This episode of Security Now covers a range of cybersecurity and technology news, including significant government regulatory actions, a critical software vulnerability, and the impact of AI on hardware pricing, alongside the launch of Steve Gibson's new DNS Benchmark tool.
It's time for Security Now. Steve Gibson
is here with lots of security news.
Apple says no. India says yes.
Scattered LAPSUS$ Hunters has a new name.
RAM prices going through the roof. And
Steve's announcing a new product finally
available for sale as of today. All of
that and the worst [music] code exploit
Podcasts
[music] you love
>> from people you trust.
>> This is Security Now with Steve Gibson.
Episode 155, recorded Tuesday, December
9th, 2025. React's Perfect 10. It's time
for Security Now, the show we cover your
security, your privacy, and all the exciting
attacks that are happening [laughter] on
the internet today with this guy right
here. This here is Steve Gibson, my
friends. Hello, Steve.
>> A comprehensive overview of bad news.
>> Well, there's one this week. Holy cow.
>> Yeah, there is some good news, though.
>> Oh, good. the benchmark is done and it's
on sale. So, we will talk about that. Uh
so, uh for episode 1,55
for this uh we're cruising through
December uh episode uh which is titled
React's Perfect 10 because Oh
yeah. Um, we'll we'll get into what
React is. A and Perfect 10 was actually
a quote from one of the security people
who said, "Oh, this this is really the
the bad guys are going to be feeding off
this one for quite a while." But we're
going to talk about, of course, a bunch
of other stuff. First, uh, France's
Vanity Fair facing a stiff fine over
what they did with cookies and it they
didn't eat them. Uh, GrapheneOS, speaking
of France is pulling out of France over
like bad behavior of French authorities
thinking that they can I guess bully
these guys because they're not Apple or
they're not Google so let's get you know
let's pound on the small open-source
guys so they're saying no thanks we're
leaving um [clears throat]
the EU is adding to the pileup uh over
underage social media and I thought you
guys over on MacBreak had a great
conversation about all this, Leo. That
was, you know, I mean, we're we're all
pretty much on the same page with all of
this, right? I mean, why wouldn't we be?
Because there's [clears throat]
>> it's kind of there is a right answer.
Uh, also, boy, India was busy and and I
think you guys talked about that a
little bit too. I don't know what has
happened in India, but they they
mandated the tracking of all
smartphones. I heard you guys talking
about GPS, which I didn't pick up on.
Then Apple said no. Then they India
changed their mind and it's just what
what what's the rule today uh over
there. Uh they but apparently and they
haven't backed down. They're also going
to require all encrypted messaging to be
sim tied. So there's another thing we'll
talk about that. Uh, Scattered LAPSUS$
Hunters, the infamous and unfortunately
quite well-known and quite successful
bad guy group. uh they've got an initial
now instead of having having to say
Scattered LAPSUS$ Hunters and not
remembering who they are. Um also
nonsecurity related topic AI demand
driving RAM pricing through the roof to
the point where you can there's no fixed
pricing. You got to it's like well what
is the lobster cost today? So, okay. Uh,
I am going to talk a little bit about
the DNS benchmark which, uh, went on
sale on Friday after it was like done.
Uh, and it's I'm so proud of what it
ended up being. Uh, also, we've got a
couple pieces of feedback. Uh, one about
Cisco talking a good game, but they're
still Cisco. also uh browsers, this is
from Chrome, uh going to be asking users
for access to their local networks and
why that's just not going to be
>> I mean it's better than nothing, which
is what we've had so far, but oh boy.
And then finally, we're going to do a
deep dig into uh what is with React and
what happened and what does this mean?
So, I think uh maybe you know we it's
going to be okay.
>> We're working on it. We're getting
better with age. [laughter]
>> 20 years we've been doing this show.
>> Getting the hang of it.
>> All right. We will get to uh you forgot
the picture of the week coming up, too.
I haven't seen it.
>> This one had an unfortunate caption.
This one I struggled for the caption on
this one. I I had to show it cuz it's
such a fantastic picture, but I thought,
how can I like give it some context? I
tried. Will We'll we'll let our
listeners judge how I did
>> and maybe they'll come up with something
when you never know.
>> Oh, maybe. Of course we got.
>> Of course they will.
>> You betcha. [snorts]
>> Uh, our show today brought to you by Oh,
you know this name, 1Password.
>> It's easy to assume that being small
means flying under the radar. The
reality is small businesses are being
targeted more and more by bad actors.
You thought you were immune, right?
Cyber criminals know that lean teams
often lack the resources to prevent or
respond to a breach. In short, the bad
news is teams of any size can be a
target. The good news is even the
smallest teams can foil cyber crime.
1Password provides simple security to
help small teams manage the number one
risk that bad actors exploit, weak passwords.
1Password provides centralized
management to make sure your company's
login secure. It's a simple turnkey
solution that can be rolled out in hours
whether you have a dedicated IT staff or
not. And however your complex your
security needs may get, 1Password
will stay with you every step of the
way. A password manager should be the
first security purchase you make for
your team. I really believe that small
businesses need to plan for the worst
case scenario and guard against cyber
attacks right from the start. For small
teams, responsibility for security often
defaults to a single employee. Often one
who's already juggling other business
functions. Yeah. Yeah. Sally down the
hall, she's the one in charge. The most
effective security solutions have to be
intuitive. Uh they also have to be
userfriendly because, you know, if it's
not easy to use, people won't use it.
You want everyone at your company to use
1Password. 1Password's enterprise
password manager helps your company
eliminate security headaches and improve
security by identifying weak and
compromised passwords and replacing them
with strong, unique credentials. And
don't let 1Password's name fool you.
They're not just a password manager.
1Password EPM, extended password
management lets you securely store and
share developer secrets and other
sensitive data and helps streamline the
transition to passwordless
authentication by transitioning to pass
keys. Love that. With 1Password
EPM's simple automated workflows, your
team can enforce security compliance and
prevent breaches and potentially
preventing millions of dollars in
losses. It's the single most impactful
investment you can make in your
company's security. And fortunately,
it's not expensive and it's easy to
implement. Take the first step to better
security by securing your team's
credentials. Find out more at 1password.com/securitynow
and start securing every login now.
Thank you so much for supporting
Steve and Security Now and picture of
the week time, Steve. Okay, so I gave
this pair of pictures the caption, "Each
year we jump through more hoops to
increase our security. It's become a
lot. How much does all that really help?"
>> Okay, so that's the caption for two
frames. The frame on the left shows a an
opening with a you know a red
uh rope line rope and the caption Google
when hackers try to hack my account. In
other words, [laughter]
>> okay, not that difficult,
>> right? And then the right one shows it
it is titled Google when I log into a
new device. [laughter] And this one I
didn't see the guard dog with its teeth
out down in the lower right initially.
So this one looks like something that
Maxwell Smart would have confronted
>> uh back in the day. It's got chains and
locks and and slide bars and triple
hinges and a keypad and
>> Meaning, God help you if you have to get
through this door. It's going to take
you an hour to unlock and and deal with
everything. And and of course that the
the the gist of this is something that
we do feel which is you know
accounts are still being hacked,
passwords are being uh obtained
uh people are still getting hacked yet
we're doing all this more stuff. I mean,
I have to say, Leo,
I love the one-time password idea,
>> but it gets a little tiresome after.
It's like, okay, you know, again, yeah,
fine. 326294.
It's like, okay, you know, and then
again, so it's like, so I look for those
check marks. Yes, I trust this device.
Leave me logged in, please. remember
that I've been here so that I so that
you'll believe me next time with less
rigomearroll. And which is not to say I
I believe me, I'm like I like onetime
passwords. All of this is good. One of
the strongest
measures of what one of the strongest improvements
is they should you be remembered at this
browser because no bad guy
can be remembered as you if they've
never logged in as you before from you
know some foreign country. So, it's it's
really good protection, but yes, it is
annoying Google when I log into a new
device. Google's doing the right thing.
You know, you've we've ne we've never
seen you logging in through this device
before, so we need a blood sample.
That's that's going to be good. Uh but,
you know, you're going to end up being
drained if you do it too often. So,
okay. Uh, we've noted before that
regulations that are not enforced will
often simply be ignored. In fact, I
could probably more strongly say will be
ignored until they're enforced because
it's like, yeah, you know, it's it's the
equivalent of that annoying high school
tough guy whose favorite retort was,
"Oh, yeah, make me." It's like, yeah,
fine. And in the news is that the
French edition of the Vanity Fair website
at vanityfair.fr
uh had their bluff called uh to the tune
and it's not it's an expensive call for
a cookie uh €750,000
euros. So that'll get your attention uh
and and you think wow isn't that a
pretty stiff penalty for just like some
problem with cookies. The company Les
Publications Condé Nast
publishes printed and online
magazines including the Vanity Fair
magazine. Six years ago, okay, six years
ago, way back in December of 2019, the CNIL,
which is the abbreviation for, you know,
it's in French for France's Data
Protection Agency,
uh received a public complaint. So, the
agency received a complaint from the
association noyb,
which is Europe's Center for Digital
Rights, and it doesn't actually stand
for none of your business, but it's a
great abbreviation for noyb. Um, so, so
noyb, which does not stand for none of
your business, but it's too bad it
doesn't, uh, complained to CNIL,
French's data protection agency,
about cookies being placed on the
devices of users visiting vanityfair.fr.
Um, this was happening without any user
notification or permission. After
several investigations and discussions
an order to comply in September of 2021.
So first of all
not you know almost two years right
December 19 this began December 2019
this began. September 21
nearly two years later finally fine you
you've got to remove your cookies. fix
your cookies because your cookies are
not working right. And then the
proceedings were closed in July of 2022.
Now, it's not clear whether the
proceedings were closed the next summer
after verification that Condé Nast
and their vanityfair.fr site was doing
the right thing or not would closed a
year later in July and also in November
of 2023. Then again in February of 25,
the CNIL carried out further online
investigations. So it sounds like they
just assumed Condé Nast would take care
of this, get it done following the order
after all these negotiations.
I don't know what you have to negotiate
over a cookie, but okay. Um so they so
CNIL went back and looked and what do
you think they found based on their
findings? the restricted committee as
it's known uh which is the the CNI CNIL
body uh responsible for issuing sanctions
considered that the company Les
Publications Condé Nast had failed to
comply with the obligations of article
82 of the French data protection act and
imposed that fine of I mean €750,000
um the amount of the fine is intended to
take into account the fact that the
company had already been issued with an
order to comply. It couldn't have come
as a surprise after nearly two years of
discussion about whether we're going to
receive an order or not and after which
they did. But apparently they just blew
it off. Uh, as well as the the the other
thing factored into this $750,000
fine is the number of people likely to
have been affected by this misbehavior
of their cookie policy and the various
breaches of the rules protecting users
with regard to said cookies. So, you
know, no one's going to shed a tear here
except some accountant at Vanity Fair.
uh if it wasn't, you know, and again, it
wasn't as if the fine
could have shocked anybody. Um they were
very clearly told what they needed to do
and they apparently just blew off CNIL
saying, "Yeah, you know, everybody else
does it." So, you know, I I would
imagine that someone's going to lose
their job or maybe a team, whoever is in
charge of cookies over at Vanity Fair.
3/4 of a million euros. Uh, which
could have been easily prevented. I
mean, what everybody else does is bring
up a little cookie banner and say, "Hey,
we want to store some stuff on your
computer. Just tell us it's okay. Click
here." But apparently either they didn't
do that or they did and they didn't
honor it. Who knows? Um anyway, so
I hope everybody else sees this that
when CNIL says you're in breach of our
regulations, now of course this in
against the backdrop of this whole wacky
model of cookie management getting ready
to change because the GDPR is being
updated. Um, and so we have California
now and the EU both saying browsers need
to accept a setting from their users,
transmit that setting to everywhere they
go, and everywhere they go needs to
honor what the user has said they want.
So, um, but you know, that was 10 years
ago, right, that all that came into
place. And so, it's going to take a
while for all this to catch up and change.
Meanwhile,
um, the very nice Android alternative,
and I think you were just talking about
it last week or the week before, Leo,
GrapheneOS, which is an Android
compatible API compatible or uh, yeah,
right, Android alternative, API
compatible. Um, they recently posted on
X that they're leaving France due to a
new French law that would mandate
breaking their encryption. Obviously,
no. [laughter] So, they posted, "We no
longer have any active servers in France
and are continuing the process of
leaving OVH."
OVH is a a French cloud hosting company
which they've been using. They said
France is no longer a safe country for
open-source privacy projects. They
expect backdoors in encryption and for
devices too. Secure devices and services
are not going to be allowed in France.
We don't feel safe using OVH for even a
static website with servers in Canada
and the US via their Canada US subsidiaries.
We were likely going to release an
experimental Pixel 10 support very soon,
but that's getting disrupted, so that'll
be delayed. They're saying the attacks
on our team with ongoing libel and
harassment, and they're talking from the
French authorities, from French law
enforcement. they're being harassed have
escalated. Raids on our chat rooms have
escalated and more. It's rough right now
and support is appreciated. So, [clears throat]
it appears that GrapheneOS believes
that they may have already been
compromised because they also posted
we'll be rotating our TLS keys and Let's
Encrypt account keys pinned via account URI.
DNSSEC keys may also be rotated. Our
backups are encrypted and can remain on
OVH for now. So that you know the reason
you rotate keys is you worry that they
could have been compromised that your
keys could be in somebody else's hands
meaning that TLS and your Let's Encrypt
domains and your DNSSEC
you know is not as sure as you'd like it
to be. So, they're going to change all
their keys after completely
excommunicating themselves from from any
dependence on on France-based servers.
Uh, in the thread that followed, uh, a
more lengthy which was a more length a
much more lengthy posting on X, which I
I won't bother everybody with, where
they go into all the details of of of
what's going on um, and and the way
they're going to be moving. Uh, someone
named Lars posted, "I'm a lead developer
for a hosting company in Denmark. We do
not have any backdoors or
not illegal for normal FOSS. We definitely
do not ask questions which and this was
posted you know offering the option of
some assistance or an alternative to the
GrapheneOS guys in the in you know in
reply in in the reply thread to their
posting whereupon the GrapheneOS guys
said we appreciate it but unfortunately
we'll likely have issues in Denmark too
due to their push to outlaw encryption
without back doors.
