This episode of Security Now covers a wide range of cybersecurity and technology news, with a particular focus on the evolving landscape of AI agents, browser security, and the implications of new technologies for user privacy and online interactions.
It's time for security now. Steve Gibson
is here. Uh FFmpeg says, "You ought to
be using assembly language." Steve says,
"Right on. Why would Chrome, the Chrome
browser, start to offer to fill in your
driver's licenses?" Steve has a theory.
Microsoft discovers a wild way you can
get information out of LLMs. Finally,
Steve takes a look at the fact that
Amazon is suing Perplexity because
they're using their Agentic browser to
buy things on Amazon. What's that all
about? That and a whole lot more coming
up next on Security Now.
>> Podcasts you love
>> from people you trust.
This is Security Now with Steve Gibson.
Episode 151, recorded Tuesday, November
11th, 2025. Amazon Sues Perplexity.
It's time once again for Security Now,
the show you wait. I wait all week for.
Every Tuesday, we get together with this
guy right here, Mr. Steve Gibson, to
find out what's new in the world of
security. More than 100,000 people
listen every week, Steve. And I wait for
it as much as they do. What is going to
happen this week?
>> Well, who knows?
>> Let me guess. Ransomware, uh, security flaws.
Actually, you've got a story. Your big
story is a little different than, uh,
the usual, but I'll let you tease what's
coming up.
>> It is because it's sort of the... Well, if
you had three feet, it would be the
other shoe. It would be the...
>> the shoe after the other shoe. Yes.
>> Yeah. After you run out of your two
feet, you're still holding this
shoe and then you dropped it because, why
do I have a third shoe? I only have two feet.
>> The third shoe will drop later in the
show. What else?
>> Yes, it will. Um, we have not
yet looked at the whole different issue
of agency as regards what our browsers
may do for us. And it turns out that's
different than the robots.txt file
controversy that we got into with
Cloudflare earlier, or the AI browser
getting confused with text from the
internet versus text from its commander
in the prompt injection issue. Uh,
this is different. Today's podcast I
just titled... and actually, Leo, this
started out as just the first topic of
news for the week, but as I fleshed out
all the other news, it stayed big and I
thought, okay, let's just focus on
that as our main issue. So
today's title is Amazon Sues Perplexity,
which is, well, first of all, boy, if you
Google that, your browser explodes
with hits. I mean, the whole
internet went nuts over this because
everyone recognizes that this is a big
issue. Um, which we're going to get to
for our 11/11/2025 Veterans Day episode of Security
Now, um, 151. But we got more stuff
to talk about. We've got FFmpeg
surprising everyone by deciding they
need to teach people assembly
language in order to get FFmpeg's
performance up where it needs to be.
>> Okay.
>> And they made some claims that some
notable industry people said,
"What? I don't think that's right." Uh,
we'll talk about that. We've got the
state of Nevada bragging, boasting about
their recovery after not paying any
ransom. Uh, also, oh, a rounding error
netted a very clever attacker
128 plus million dollars in some DeFi.
Who knows what the hell is going on, but
we'll talk about that. Uh, also,
why would Chrome decide to start autofilling
driver's license numbers?
>> Oh, yeah,
>> that's an interesting question. I don't want...
>> Uh, the UK's six major telecom providers
have decided that they're going to block
number spoofing within the UK. Why
didn't we think of that? Uh XSLT
is a feature that is being removed from
all the browsers, but not tomorrow,
soon. But the question is, will anyone
notice? And if it's something that you
depend upon, well, you need to stop
depending upon it. kind of like Flash
was once upon a time. Um, also Firefox
has decided to introduce paid support
options for organizations. What? Um,
Russia continues to fight against the
non-Russian internet. Uh, okay. I'm
sad for Russian citizens, I guess. Uh,
Google has acquired another internet
security company. We'll talk about that.
Oh, Leo. The EU
looks like they're gonna fix this whole
cookie popup banner nonsense.
>> Oh my god. No. Yes. Be still my heart.
>> I know. It's going to go away. You know,
it took them a few what years, many
years to fix it, but it's Yes, it's
coming. Yes. Um, also, more countries
are dropping Microsoft Office in
favor of open alternatives. We've got
more countries worrying about
Chinese-made buses phoning home. Uh,
Microsoft came up with a really
interesting... at first it looks like, what?
Yeah. What? Uh, leakage from LLMs by
looking at encrypted LLM conversation
TLS packets. But the darn thing actually
works. Uh, and then we're going to look
at what Amazon's lawsuit against
Perplexity's agents means for our next
generation browsers. So, lots of good
stuff to talk about. Uh, I got a little
update. I have a nice bit of feedback
from one of our listeners about
SpinRite. Uh, an update on my DNS
project at one year. We're done. Uh, and
there was a third thing I don't
remember, but we'll get to it. Uh, and
of course, a great picture of the week.
So, I think maybe, you know, a good podcast.
>> Once in a while you you got to, you
know, keep making them. Some of them
will turn out. I'm just joking. They're
always great. And uh we are excited
about the security now. Now, now
security now. Now, now it's it's
security now. Uh but first, it'll be
security in a minute.
So, sort of now. But first
>> now in in security in a minute
>> insecurity temporarily. Actually, this is
a solution you're going to want to know
about if you are worried about
ransomware. I often wonder, how is it that
these companies don't have some sort of
data resiliency plan? You know, how is
it that they are so vulnerable? Maybe
they haven't heard about Veeam, our
sponsor for this section of Security Now.
When your data goes dark, Veeam
turns the lights back on. Veeam keeps
enterprise businesses running when
digital disruptions like ransomware
strike. How do they do it? By giving
businesses powerful data recovery
options that ensure you have the right
tool for any scenario, even the worst
case scenario. Broad flexible workload
coverage from clouds to containers and
everything in between. That's, I think,
one of the reasons it's challenging
these days to have data resiliency. Your
data is living in a lot of different
places. With Veeam, you get full visibility
into the security readiness of every
single part of your data ecosystem.
It's tested. It's documented. And it's
proven. In fact, you're going to use Veeam
to make provable recovery plans that can
be deployed with the click of a button.
Verified recovery plans. Plans you know
will work. That's why Veeam is the number
one global market leader in data
resilience. Look, just call them the
global leader in helping you stay calm
under pressure with Veeam. It's all good.
Keep your business running at veeam.com.
And if you know ransomware has brought
your business down and you're
looking at paying millions of dollars in
ransomware, don't look at me. I told you, veeam.com.
All right, Mr. Gibson. Picture of the
week time.
>> A picture of the week. So,
>> yes, sir.
>> I gave this one the headline, an
important consideration
when you're able to decide where you
should have your emergency.
That is absurd.
Please do not have an emergency at this location.
>> Okay. Again, an important consideration
when you're able to decide
>> where you should have your emergency.
>> Um, okay. So, for those who are not
seeing the video, um, we have a
partially installed emergency phone kiosk,
but only the external framework is
there. The phone equipment has... you
know, I mean, obviously that mechanical
structure has to go in first, then the
phone installers come along and put
the guts in. So, this has no guts at
this point. So, somebody who didn't want
the appearance of this bright yellow
emergency kiosk, which is probably
familiar to those in the area from other
similar bright yellow emergency kiosks,
didn't want anyone to believe that they
could actually rely on this to report
their emergency.
>> Don't run over there. No.
>> There. Yeah. Right. There's a sign
that's posted where the phone equipment
would be, handset and keypad and things,
saying, as Leo said, "Emergency phone
not installed. Please do not have an
emergency at this location."
>> No.
>> So, and many... the mailing went out
yesterday afternoon to our subscribers,
about 19,261
I think we're at now. Uh, and many of
them noted that there was a strange
droid with a lightsaber in the background.
>> And
>> it's a fire hydrant, folks. Come on.
>> Yeah. And so I guess this must be like a
heavy snow area. Don't you normally have
like those things to indicate where the
curbs are? And in this case, I guess if
if there was a fire and there was a lot
of snow that was covering up the fire
hydrant, which looks kind of stubby.
