version is I'm done with the benchmark. Anyone can have it for $9.95.

I appreciated what Andy said, or, not Andy,