We'll hopefully still be able to operate
in the EU in general, but we want to
avoid chat control supporting countries
due to this experience.
Graphine OS is not based in the US and
is a nonprofit open-source project.
We're leaving France because we don't
trust that French law enforcement won't
coerce OVH to do something after a
judge signs off based on falsehoods.
We've been subject to attacks by law
enforcement on GrapheneOS,
including many false claims and also
direct threats.
Geez. So reading between the lines, it
sounds as though authorities with French
law enforcement have demanded that
GrapheneOS unlock some suspected
criminals' handsets and GrapheneOS has
tried to explain that they do not have
that capability. They wrote, "It's not
possible for GrapheneOS to produce an
update for French law enforcement to
bypass brute force protection since it's
implemented via the secure element." So,
you know, again, that sounds like like
French law enforcement is saying, "You
need to help us brute force open these
locked smartphones that are running your OS."
They uh GrapheneOS said the secure element
also only accepts correctly signed
firmware with a greater version after
the owner user unlocks successfully. So
may may have someone may have been
suggesting a downgrade attack where you
deliberately load older GrapheneOS
software onto the device in order to
bypass some of the later protections and
they're saying sorry that's been
accounted for in the design of this
can't do it. They wrote we would have no
legal obligation to do it even if we
could but it's not even possible. We
have a list of our official hardware
requirements including secure element
throttling for disk in disk encryption
key derivation. Okay, meaning that the
secure element throttles brute force
attacks making them in impractical and
that's in the hardware and there's
nothing they can do to get around it.
secure element throttling for disk
encryption key derivation combined with
insider attack resistance and and they
wrote and they aren't blaming goo and
they aren't blaming Google for this
design meaning they're saying that
GrapheneOS is at fault for making it
brute force impossible but it's actually
Google whose engineering
did this properly because users don't
want their smartphones to be hacked Then
they finish saying, "In Canada and the
US, refusing to provide a PIN and
password is protected as part of the
right to avoiding incriminating
yourself. In France, they've
criminalized this part of the right to
remain silent. Since France has
criminalized the refusal to provide a
PIN, why do they need anything from us?"
Which that's some good logic. And of
course, we don't know anything about
what the French authorities believe
might be on a criminal's confiscated
GrapheneOS-based smartphone, but we
certainly know why a suspect might
choose not to share their password with
the authorities. Right? We talked about
that trade-off ages ago back in the
context of TrueCrypt's early whole disk
encryption which was designed by
cryptographers who knew how to
completely and correctly protect a hard
drive's data. It was it was effectively
and practically not brute force
crackable because it was done right.
The bad guys might very well have
horribly incriminating material stored
on a TrueCrypted drive. So they would
much rather face some charges, whatever
they may be, for not providing their
password than provide the password and
have authorities learn firsthand just
how criminal they were. So I doubt that
law enforcement authorities will ever
accept, you know, ever in the future of
humanity accept the truth of being
unable to unlock an encrypted device or
spy on encrypted communications. They
just, you know, they know the data is
there. They want it. So, you know,
I'm sure they believe that they should
have the right to see inside anything
they choose under the logic of after all
they're the good guys, right? And of
course, we know that the EFF would beg
to differ. So,
so there's that, but it's also happening
in the EU. Uh, and Leo, I know you
talked about this over a Mac break. Here
we are. It is December 9th. We are on
the literal eve of the Australian law to
ban the use of social media, all social
media by anyone younger than 16.
Uh, as we know, this effectively
requires anyone who does wish to
continue using any social media to
arrange to prove that they are at least
16 years old. If that wasn't the
requirement, then somebody who was 14
could say, "Yeah, I'm an adult." Okay.
So, you know, the onus has been placed
unfortunately on the social media
providers to prevent the use of their
systems by anyone younger than 16.
So, we're recording this on December 9th
and tomorrow,
>> of course, it's already it's already
December 10th in Australia. So,
>> right,
>> it's going on now, I guess.
>> Right. Um, which is always weird. Why?
Why does it turn [laughter]
ne next year in New York
before it turns it? I don't get that,
Leo. But, you know, we're not a flat
earth that we are a spinning globe
>> and you know, it would be weird if it
was midnight
>> in the middle of the day. Yeah. Yeah.
So, that's that that wouldn't work
either. Um, so
what's different here? what's happening
now in Australia
is countrywide
and that's the that's the difference to
you know and and actually saying that
the whole world is watching is not an
exaggeration on Sunday uh today's
Tuesday so two days ago on Sunday the
New York Times piece was titled a grand
social media experiment begins in
Australia with the tag the country is
trying to wean children under 16 off the
likes of TikTok, Snapchat, YouTube, and
Instagram with a new law. The teenagers
are skeptical. [laughter] The New York
Times said Saturday, the BBC's headline
was, "Can you ban kids from social
media? Australia is about to, but some
teens are a step ahead." I I read the
BBC piece. kids are still using or are
are I'm sorry are are using still photos
of their parents or VPNs surprise.
UNICEF in Australia just has a piece
titled social media ban is was their
title. Uh and they summarized their
position by writing and this is UNICEF
writing from 10 December 2025 anyone
under 16 in Australia won't be able to
keep or make accounts on social media
apps like TikTok, Instagram, YouTube,
Snapchat X, Facebook and more. There's
10 total. The rule doesn't punish young
people or their families.
Instead, social media companies have to
stop under 16s from having accounts or
risk serious fines. And and the fines
are up to 50 million Australian dollars,
about 35 million US. They said the new
law is meant to make things safer
online, but UNICEF Australia believes
the real fix should be improving social
media safety, not just delaying access.
And and then for their part, the
Guardian headlined their piece. Everyone
will miss the socializing, but it's also
a relief. They said five young teens on
Australia's social media ban. And it was
an interesting article uh that they said
Australia's world world first social
media ban for under 16s will begin in
just a few days. This is written la on
the weekend. Malaysia, Denmark and
Norway are to follow suit and the
European Union last week passed a
resolution to adopt similar
restrictions. As the world watches on,
millions of Australian adolescents and
their parents are wondering just what
will actually change come 10 December
and NPR had a piece as well. As I said,
everybody's like, "Okay, the these guys
are going first. What's going to
happen?" So, it's going to be
interesting to see, right, how all this
pans out. Um, as I said, the economic
fine for repeated failure to enforce is
50 million Australian dollars, 35
million US. So that's not nothing. Um,
but there's also, of course,
reputational damage. Anybody who screws
this up is going to be in the news
because everybody's watching. So it's
clear that the 10 affected social media
platforms can't ignore this and do
nothing. Uh and we know that you know
the claim of being old enough that no
longer washes that we were we were all
happily using that for the last 20 years
but no more. So uh you know they're
going to need to adopt what some lame
measure that allows them to avoid
penalties while kids gleefully work
around and you know uh spoof the proof
of age which is pro what's going to be
happening a lot. And you know, I mean,
classrooms will be buzzing. Uh, everyone
will be talking about how they did it.
There was in in the in the BBC piece
that interviewed five teens, uh, one
13-year-old said she just took a picture
of her mom and showed it that and it
said, "Okay, go ahead." So, you know, my
feeling is that there was probably no
way to avoid the present mess that the
world is about to endure. and a mess
it's going to be. As we know, change is
difficult even when everyone is pulling
in the same direction and wants it. But
change when the platforms and their
users all want to leave things the way
they are and only some unseen government
legislators and their regulators want to
force change. It's just bound to be a
mess. I of course hope that some good
technology will eventually step into the
gap to provide privacy respecting age
verification but we don't have that yet
and we don't even appear to be close uh
since the handset the the handset makers
are very much strongly in the we don't
want this to be our problem camp
although I think that's exactly wrong I
I think you know that's the point of
contact between the user and the
technology ology is the handset and I
get it that Apple doesn't want to do
this but they're inching towards it. You
know, we we we've covered various of
those measures u as is Google. So, I
think they probably know that ultimately
they're going to need to be the place
where this decision gets made. It is the
right place. It's the logical place for
it to be. Um, and on the eve of this
first countrywide event, I wanted to
also note that the EU is now making much
the same noise, which one of those
articles talked about. Uh, and also
whereas Australia's human, which is to
say non-kangaroo population, is about
27.5 million, the total population of the
EU's current 27 member states is around
450.5 million.
So, a huge population. The European
Parliament News recently posted a piece
with the headline, "Children should be
at least 16 to access social media say
members of the European Parliament."
Those are members of the European
Parliament. MEP is an acronym, MEPs. Um,
however, things may be better in the EU
from a privacy and accuracy standpoint.
At least we can hope.
A vote was held two weeks ago uh two
weeks ago Wednesday where the members of
the European Parliament, these MEPs, uh
voted to adopt a non-legislative report
by 483 votes in favor, 92 against, and
86 abstentions. The report and their
votes expressed deep concern over the
physical and mental health risks minors
face online and called for stronger
protection against the manipulative
strategies that can increase addiction
and that are detrimental to children's
ability to concentrate and engage
healthily with online content. So here's
the part that caught my eye in that EU's
adopted reporting. They wrote just a
it's a short paragraph expressing
support for the commission's work to
develop an EU age verification app and
the European digital wallet, the EID
wallet. MEPs insist that age assurance
systems must be accurate and preserve
minors' privacy, which is to say
everyone's privacy, right? Because
again, you need to assert that you're
not a minor and you'd like your privacy
protected. It's funny how they get that
no one really latches on to that in in
any of this reporting. Such systems do
not relieve platforms of their
responsibility to ensure their products
are safe and age appropriate by design.
they add, but you know, so so these guys
may be moving forward in the in the
right way and with 450 million users and
Stina over there in the EU and it just
not being a hard problem to solve if you
want to solve it. I'm hopeful. So, you
know, the idea that that commission
would be pressing for an EU age
verification app,
that's really good news. um given some
means for establishing an individual's
date of birth which we know that may be
the European digital identity that date
can easily be protected inside the
device while simple assertions of older
than X are then trivial to generate with
total security and anonymity. As I said,
crypto can do this without without
breaking a sweat. So my takeaway here is
that yes, we're about to descend into
some extremely messy chaotic times, but
you know, given the kicking and
screaming by the platforms and their
users, this was inevitable given that
the legislations and the legislators are
just barreling ahead without any
solution to the well, we'll let the
other people solve the problem approach.
So the right people understand the
concepts of accurate privacy preserving
solutions and they know this is
possible. So I doubt that the world's
going to have to wait that long and that
we're eventually going to finally obtain
a good solution. And I know Leo, you
guys were talking about it over Mac
Break Weekly. The the the loss of the
loss of absolute unaccountability
is going to be mourned by some. But um
you know Jason was talking about the
loss of privacy.
That's just interim with we can do this
without any loss of privacy. Yes, you
will have to identify yourself
in order to in order to securely embed
your your date of birth in the device.
But once that's done, all the people
using it, that's the that's the real
difference here. We do not want to have
to be showing a driver's license
individually to every website we visit.
You're going to have to show it once to
your device and then and then be
biometrically locked to that so that it
knows uh you you that you didn't use
your license for a friend's phone uh in
in some fashion. So, you know, it needs
to be done right, but it can be and once
that's done, then that strongly
constrains any any further dissemination
of of privacy loss. That's where we're
going to end up being. So, it'll be fun
to watch it here on this podcast as it
happens. And it'll be fun for me to take
a sip of coffee, Leo.
>> Well, that we can arrange. I don't know
if we can help with the other one, but I
think we can arrange.
>> We can at least be here cheering.
>> Yes. Our show today brought to you by
the Oh, you need to know about the when
your data goes dark. Veeam turns the lights
back on. Veeam keeps enterprise
businesses running. When digital
disruptions like ransomware strike, and
you know, ransomware is just out there
waiting to strike. How? Well, by giving
businesses powerful data recovery
options that ensure you have the right
tool for any scenario. Broad, flexible
workload coverage from clouds to
containers and everything in between.
With BH, you get full visibility into
the security readiness of every part of
your data ecosystem. tested, documented,
and provable recovery plans that you can
deploy with a click of a button. How's
your recovery plan looking? This is why
you need VHIM. If you're out there in
the in the world and you're not
prepared, you need Veh. Veh is the
number one global market leader in data
resilience. That's the term. Just call
them the global leader in helping you
stay calm under pressure. That's the
offer. With VEH, it's all good. Keep
your businesses running at veh.com. vam.com.
All right, [clears throat]
back to Steve. So, [laughter] this is
such a weird path. Um, staying with the
topic of government legislators
seemingly all simultaneously losing
their multi-decade shyness toward
legislating our use of personal
technology, which sort of seems to have
happened globally all at once. We have
the news that the government of India
intends to verify and record every
smartphone in use by their citizens.
Uh, that was essentially TechCrunch's
headline last week, under which they
wrote: The Indian government is widening
the scope of its anti-theft and
cybersecurity initiative to cover both
new and used smartphones, an effort
aimed at curbing device theft and online
fraud, but a move that's also raising
fresh privacy concerns. Yeah, no
kidding. They wrote, "As part of the
expansion, the Indian Telecom Ministry
is requiring companies that buy or trade
used phones to verify every device
through a central database of IMEI
numbers. This comes in addition to a
recent directive," get this, "ordering
smartphone manufacturers to pre-install
the government's Sanchar Saathi app on
all new handsets and push it onto
existing devices through a software
update." Ordering smartphone
manufacturers to do that. Good luck with
that. Yeah. Uh, in other words, India is
now requiring all handset makers both to
pre-install a state-mandated app and
also to retro-install the app into all
existing devices.
TechCrunch continues, writing: Reuters
first reported the news on Monday, which
was later confirmed by the ministry in a
public statement. So the ministry said,
"Yep, that's right. Got to do that."