Actually, this... not this... this is like
>> I'm wondering about this picture. That
looks too much like a droid with a
lightsaber. I'm starting to think
there's some... a little tongue firmly
planted in. I do think that that is
a pole, a bright red pole
sticking up from a fire hydrant so that
the fire equipment, you know, people,
also known as firemen, are able...
>> will know where the buried, not very tall
fire hydrant is if... it would take about
two feet of snowfall
to cover up that hydrant, and then you'd
think, I know that
there's no emergency phone
service in this location, but there's
got to be a fire hydrant around here
somewhere. Fortunately, if there's a red
post sticking up out of the snow, you
go, "Ah, that's the fire droid that
we could use to hook our hoses up to." So,
>> yes.
>> Anyway, at this point, we're exhausted
and it's time for another uh sponsor
break. No, just kidding.
>> All right,
>> the news is that assembly language
lives, which of course is a topic near
and dear to me. Last Wednesday on the
5th, the official FFmpeg
X account tweeted, "FFmpeg
makes extensive use of handwritten
assembly code for huge," and they have in
parentheses, "10 to 50x
speed increases.
And so we are providing assembly lessons
to teach a new generation of assembly
language programmers.
Learn more here." And they have a link to
a GitHub
account and page, and then a big
picture in their tweet, "FFmpeg
lessons." Um, and it generated a lot
of interest. This was November 4th early
in the morning. Um, so okay, people who
posted to that thread, which this FFmpeg
posting started, questioned that 10 to
50x speed improvement could possibly
arise from coding in assembly versus an
efficient high-level language. And much as I
love assembly and choose it for all of
my own work, I agree. Um, what I suspect
must be going on is a very unfair
comparison. All modern processor
instruction sets have extremely powerful
and fast special-purpose
vector and array handling streaming
instructions which are heavily pipelined
and designed to do the kinds of things
that FFmpeg needs to do with audio and
video. Um, and those can be used
when the entire solution has been
deliberately designed around using them.
So by comparison, any sort of more
generic solution that did not use those
super special purpose (you really can't
do anything else with them but this)
instructions would be massively
handicapped by comparison. So any naive implementation
which did accomplish the same function,
which was written in a high-level language
but did not also take advantage of
those special purposes, you know, like
special purpose processor
acceleration features, would absolutely
not have a chance. But you don't have to
not take advantage of those instructions
if you're using a high-level language. You
can use those. You have to sometimes,
you know, drop down briefly and manually
request that instruction. But the
current high-level languages all allow you
to drop down and handcode some things
because it is recognized that there are
some places where assembly language
still can be the right way to solve a
problem, when it isn't explicit, you know,
like when there isn't some explicit
special casing that was done in the
high-level language for a given processor
architecture. So anyway, I wanted to
share this X posting from the FFmpeg
group because those tutorials posted
over on GitHub, all available in
French, Spanish, and English, might
be of interest to anyone who's curious
about assembly language. Since our
listeners know that assembler is my
preference, I'm often asked by our
listeners and others how they should get
started in pursuing, you know, some... you
know, if nothing else just sort of, you
know, dipping their toes into the water
of assembly. So it might be that these
FFmpeg assembly lessons would be worth
looking at. And they do offer a Discord
server for asking and receiving
questions that might arise. So
I have the link there in the show
notes at the bottom of page two.
Uh, and I just wanted to put it on
everybody's radar.
Uh, last May, an employee with the state
of Nevada
made the mistake of clicking on a
malicious search engine ad which
installed a malicious sysadmin tool
from a spoofed website. The employee didn't
know any better. And this was back in
May. Three months later, Nevada received
ransomware demands, which it declined to pay,
having finally recovered in full last
Wednesday. The state's press release
carried the headline, "Nevada completes
28-day recovery from statewide cyber
incident, refuses ransom, and releases
after-action report."
Uh, what they said was the following.
Carson City, Nevada, November 5th, 2025.
The Governor's Technology Office, the
GTO, today released the 2025 statewide
cyber incident after-action report
detailing Nevada's 28-day recovery from
an August ransomware attack. Guided by
pre-established incident playbooks and
vendor agreements, the state did not pay
a ransom, restored statewide services
within four weeks (and actually, they
initially restored much more
quickly; I want to cover this in
detail because there's a
template here that is useful and
actually kind of impressive), and
recovered approximately 90% of impacted
data. The other 20 they're not
trusting yet, so they want to be careful
with that. The remaining items, while
still in control of the state, were not
required for service restoration and are
undergoing risk-based review with
continued monitoring. The state will
take appropriate notification or
remediation actions if new information emerges.
They said, Governor Joe Lombardo said,
quote, "Nevada's teams protected core
services, paid our employees on time,
and recovered quickly without paying
criminals. This is what disciplined
planning, talented public servants, and
strong participants deliver for Nevadans."
State CIO Timothy D. Galluzi said, "We
executed, then communicated. Our staff
and agency partners worked around the
clock with
expert vendors to contain the threat,
rebuild securely, and bring services back
online in measured phases." The numbers
are 28 days to full service restoration
across affected platforms;
around 90% of impacted data recovered,
residual items under risk-based review
with enhanced monitoring; no ransom
paid, response executed under cyber
insurance and pre-negotiated vendor agreements;
4,212
overtime hours by 50 state employees at $210,600,000,
I mean, uh, $210,600
direct overtime wages, fully loaded;
$1.314 million
obligated to specialized partners,
forensic recovery, legal, engineering, to
accelerate containment and rebuild.
Then they said how Nevada stepped up.
Continuity of operations, payroll
processed on schedule, high impact
public safety and citizen facing systems
were restored in phased order, speed and
discipline. Around the clock, state
teams executed 247 playbooks alongside
partners, enabling a 28-day full
restoration faster than many public
sector timelines for incidents of
similar scope. Fiscal responsibility.
Surge work was led by state
staff. Even using conservative fully
loaded overtime costs, the state avoided
hundreds of thousands of dollars versus
an all-contractor model, meaning they
kept it in-house largely while
retaining institutional knowledge and
tighter change control. Within hours,
Nevada engaged, and I have a timeline
I'll go over in a second, but they wrote,
engaged prepositioned experts for
forensics, recovery, and legal privacy
support, including Mandiant, Microsoft
DART, Dell, SHI, Palo Alto, uh, Baker
Hostetler, that's their law firm, and
local engineering support from Aerys
under cyber insurance and statewide
contracts. The complete after-action
report outlines next phase hardening and
modernization, including the pursuit of a
centrally managed security operations
center, an SOC; unified endpoint
detection and response, EDR; identity
hardening; OS and application control; and
expanded workforce training to
sustain resilience against evolving
threats. In other words, they, as a
consequence of their direct hands-on
involvement in this rather than just
throwing up their hands and bringing in
outside people, they got a bunch of
takeaways which are informing them how
to do better next time, acknowledging
that these threats are evolving. Um,
I cut out a lot of the glad-handing that
was in that announcement. They seem
rather pleased with themselves over
this. Um, I was unable to find any
indication of the size of the ransom
demand they declined. I think it was
never made public. Uh, but given the
reporting of the event at the end of
August, um, I imagine that the demand
was hefty because the bad guys
did knock the entire state off its
knees. I mean, they were down. Uh,
all of the automated services went
offline. I mean, it was a sweeping
attack. The Associated Press's headline
at the time was "Cyber attack shuts down
Nevada state offices and websites,
Governor's office says." And Reuters' headline
read at the time, "Nevada state offices
close after wide-ranging 'network
security event.'" You betcha.
So, uh, the most interesting data comes
from their complete 30-page after-action
report, which I'm not going to drag
everyone through, but among that, there were a
couple interesting tidbits. Uh, we learn
on August 24th, 2025, get this, at
1:50 a.m. Pacific Daylight Time,
um, the state of Nevada Governor's
Technology Office identified a system
outage that resulted in multiple virtual
machines going offline. Okay, 1:50 a.m.
PDT on August 24th. Guess what day of
the week August 24th is? If you said Sunday...
>> Saturday,
>> yeah, Sunday,
>> Sunday morning, 1:50 a.m., because you
want nobody around. You want to surprise
as much as possible. You want to get as
much dastardly deeds done during as much
time as you have before anybody is able
to, you know, wake up to this. So, you
know, very much like the, you know, New
Year's Eve or Christmas Eve sort of
thing. Um, so they wrote,
"Initially locked out of the systems,
the GTO team successfully, that's the
governor's technology office team,
successfully regained access using
backup credentials and discovered
encrypted files alongside a ransom note.
They isolated the affected VMs to
prevent further spread of the
ransomware. Legal counsel from Baker
Hostetler LLP was engaged and promptly
brought in Mandiant, a leading cyber
security firm under Google Cloud. There,
remember we talked about Google's
purchase of Mandiant a while ago, to conduct
a privileged forensic investigation. The
investigation revealed that the threat
actor had infiltrated the system as
early as May 14th of this year, 2025, when a state employee
unknowingly downloaded a malware-laced
system admin tool from a spoofed
website. This tool installed a hidden
back door which remained active despite
Symantec Endpoint Protection
quarantining the tool. On June 26th, the
attacker escalated their access by
installing a commercial remote
monitoring software on multiple systems
compromising both standard and
privileged user accounts. By mid August,
the attacker had established encrypted
tunnels and used remote desktop protocol
RDP to move laterally across critical
systems, accessing sensitive
directories, including the password
vault server. On August 24th, the
attacker deleted backup volumes and
deployed ransomware, encrypting VMs, and
disrupting critical services.
And elsewhere, the report says between
August 16th and August 24th, the threat
actor accessed multiple critical
servers, including the password vault
server, and retrieved credentials from
26 accounts. They meticulously cleared
event logs to obscure their activities.
On the day of the ransomware deployment,
the attacker deleted backup volumes and
altered security settings to facilitate
the execution of unauthorized code. At
1:30 a.m. PDT, ransomware was deployed,
encrypting VMs and disrupting critical
services. And as I said, not
surprisingly, August 24th was a Sunday.
So very deliberately at 1:30 a.m. on a
Sunday morning, the attackers uncloaked
and attacked. They relied upon no one
being around and minimal, if any, crew
even later in the morning on a Sunday to
enable their active attack to go
unnoticed for as long as possible.
This report, as I said, pats themselves
on the back frequently, and I've removed
most of that since it's not informative,
and it's frankly somewhat nauseating
because they're like, "Okay, we get it,
guys." But in all fairness, Nevada's IT
response was very impressive. On that
Sunday morning at 1:52 a.m., the VMs
that run the state were encrypted and
went offline, crippling systems statewide.
By 7:37 a.m. on that same Sunday
morning, the incident had been escalated
to the CIO and governor's office. Only a
little over two hours later, by 9:51
a.m., the credential lockout was lifted
using backup credentials and access to
the internal systems was obtained.
Encrypted files and that ransom note
then were discovered. Two and a half
hours after that, by 12:37 in the early
Sunday afternoon, the affected VMs had
been isolated to prevent further malware
spread. Four hours later, by 4:44 p.m.,
Nevada's legal counsel was added and
they added Google's Mandiant forensics
group to the effort. And 15 minutes
after that, at 5:03 p.m. on that same
Sunday, recovery protocols were
initiated and post-attack recovery had
begun. State government employees took
an unplanned two-day vacation that that
following Monday and Tuesday, by which
time systems were beginning to come back
up and online, and they were able to
return to work on Wednesday. So, we're
talking about a full rallying response
by dinnertime of the day it happened.
Uh, the full recovery did take four
weeks. Uh, it seems as though, you know,
that might have been a bit faster. We
don't know the details of where that
time went, but it does sound like, you
know, they didn't overpower their
response. They didn't bring in outside
people who actually, you know, would
need to be brought up to speed. They
paid, you know, a ton of overtime,
$1.3 million
uh, in overtime to their own people in
order to get back up
and online quickly. But overall,
Nevada is saying they spent $1.5 million
rather than whatever the ransom was. And
you can imagine it was, you know,
>> more than that. Yeah.
>> Oh, yeah. Easily $10 million for a
state to be, you know,
decrypted and, uh, you know, the
decryption keys, uh, possessed.
Obviously, Nevada had good backups and
they were offline and they did not get
encrypted because they paid no ransom,
which means they never got any keys from
any bad guys.
>> Good. So uh you know overall I would say
this is quite an impressive response.
This is what you would expect and you'd
have to imagine that they also showed
their cyber security insurance firm that
they were worth insuring that you know
that they were going to be responsible
that they were not going to spend a ton
of money. Uh and so I would say that
Nevada taxpayers should be impressed
with this. Uh, this is the way it I
mean, you'd rather not had that guy
click the link, but as we've said
before, this is now the lowhanging
fruit. Um, I sent a note out to a
bunch of... actually it's a
group I've talked about before, my
group of high school buddies that I'm
still in touch with, because Ars
Technica had a piece this morning about
a threat that we've discussed several
times already, but it's still so
unknown. And that was Ars Technica's
point, was this very little known,
they're calling it the ClickFix
attack. It's where you believe
you're trying to prove that you're human
through a new style of CAPTCHA.
And of course, CAPTCHAs change from time
to time. And so, you're instructed to
press the button to copy something
from your browser onto your clipboard,
then to open the Run field down in
Windows and paste that command. Well,
again, hopefully no one
listening to this podcast would do this,
but it turns out this is becoming
extremely effective because,
and the way I explained it to my
group who are non-technical, I said our
contemporary browsers are all about
containment. They are doing
a very good job of containing all of the
horrors and crap and malicious
intent that is out on the internet
within the browser's
boundaries. But if you copy something
out of the browser into Windows,
you've violated that
containment, and nothing prevents that
from happening. Unfortunately, at the
moment, you know, the browser
assumes that you want to copy
something that you've seen online, oh,
okay, a URL or some text,
>> what you're doing.
>> Yeah,
>> it's your machine. Go ahead. So,
it's, you know, so what we're going
to need to have is some sort of, um, uh...
I'm blanking on the word.
>> Something. We're going to need
something. That's for sure.
>> Yeah, it's definitely the case. Uh, you
copy something to your clipboard.
Clipboard is the word I was looking for.
We're going to need a clipboard source identification.
>> Yes.
>> So that if something is pasted from a
browser, it's tagged as as like like
special caution and so that for example,
you just can't drop it into the run
field of Windows and say paste without
all kinds of warning sirens and stuff
going off to prevent this kind of
problem. So, you know, the the the the
the where the clipboard got its contents
is going to start need is we're going to
need to start tracking rather than, as
you said, just assuming that the user
knows what they're doing because uh
>> No. Yeah.
>> No, clearly that's not...
>> asking too much. It's asking way too much.
>> But anyway, you know, props for Nevada.
They uh you know, you don't want to you
don't want to get hit by malware, but if
you do, you want to be able to recover.
You don't want to have to trust bad guys
to uh to to give you your your keys
back. And we've seen that even when you
get the keys from the bad guys, as they
pointed out, and they weren't wrong,
private sector firms still take months
to recover. So look at Jaguar. You
know, what a disaster.
>> Yeah.
>> So good job. Okay. Now, this is really
interesting and
and wow. Okay. Uh, last week, Check Point
Research published an incident report
describing an arcane attack on a DeFi, a
decentralized finance platform, called Balancer.
And it it occurs to me that saying
arcane attack on a DeFi platform is an
oxymoron. I mean is like or or or or
redundant. I don't I don't know. I mean
because it's like the I mean we have
seen dumb like authentication mistakes
being made where where a a third party
system was attached to the API and so
that that credential got uh abused which
allowed them to to sneak code into the
devs of the DeFi platform. You know, we
talked about all that. That's not this.
I I'm not going to expend any great
amount of effort in either me
understanding the details or expecting
anyone listening to this to my strongest
advice to everyone listening would be
not don't worry about the details. Uh
and after you hear why, I imagine that
you'll agree. But what happened here is
still so very cool, even if it's
borderline incomprehensible,
that I wanted to share it. Okay, so
Check Point titled their report, "How an
attacker drained," and I would argue
earned, but we'll see, "drained $128 million
from Balancer
through a rounding error exploit." Leo,
this is just this is so cool. Okay,
again, I don't even I can't begin to
understand the details, but I'm going to
share them so everyone can not
understand them with me.