Launched in 2023, the Sanchar Saathi
portal allows users to block or trace
lost and stolen phones. The system has
blocked, I was a little surprised by
these numbers, Leo, the system has
blocked more than 4.2 million devices
and traced 2.6 million more devices, per
government data.
>> India is a big country and there's
hundreds of millions of cell phones in
use. So
>> Yeah. Yeah. Uh, the system expanded
earlier this year with the release of a
dedicated Sanchar Saathi app in January,
which the government says helped recover
more than 700,000 phones, including
50,000 in October alone.
Wow. So, uh, I guess they've got a
smartphone theft and reuse problem and
they're taking steps. Uh, TechCrunch
said the Sanchar Saathi app has since
gained broad adoption. The app has been
downloaded nearly 15 million times and
saw more than 3 million monthly active
users in November, up more than 600%
from its launch month, which would have
been in 2023. According to marketing
intelligence firm Sensor Tower, web
traffic to Sanchar Saathi has also
surged, with monthly unique visitors
rising more than 49% year-over-year, per
Sensor Tower data shared with
TechCrunch. So, okay. Up to this point,
it appears that the choice to have one's
smartphone protected with this tracing
and recovery app has been the user's.
But TechCrunch explains what's changed.
They wrote, "The government's order to
pre-install Sanchar Saathi has already
drawn
significant backlash from privacy
advocates, civil society groups, and
opposition parties. Critics argue the
move expands state visibility into
personal devices without adequate
safeguards. The Indian government
however says the mandate is intended to
address rising cases of cyber crime such
as IMEI duplication, device cloning,
fraud in the secondhand smartphone
market and identity theft scams.
Responding to the controversy, the
Indian telecommunications minister said
Tuesday that Sanchar Saathi is, quote,
"a completely voluntary and democratic
system," unquote. Okay. And that users
can delete the app if they do not wish
to use it. Which again sort of flies in
the face of the other things that were
previously
said. The directive reviewed by
TechCrunch and circulating on social
media on Monday instructs manufacturers
to ensure the pre-installed app is quote
readily visible and accessible to end
users at the time of first use or device
setup and that its functionalities are
not disabled or restricted," unquote,
raising questions about whether the app
is truly optional in practice.
India's deputy telecom minister said in
media interviews that most major
manufacturers were included in the
government's working group on the
initiative, though [clears throat] Apple
did not participate. Alongside pushing
the Sanchar Saathi app,
Two people familiar with the matter told
TechCrunch that the telecom industry is
piloting an additional program
interface, an API that would allow
recommerce and trade-in platforms to
upload customer identities and device
details directly to the government. The
move would mark a significant step
toward creating a nationwide record of
smartphones in circulation.
India's used smartphone segment is
expanding rapidly as rising prices of
new devices and longer replacement
cycles push more customers toward
cheaper alternatives. India became the
world's third largest market for
secondhand smartphones last year, in
2024.
But as much as 85% of the secondhand
phone sector remains unorganized,
meaning most transactions occur through
informal channels and through
brick-and-mortar stores. 85%, so only
15% are being, you know, formalized and
tracked. The government's move covers
only formal recommerce and trade-in
platforms, leaving much of the broader
used device market outside the scope of
the current measures.
Well, unless manufacturers are going to
be, uh, back-porting, you know,
back-installing this thing in any
software updates, which may still be
happening on remarketed phones. Anyway, TechCrunch
said while announcing the
pre-installation of its app, the Indian
government said the move would help
enable quote easy reporting of suspected
misuse of telecom resources unquote.
Privacy advocates say that the growing
data flows could give authorities
unprecedented visibility into device
ownership, raising concerns over how the
information could be used or misused.
The head of programs and partnerships of
the Toronto-based nonprofit
policy lab, Tech Global Institute, told
TechCrunch, quote, "It's a troubling
move to begin with. You're essentially
looking at the potential for every
single device being databased in some
form. And then what uses can it be put
to at a later date? We don't know,"
unquote. The Indian government has
not yet detailed how the collected data
will be stored, who will have access to
it or what safeguards will apply as the
system expands. Digital rights groups
say the sheer scale of India's
smartphone base estimated to your point
Leo at some 700 million devices.
>> Yeah. means even administrative changes
can have outsized consequences
potentially setting precedents that
other governments
may study or replicate.
quote, "While the intent behind a
unified platform may be protection,
mandating a single government-controlled
application risks stifling innovation,
particularly from private players and
startups who have historically driven
secure, scalable digital solutions,"
said the director of the New Delhi-based
technology think tank, uh, Esya Centre.
"If the government intends to build such
systems, they must be backed by
independent audits, strong data
governance safeguards, and transparent
accountability measures. Otherwise, the
model not only puts user privacy at
stake, but also removes fair competition
for the ecosystem to contribute and
innovate." Right? If the government's
already got that locked up, then third
parties need not apply. How can they
compete? Um, the Indian Telecom
they compete? Um, the Indian Telecom
Ministry did not respond to TechCrunch's
requests for comment. While the
Sanchar Saathi app is visible on a
user's phone, the broader system it
connects to operates largely out of
sight. Its permissions, its data flows
and back-end changes, including the
planned API integration, may be buried
in long terms and conditions documents
that most people never read or even see.
He said, as a result, users may have
little practical understanding of what
information is being collected, how it
is shared, with whom it's shared, or the
extent of the system's reach. Quote, "You can't go
about restricting cyber crimes and
device thefts in such a disproportionate
and heavy-handed way." Boy, is that a
common theme. He said, "The government
is basically saying that look, you need
to put my app on every device that's
sold, on every existing device. You have
to install it and in anything that's
being resold as well," unquote.
So, wow. I think they felt the pressure
because uh this is a press release from
the department of telecommunications in
India. They have
>> they gave up.
>> Yes. And in fact, I've got that after I
tell you what Apple said.
>> Yeah. Apple wasn't too happy about it. I
know that. [laughter]
>> So, uh, on a practical side, we know
about the tyranny of the default, right?
If the app is pre- and post-installed,
a great many more people will end up
using it. Way more than 50 million
recent downloads. There's 700 million
phones in circulation.
>> Most people will not remove it. They'll
just assume, oh, whatever that is, it's,
you know, it's good for me. Um, and it's
not completely clear whether removal
will even be an option since the Indian
government's intention looks to be more
aimed at assuring that all smartphones
participate. And of course, one wonders
what Apple, right, would think about
such a mandate. On the other hand, India
is now producing Apple smartphones. So,
who knows? Well, it turns out Apple does
indeed say no. I dug around some more
and discovered, to no one's surprise,
Apple does not plan to abide by India's
order. The India Times headline was,
quote, "Apple to resist DoT order," um,
that's India's Department of Telecom,
"to preload state-run Sanchar Saathi app
as policy," I'm sorry, "as political
outcry builds." Um, and then we get a
little bit more interesting information
about disabling or removing that makes
somewhat more sense. The India Times
wrote, "Apple does not plan to comply
with a mandate to preload its
smartphones with a state-owned cyber
safety app and will convey its concerns
to New Delhi," three sources familiar
with the matter said, after the
government's move sparked surveillance
concerns. The Indian government has
confidentially ordered, although it
didn't stay secret, of course you can't
keep those sorts of things secret,
confidentially ordered companies
including Apple and Xiaomi to preload
their phones with an app called Sanchar
Saathi, which in English means
"communication partner." Within
90 days, the app is intended to track uh
stolen phones, block them, and prevent
them from being misused. So, that was
news. Block them. So, meaning that the
government can prevent a phone from
operating. Uh I didn't pick up any of
that in the previous reporting. So, you
know, you would call that a biggie. um
that suggests that this communications
partner app would have the ability to
shut down a phone and if that's the
case, it's no wonder that Apple is
saying uh no thanks. The reporting
continues from India Times writing
Reuters was the first to report on
Monday that the government also wants
manufacturers to ensure that the app is
not disabled. Also, for any devices
already in the supply chain,
manufacturers should push the app to
phones via software updates. The telecom
ministry confirmed the move, later
describing it as a security measure to
combat serious endangerment of cyber
security. But Minister Modi's political
opponents and privacy advocates
criticized the move, saying it is a way
for the government to gain access to
India's 730
million smartphones. So anyway, uh, I'm
going to skip the balance of this.
Basically, a bunch of opinions were
pulled by Reuters talking about it, you
know, being more than a sledgehammer.
It's more like a double-barreled
shotgun. Uh, and someone saying that
there's no way Apple would ever agree to
do this. And in fact, we know that
that's the case. So
following on the heels of that, as you
said, Leo, India decided, okay, uh I
guess that's not going to fly.
uh, they backpedaled on their
requirement. Their official press
release from the Ministry of
Communications, which you had on the
screen, proclaims across its top:
"Government removes mandatory
pre-installation of the Sanchar Saathi
app." So, it turns out that the
government changed its mind two days
after the announcement, following
extensive public criticism of what
everyone was concerned was veiled
surveillance. Um, and I decided to keep
that original reporting in place for the
podcast because it's still useful to
understand what's in the air, and this
is: India may not be done meddling with
communications, because the India Times
also had a headline, "Why your WhatsApp
Web may now log out every 6 hours."
India's Department of Telecommunications
said, uh, I'm sorry, uh, the India Times
is
quoting them, saying in their story: Due
to a new directive from the Department
of Telecommunications, WhatsApp Web will
automatically log out its users every
six hours. Under the new rule, the
Department of Telecommunications
requires messaging apps including
WhatsApp, Telegram and Signal to
implement SIM binding, in other words,
linking of the users of services to the
SIM card used for registration via its
IMSI identifier. If the original SIM is
not present, access to these apps will
be blocked 90 days from the directive's
issuance. So there's a 90-day, um, you
know, get-up-to-speed period from the
publication of the directive. Within 90
days, this technology has to be in place
for all, uh, text messaging apps, and,
you know, whereupon I think, well, you
know, good luck telling Signal's
Meredith Whittaker that you're requiring
Signal to bind to specific SIM cards.
Uh, as we know, Signal has historically
been bound to a user's phone, but
there's no way that Signal would be
modifying their app if it meant the
slightest reduction in the privacy of
their users. And if this move, you know,
did not represent some enhanced form of
government control, then why would India
be mandating this change at all? Okay,
but there's more. The India Times
explains: under the same directive, web
versions of these
applications will log their users out periodically, no later than every six hours, and force a reauthentication via a QR code scan. A user logs into WhatsApp Web through a browser by scanning the QR code through the phone application. According to the authorities, this is to curb cyber fraud by preventing misuse of apps without active SIMs, often by scammers operating from abroad. Platforms are required to comply within 90 days and submit reports within four months, potentially by around February of next year. The rules will apply to WhatsApp, Telegram, Signal, Snapchat, and other OTT, you know, over-the-top messaging platforms operating in India. Users are likely to face workflow disruptions, especially multi-device professionals and travelers and small businesses that rely on shared devices. WhatsApp has 500 million Indian users, and a major chunk of its business users are also in the country. One user wrote on X, "SIM binding rule shall be a major disruption for professionals and businesses using web accounts of WhatsApp, etc. It won't eliminate the fraud completely as SIM cloning and SIM spoofing will still work." While a section of the tech industry believes that the DoT might have breached its regulatory mandate, officials clarified that the directions issued to the apps are within the purview of telecom cybersecurity rules. An official told the India Times, quote, "It's only for the entities that use telecommunication identifiers like a mobile number for their services. If they don't want to do the SIM binding, they should not use the mobile number as an identifier," unquote. Industry representatives also question the effectiveness of SIM binding in curbing fraud originating outside India, noting that scam operators can still obtain Indian SIMs through mules or remote devices, while a significant volume of fraud originates within the country. So, you know, we really appear to be entering a period where government legislators are feeling increasingly empowered, Leo, to dictate the operation of the personal communications devices operating within their jurisdictions. Uh, and I found no indication yet that India will be backing down from this latest, you know, SIM binding deal on messaging platform apps.
>> Yeah.
>> Wow. So what do you think that's about? I mean, that's just like, um, tying, like, no, WhatsApp
>> to be honest
>> WhatsApp is based on your phone number, right? Because we have
>> It doesn't have to be anymore. It used to be, but it no longer has to be.
>> Okay? Because we had that story that we talked about last week where there was no rate limiting on brute forcing WhatsApp Web to look up people's identities just by trying every possible phone number,
>> right?
I guess you do have to submit a phone number. Your ID can just be, like, my ID on WhatsApp is Leo Laporte.24. So that was a change that they implemented, a couple of, maybe last year. I guess that's why it's 24. But
>> So you can look up by ID or by phone. Okay.
>> Yeah. But I don't know if you can look up by phone anymore. That's an interesting question.
>> And of course I guess the idea
>> you need a phone number to register it. So yeah, they have your data. That's right.
>> Yeah. And I guess the idea also was that WhatsApp could, you would give it access to your contacts and it would go through your contacts, take all the phone numbers out of your contacts and cross-reference that with WhatsApp users in order to populate your WhatsApp contacts.
>> Right. Oh, I was thinking of Signal. I'm not, I've, you're right. WhatsApp, I don't know. I don't use WhatsApp. I think it is tied to your phone number. You're right. Yeah. Yeah. And of course, every Facebook app asks for access to your contacts, and I always say no.
>> Yeah.
>> Because I'm not going to
>> What good could come of that?
>> I'm not giving out Steve Gibson's phone number and home address and email. What good could possibly come of that? If you want me to know you're on WhatsApp, you'll let me know you're on WhatsApp, right?
>> Yeah. You know, you had a sentence in here that's, uh, I think you could shorten, uh, where you say that countries are increasingly, uh, feeling
>> uh, legislators are feeling increasingly empowered to dictate the operation of the, etc. Just say legislators are feeling increasingly empowered
>> period. And I think that's really what's happening, is that governments worldwide are becoming more and more authoritarian and more and more interested in enforcing their worldview on their, uh, constituents, and I don't think that's a good trend at all.
>> No. And unfortunately the technology allows that. Right. I mean
>> well, the technology has stimulated it because they feel like they've lost control of us.