Apparently, some attackers did
understand this and they literally
leveraged because this is somehow about
leverage. They leveraged the crap out of
it. So, here's what Check...
>> technical term, I believe. Yes,
>> that's a technical term. Yes.
Check Point said on November 3rd, right?
So, this just happened, 2025. Check Point
researchers' blockchain monitoring systems,
cool that we even have such
things now, detected a sophisticated
exploit targeting Balancer V2's
Composable Stable Pool contracts,
whatever that is. The attacker exploited
arithmetic precision loss in pool
invariant calculations. Well,
>> again, okay,
>> you know, when you're going to have some
uh invariant pool leakage problem there,
I guess
>> that's not good, right? To drain
$128.64 million
across six blockchain networks in under
30 minutes.
They wrote, "The attack leveraged a
rounding error vulnerability in the _upscaleArray
function that, when combined with
carefully crafted batch swap operations,
allowed the attacker to artificially
suppress BPT, the Balancer pool token,
prices, and extract value through
repeated arbitrage cycles.
The exploitation
occurred primarily during attacker smart
contract deployment with the constructor
executing 65 micro swaps that compounded
precision loss to devastating effect.
>> Yes, I would.
>> And that was just the overview, folks.
The fact that they even figured this out
is amazing, right?
>> That's why I would say arguably they
earned this money. They earned it like... Yeah.
>> Okay.
>> Okay. So, they said Balancer V2, just to
add insult to injury, I'll give you
a little more. Balancer V2 uses a
centralized vault contract that holds
all tokens across all pools. Of
course, separating token storage from
pool logic to reduce gas costs. It's
like, what is that, a typo? And
>> it's reducing gas costs. That's the
reason. That's right. And enable capital
efficiency, which you would want. Uh, this
shared liquidity design meant a single
vulnerability in pool math could affect
all composable stable pools
simultaneously. Of course, which is
exactly what happened in this attack.
Balancer V2's internal balance system
allows users to deposit tokens once and
use them across multiple operations
without repeated ERC-20 transfers. Oh, naturally,
>> this system,
>> this sounds like the decombobulator
thing. This is crazy.
>> I know. And it's true. This system
became critical to the attack. The
exploit contract accumulated stolen
funds in its internal balance during
deployment, then withdrew them to the
final recipient address in subsequent transactions.
Composable stable pools use Curve's StableSwap invariant formula to maintain price stability between similar assets. The invariant D, that's capital D for those who are following along, represents total pool value, and BPT price is calculated as D divided by total supply. However, the scaling operations that prepare balances for invariant calculations introduce rounding errors. Wouldn't you know, the mulDown function performs integer division that rounds down. When balances are small, in the 8 to 9 wei range, that's, we'll get to that in a second, this rounding creates significant relative errors, but relative is important here, up to 10% precision loss per operation. Okay. Now, the term wei is important. A wei is the smallest possible unit of Ethereum. One, get this, one Ethereum is 10 to the 18th wei. So one wei is far less than 1 trillionth of a cent in value. So, some super clever individual realized that by using these incredibly small balances, the rounding error, which would normally be utterly insignificant, would result in up to a 10% precision loss per operation. I'm sure not giving these people any of my money. Check Point then finishes their explanation by writing, "This precision error propagates to the invariant D calculation, causing abnormal reduction in the calculated value. Since BPT price equals D / total supply, the reduced D directly lowers BPT price, creating arbitrage opportunities for the attacker. Individual swaps produce negligible precision loss. But within a single batch swap transaction containing 65 operations, these losses compound dramatically." I'll say. "The lack of invariant change validation allowed the attacker to systematically suppress BPT price through accumulated precision errors, extracting millions in value per pool."
>> Okay, as I said, I'm not sure that I would call this an attack at all. I mean, technically, maybe an extremely clever bad guy understood enough of the inner workings of this system, and apparently we're the minority, or maybe not, Leo, I wouldn't call us a minority, but there are others, obviously. Check Point has some people who understand this gobbledygook. Uh, so, okay, but this guy understood the inner workings of the system to design an exploit of its inherent rounding error. And in doing some other background research, it turns out this is understood, that the fact that there's this rounding error down there has been known for quite a while. No one had figured out how to exploit it. He clearly started with a purely theoretical concept and made it work. And for his trouble, he's now slightly more than $128 million richer, whoever he is and wherever he is. Um, so I'm not completely certain that he didn't earn it. What I am certain of is that none of my money, nor any money belonging to anyone I care about and have any influence over, is ever going to get anywhere near any of that wacky arcane technology. It all gives me the heebie-jeebies, which is another technical term. So, no thank you. You know, I suppose I'm old-fashioned, but I want to understand where I put my money, you know, even if it's under a mattress, because wow, you know, where did it go? We don't know. What do you mean? You know, what do you mean you don't know? Well, you know, crazy.
>> It was a rounding error. A rounding error worth $128 million. Where's my money? Well, we don't know. It drained out. It's gone. Some people paid for some monkey icons or something. And now Kevin is a lot richer than he used to be.
>> I don't know what I do know, Leo.
>> Oh, I suspect I know, too.
>> I suspect you do.
>> Oh, you say that. Stay tuned, because after that we're going to find out why Chrome thinks it's a good idea to begin autofilling people's driver's license numbers and states where they obtain them.
>> Nuts. Just nuts.
>> And we know why, don't we?
>> Yes, we do. Do we? I don't know. I'm going to find out. I don't know if
>> I'm going to find out. It's not good.
>> And I have some good news. Uh, Anthony Nielson came over and said, "Well, you got to turn that on." And now you can see my screen. So, I'll show you a chart later on. I made Anthony drive all the way here to flip a switch. I'm sorry, Anthony, but, uh, I appreciate it. And, uh, I could have sworn I flipped that switch myself earlier, but anyway,
>> probably the other direction.
>> Yeah, probably. You know, they need big buttons to say on and off. Good, bad,
>> Good, bad for me and the people who work in the fine state of Nevada government offices. Actually, here's an ad for somebody, uh, who might be in the IT department in the state of Nevada. There is something you ought to know about: Hoxhunt, our sponsor for this segment of Security Now. Hoxhunt. As a security leader, your job, you get paid to protect your company against cyber attacks. I know. And you have our sympathy. I mean, if you listen to the show, we know it's getting harder and harder with more cyber attacks than ever. And here's the real problem. These phishing emails, they're generated with AI now and they are letter perfect. You can't look at one and say, "Oh, that's a fake. Look at the English grammar or whatever." No, they duplicate a real email and they fool people. Here's the problem. Legacy, these traditional one-size-fits-all awareness programs you're probably using, they don't stand a chance against today's phishing attacks. At most they're going to send four kind of generic trainings every year, and most employees hate them. I mean, just ask your team. They ignore them. You know what they really hate? When somebody clicks on a, you know, on a training email thinking it's, oh, they fall for it. Then they're forced into embarrassing training programs. They feel like punishment, and nobody ever learns from punishment. That's why more and more organizations are trying Hoxhunt. H-O-X-H-U-N-T. Hoxhunt goes way beyond traditional security awareness. They actually change behaviors by gamifying it. They reward good clicks. They coach away the bad clicks. When an employee suspects an email might be a scam, Hoxhunt will tell them instantly. They highlight it. They practically set off bells and whistles, and boom, you get a dopamine rush that gets your people, like, they're happy. They go, "Oh, I did it." To learn to click to protect your company. This is the secret: make it fun. People learn when they're having fun. As an admin, I mean, fun's not the right word, but they learn when they're engaged, right? And they're not going to be engaged when they feel like they're being spanked. As an admin, you'll love Hoxhunt, too. You're not being spanked either. It makes it easy to automatically deliver phishing simulations, and not just email but Slack, uh, Teams. You can use the same AI the bad guys are using to mimic the latest real world attacks. You can make perfect phishing emails. And by the way, Hoxhunt lets you personalize the simulations to each employee based on department, location, things you already know. So it makes these, by the way, the hackers know all this stuff too, right? It makes these really effective. And then the instant micro trainings, little trainings, little fun things, solidify understanding and drive lasting safe behaviors. You can trigger gamified security awareness training that awards employees with stars and badges, boosting completion rates and ensuring compliance. It may sound silly, but think about it. We are all motivated by that. You feel good when you're protecting your company. You did the right thing. You found the bad guy. Getting that reward, that acknowledgement, goes a long way. You'll be able to choose from a huge library of customizable training packages, or, as I said, you can use their AI to generate your own. Hoxhunt has everything you need to run effective security training in one platform, meaning it's easy to measurably reduce your human cyber risk at scale. But you don't have to take my word for it. There are over 3,000 user reviews on G2, making Hoxhunt the top rated security training platform for enterprise. Hoxhunt's number one and easiest to use, best results, also recognized as a customer's choice by Gartner, and it's used by thousands of companies, big ones like Qualcomm, AES, Nokia. They're using it to train millions of employees all over the globe. It really works. Visit hoxhunt.com/securitynow right now to learn why modern secure companies are making the switch. hoxhunt.com/securitynow. We thank them so much for supporting the good works Steve does and is doing here, uh, at Security Now. All right, Steve, on
>> A little blurb from Google about a new feature in Chrome caught my eye,
>> and not in a good way.
>> Uh, get a load of this one. Google wrote, "Chrome now helps you fill in passport, driver's license, vehicle information, and more."
>> No,
>> they said, "Chrome already saves you time every day by securely filling in your addresses, passwords, and payment information. Today, we're making it even more helpful for desktop users with enhanced autofill enabled. Chrome can now also fill in your passport and driver's license number, vehicle info like license plate or VIN, and more. It can also better understand complex forms and varied formatting requirements, improving accuracy across the web. We've designed enhanced autofill to be private and secure. When you enter relevant info into a form, Chrome will save this data only with your permission and protect it through encryption. And before filling in saved info on your behalf, Chrome will also ask you to confirm, keeping you in full control of your data. Starting today, these updates are available globally in all languages, and we plan to support even more data types over the coming months." Okay. And then their little sample screenshot shows a form being filled in with fields for driver's license number and issuing state. Huh.
Gee, you know, we've all gotten along so well until now without that. How
>> So much work, Steve.
>> Uh, how often do we see websites asking us to provide them with our state-issued identification, such as a driver's license number and the issuing state? It does kind of make you wonder why the Chrome devs might all of a sudden be thinking
>> that making government identification data easier to fill out for websites
>> might suddenly be useful and convenient when it has never come up before.
>> Anyone around here have any sudden need to prove who they are and how old they are?
There's one other thing about this. Recall that Google wrote, "We've designed enhanced autofill to be private and secure. When you enter relevant info into a form, Chrome will save this data only with your permission and protect it through encryption. And before filling in saved info on your behalf, Chrome will ask you to confirm, keeping you in full control of your data." Now, there's no doubt that they mean that. Even if the application for this information may be a concern, there's no doubt that Google will do their best to keep that data from leaking. The problem is, leaking is what data does. It leaks,
>> right? I mean, that's right. That's what it does.
>> That's what it does. Chrome is a good browser with excellent security, but it's still being constantly exploited and receiving patches to close zero-day vulnerabilities that have been discovered being used in the wild. This is not any criticism of Chrome and its Chromium engine. Firefox and Safari are in the same boat. Today's web browsers have grown so complex, and are also never being left alone, they're being constantly updated with the latest features, that they can never probably ever become completely impervious.
So to me, you know, it's a convenience for my password manager to be able to fill out my credit card number and mailing delivery address information. That comes in handy. But I memorized my California driver's license number 54 years ago. And, right, aside from having to add a zero in front of its most significant digit when California ran out of numbers, it has never changed. So, I've had no problem entering it the perhaps, what, maybe five or six times I've ever needed to provide my identity online, such as when I froze my credit reporting at the various agencies or when I signed up for social security. Other than that, it doesn't come up very often. But consider this. We're entering a very different universe if the world's most popular web browser's designers for some reason believe that in the future we're going to be needing to provide our government identification information with sufficient regularity that enabling our web browser to do that for us will be a benefit.
And here's the other problem. Even if we trust Google to have done everything right about keeping that personally identifiable information secure and to never leak, how can we possibly trust all of the many individual websites that are presumably all going to be asking for this information often enough for Google to have added this feature to Chrome? We all know that websites cannot keep secrets. They don't. Just ask Troy Hunt's "Have I Been Pwned?" site. And don't forget that massive database leak, Leo, you and I, and hundreds of thousands of others all discovered had our social security numbers
>> searchable online. Further demonstration that websites leak.
>> So, this brings to mind that old adage about how to keep a secret. Don't tell anyone. I don't plan to tell Chrome or Firefox or Safari or even my trusted password manager anything more about me than they really require knowing for my own convenience. And I don't need to give my driver's license number out, like, ever, with a few exceptions. Uh, if we get to a place where we're needing to frequently provide our driver's license numbers to random websites, then the internet will have entered an entirely new era.
>> Yeah.
>> And not a good one.
>> No.
So, I don't know what Google knows, but I hope they're busy implementing, you know, identity-protecting age, uh, assertion technologies rather than storing my driver's license number in an encrypted secure format so it can be given out more easily, because I don't ever want to be in a position where that's happening.
>> Yeah. Yeah. Wow. I didn't think of that till you said it, and then I realized, oy.
>> Yeah. Why? We haven't needed it until now.
>> No, all of a sudden what's changed? Well, we know.
>> I turn off all of that, uh, stuff. Password autofill, address, even address autofill and credit card autofill. I don't think the browser is the right place for that stuff, to be honest.
>> Well, it's, you know, and as we know, it's not multiplatform. They don't do, as you know, they're not all as focused on it as our password managers are. And if it's on, then you end up with a collision of the autofill. Everybody's trying to fill the thing out. It's like, whoa, wait, whoa.
>> Right. Hold on there. No. Yeah. And that's, I do keep it in Bitwarden, and I keep all that other stuff in Bitwarden. I presume that's relatively safe if I need to fill it in. But like you, I never consciously memorized my driver's license number, but you enter it enough, it sticks.
>> I know. I don't know why, but I can, like, run through it. I know exactly. Not that long, for one thing.
>> No, exactly.
>> Yeah.
>> And mine kind of has a little rhyme to it, so it's good.
>> Oh, nice.
>> Okay. So, it's not often that I find myself envious of life in the UK. Not that there's anything wrong with the UK. It's just kind of hard to beat Southern California is all I'm saying.
>> Yeah.
>> But this next
>> Believe me, they envy you. I'm just going to say.
>> This next bit of news would certainly be welcomed by our UK-based listeners, and I wouldn't mind having some of it myself to go along with Southern California's sunshine. Last Wednesday, the official gov.uk website posted this update under the headline "Spoofed numbers blocked in crackdown on scammers." The UK government wrote, "Scammers hiding behind fake numbers will be unmasked under a new partnership with Britain's biggest," there's six of them, "phone companies to protect the public from fraud. A landmark new agreement between government and industry signed at the BT Tower today will see a raft of new measures to safeguard the UK's mobile network from fraud. It will make it harder than ever for criminals to trick people through scam calls, using cutting-edge technology to expose fraudsters and bring them to justice. Scam calls and texts are a daily frustration for many, with criminals based abroad often impersonating trusted organizations like banks and government departments to deceive people to steal money or personal information. Britain's six largest mobile networks have committed to upgrade their network within the next year to eliminate the ability for foreign call centers to spoof UK numbers, making it clear that calls are originating from abroad, exposing scammers' lies. Data shows that 96% of mobile users decide whether to answer a call based on the number displayed on their screen, with 3/4 unlikely to pick up if it's from an unknown international number. Advanced call tracing technology will also be rolled out across mobile networks to give police the intelligence to track down scammers operating across the country and dismantle their operations. New commitments to boost data sharing with the police will shine a light on the mobile networks that let scam calls slip through their net, empowering customers and making it harder for scams to go undetected."