>> Right. But the technology also is a control mechanism.
>> Exactly. So they've discovered that and they're trying to use it. And yeah. Yeah. I don't have high hopes for this. You know, I think what happens, you give people power, they want more power. Yeah. And, uh, you can do everything you can. John Adams said that. I was watching the great, uh, Ken Burns, uh, documentary on the Revolutionary War, and John Adams said, you know, we can make a democracy, but I feel like people's greed for money and power is so great that it's unlikely we can sustain it. [snorts]
>> Right. And Washington, you know, responds famously to that woman who asks after the signing of the Declaration of Independence, what did you just keep it? Yeah. Yeah.
>> Yes. A democracy if, or no, a republic if you can keep it.
>> You can keep it. Yeah.
>> I think even in the beginning they knew that this was going to be a [laughter] lot difficult.
>> You know, we all grew up, all of us who are
>> of a certain age.
>> Yes, the, uh, the pigmentation has left our hair. Um, [laughter]
>> uh, it's always been the way it is and it's always going to be the way it is, but that's not the history of democracies,
>> right?
>> They have a period
>> and if it's at all encouraging, we've been through bad times in the US before. There have been many anti-democratic eras in the United States and we've survived
>> and we have swung back.
>> Yeah.
>> Yeah. So, let's hope.
>> Um, let's take a break. We're at an hour in. We're going to talk about the abbreviation of Scattered LAPSUS$ Hunters. It's not an inspired abbreviation, but it helps. Uh, and then, uh, a bit about RAM pricing that's gone nuts.
>> Unbelievable what's going on with RAM pricing. I'm, you know, I'm glad I'm well equipped with computers, but I'm worried about the future. I don't know. In fact, that thing I had to sign for, I just purchased a machine, probably my final computer for my new office that I'll be setting up in a month or two.
>> Desktop, laptop?
>> Uh, it's a small, uh, what do they call it? Small form factor.
>> Oh, like a NUC.
>> Yeah, that kind of thing.
>> Yeah. Yeah. I, uh, I think I'm thinking maybe, I was going to wait till next year. Apple has OLED screens coming and I really love OLED screens. So maybe I'll just get a PC instead. They have plenty of OLED PCs and
>> just put Linux.
>> Well, and of course I will do, uh, what this thing has is, uh, three DisplayPorts on the back because I'm a three screen person. That works for me. And I made the mistake on the system I have, uh, in my place with Lori of having that curved high resolution screen. No. Uh, no. I don't like that. Because I have lower resolution on the sides, and when you drag something across the boundary, it's all screwed up. So,
>> it's like your peripheral vision on the screen. That's not good.
>> Not good.
>> Yeah.
>> So, I'm going to go three flat screens all the same resolution and then
>> do you organize it in, I'm sorry, parenthetically. We'll get back to the show in a moment, folks. But do you organize, like, do you have code in one window and you do?
>> Yes. Yes, I generally have static things in different locations. So like I always have Windows Explorer open on the right half of the right side and that's just where it lives. It's always there and
>> Yes. It's always there. So
>> that's smart. Yeah. Yeah. You always know to go there.
>> And it's interesting because Lori and I have very different organizational approaches. Uh, and she wants, like, she's an organizer, but she likes to put things in bins and I'm a position-based organizer. I know where something is in, like, in location. And so I go right to it, but if she organized it, it's gone. It's gone.
>> So it's like, "Honey, where did, what happened to the..." She says, "Oh, I organized that." Oh, okay.
>> Where, where, where [laughter] is it now?
>> We have that problem in the kitchen. I now know where everything is in the kitchen, but if we reorganize, I'm in deep trouble. In deep trouble. All right, let's take a break. I know where the ad breaks are on this show, and that's one thing I do know. And it's time for one. We'll have more with Steve in just a bit. But first, a word from our sponsor, BigID. They're the next generation AI-powered data security and compliance solution. BigID is the first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate the way you want.
remediate remediate the way you want. You get to choose that can map and
You get to choose that can map and monitor access controls and scale your
monitor access controls and scale your data security strategy along with
data security strategy along with unmatched coverage for cloud and onprem
unmatched coverage for cloud and onprem data sources. And by the way, that's
data sources. And by the way, that's huge. Big ID also seamlessly integrates
huge. Big ID also seamlessly integrates with your existing tech stack, which
with your existing tech stack, which means you can coordinate security and
means you can coordinate security and remediation workflows. You can take
remediation workflows. You can take action on data risks to protect against
action on data risks to protect against breaches. You can annotate, delete, and
breaches. You can annotate, delete, and quarantine and more based on the data
quarantine and more based on the data all while maintaining an audit trail for
all while maintaining an audit trail for compliance. And as I said, it works with
compliance. And as I said, it works with your existing tech stack. Everybody like
your existing tech stack. Everybody like I'll give you an example. Service Now,
I'll give you an example. Service Now, PaloAlto Networks, Microsoft, of course,
PaloAlto Networks, Microsoft, of course, Google, of course, AWS, and on and on
Google, of course, AWS, and on and on and on. That's nice. You don't have to
and on. That's nice. You don't have to adjust how you work to work with Big ID.
adjust how you work to work with Big ID. Big ID's advanced AI models let you
Big ID's advanced AI models let you reduce risk, accelerate time to insight,
reduce risk, accelerate time to insight, and gain visibility and control over all
and gain visibility and control over all your data. This is where I really think
your data. This is where I really think AI shines. when it's got a specific
AI shines. when it's got a specific focused task, it's it can be so useful
focused task, it's it can be so useful and so good. Intuitit named it the
and so good. Intuitit named it the number one platform for data
number one platform for data classification in accuracy, speed, and
classification in accuracy, speed, and scalability. It really works. And some
scalability. It really works. And some of the customers, well, people love Big
of the customers, well, people love Big ID so much they're happy to give it a
ID so much they're happy to give it a testimonial. Like for instance, the US
testimonial. Like for instance, the US Army. Yes, the US Army. Big ID equipped
Army. Yes, the US Army. Big ID equipped the army to illuminate dark data. I can
the army to illuminate dark data. I can imagine that after 250 years they
imagine that after 250 years they probably have quite a bit to accelerate
probably have quite a bit to accelerate their cloud migration which is a big
their cloud migration which is a big priority for the services to minimize
priority for the services to minimize redundancy and to automate data
redundancy and to automate data retention something they have to do for
retention something they have to do for a variety of legal reasons as well. US
a variety of legal reasons as well. US Army Training and Doctrine Command gave
Army Training and Doctrine Command gave them such a great testimony. Let let me
them such a great testimony. Let let me read it to you. This is a direct quote.
read it to you. This is a direct quote. Quote, "The first wow moment with Big
Quote, "The first wow moment with Big ID," they said, came with being able to
ID," they said, came with being able to have that single interface that
have that single interface that inventories a variety of data holdings,
inventories a variety of data holdings, including structured and unstructured
including structured and unstructured data across emails, zip files,
data across emails, zip files, SharePoint, databases, and more. To see
SharePoint, databases, and more. To see that mass and to be able to correlate
that mass and to be able to correlate across those is completely novel. I've
across those is completely novel. I've never seen a capability that brings this
never seen a capability that brings this together like Big ID does. End quote.
together like Big ID does. End quote. That's pretty good. CNBC recognized Big
That's pretty good. CNBC recognized Big ID as one of the top 25 startups for the
ID as one of the top 25 startups for the enterprise. They were named to the Inc.
enterprise. They were named to the Inc. 5000 and Deote 500, not just once, but
5000 and Deote 500, not just once, but four years in a row. The publisher of
four years in a row. The publisher of Cyber Defense magazine says, quote, "Big
Cyber Defense magazine says, quote, "Big ID embodies three major features we
ID embodies three major features we judges look for to become winners.
judges look for to become winners. Understanding tomorrow's threats today,
Understanding tomorrow's threats today, providing a coste effective solution,
providing a coste effective solution, and innovating in unexpected ways that
and innovating in unexpected ways that can help mitigate cyber risk and get one
can help mitigate cyber risk and get one step ahead of the next breach. Start
step ahead of the next breach. Start protecting your sensitive data wherever
protecting your sensitive data wherever your data lives at bigid.com/security
your data lives at bigid.com/security now. Get a free demo and see how Big ID
now. Get a free demo and see how Big ID can help your organization reduce data
can help your organization reduce data risk and accelerate the adoption of
risk and accelerate the adoption of generative AI safely. Again, that's
generative AI safely. Again, that's bigid.com/security
now. Oh, and while you're there, there's a free white paper that provides
a free white paper that provides valuable insights for a new framework
valuable insights for a new framework that's just coming down the pike. It's
that's just coming down the pike. It's called AI Trism. T R I SM. That's AI
called AI Trism. T R I SM. That's AI trust, risk, and security management.
trust, risk, and security management. It'll help you harness the full
It'll help you harness the full potential of AI responsibly. And that
potential of AI responsibly. And that paper is free at bigid.com/security
now. Thank him so much for supporting Steve and security now. Back to you,
Steve and security now. Back to you, Steve.
Steve. So, a random observation uh that I'm
So, a random observation uh that I'm beginning to see the infamous scattered
beginning to see the infamous scattered lapses hunters uh being referred to by
lapses hunters uh being referred to by the abbreviation SLH. I I said no
the abbreviation SLH. I I said no biggie, but SLH uh I don't know if it'll
biggie, but SLH uh I don't know if it'll catch on, but they have been so much in
catch on, but they have been so much in the news that the security industry
the news that the security industry appears to feel that they've become
appears to feel that they've become abbreviation worthy. So, uh the news
abbreviation worthy. So, uh the news blurb that caught my eye referred to
blurb that caught my eye referred to SLH.
SLH. uh it was a note saying that the the
uh it was a note saying that the the security firm believed that they have
security firm believed that they have seen SLH's
seen SLH's focus shifting from Salesforce over to
focus shifting from Salesforce over to Zenesk.
Zenesk. >> Um so SLH appeared to be enamored of the
>> Um so SLH appeared to be enamored of the you know SAS model the software as a
you know SAS model the software as a service exploitation like of customers
service exploitation like of customers of that. Um there was a at this point a
of that. Um there was a at this point a lack of razor sharp attribution for some
lack of razor sharp attribution for some of the very recent Zenesk related
of the very recent Zenesk related attacks but there have been some and the
attacks but there have been some and the suspicion is it is SLH. So we now have
suspicion is it is SLH. So we now have SLH as a as an as a abbreviation for
SLH as a as an as a abbreviation for scattered lapses hunters. Not quite as
scattered lapses hunters. Not quite as fun as scattered lapses hunters but what
fun as scattered lapses hunters but what the hell. Um, and I just completely off
the hell. Um, and I just completely off topic. I suppose we should have seen
topic. I suppose we should have seen this coming. I I this next bit of news
this coming. I I this next bit of news is not security related, [clears throat]
is not security related, [clears throat] but it's tangentially AI related. And I
but it's tangentially AI related. And I thought that our computer centric
thought that our computer centric listeners would find it interesting. the
listeners would find it interesting. the the short blurb that first caught my
the short blurb that first caught my attention and I'd seen something about
attention and I'd seen something about it passed by but hadn't paused uh was
it passed by but hadn't paused uh was Micron exits consumer RAM market and the
Micron exits consumer RAM market and the little blurb said American hardware
little blurb said American hardware vendor Micron will leave the consumer
vendor Micron will leave the consumer RAM market and discontinue its Crucial
RAM market and discontinue its Crucial brand and of course Crucial has been a
brand and of course Crucial has been a has been a well-known uh you know
has been a well-known uh you know consumer RAM memory brand for years.
consumer RAM memory brand for years. They wrote, "The move the move comes as
They wrote, "The move the move comes as the AI boom has led to an explosion in
the AI boom has led to an explosion in prices in RAM and SSDs as AI companies
prices in RAM and SSDs as AI companies build data guzzling data centers and
build data guzzling data centers and have swallowed almost the entire market
have swallowed almost the entire market output for the next few years.
output for the next few years. So, okay, you know, I guess we should
So, okay, you know, I guess we should have seen this coming." Uh, that led me
have seen this coming." Uh, that led me to look for some additional detail which
to look for some additional detail which I thought that our listeners would
I thought that our listeners would appreciate. I found a nice piece over on
appreciate. I found a nice piece over on The Verge whose headline was, "Ram
The Verge whose headline was, "Ram prices are so out of control that stores
prices are so out of control that stores are selling it like lobster."
are selling it like lobster." They wrote, "U Michael Krider's headline
They wrote, "U Michael Krider's headline at PC World today perfectly captures how
at PC World today perfectly captures how ridiculous the PC memory shortage has
ridiculous the PC memory shortage has become. Stores like the San Francisco
become. Stores like the San Francisco Bay Area's Central Computers are
Bay Area's Central Computers are beginning to sell RAM at market prices
beginning to sell RAM at market prices like you'd pay for the catch of the day
like you'd pay for the catch of the day at a seafood restaurant. A message
at a seafood restaurant. A message posted in the store's display case
posted in the store's display case reads, quote, "Costs are fluctuating
reads, quote, "Costs are fluctuating daily as manufacturers and distributors
daily as manufacturers and distributors adjust to limited supply and high
adjust to limited supply and high demand. Because of this, we cannot
demand. Because of this, we cannot display fixed prices at this time."
display fixed prices at this time." MicroEnter is apparently doing the same.