So in this regard, I could easily wish that the US would be as proactive as the UK. When you think about it, this is such a simple solution. Simply examine the telephone calls entering the UK. Just watch your national borders. It's trivial to know when a call coming in from outside the UK is carrying a spoofed originating UK phone number. UK citizens traveling abroad who actually do have valid UK originating numbers will need to be admitted, but the agreement specifically talked about foreign call centers spoofing known UK numbers. So presumably there's some way to handle them separately, and yay to the UK. You know, this would be something we could all use. Lord,
>> we've said this, you've said this for years, uh, with regard to ISPs, but if the phone companies did the same thing.
>> Yes. It's exactly like ISPs who are saying, "Wait a minute, you know, these packets do not have our IP and they're saying that they do, so let's drop them."
>> Yeah.
>> Like, how hard is that?
>> And the phone company should do that. This phone call is pretending to come from the 707 area code, but it's not. Why should I allow it? But because they make money is why, I'm sure.
>> Yes, I know.
>> Yes. Well, it's good that they stepped up.
>> Yeah.
>> Okay. So, this is really interesting. Um, something that makes a lot of sense is pruning old and aging technologies from our web browsers. Browser bloat is a very real thing. Not every idea that the internet community comes up with gains or maintains a solid foothold. But unless, I mean, think Flash, right?
>> Yeah.
>> But unless proactive measures are taken to deliberately scrape the dead bits out of our browsers, they just don't go away on their own. And the last thing anyone wants is having zombie code taking up space and polluting browsers with old, unmaintained, and potentially exploitable code.

So, it was in that spirit that Google recently announced the planned deprecation and eventual total removal of a feature that hopefully no one listening to this podcast is using and needs, nor knows anyone who is or does. And if you or your enterprise do, you have at most one year to replace it with some other solution, because it is going away. And I should mention that moving to Firefox or Safari probably won't help, because both of them are hopeful that Google will succeed in this.

Okay. So what's going away? Something that I suspect matters so little that most people listening have never even heard of it. It's called XSLT, which is the official abbreviation for Extensible Stylesheet Language Transformations. XSLT is a declarative template-based language that's used for transforming convenient-to-code but difficult-to-view XML formatted data into other forms such as HTML.

Here's what Mozilla posted about this just a few months ago, back in August. Mozilla wrote, "Our position is that it would be good for the long-term health of the web platform and good for user security to remove XSLT. And we support Chromium's effort to find out if it would be web compatible to remove support," which is an interesting way to phrase it. "If it would be web compatible to remove support," meaning, I think, if it breaks, how badly it breaks things. "If it turns out that it's not possible to remove support, then we think browsers should make an effort to improve the fundamental security properties of XSLT even at the cost of performance. While it's important to not break existing web content, it's also important to prevent security vulnerabilities." Thank you. "XSLT," they wrote, "has been in maintenance mode in browsers and has been an ongoing source of security issues. Features and technology are sometimes removed from browsers for this reason, even when doing so breaks some existing content. Examples include mutation events, the window.showModalDialog function, keygen, and plugins. The usage of XSLT is lower than that of mutation events at the time of their removal, and Flash was very commonly used. If it turns out not to be possible to remove the feature, we'd like to replace our current implementation," says Mozilla. "The main requirements would be compatibility with existing web content, addressing memory safety security issues, and not regressing performance on non-XSLT content. We've seen some interest in sandboxing live XSLT, and if something with that shape satisfied our normal production requirements, we would ship it." Okay, so that was August.

Wednesday before last, Google's Chrome group posted the headline "Removing XSLT for a more secure browser," and they wrote, "Chrome intends to deprecate and remove XSLT from the browser. This document details how you can migrate your code before the removal in late 2026." In other words, we're currently in late 2025. So, you got a year. Actually, things start getting all dicey in March, as we'll see. They wrote, "Chromium has officially deprecated XSLT, including the XSLTProcessor JavaScript API and the XML stylesheet processing instruction. We intend to remove support from version 155," that's of Chrome, "November 17th, 2026." A year. "The Firefox and WebKit projects have also indicated their plans to remove XSLT from their browser engines. This document provides some history, context, explains how we're removing XSLT to make Chrome safer, and provides a path for migrating before these features are removed from the browser."

Okay. Then Google provides a timeline for this removal where, starting next March, they cautiously tiptoe forward, disabling first by default, but not fully removing it yet, increasing portions of Chrome's XSLT support. But the more interesting part of this event, since I really hope no one cares about the loss of XSLT itself, is what we learn about the feature and code support evolution of the web through the lens of this event. Here's what Google shared about the past and present of XSLT, since we now pretty much know its future. They wrote, "XSLT was recommended by the World Wide Web Consortium, the W3C, on November 16th." Funny how these November timelines line up. So around the same time, 1999, end of the year 1999, so 26 years ago, "as a language for transforming XML documents into other formats, most commonly HTML for display in web browsers." In other words, it would be possible for a website, for a web browser, to retrieve an undisplayable XML format document, and for the code in the browser to have XSLT, which is like a declarative, non-procedural, non-explicitly-executed, um, template-oriented language, kind of like, you know, CSS, to declaratively translate an XML document into HTML, which you would then stick into the DOM, the document object model, and render on the screen for the user. So that's a thing for 26 years.
So that's a thing for 26 years. Um before the official 1.0
Um before the official 1.0 recommendation, Microsoft took an early
recommendation, Microsoft took an early initiative by shipping a proprietary
initiative by shipping a proprietary implementation based on the W3C working
implementation based on the W3C working draft in get this Internet Explorer 5.
draft in get this Internet Explorer 5. So yeah, released in March of 1999.
So yeah, released in March of 1999. Following the official standard, Mozilla
Following the official standard, Mozilla implemented native XSLT 1.0 support in
implemented native XSLT 1.0 support in Netscape 6 before we had Firefox.
Netscape 6 before we had Firefox. Netscape 6 in late 2000. Other major
Netscape 6 in late 2000. Other major browsers including Safari, Opera, and
browsers including Safari, Opera, and later Chrome also incorporated native
later Chrome also incorporated native XSLT
XSLT 1.0 0 processors making clientside
1.0 0 processors making clientside XML to HTML
XML to HTML transformations
transformations a viable web technology
a viable web technology in the early 2000s. So W3 the the W3C
in the early 2000s. So W3 the the W3C standardized on it, produced a
standardized on it, produced a specification and by the early 2000s all
specification and by the early 2000s all the browser community had it. Meaning
the browser community had it. Meaning anybody could reasonably
anybody could reasonably use it for presentation of information
use it for presentation of information through a web browser where the source
through a web browser where the source of that was an XML document which is
of that was an XML document which is anything but presentable.
anything but presentable. Google said the XSLT language itself
Google said the XSLT language itself continued to evolve with the release of
continued to evolve with the release of XSLT 2.0 in 2007 and XLT
XSLT 2.0 in 2007 and XLT 3.0 in 2017.
3.0 in 2017. These updates introduced powerful
These updates introduced powerful features like
features like regular expressions, improved data
regular expressions, improved data types, and the ability to process JSON,
types, and the ability to process JSON, not just XML browser support. However,
not just XML browser support. However, this is interesting, never followed.
this is interesting, never followed. Today, today, all major browser engines
Today, today, all major browser engines only provide native support for the
only provide native support for the original XSLT 1.0 from 1999,
original XSLT 1.0 from 1999, 26 years ago. In other words, it wasn't
26 years ago. In other words, it wasn't important enough for them even to go to
important enough for them even to go to 2.0 in ' 07 or 3.0 in 2017.
2.0 in ' 07 or 3.0 in 2017. Stayed at 1.0.