MicroEnter is apparently doing the same. Quote, "Due to market volatility, we ask
Quote, "Due to market volatility, we ask that you please see a sales associate
that you please see a sales associate for pricing." unquote. They wrote, "It's
for pricing." unquote. They wrote, "It's hard to overstate just how quickly the
hard to overstate just how quickly the RAM crunch is changing the affordability
RAM crunch is changing the affordability of computers, and it might soon impact
of computers, and it might soon impact other realms as well, as everything from
other realms as well, as everything from game consoles to smartphones require RAM
game consoles to smartphones require RAM to function. Three months ago yesterday,
to function. Three months ago yesterday, the author said, "I bought 32 gig of
the author said, "I bought 32 gig of memory for my gaming PC. And at the
memory for my gaming PC. And at the price of that exact kit, oh, sorry, and
price of that exact kit, oh, sorry, and the price of that exact kit has more
the price of that exact kit has more than tripled since then, three months
than tripled since then, three months ago." He says it now costs $300 more.
ago." He says it now costs $300 more. Now 440 versus 130, in case you're
Now 440 versus 130, in case you're curious, he said for 32 gig. He said a
curious, he said for 32 gig. He said a more common version of the same kit went
more common version of the same kit went from 105 to 400. Some prices have
from 105 to 400. Some prices have doubled since October. And while you can
doubled since October. And while you can still find some 32 gig kits for as low
still find some 32 gig kits for as low as $230, a 64 gig DDR5 kit can easily
as $230, a 64 gig DDR5 kit can easily run you 700, $800, even $900.
run you 700, $800, even $900. Some high-profile product launches might
Some high-profile product launches might be impacted by the price of memory.
be impacted by the price of memory. Valve pointed to the RAM crunch as one
Valve pointed to the RAM crunch as one of the reasons it could not promise a
of the reasons it could not promise a specific price for its steam machine
specific price for its steam machine just yet. Just as out of control
just yet. Just as out of control um he said oh the author said just as
um he said oh the author said just as outofcontrol GPU prices from earlier
outofcontrol GPU prices from earlier this year have finally settled down,
this year have finally settled down, runaway memory prices might make them
runaway memory prices might make them shoot back up again. Every graphics card
shoot back up again. Every graphics card requires gobs of VRAM. More is better.
requires gobs of VRAM. More is better. And word is that Nvidia and AMD are
And word is that Nvidia and AMD are preparing to raise prices to compensate
preparing to raise prices to compensate for the crunch. Digital Foundry is
for the crunch. Digital Foundry is recommending you buy a GPU at or below
recommending you buy a GPU at or below MSRP while you still can, one with 10
MSRP while you still can, one with 10 gig or more of VRAM. Microsoft may also
gig or more of VRAM. Microsoft may also have to raise Xbox prices yet again to
have to raise Xbox prices yet again to compensate, but Sony has stockpiled
compensate, but Sony has stockpiled enough RAM for the PS5 to last some
enough RAM for the PS5 to last some number of months. Epic CEO Tim Sweeney
number of months. Epic CEO Tim Sweeney says it may take years for high-end
says it may take years for high-end gaming to recover from the RAM crunch
gaming to recover from the RAM crunch because of AI. He says, "Factories are
because of AI. He says, "Factories are diverting leading edge DRAM capacity to
diverting leading edge DRAM capacity to meet AI needs where data centers are
meet AI needs where data centers are bidding far higher than consumer device
bidding far higher than consumer device makers."
makers." Wow. So, I noted um another piece in the
Wow. So, I noted um another piece in the news yesterday that said 200
news yesterday that said 200 environmental groups. You know, first of
environmental groups. You know, first of all, I didn't realize there were 200
all, I didn't realize there were 200 environmental groups. 200 environmental
environmental groups. 200 environmental groups are demanding, I love that choice
groups are demanding, I love that choice of words, a halt to the construction of
of words, a halt to the construction of new US data centers. You know, I guess
new US data centers. You know, I guess just on principle. Um, first of all, you
just on principle. Um, first of all, you know, good luck with that. um uh that
know, good luck with that. um uh that might have stood some chance of
might have stood some chance of happening, you know, if we had a
happening, you know, if we had a bleeding heart Democrat running the
bleeding heart Democrat running the countries at the moment. But, you know,
countries at the moment. But, you know, our President Trump recently again
our President Trump recently again declared that global warming was a hoax
declared that global warming was a hoax and that wind turbines cause cancer. So
and that wind turbines cause cancer. So I would be highly skeptical that any
I would be highly skeptical that any number of environmental groups, doesn't
number of environmental groups, doesn't matter how many you gather together, are
matter how many you gather together, are going to get much traction in the
going to get much traction in the Washington climate at the moment. But
Washington climate at the moment. But what's interesting to me from a
what's interesting to me from a technology standpoint is that it does
technology standpoint is that it does appear that the desire to concentrate
appear that the desire to concentrate an unprecedented
an unprecedented amount of computational capacity uh
amount of computational capacity uh within a comparatively small physical
within a comparatively small physical area is truly causing trouble. Right? If
area is truly causing trouble. Right? If nothing else, we know that just getting
nothing else, we know that just getting that much electrical power service to a
that much electrical power service to a single location is not something that
single location is not something that the existing power grid was originally
the existing power grid was originally set up to deliver, nor does it
set up to deliver, nor does it accommodate much variation without a lot
accommodate much variation without a lot of lead time.
of lead time. And when you step back to think about
And when you step back to think about it, the only reason to want or to
it, the only reason to want or to arguably, you know, make a case for
arguably, you know, make a case for needing that much computation in such a
needing that much computation in such a small physical space has to be economies
small physical space has to be economies of scale. Um, what I mean by that is it
of scale. Um, what I mean by that is it what's being built is not a single
what's being built is not a single humongous brain. It's a very large
humongous brain. It's a very large number of individual small brains and
number of individual small brains and they don't actually all need to be under
they don't actually all need to be under the same roof or even in the same state
the same roof or even in the same state for that matter. It's just more
for that matter. It's just more convenient and more coste effective if
convenient and more coste effective if they're all grouped together in one
they're all grouped together in one place. That way they can all share staff
place. That way they can all share staff and utilities and walls and security and
and utilities and walls and security and cooling and a parking lot and so on. You
cooling and a parking lot and so on. You know, and this sort of suggests that a
know, and this sort of suggests that a reasonable compromise might be to limit
reasonable compromise might be to limit the total size of individual AI data
the total size of individual AI data centers, have more of them, and spread
centers, have more of them, and spread them around more. You know, and that
them around more. You know, and that said, I you know, I certainly get the
said, I you know, I certainly get the coolness factor of having a massive AI
coolness factor of having a massive AI de data center. I mean, I understand
de data center. I mean, I understand that that, you know, appeals to the tech
that that, you know, appeals to the tech bros. Um, and you know, if AI actually
bros. Um, and you know, if AI actually made money and could pay for itself,
made money and could pay for itself, then you'd have a potentially viable
then you'd have a potentially viable business model. So, I guess you have to
business model. So, I guess you have to save as much money as you can on
save as much money as you can on facilities hoping that you know you're
facilities hoping that you know you're saving money everywhere you can because
saving money everywhere you can because none of this yet makes economic sense.
none of this yet makes economic sense. >> You know, Leo, what does make economic
>> You know, Leo, what does make economic sense?
sense? >> Is it that time again?
>> Is it that time again? >> No.
>> No. >> Oh,
>> Oh, >> what makes economic sense?
>> what makes economic sense? >> What makes economic sense is GRC's new
>> What makes economic sense is GRC's new DNS BENCHMARK.
DNS BENCHMARK. >> OH, I CAN'T WAIT. THIS IS OH, WE'VE been
>> OH, I CAN'T WAIT. THIS IS OH, WE'VE been wait How long How long you been? Well,
wait How long How long you been? Well, first of all, you wrote it once before.
first of all, you wrote it once before. >> Yes. Um, I actually had and somebody
>> Yes. Um, I actually had and somebody found in a directory of theirs
found in a directory of theirs a the beginnings of a DNS
a the beginnings of a DNS speed test in 2002.
speed test in 2002. So,
So, yeah, long time ago. And I distinctly
yeah, long time ago. And I distinctly remember in ' 08 um in in in 2008
remember in ' 08 um in in in 2008 writing the first version one of the DNS
writing the first version one of the DNS benchmark at Starbucks. I I had I had a
benchmark at Starbucks. I I had I had a little a little like road show where you
little a little like road show where you know because I have to have a clanky
know because I have to have a clanky keyboard, right? And so I had a I had a
keyboard, right? And so I had a I had a >> Who's that guy with that clanky keyboard
>> Who's that guy with that clanky keyboard again?
again? >> Well, and of course Starbucks the
>> Well, and of course Starbucks the Starbucks I was going to was across from
Starbucks I was going to was across from UCI, so it's all students. Irvine. Yeah.
UCI, so it's all students. Irvine. Yeah. >> And they're and they're they all have,
>> And they're and they're they all have, you know, spongy quiet Apple keyboards.
you know, spongy quiet Apple keyboards. And I'm over in the corner going
And I'm over in the corner going clankity clanky clank clank clankity
clankity clanky clank clank clankity clank, [laughter] you know.
clank, [laughter] you know. >> And I would I would get there. They
>> And I would I would get there. They opened at 4:30. So I would get there
opened at 4:30. So I would get there because I had to have
because I had to have >> Yeah. 4:30 a.m.
>> Yeah. 4:30 a.m. >> Yeah. Okay. And so and I would I had to
>> Yeah. Okay. And so and I would I had to have my corner, right? So I would be the
have my corner, right? So I would be the first person there. I would unlock you
first person there. I would unlock you were
were >> I would unlock the door because they
>> I would unlock the door because they they hired you university students who
they hired you university students who were short and they couldn't reach the
were short and they couldn't reach the the the door's upper lock
the the door's upper lock >> because the guy with the clanky keyboard
>> because the guy with the clanky keyboard he's going to
he's going to >> having me there having me there I they
>> having me there having me there I they wouldn't have
wouldn't have >> still get up at 4:30 a.m. No, Lord. No.
>> still get up at 4:30 a.m. No, Lord. No. >> Oh, this is a long time ago.
>> Oh, this is a long time ago. >> This was in I happen to know that it was
>> This was in I happen to know that it was in 2008 when I wrote the benchmark.
in 2008 when I wrote the benchmark. Okay.
Okay. >> Yeah. And so I just sat there and and
>> Yeah. And so I just sat there and and then you and then I was part of a group
then you and then I was part of a group of of regulars. And so around 6:30 some
of of regulars. And so around 6:30 some of the regulars would start showing up
of the regulars would start showing up and so I'd pause and you know talk to
and so I'd pause and you know talk to them and then and then they'd wander off
them and then and then they'd wander off and I'd go back to work. Now I
and I'd go back to work. Now I understand why you go to Starbucks
understand why you go to Starbucks because
because >> I wouldn't want to be in a crowded
>> I wouldn't want to be in a crowded coffee shop trying to focus, but at 4:30
coffee shop trying to focus, but at 4:30 a.m. it's you got the place to yourself
a.m. it's you got the place to yourself >> and lots of coffee to boot.
>> and lots of coffee to boot. >> So that's good. I could see you get
>> So that's good. I could see you get those two hours of solid work there.
those two hours of solid work there. Yeah.
Yeah. >> Yes. And and I would leave at a little
>> Yes. And and I would leave at a little after 4. So I would spend about a full
after 4. So I would spend about a full 12 hours
12 hours in a single stint and then I'd go find
in a single stint and then I'd go find some dinner.
some dinner. >> Holy cow. That was my routine. And I I
>> Holy cow. That was my routine. And I I also perfected the putting the sponge
also perfected the putting the sponge ear foam things deep into my ear canal
ear foam things deep into my ear canal and then putting these Bose sound
and then putting these Bose sound blockers on top of that. So, you know, I
blockers on top of that. So, you know, I would just see people's mouths moving,
would just see people's mouths moving, but I'd just be in my zone for about 12
but I'd just be in my zone for about 12 hours a day writing the benchmark.
hours a day writing the benchmark. >> And And you did this at Starbucks. Why?
>> And And you did this at Starbucks. Why? >> Because it was better than being home
>> Because it was better than being home alone.
alone. >> Okay. Okay. I mean, you know, a little
>> Okay. Okay. I mean, you know, a little socializing
socializing >> people around. Yeah. Yeah.
>> people around. Yeah. Yeah. >> Yeah. And I I didn't have to walk far to
>> Yeah. And I I didn't have to walk far to get more coffee, so [laughter]
get more coffee, so [laughter] it was good.
it was good. >> Anyway, so
>> Anyway, so >> I did not I've known you for so long. I
>> I did not I've known you for so long. I had no idea that's what you were doing.
had no idea that's what you were doing. Wow.
Wow. >> Yeah.
>> Yeah. >> Okay. So, you're in a sprint to write
>> Okay. So, you're in a sprint to write this.
this. >> This would have been 08. This was during
>> This would have been 08. This was during the podcast.
the podcast. >> Yeah.
>> Yeah. >> Yeah.
>> Yeah. >> Like I said, I I had no idea. [laughter]
>> Like I said, I I had no idea. [laughter] >> Okay. Anyway, so um uh put this on GRC,
>> Okay. Anyway, so um uh put this on GRC, made it available, and
made it available, and as I've mentioned before, for many,
as I've mentioned before, for many, many, many years, it was seeing more
many, many years, it was seeing more than a thousand downloads a day.
than a thousand downloads a day. >> I used it all the time. I still do.
>> I used it all the time. I still do. Yeah,
Yeah, >> we have more than 9.7, I think it is, or
>> We have more than 9.7, I think it is, or maybe 8 million total downloads. And it had gotten to be 16 years old. And so it was a year ago, it was in December of 2024, that I had finished with SpinRite 6.1. That was finished. Put it to bed. It's like, okay, I've made my commitment to give everybody a free update to SpinRite even after 20 years. And I thought, okay, I want to see what I can do with, like, bringing the DNS Benchmark back up to speed. Anyway, so I spent a year working with a bunch of neat guys, and Leila, who may be our one female in the GRC DNS.dev group, you know, our newsgroup, old school NNTP servers.

And for a while, I remember I talked on the podcast about imagining having, well, so the idea was to do something GRC has never done before, which is to have an inexpensive commercial product. You know, the only thing I ever had was SpinRite at $89, and I wanted to try doing a, you know, under $10, well, a little bit under $10, $9.95. Fill it with features, bring it up to date, and offer something that I thought was a good value for a good price. So, what happened on Friday was that we had a couple almost finished things that needed to get fixed and changed. As everybody knows, the original benchmark was only able to benchmark IPv4 servers, which is almost all there was back at the time. So the big change was I needed to add IPv6 support. But then of course none of the UDP resolution is encrypted. So it's not authenticated. It's not encrypted. So we have DoH and DoT. Android devices support DoT natively. All of our browsers support DoH natively. So, in fact, in the picture there, Leo, you can see the IPv6 addresses being lots of little digits in two rows.