Stayed at 1.0. Google wrote, "This lack of advancement
Google wrote, "This lack of advancement coupled with the rise of the use of JSON
coupled with the rise of the use of JSON as a on the-wire format and JavaScript
as a on the-wire format and JavaScript libraries and frameworks like jQuery,
libraries and frameworks like jQuery, React, and Vue.js that offer more
React, and Vue.js that offer more flexible and powerful doc document
flexible and powerful doc document object model manipulation and templating
object model manipulation and templating has led to a significant decline in the
has led to a significant decline in the use of clientside XSLT.
use of clientside XSLT. Its role within the web browser has been
Its role within the web browser has been largely superseded by these
largely superseded by these JavaScriptbased technologies.
JavaScriptbased technologies. So why does XS slt need to be removed?
So why does XS slt need to be removed? The continued inclusion of XSLT 1.0 in
The continued inclusion of XSLT 1.0 in web browsers presents a significant and
web browsers presents a significant and unnecessary security risk. The
unnecessary security risk. The underlying libraries that process these
underlying libraries that process these transformations, such as Live XSLT used
transformations, such as Live XSLT used by Chromium browsers and Firefox, are
by Chromium browsers and Firefox, are complex, aging C, C++ code bases. This
complex, aging C, C++ code bases. This type of code is notoriously susceptible
type of code is notoriously susceptible to memory safety vulnerabilities like
to memory safety vulnerabilities like buffer overflows, which can lead to
buffer overflows, which can lead to arbitrary code execution. For example,
arbitrary code execution. For example, security audits and bug trackers have
security audits and bug trackers have repeatedly identified high high severity
repeatedly identified high high severity vulnerabilities in these parsers and
vulnerabilities in these parsers and they site two CVEes 2025 7425
they site two CVEes 2025 7425 and 2022
and 2022 uh 22834
uh 22834 both in live XSLT. And I just misspoke
both in live XSLT. And I just misspoke by the way a moment ago. As far as I
by the way a moment ago. As far as I know, Mozilla does not use the live.
know, Mozilla does not use the live. They implemented their own native code
They implemented their own native code back in the early days back in Netscape
back in the early days back in Netscape 6. So because client side XSLT is now a
6. So because client side XSLT is now a niche rarely used feature, these
niche rarely used feature, these libraries, this is Google saying,
libraries, this is Google saying, receive far less maintenance and
receive far less maintenance and security scrutiny than the core
security scrutiny than the core JavaScript engines. Yet they represent a
JavaScript engines. Yet they represent a direct potent attack surface for
direct potent attack surface for processing untrusted web content.
processing untrusted web content. Indeed, XSLT is is the source of several
Indeed, XSLT is is the source of several recent high-profile security exploits
recent high-profile security exploits that continue to put browser users at
that continue to put browser users at risk. The security risks of maintaining
risk. The security risks of maintaining this brittle legacy functionality far
this brittle legacy functionality far outweighs its limited modern utility.
outweighs its limited modern utility. Furthermore,
Furthermore, the original purpose of clientside XSLT,
the original purpose of clientside XSLT, transforming data into renderable HTML,
transforming data into renderable HTML, has been superseded by safer, more
has been superseded by safer, more ergonomic, and better maintained
ergonomic, and better maintained JavaScript APIs. Modern web development
JavaScript APIs. Modern web development relies on things like the fetch API to
relies on things like the fetch API to retrieve data, typically JSON, and the
retrieve data, typically JSON, and the DOM parser API to safely parse XML or
DOM parser API to safely parse XML or HTML strings into DOM structure within
HTML strings into DOM structure within the browser's secure JavaScript sandbox.
the browser's secure JavaScript sandbox. Frameworks like React, Vue, and Spelt
Frameworks like React, Vue, and Spelt then manage the rendering of this data
then manage the rendering of this data efficiently and securely. This modern
efficiently and securely. This modern tool chain is actively developed,
tool chain is actively developed, benefits from the massive security
benefits from the massive security investment in JavaScript engines, and is
investment in JavaScript engines, and is what virtually all web developers use
what virtually all web developers use today. Indeed, only about 0.02%
of web page loads today actually use XSLT at all with less than 0.001% 0001%
XSLT at all with less than 0.001% 0001% using SX XSLT processing instructions.
using SX XSLT processing instructions. Okay. So, okay. To me,
Okay. So, okay. To me, it sure sounds like they're doing an
it sure sounds like they're doing an awful lot of apologizing for something
awful lot of apologizing for something that really just needs to die. On the
that really just needs to die. On the other hand,
other hand, even the end of the horrific Flash
even the end of the horrific Flash plugin, remember those nightmares, Leo?
plugin, remember those nightmares, Leo? I mean, we we dined out on Flash so
I mean, we we dined out on Flash so often on this podcast. Oh my lord. I
often on this podcast. Oh my lord. I mean, it was just such a problem. And
mean, it was just such a problem. And and even that, it took forever to
and even that, it took forever to finally say goodbye. Uh which was
finally say goodbye. Uh which was painful. Uh, and it's true that for
painful. Uh, and it's true that for those vanishingly rare websites that
those vanishingly rare websites that that are built in some fashion around
that are built in some fashion around XSLT
XSLT and who will stop functioning without
and who will stop functioning without it, XSLT's complete disappearance from
it, XSLT's complete disappearance from the web could prove to be a significant
the web could prove to be a significant inconvenience.
inconvenience. So Google continued apologizing by
So Google continued apologizing by writing, "This is not a Chrome or
writing, "This is not a Chrome or Chromium only action. The other two
Chromium only action. The other two major browser engines also support the
major browser engines also support the removal of XSLT from from from the web
removal of XSLT from from from the web platform, WebKit and Gecko. For these
platform, WebKit and Gecko. For these reasons, deprecating and removing XSLT
reasons, deprecating and removing XSLT reduce the browser's attack surface for
reduce the browser's attack surface for all users, simplify the web platform,
all users, simplify the web platform, and allow engineering resources to be
and allow engineering resources to be focused on securing the technologies
focused on securing the technologies that actually power the modern web with
that actually power the modern web with no practical loss of capability for
no practical loss of capability for developers.
developers. So, what I love about this as a lesson
So, what I love about this as a lesson is it's a perfect textbook example of
is it's a perfect textbook example of the way all this should work. The web
the way all this should work. The web ecosystem needs to evolve to meet the
ecosystem needs to evolve to meet the evolving uses to which our web browsers
evolving uses to which our web browsers are being put. But evolution doesn't
are being put. But evolution doesn't only mean continually tacking on new
only mean continually tacking on new feature after new feature without end.
feature after new feature without end. It necessarily also means trimming off
It necessarily also means trimming off the dead limbs so that the organism as a
the dead limbs so that the organism as a whole can remain as healthy as possible.
whole can remain as healthy as possible. This is never an easy thing to do
This is never an easy thing to do because someone somewhere is going to
because someone somewhere is going to see their website die through no fault
see their website die through no fault of theirs. They will have been early
of theirs. They will have been early adopters of an interesting technology
adopters of an interesting technology that all browsers at the time built in
that all browsers at the time built in and have supported ever since.
and have supported ever since. Unfortunately, their use of that
Unfortunately, their use of that technology has left them be being such a
technology has left them be being such a minuscule minority of the world that the
minuscule minority of the world that the sane decision on the part of the web
sane decision on the part of the web browsers is to discontinue their support
browsers is to discontinue their support and to say they're sincerely sorry,
and to say they're sincerely sorry, which Google clearly is. If XSLT could
which Google clearly is. If XSLT could be left in there without compromising
be left in there without compromising all internet users, it would be left in
all internet users, it would be left in there. It would be left alone. But this
there. It would be left alone. But this old code, which still requires
old code, which still requires maintenance, sees so little use that it
maintenance, sees so little use that it makes much more sense to just remove it
makes much more sense to just remove it than it does to expose everyone to its
than it does to expose everyone to its dangers, which require continual repair
dangers, which require continual repair to deal with. So that's the way the web
to deal with. So that's the way the web ecosystem goes. And you know it is the
ecosystem goes. And you know it is the way it should go.
way it should go. >> Yeah.
>> Yeah. >> And speaking of the way it should go,
>> And speaking of the way it should go, Leo, the way I think this podcast should
Leo, the way I think this podcast should go.
go. >> Yes.