>> They're huge.
>> And fourth from the bottom is a DNS over TLS server that's also in the list. Anyway, essentially what's happened is over the course of these 16 years, the internet has changed a lot.
>> Oh yeah.
>> And the big problem I had was that I had a bunch of false starts trying to figure out how to get this thing to do IPv6 and TLS connections, because IPv4 addresses fit in 32 bits and I was working in a 32-bit architecture. So resolver addresses were, like, they fit in registers. Well, not in the future they didn't. So that all had to get changed. But the biggest thing that has really changed is that version one prioritized cached lookups over all else. And that's changed. When, you know, we've been talking about things like uBlock Origin and other content control utilities, we've noted that the content of today's websites is now being pulled from scores of different places, you know, from all over the internet: libraries and ads and trackers and, like, chat add-ons and AI popups and all this junk that are now on web pages. Well, those all require DNS lookups. So what's changed is that whereas a server's caching performance was probably most important back in 2008 when I wrote version one, that's no longer true.

So what the original DNS Benchmark has always done, and still does at version one, is it first sorts the resolver performance by their cached performance. That completely dominated, by design, all of its resolver ranking. Cache performance, as we know, would be the amount of time that a resolver would need to reply to a query for a domain's IP that it had already cached locally from someone, maybe you or someone else, previously asking for it, and it not having yet expired, because all of the records that DNS caching resolvers cache have an expiration time, which allows the internet to update itself for changing IPs. It turns out that internet transit times completely dominate that measure. Whatever it is we're measuring when we measure cache performance, all of that time is the time it takes the query to get to and back from the resolver. So it is essentially equal to just pinging the resolver. We have tested that. It's about the same. And while it may not seem very useful to know what a resolver's, essentially its ping time, is, it turns out that DNS performance is all about connectivity: how well are you connected to the resolver that you are asking for IP addresses from.

So as I said, the problem was that's all that version one of the benchmark took into consideration. If a resolver close by you could beat out other resolvers, then version one of the benchmark gave it the highest rating. It was at the top of the list, and it was only in the case of a tie in cached performance within its 1 millisecond resolution that the uncached lookup performance would be considered as the second sort key. Essentially, it was like a multi-key sort where the first key does the gross arrangement and the second sort key does the finer grain arrangement within the grossly arranged first key. So the problem with that was that a resolver might reply to cached queries in five milliseconds but then take 10 times as long, like 50 milliseconds, to perform a lookup for something it didn't already have in its cache. Whereas another resolver might take only 1 millisecond more, 6 milliseconds, to reply to a cached query, but be much faster for looking up uncached data, like 10 milliseconds. So you'd much rather be using that second resolver. Unfortunately, again, in '08, cached performance dominated because most of the material was coming from the domain you were browsing to. Most servers were providing you all of the content. Now, that's no longer the case.

So, the other little confounding thing is that 16 years ago in 2008, no one had local border routers that were also serving as caching resolvers. You know, we had NAT back then, but those early NAT routers were not doing DNS lookups for their NAT clients as they are now. So that matters because the original version of the benchmark would be seriously over-impressed by the performance of that local caching DNS router or resolver sitting right there on our LAN. How could any remote DNS resolver, no matter how fast it might be, possibly compete with a caching resolver that was sitting right next to the user on their own LAN? So, you know, just try pinging your LAN's gateway and you'll see how quickly it responds. No other DNS resolver out on the internet can compete. And again, version one of the benchmark was only looking at cached performance.

So, what does the new version two do? It takes the average of all three types of DNS queries: cached, uncached, and .com resolution. It's got four sorting options. The original cached-first sort is still there for anyone who might want it for some reason. But the new default is best performance, which averages all three types. So anyway, I've spoken before about all the features that are in there. We learned that we were not getting much benchmark-to-benchmark consistency. It turns out that even asking 50 different domains for their IPs for each of your resolvers, there's enough jitter in the internet, because the internet's gotten busier and it's gotten bigger than it used to be, that we need to do more asking in order to get statistical significance from the data that we're collecting. So this thing allows you by default to run essentially five rounds of the benchmark and aggregate all the data. But you can also go for 10, 20, 50, and 100 if you don't mind waiting like four hours for a 100x benchmark. And what's interesting is that you see all of the sorting stabilizing after a while, because initially the ranking is jumping around because of internet jitter, and it actually takes a lot more looking. Anyway, short version is I'm done with the benchmark. Anyone can have it for $9.95.

I appreciated what Andy said, or, what, not Andy...
security awareness and actually changes behaviors by gamifying the process, rewarding good clicks, coaching away the bad. Your users will never feel embarrassed. They'll be engaged. They'll be having fun. They'll be learning. I'll give you an example. When an employee sees an email and suspects it might be a scam, Hoxhunt will tell them immediately, and if it is, you know, your test email, they're going to get that dopamine rush, you got it. That gets them to click, learn, and protect your company. And as an admin, for you, Hoxhunt makes it really easy to automatically deliver phishing simulations, and not just email: Slack, Teams, using AI to mimic the latest real world attacks. The simulations are also personalized, if you want, to each employee. You can have information about department, location, and more. And then instead of these big generic quarterly trainings, you get instant micro trainings to solidify understanding and drive lasting safe behaviors. You could trigger gamified security awareness training that awards employees stars and badges. I know that sounds dumb, but they love it. You would love it. It's like, "Yeah, I did good." Ah, boosting completion rates, ensuring compliance, and really the bottom line is helping them learn how to protect your company. You could choose from a huge library of customizable training packages, or they have AI you can generate your own, make them really, you know, effective, these simulations. Hoxhunt has everything you need to run effective security training all in one platform. It's easy to measurably reduce your human cyber risk at scale. And you don't have to take my word for it. There are over 3,000 user reviews on Hoxhunt on G2, which make Hoxhunt the top rated security training platform for the enterprise, including easiest to use and best results. This is easy for you, best results for your company. It's also recognized as Customers' Choice by Gartner, and it's used by thousands of companies worldwide. Companies like Qualcomm, AES, Nokia. They use it to train millions of employees all over the globe. Visit hoxhunt.com/securitynow right now to learn why modern secure companies are making the switch to Hoxhunt. That's hoxhunt.com/securitynow.
We thank them so much for supporting Steve and Security Now and doing a great job, and as an employee, I'm both an employee and a boss. As an employee, I really appreciate it when it's fun to learn, you know, not to click on phishing attacks. I look forward to them. All right, Steve. Now, on we go.
>> So, as I said, by this time, from everything we've seen and shared on this podcast through the years, we can probably all define what a worst-case vulnerability looks like. It would [snorts] affect any popular, widely present internet-facing server. It would not require the remote attacker to be in any way authenticated on that server. It would allow said attacker to remotely supply whatever code they would wish any such server to execute on their behalf. And the attack would have a low complexity so [snorts] that no rocket science is needed. Taken together, in the parlance of the day, we would term this a critical unauthenticated low complexity remote code execution vulnerability. A shorter though less descriptive summary might also be CVSS 10.0. Yeah, because, you know, most of what we see is they're trying to get there. They're a 9.8, but they're not really completely just unbelievably bad.
>> Underachievers. Obviously,
>> Yeah, they were [laughter]. This is a 10.0. The headline given to Dan Goodin's reporting of just such a vulnerability last Wednesday, so not even a week ago, in Ars Technica was "Admins and defenders gird themselves against maximum severity server vuln." In the subhead it says "Open-source React executes malicious code with malformed HTML. No authentication needed." So there's a lot to cover here. Let's begin with Dan's description in Ars Technica. He says, "Security defenders are girding themselves in response to the disclosure of a maximum severity vulnerability disclosed Wednesday in React Server, an open-source package that's widely used by websites and in cloud environments. The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available.

React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly with fewer resources required. React is used by an estimated 6% of all websites and 39% of cloud environments. When end users reload a page, React allows servers to rerender only parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server.

Security firm Wiz said exploitation requires only a single HTTP request and had near 100% reliability in its testing. Multiple software frameworks and libraries embed React implementations by default. As a result, even when apps don't explicitly make use of React functionality, they can still be vulnerable since the integration layer itself invokes the buggy code." In that sense, this is a little bit like Log4j, right? Which we recall, although that wasn't bad as it turned out. This has already turned out to be bad. "The combination of the widespread use of React, particularly in cloud environments, the ease of exploitation, and the ability to execute code that gives attackers control of servers has earned the vulnerability a severity rating of 10, the highest score possible," writes Dan. "On social media, security defenders and software engineers urged anyone responsible for React related apps to immediately install an update released Wednesday. One researcher wrote, 'I usually don't say this, but patch right freaking now.' The React CVE listing," and that's CVE-2025-55182, "is a perfect 10. React versions 19.0.1, 19.1.2, or 19.2.1 contain the vulnerable code." So that's worth noting. It's only this year's React versions. So this happens this year. I hope you're not running an older one, because that would be worse. But, you know, so update. Again, "the third party components," writes Dan, "known to be affected," so these are third-party things that have React in them, "include Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, Waku, and Next.js," that being a biggie of course, "according to Wiz and fellow security firm Aikido. The vulnerability, tracked as," as I said, CVE-2025-55182, "resides in Flight, a protocol found in the React Server Components. Next.js has assigned the designation," they have a different one, CVE-2025-66478, "to track the vulnerability in its package."

And then Dan hits us with the nature of the vulnerability, which will also come as no surprise to our longtime listeners, since this podcast long ago identified interpreters as a particularly tough problem for secure systems. Dan writes, "The vulnerability stems from unsafe deserialization, the coding process of converting strings, byte streams, and other serialized formats back into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server. Patched React versions include stricter validation and hardened deserialization behavior." In other words, they fixed a bug in the deserializing interpreter, which interprets the serialized stream and makes a mistake. Wiz explained, quote, "When a server receives a specially crafted malformed payload, it fails to validate the structure correctly. This allows attacker controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code." They added, "In our [snorts] experimentation, exploitation of this vulnerability had high fidelity with a near 100% success rate and can be leveraged into a full remote code execution. The attack vector is unauthenticated and remote, requiring only a single specially crafted HTTP request to the target server. It affects the default configuration of many popular frameworks."

"Both companies," writes Dan, "are advising admins and developers," meaning React and Next.js. "Both companies are advising admins and developers to upgrade React and any dependencies that rely on it. Users of any of the RSC-enabled frameworks and plugins mentioned above should check with their maintainers for guidance. Aikido also suggests admins and developers scan their code bases and repositories for any use of React." Meaning, you might have included it as a dependency in some build structure and not even know it's in there. But React is still accepting that stream when it comes to it and could then trip over its own feet and execute bad code in your system. Dan's article quickly generated 79 comments, from which the Ars staff chose one which reads, "Just ask Grok for a proof of concept. Basically, the deserializer can be made to execute any arbitrary code by encoding a nested object with an eval expression into base64 bytes. Shockingly easy to do," he wrote. Okay, so now let's step back a bit to answer the question: what is it? Wikipedia sums it up nicely, writing, "React, also known as React.js or ReactJS, is a free and open-source front-end JavaScript library that aims to make building user interfaces based on components more seamless. It's maintained by Meta and a community of individual developers and companies. According to the Stack Overflow developer survey, React is one of the most commonly used web technologies today. React can be used to develop single page, mobile, or server rendered applications with frameworks like Next.js and React Router. Because React is only concerned with the user interface and rendering components to the DOM, React applications often rely on libraries for routing and other client-side functionality. A key advantage of React is that it only
advantage of React is that it only rerenders those parts of the page that
rerenders those parts of the page that have changed, avoiding unnecessary
have changed, avoiding unnecessary rerendering of unchanged DOM elements.
rerendering of unchanged DOM elements. React is used by an estimated 6% of all
React is used by an estimated 6% of all websites. Okay, so now we have some
websites. Okay, so now we have some sense for what React is. How widespread
sense for what React is. How widespread is its use? The platform security
is its use? The platform security company Ox titled their reporting of
company Ox titled their reporting of this Wednesday,
this Wednesday, millions of servers vulnerable to rce in
millions of servers vulnerable to rce in React components.
React components. They wrote a critical vulnerability in
They wrote a critical vulnerability in React and Next.js allows attackers to
React and Next.js allows attackers to execute code on vulnerable servers
execute code on vulnerable servers without any authentication, potentially
without any authentication, potentially exposing millions of applications to
exposing millions of applications to immediate risk. React is one of the most
immediate risk. React is one of the most popular JavaScript libraries for
popular JavaScript libraries for building user interfaces created by
building user interfaces created by Facebook Meta with over [clears throat]
Facebook Meta with over [clears throat] 1.97
1.97 billion total downloads. One point
billion total downloads. One point almost two billion downloads.
almost two billion downloads. >> That's a lot of downloads.
>> That's a lot of downloads. >> That is a lot of downloads.
>> That is a lot of downloads. Discovered today, Wednesday. This
Discovered today, Wednesday. This vulnerability affects the React and
vulnerability affects the React and Nex.js JS ecosystems which power over 10
Nex.js JS ecosystems which power over 10 million active websites globally
million active websites globally including major platforms built with
including major platforms built with React such as Instagram, Netflix, Airbnb
React such as Instagram, Netflix, Airbnb that serve billions of users daily.
that serve billions of users daily. With React downloaded over 20 million
With React downloaded over 20 million times weekly, new vulnerable
times weekly, new vulnerable applications are being deployed
applications are being deployed continuously.
continuously. The potential exposure is massive,
The potential exposure is massive, spanning e-commerce platforms, financial
spanning e-commerce platforms, financial services, health care applications, and
services, health care applications, and enterprise systems worldwide. Okay, so
enterprise systems worldwide. Okay, so you know the bad guys are going to be
you know the bad guys are going to be just salivating.
just salivating. They wrote what we know. React CVEes and
They wrote what we know. React CVEes and that's the 55182 and Nex.js's
that's the 55182 and Nex.js's CVE 66478
CVE 66478 contain a critical rce vulnerability
contain a critical rce vulnerability enabling the attacker to execute
enabling the attacker to execute arbitrary privileged JavaScript code on
arbitrary privileged JavaScript code on the vulnerable server. While the core
the vulnerable server. While the core issue stems from the React
issue stems from the React vulnerability, the Nex.js JS
vulnerability, the Nex.js JS vulnerability exists only because it
vulnerability exists only because it directly used a vulnerable version of
directly used a vulnerable version of the React framework itself. The attack
the React framework itself. The attack doesn't require any kind of
doesn't require any kind of authentication from the attacker or a
authentication from the attacker or a valid running session for the rce to
valid running session for the rce to work. Who's affected? Any server running
work. Who's affected? Any server running an unpatched version of React or next.js
an unpatched version of React or next.js or any package based on a vulnerable
or any package based on a vulnerable React component. Using Showdan, we found
React component. Using Showdan, we found that there are over 571
that there are over 571 two 571,249
public servers using React components and 444,43
using Nex.js. So together more than a million. While
So together more than a million. While we don't know the versions of each of
we don't know the versions of each of those servers, it would be safe to
those servers, it would be safe to assume that even if a small number of
assume that even if a small number of them of them are inside the vulnerable
them of them are inside the vulnerable versions range, the impact on a is on a
versions range, the impact on a is on a high scale and should be addressed
high scale and should be addressed immediately. Since this issue impacts
immediately. Since this issue impacts any server online running React or
any server online running React or next.js, JS which are highly popular
next.js, JS which are highly popular JavaScriptbased packages. This means
JavaScriptbased packages. This means that attackers could now scan and
that attackers could now scan and directly exploit those servers. This
directly exploit those servers. This potentially could harm millions of
potentially could harm millions of servers around the world causing
servers around the world causing information leakage, secret extraction,
information leakage, secret extraction, and more. All right, so it's not good.
and more. All right, so it's not good. Did anyone notice? Ha, you betcha. Two
Did anyone notice? Ha, you betcha. Two days later, Friday, December 5th, Ox
days later, Friday, December 5th, Ox followed up with their report of active
followed up with their report of active exploitation under their headline,
exploitation under their headline, Reacts CVE205182
is now actively exploitable. Verified P. They wrote, "Hacker Maple 3142
They wrote, "Hacker Maple 3142 published a working proof of concept for
published a working proof of concept for 55182,
55182, which we successfully verified. Just 2
which we successfully verified. Just 2 days after we published our initial
days after we published our initial analysis of the React Next.js serverside
analysis of the React Next.js serverside rce vulnerability, a fully functional
rce vulnerability, a fully functional exploit has been released publicly. The
exploit has been released publicly. The proof of concept works exactly as
proof of concept works exactly as expected and results in unauthenticated
expected and results in unauthenticated remote code execution on vulnerable
remote code execution on vulnerable servers. The exploit abuses reacts blah
servers. The exploit abuses reacts blah blah blah. We all know about that. So
blah blah. We all know about that. So then they get into details of the attack
then they get into details of the attack and congratulate the exploit's author,
and congratulate the exploit's author, this Maple 3142, calling it great work.
this Maple 3142, calling it great work. They also provide a link to Maple's
They also provide a link to Maple's exploit demo on GitHub and I have a link
exploit demo on GitHub and I have a link at the bottom of page 20 in the show
at the bottom of page 20 in the show notes for anyone who's interested. To no
notes for anyone who's interested. To no one's surprise, the industry has jumped
one's surprise, the industry has jumped to get this resolved. This is an
to get this resolved. This is an emergency and there were apparently a
emergency and there were apparently a few hiccups along the way. Cloudflare
few hiccups along the way. Cloudflare notably suffered a 25inute
notably suffered a 25inute oopsie outage while working to protect
oopsie outage while working to protect all of the servers behind them from the
all of the servers behind them from the abuse of the vulnerability. Network
abuse of the vulnerability. Network World reported under their headline
World reported under their headline Cloudflare Firewall reacts, you know,
Cloudflare Firewall reacts, you know, pun there badly to React exploit
pun there badly to React exploit mitigation with the subhead in
mitigation with the subhead in attempting to fix one problem.
attempting to fix one problem. Cloudflare caused another. They wrote,
Cloudflare caused another. They wrote, "Cloudflare's network suffered a brief
"Cloudflare's network suffered a brief but widespread outage Friday after an
but widespread outage Friday after an update to its web application firewall.
update to its web application firewall. you know, a WAF to mitigate a
you know, a WAF to mitigate a vulnerability in React server components
vulnerability in React server components went wrong. At 9:09 a.m. UTC, the
went wrong. At 9:09 a.m. UTC, the company reported that it was
company reported that it was investigating issues with the Cloudflare
investigating issues with the Cloudflare dashboard and related APIs, warning that
dashboard and related APIs, warning that customers might see requests fail or
customers might see requests fail or errors displayed. Just 10 minutes later,
errors displayed. Just 10 minutes later, they had deployed a fix. And actually,
they had deployed a fix. And actually, it looks more like it was a 25-minute
it looks more like it was a 25-minute outage. So maybe it was 15 minutes into
outage. So maybe it was 15 minutes into it, then 20, then 10 minutes after that
it, then 20, then 10 minutes after that they had a fix. So a total of 25.
they had a fix. So a total of 25. They wrote, "But not before a flood of
They wrote, "But not before a flood of reports of problems with Cloudflare and
reports of problems with Cloudflare and its customers poured into uptime
its customers poured into uptime tracking sites such as downdetector.com.
tracking sites such as downdetector.com. During the same window, down detector
During the same window, down detector saw a spike in problem reports for
saw a spike in problem reports for enterprise services, including Shopify,
enterprise services, including Shopify, Zoom, Claude AI, and Amazon Web
Zoom, Claude AI, and Amazon Web Services, and a host of consumer
Services, and a host of consumer services from games to dating apps.
services from games to dating apps. Cloudflare explained the outage on its
Cloudflare explained the outage on its service status page, writing, "A change
service status page, writing, "A change made to how Cloudflare's web application
made to how Cloudflare's web application firewall parses requests caused
firewall parses requests caused Cloudflare's network to be unavailable
Cloudflare's network to be unavailable for several minutes this morning. This
for several minutes this morning. This was not an attack. The change was
was not an attack. The change was deployed by our team to help mitigate
deployed by our team to help mitigate the industrywide vulnerability disclosed
the industrywide vulnerability disclosed this week in React server components,"
this week in React server components," unquote.
unquote. Um the the OX report said Cloudflare was
Um the the OX report said Cloudflare was no about was no doubt attempting to
no about was no doubt attempting to protect those of its customers who've
protect those of its customers who've not yet had an opportunity to patch the
not yet had an opportunity to patch the vulnerability in the two days since it
vulnerability in the two days since it was revealed. The wobble in Cloudflare
was revealed. The wobble in Cloudflare services comes just two weeks after a
services comes just two weeks after a much bigger one rendered its customers
much bigger one rendered its customers websites inaccessible and so forth blah
websites inaccessible and so forth blah blah blah. So anyway, I appreciated how
blah blah. So anyway, I appreciated how these guys at Network World concluded
these guys at Network World concluded the their posting. They wrote, "There
the their posting. They wrote, "There are some advantages in relying on single
are some advantages in relying on single service providers such as Cloudflare or
service providers such as Cloudflare or AWS for these tasks, including economies
AWS for these tasks, including economies of scale and service consistency,
of scale and service consistency, but it also makes them single points of
but it also makes them single points of failure. When they go down, everything
failure. When they go down, everything goes down with them." This is what we
goes down with them." This is what we were just talking about two weeks ago.
were just talking about two weeks ago. In such a monoculture, the alternatives
In such a monoculture, the alternatives that might be able to take up the slack
that might be able to take up the slack have already been weeded out, meaning
have already been weeded out, meaning acquired or put out of business or
acquired or put out of business or they're just not available for whatever
they're just not available for whatever reason. So, I think that gets it exactly
reason. So, I think that gets it exactly right. Cloudflare's own posting about
right. Cloudflare's own posting about this noted that their logs did not
this noted that their logs did not capture any evidence of successful
capture any evidence of successful exploitation of this vulnerability
exploitation of this vulnerability against any of their free or commercial
against any of their free or commercial customers. And by the way, both were
customers. And by the way, both were were protected by this. Cloudflare's
were protected by this. Cloudflare's WFT, their web application firewall
WFT, their web application firewall update also protected uh anybody uh on
update also protected uh anybody uh on the free plan. Uh they never said
the free plan. Uh they never said explicitly uh that their apparently
explicitly uh that their apparently uh WFT change service outage was a
uh WFT change service outage was a mistake, but it certainly seems like it
mistake, but it certainly seems like it had to be. you know, they're continually
had to be. you know, they're continually updating their web application firewall
updating their web application firewall patterns with new detections and blocks
patterns with new detections and blocks and their customers are not experiencing
and their customers are not experiencing systemwide outages on an ongoing basis.
systemwide outages on an ongoing basis. So, I think they they, you know, fumble
So, I think they they, you know, fumble fingered it, you know, something
fingered it, you know, something somewhere. Of course, AWS and Fastly and
somewhere. Of course, AWS and Fastly and other CDNs also quickly deployed their
other CDNs also quickly deployed their own network protections for their
own network protections for their customers. So, everybody pretty quickly
customers. So, everybody pretty quickly got protected. I should also mention
got protected. I should also mention that two China based threat actors were
that two China based threat actors were seen to immediately jump onto this
seen to immediately jump onto this exploit with attacks beginning within
exploit with attacks beginning within hours of the vulnerabilities public
hours of the vulnerabilities public disclosure. Well, remember that was
disclosure. Well, remember that was Wednesday and the the CDN protections
Wednesday and the the CDN protections didn't snap into place for a full 48
didn't snap into place for a full 48 hours. So there was likely some serious
hours. So there was likely some serious damage done during this window from
damage done during this window from disclosure to fix which sort of suggests
disclosure to fix which sort of suggests that this could have been done better.
that this could have been done better. There's no reason, for example, that the
There's no reason, for example, that the major CDN's at least could not have been
major CDN's at least could not have been brought into a a loop, you know, on the
brought into a a loop, you know, on the DL and allowed to have their their
DL and allowed to have their their application
application uh firewalls updated. So, they would
uh firewalls updated. So, they would have been protected before the
have been protected before the disclosure.
disclosure. No reason for that not to happen. So,
No reason for that not to happen. So, maybe somebody will be thinking about
maybe somebody will be thinking about that. Um the AWS security team linked
that. Um the AWS security team linked the attacks that they saw to two groups
the attacks that they saw to two groups tracked as Earth Lamina Earth Lamia and
tracked as Earth Lamina Earth Lamia and Jackpot Panda. Uh AWS wrote Earth Lamia
Jackpot Panda. Uh AWS wrote Earth Lamia is a China Nexus cyber threat actor
is a China Nexus cyber threat actor known for exploiting web application
known for exploiting web application vulnerabilities to target organizations
vulnerabilities to target organizations across Latin America, the Middle East,
across Latin America, the Middle East, and Southeast Asia. The group has
and Southeast Asia. The group has historically targeted sectors across
historically targeted sectors across financial services, logistics, retail,
financial services, logistics, retail, IT companies, universities, and
IT companies, universities, and government and or government
government and or government organizations. And Jackpot Panda, they
organizations. And Jackpot Panda, they wrote, is a China Nexus cyber threat
wrote, is a China Nexus cyber threat actor primarily targeting entities in
actor primarily targeting entities in East and Southeast Asia. The activity
East and Southeast Asia. The activity likely aligns to collection priorities
likely aligns to collection priorities pertaining to domestic security and
pertaining to domestic security and corruption concerns.
corruption concerns. Well, that whatever that means. So,
Well, that whatever that means. So, Amazon says the attackers used
Amazon says the attackers used anonymizing proxies to hide their
anonymizing proxies to hide their infrastructure. So, requests were being
infrastructure. So, requests were being bounced through other systems and also
bounced through other systems and also deployed exploits um for other
deployed exploits um for other vulnerabilities using the uh these as
vulnerabilities using the uh these as the as the back doors uh to to get in.
the as the back doors uh to to get in. Interestingly, both groups use their own
Interestingly, both groups use their own homegrown exploit implementations.
homegrown exploit implementations. remember the the the proof of concept
remember the the the proof of concept even that took two days before it went
even that took two days before it went public. But this thing was so dead
public. But this thing was so dead simple to do that it no one waited. You
simple to do that it no one waited. You didn't have to wait two days. These
didn't have to wait two days. These things the attack started within hours
things the attack started within hours of the of of the disclosure that there
of the of of the disclosure that there was a problem and they rolled their own
was a problem and they rolled their own exploits because it was so easy to do.
exploits because it was so easy to do. Um, so then, uh, later multiple public
Um, so then, uh, later multiple public proof of concept exploits were released,
proof of concept exploits were released, including one from, uh, Lacklin
including one from, uh, Lacklin Davidson, a security reacher we've
Davidson, a security reacher we've talked about before. Uh, he was the guy
talked about before. Uh, he was the guy who initially found and reported this
who initially found and reported this devastating vulnerability. So, it's
devastating vulnerability. So, it's likely not an exaggeration to say uh
likely not an exaggeration to say uh that this vulnerability is probably
that this vulnerability is probably going to haunt the developer ecosystem
going to haunt the developer ecosystem for some time due to its ease of
for some time due to its ease of exploitation, widely available proofs of
exploitation, widely available proofs of concept, its low complexity versus its
concept, its low complexity versus its power, as well as React's popularity.
power, as well as React's popularity. Next.js is currently considered to be
Next.js is currently considered to be the best web technology available for
the best web technology available for producing very SEOfriendly content. If a
producing very SEOfriendly content. If a technology was, you know, ever expected
technology was, you know, ever expected to replace WordPress,
to replace WordPress, those, you know, people in the know
those, you know, people in the know argue that it would be next.js that
argue that it would be next.js that would be the replacement for WordPress.
would be the replacement for WordPress. PaloAlto Networks wrote, "Ultimately,
PaloAlto Networks wrote, "Ultimately, this incident underscores the inherent
this incident underscores the inherent friction between performance and
friction between performance and security in modern architecture. While
security in modern architecture. While React server components optimize data
React server components optimize data fetching and search engine optimization
fetching and search engine optimization by moving logic closer to the source,
by moving logic closer to the source, they simultaneously move the attack
they simultaneously move the attack surface closer to organizations most
surface closer to organizations most sensitive and valuable data. So I which
sensitive and valuable data. So I which I think that's a terrific perspective.
I think that's a terrific perspective. So anyway, uh I wouldn't say we dodged a
So anyway, uh I wouldn't say we dodged a bullet. I would say that a bunch of
bullet. I would say that a bunch of people probably got hit
people probably got hit >> and uh over time we may get some more
>> and uh over time we may get some more news like by next week of you know what
news like by next week of you know what organizations are in trouble as a result
organizations are in trouble as a result of this. we could see that the that
of this. we could see that the that those who weren't immediately reactive
those who weren't immediately reactive so to speak uh are uh are going to be in
so to speak uh are uh are going to be in trouble and we'll start getting you know
trouble and we'll start getting you know extortion notices and data exfiltration
extortion notices and data exfiltration all of the all of the followon
all of the all of the followon you know badness that comes a a after a
you know badness that comes a a after a network is penetrated.
network is penetrated. >> Yeah. Wow. Um and so it's been patched.
>> Yeah. Wow. Um and so it's been patched. >> Yes. And are does does React work to uh
>> Yes. And are does does React work to uh automatically update itself or do you
automatically update itself or do you have to explicitly uh
have to explicitly uh >> No, there's no you need to get the the
>> No, there's no you need to get the the updated stuff. Yes. And I should mention
updated stuff. Yes. And I should mention that the benchmark that is now uh
that the benchmark that is now uh available does have uh automatically
available does have uh automatically check for updates enabled. Good.
check for updates enabled. Good. >> And it will al it will alert its user
>> And it will al it will alert its user every time they use it. All I do is send
every time they use it. All I do is send a short DNS query to GRC. I'm using DNS
a short DNS query to GRC. I'm using DNS in order to clever
in order to clever >> in order to send back the the the most
>> in order to send back the the the most recent release number. And so it checks
recent release number. And so it checks that against its own release and it lets
that against its own release and it lets you know if there's something better and
you know if there's something better and and also gives you the link to update
and also gives you the link to update and puts your transaction code from your
and puts your transaction code from your purchase into notepad, I mean into the
purchase into notepad, I mean into the clipboard so you can paste it directly
clipboard so you can paste it directly into the form and get the download link
into the form and get the download link for the new one. We had thanks to a year
for the new one. We had thanks to a year of development, we had lots of time to
of development, we had lots of time to polish the the whole update delivery
polish the the whole update delivery system.
system. >> Feedback's great. That's really great.
>> Feedback's great. That's really great. >> Well, good. Everybody should go to
>> Well, good. Everybody should go to grc.com and get your copy of the DNS
grc.com and get your copy of the DNS benchmark pro. You're not calling pro,
benchmark pro. You're not calling pro, you're calling it version two.
you're calling it version two. >> V2 version two. Uh, buy it once, own it
>> V2 version two. Uh, buy it once, own it forever, and own its entire future.
forever, and own its entire future. >> Nice. That was that. Now, did you send
>> Nice. That was that. Now, did you send out the email
out the email >> to the list?
>> to the list? >> No. Um, I I need I want to do a
>> No. Um, I I need I want to do a walkthrough video. I need to get the the
walkthrough video. I need to get the the documentations I the documentation pages
documentations I the documentation pages need to be updated. There are still all
need to be updated. There are still all talking about version one.
talking about version one. >> So, I'm not ready to do that. But I
>> So, I'm not ready to do that. But I still have no spam being reported by
still have no spam being reported by Google. So, all of those changes I made
Google. So, all of those changes I made to my email system have taken hold.
to my email system have taken hold. >> And it'll probably be a couple weeks and
>> And it'll probably be a couple weeks and then I will do that. I will notify that
then I will do that. I will notify that the the that main mailing list is now up
the the that main mailing list is now up to 153,000 subscribers. So, wow. It'll
to 153,000 subscribers. So, wow. It'll be that'll be fun to let them know.
be that'll be fun to let them know. >> Well, I'll tell you what, you can kill
>> Well, I'll tell you what, you can kill two birds uh with one stone if you go to
two birds uh with one stone if you go to grc.com/email.
Uh the idea here is you uh you enter your email address and then Steve will
your email address and then Steve will know that you're you and not some
know that you're you and not some spammer and that means you can email him
spammer and that means you can email him from then on. And you'll also see the
from then on. And you'll also see the two additional subscriber lists. I
two additional subscriber lists. I always say there's a there's a check
always say there's a there's a check mark, but uh but I don't see a check
mark, but uh but I don't see a check mark. You just
mark. You just >> you get one when So
>> you get one when So >> Oh, it's in the email. Ah,
>> Oh, it's in the email. Ah, >> yeah. Well, yeah. Well, you you you you
>> yeah. Well, yeah. Well, you you you you fill that out. Then I send you a link
fill that out. Then I send you a link for managing your account. When you
for managing your account. When you click that, that brings up your own page
click that, that brings up your own page where you can subscribe and and
where you can subscribe and and unsubscribe from from whatever,
unsubscribe from from whatever, >> right?
>> right? >> So, yeah. And there there isn't a banner
>> So, yeah. And there there isn't a banner on this page to uh buy uh to upgrade.
on this page to uh buy uh to upgrade. >> There there it is.
>> There there it is. >> It's on this page though. It's just not
>> It's on this page though. It's just not on the email page. So Steve, you you
on the email page. So Steve, you you might want to add that to the email
might want to add that to the email page. [laughter]
page. [laughter] >> Like I said, I mean the the uh the site
>> Like I said, I mean the the uh the site has only ever the only thing I've ever
has only ever the only thing I've ever had for sale was Spinright. So the site
had for sale was Spinright. So the site is spinright salesoriented.
is spinright salesoriented. Yeah. And for for example, Spinright is
Yeah. And for for example, Spinright is there in the top level menu, but there's
there in the top level menu, but there's no mention of the benchmark in in the
no mention of the benchmark in in the menu. I do have it under under freeware
menu. I do have it under under freeware utilities, but it's not really a
utilities, but it's not really a freeware utility. Although, for what
freeware utility. Although, for what it's worth, version one is still
it's worth, version one is still available. If for whatever reason
available. If for whatever reason somebody doesn't can't spend $9.95,
somebody doesn't can't spend $9.95, uh I understand I still want them to
uh I understand I still want them to have what I have available, which is
have what I have available, which is version one. And so, you're still
version one. And so, you're still welcome to that.
welcome to that. >> Good. grc.com. It does misrank your
>> Good. grc.com. It does misrank your resolvers. Unfortunately, I did the best
resolvers. Unfortunately, I did the best job I could back then, but I know how to
job I could back then, but I know how to do it now because the world's changed in
do it now because the world's changed in in 16 years.
in 16 years. >> Changed a lot. It absolutely has. Uh if
>> Changed a lot. It absolutely has. Uh if you go to grc.com, you can also get the
you go to grc.com, you can also get the show there. Well, there a lot of places
show there. Well, there a lot of places to get the show, but that's one of the
to get the show, but that's one of the places. Uh there are some unique
places. Uh there are some unique versions there though I want to tell you
versions there though I want to tell you about. There's a 16 kilobit audio
about. There's a 16 kilobit audio version for the bandwidth impaired.
version for the bandwidth impaired. There's a 64 kilobit audio version
There's a 64 kilobit audio version that's full full fidelity. There are the
that's full full fidelity. There are the transcripts written by an actual
transcripts written by an actual [clears throat] human being, not AI
[clears throat] human being, not AI generated, but Ela Ferris does those.
generated, but Ela Ferris does those. Those take as a result a couple of days
Those take as a result a couple of days to get up on the site. And there's the
to get up on the site. And there's the show notes. By the way, the show notes
show notes. By the way, the show notes are one of the mailing lists Steve
are one of the mailing lists Steve offers. So, if you sign up for those
offers. So, if you sign up for those mailing lists, there is one for show
mailing lists, there is one for show notes. So, you'll get that
notes. So, you'll get that automatically. Otherwise, you can go to
automatically. Otherwise, you can go to grc.com and and download it. Get
grc.com and and download it. Get yourself a copy of the DNS benchmark
yourself a copy of the DNS benchmark spin. give me your email, sign up for
spin. give me your email, sign up for the newsletters, and then anything
the newsletters, and then anything that's your assignment. Anything else is
that's your assignment. Anything else is on you. There's a lot of other fun
on you. There's a lot of other fun things you can do at grc.com.
things you can do at grc.com. And one of them is his uh whole vitamin
And one of them is his uh whole vitamin D story under I think it's under
D story under I think it's under research. Um it might be interesting uh
research. Um it might be interesting uh for you to know that we are going to
for you to know that we are going to repeat that very famous Yeah. under
repeat that very famous Yeah. under health that very famous uh vitamin D
health that very famous uh vitamin D episode from I think 2009. It's that
episode from I think 2009. It's that old. Uh, and that will be our New Year's
old. Uh, and that will be our New Year's Eve show. New Year's Eve Eve show. The
Eve show. New Year's Eve Eve show. The penultimate day of 2025 show.
penultimate day of 2025 show. >> We're going to update it a little bit
>> We're going to update it a little bit also.
also. >> Yeah, we'll have to update it. Uh, the
>> Yeah, we'll have to update it. Uh, the other thing is because it was audio back
other thing is because it was audio back in those days, there was no video. Uh,
in those days, there was no video. Uh, Anthony Nielson has created a very nice
Anthony Nielson has created a very nice kind of ule loggy thing you can run in
kind of ule loggy thing you can run in the background. You can you'll see when
the background. You can you'll see when you do you're listening to the show,
you do you're listening to the show, there is a little bit of video
there is a little bit of video associated with it. uh that Anthony did
associated with it. uh that Anthony did a nice job with that. So, grc.com to get
a nice job with that. So, grc.com to get all of that stuff. You can also, of
all of that stuff. You can also, of course, uh get the uh the uh
course, uh get the uh the uh podcast. I almost called it a radio
podcast. I almost called it a radio show. Get the podcast at our website,
show. Get the podcast at our website, twitch.tvsn.
twitch.tvsn. There's audio there and video, 128
There's audio there and video, 128 kilobit audio and video. There's video
kilobit audio and video. There's video at the YouTube channel dedicated uh to
at the YouTube channel dedicated uh to you uh to uh Security Now. In fact,
you uh to uh Security Now. In fact, you'll find that YouTube link on our
you'll find that YouTube link on our website, twitch.tv. TV/sn as well as a
website, twitch.tv. TV/sn as well as a link to a number of podcast clients or
link to a number of podcast clients or you can use your favorite. If you
you can use your favorite. If you subscribe in the podcast client, then
subscribe in the podcast client, then you get it automatically. You don't have
you get it automatically. You don't have to think about it. And yes, you have the
to think about it. And yes, you have the choice between audio and video versions
choice between audio and video versions of the show. We'd also like to invite
of the show. We'd also like to invite you to join the club. This is the time
you to join the club. This is the time of year where I am being very grateful
of year where I am being very grateful for all of our wonderful club members
for all of our wonderful club members who make all of this possible. You pay
who make all of this possible. You pay for a quarter of all of our costs now.
for a quarter of all of our costs now. It makes a big difference to us. And I'd
It makes a big difference to us. And I'd like to get that even more to 50%
like to get that even more to 50% because ad sales are pretty slow for
because ad sales are pretty slow for next year. Uh, and I think that this
next year. Uh, and I think that this might be a time that you could help us
might be a time that you could help us help you. Go to GR GRC. It's in my my
help you. Go to GR GRC. It's in my my head now. Go to twit.tv/clubt
head now. Go to twit.tv/clubt twit. [snorts] Uh 10 bucks a month, $120
twit. [snorts] Uh 10 bucks a month, $120 a year. There's a 10% off coupon for the
a year. There's a 10% off coupon for the yearly uh subscription that is available
yearly uh subscription that is available only now through December 25th. So get
only now through December 25th. So get that for yourself or as a gift for
that for yourself or as a gift for somebody. You'll get ad free versions of
somebody. You'll get ad free versions of all the shows. You'll get access to our
all the shows. You'll get access to our club Twit Discord, all the special
club Twit Discord, all the special programming we do. There's a lot of
programming we do. There's a lot of great stuff uh as a thank you really for
great stuff uh as a thank you really for your support of Twit. Well, I think that
your support of Twit. Well, I think that is every Oh, yeah. One more thing. We do
is every Oh, yeah. One more thing. We do record the show on Tuesdays right after
record the show on Tuesdays right after Mac break weekly. That's round about
Mac break weekly. That's round about 1:30 Pacific, 4:30 Eastern, 21:30 UTC.
1:30 Pacific, 4:30 Eastern, 21:30 UTC. And you can watch that live if you're in
And you can watch that live if you're in the club in the Discord, but there's
the club in the Discord, but there's also YouTube, uh, Twitch, x.com,
also YouTube, uh, Twitch, x.com, Facebook, LinkedIn, and [music] Kick.
Facebook, LinkedIn, and [music] Kick. So, there's other places you can watch
So, there's other places you can watch live, chat with us live as you're
live, chat with us live as you're watching. Now, I am finished. Steve will
watching. Now, I am finished. Steve will see you next week on Security Now. Bye.
see you next week on Security Now. Bye. [music]
[music] Security now.