>> Yes. >> Is for me to have a sip of coffee while
>> Is for me to have a sip of coffee while we take a break.
we take a break. >> Uh,
>> Uh, >> you know, coffee doesn't keep you up at
>> you know, coffee doesn't keep you up at night. like I don't drink it late in the
night. like I don't drink it late in the day and I drink espresso I drink okay
day and I drink espresso I drink okay that doesn't keep me up no and I do
that doesn't keep me up no and I do drink espresso which has a strong flavor
drink espresso which has a strong flavor but it's the caffeine is burned off by
but it's the caffeine is burned off by the additional roasting
the additional roasting >> right
>> right I don't know I can't I have one cup in
I don't know I can't I have one cup in the morning and if I have another one I
the morning and if I have another one I won't sleep well and I'm just jealous
won't sleep well and I'm just jealous because I would love to drink coffee all
because I would love to drink coffee all day maybe I'll get some decaf
day maybe I'll get some decaf although that seems like it should be
although that seems like it should be anathema But anyway, we will get back to
anathema But anyway, we will get back to the highly caffeinated Steve G.
the highly caffeinated Steve G. >> I like the I like the caffeine bite.
>> I like the I like the caffeine bite. There is a
There is a >> Yeah, I know you do. Yeah.
>> Yeah, I know you do. Yeah. >> Yeah. Is that from the caffeine?
>> Yeah. Is that from the caffeine? >> Yeah.
>> Yeah. >> Oh, so decaf doesn't have that. Huh?
>> Oh, so decaf doesn't have that. Huh? >> No.
>> No. >> Oh well. Oh well. This portion of
>> Oh well. Oh well. This portion of security now brought to you by Zcaler,
security now brought to you by Zcaler, the world's largest cloud security
the world's largest cloud security platform. The potential rewards of of
platform. The potential rewards of of AI,
AI, I don't know if they outweigh the risks.
I don't know if they outweigh the risks. They're both right. The rewards are
They're both right. The rewards are probably too good to ignore, but you
probably too good to ignore, but you can't ignore the risks. A loss of
can't ignore the risks. A loss of sensitive data, attacks against
sensitive data, attacks against enterprise managed AI, and of course,
enterprise managed AI, and of course, generative AI helps threat actors,
generative AI helps threat actors, helping them to, you know, create, we
helping them to, you know, create, we just were talking about fishing lures to
just were talking about fishing lures to write malicious code to automate data
write malicious code to automate data extraction. AI is a double-edged sword.
extraction. AI is a double-edged sword. That's pretty clear. There were 1.3
That's pretty clear. There were 1.3 million instances of social security
million instances of social security numbers leaked. Well, we know that, you
numbers leaked. Well, we know that, you know, they leaked for a variety of
know, they leaked for a variety of reasons, but 1.3 million instances of
reasons, but 1.3 million instances of them be leaked to AI applications.
them be leaked to AI applications. People using AI
People using AI and giving that information to AI. Chat
and giving that information to AI. Chat GPT and Microsoft Copilot alone saw
GPT and Microsoft Copilot alone saw nearly 3.2 million data violations. I
nearly 3.2 million data violations. I think, you know, it's a variety of
think, you know, it's a variety of reasons. Employees use these, you know,
reasons. Employees use these, you know, SAS AI apps kind of without thinking.
SAS AI apps kind of without thinking. Um, maybe you're giving it access
Um, maybe you're giving it access without your knowledge to data on your
without your knowledge to data on your system. Maybe it's time to rethink for
system. Maybe it's time to rethink for all of us your organization's safe use
all of us your organization's safe use of public and private AI.
of public and private AI. Just talked to Jeff Simon. He's senior
Just talked to Jeff Simon. He's senior vice president and chief security
vice president and chief security officer at T-Mobile. What a job. They
officer at T-Mobile. What a job. They use Zcaler. He said, quote, "Zcaler's
use Zcaler. He said, quote, "Zcaler's fundamental difference in the
fundamental difference in the technologies and SAS space is it was
technologies and SAS space is it was built from the ground up to be a
built from the ground up to be a zerorust network access solution, which
zerorust network access solution, which is the main outcome we were looking to
is the main outcome we were looking to drive." End quote. With Zcaler zero
drive." End quote. With Zcaler zero trust plus AI, you could safely adopt
trust plus AI, you could safely adopt generative AI and private AI to boost
generative AI and private AI to boost productivity across the business without
productivity across the business without risking exfiltrating private data.
risking exfiltrating private data. Zcaler's zero trust architecture plus AI
Zcaler's zero trust architecture plus AI helps you reduce the risks of AI related
helps you reduce the risks of AI related data loss. Protects against AI attacks.
data loss. Protects against AI attacks. It does both to guarantee greater
It does both to guarantee greater productivity and compliance. Maybe you
productivity and compliance. Maybe you want to learn more about Zscaler at
want to learn more about Zscaler at zscaler.com/security.
Thank you Zscaler for the work you do and for supporting Steve and the work he
and for supporting Steve and the work he does. now fully caffeinated. I give you
does. now fully caffeinated. I give you Steve Gibson.
Steve Gibson. Okay, so while we're on the subject of
Okay, so while we're on the subject of web browsers, uh which we will be
web browsers, uh which we will be looking at again for today's main topic,
looking at again for today's main topic, uh I wanted to share Mozilla's posting
uh I wanted to share Mozilla's posting last Friday, which carried the headline,
last Friday, which carried the headline, "Introducing early access for Firefox
"Introducing early access for Firefox support for organizations."
support for organizations." Uh the pointer to this announcement
Uh the pointer to this announcement described it as paid Firefox support for
described it as paid Firefox support for corporate customers which made me
corporate customers which made me curious. Uh so this is what Mozilla
curious. Uh so this is what Mozilla said. They said uh increasingly
said. They said uh increasingly businesses, schools and government
businesses, schools and government institutions deploy Firefox at scale for
institutions deploy Firefox at scale for meaning everywhere for security
meaning everywhere for security resilience and data sovereignty.
resilience and data sovereignty. Organizations have fine-grained
Organizations have fine-grained administrative and orchestration control
administrative and orchestration control of the browser's behavior using policies
of the browser's behavior using policies with Firefox and the extended support
with Firefox and the extended support release. Today, we're opening early
release. Today, we're opening early access to Firefox support for
access to Firefox support for organizations. That's its official
organizations. That's its official title. A new program that begins
title. A new program that begins operation in January of 2026. So, in a
operation in January of 2026. So, in a month
month or a month and a half. what Firefox
or a month and a half. what Firefox support for organizations offers. They
support for organizations offers. They said support for organizations is a
said support for organizations is a dedicated offering for teams who need
dedicated offering for teams who need private issue triage and escalation,
private issue triage and escalation, defined response times, custom
defined response times, custom deployment options, and close
deployment options, and close collaboration with Mozilla's engineering
collaboration with Mozilla's engineering and product teams. So they said private
and product teams. So they said private support channel accesses a dedicated
support channel accesses a dedicated support system where you can open
support system where you can open private help tickets directly with
private help tickets directly with expert support engineers. Issues are
expert support engineers. Issues are triaged at by severity level with
triaged at by severity level with defined response times and clear
defined response times and clear escalation paths to ensure timely
escalation paths to ensure timely resolution.
resolution. Discounts on custom deployment. Paid
Discounts on custom deployment. Paid support customers get discounts on
support customers get discounts on custom deployment work for integration
custom deployment work for integration projects, compatibility testing, or
projects, compatibility testing, or environment specific needs. With custom
environment specific needs. With custom development as a paid add-on to support
development as a paid add-on to support plans, Firefox can adapt with your
plans, Firefox can adapt with your infrastructure and third-party updates.
infrastructure and third-party updates. And finally, strategic collaboration.
And finally, strategic collaboration. gain early insight into upcoming
gain early insight into upcoming development and help shape the Firefox
development and help shape the Firefox enterprise roadmap through direct
enterprise roadmap through direct collaboration with Mozilla's team. So,
collaboration with Mozilla's team. So, some opportunity to steer Firefox's
some opportunity to steer Firefox's future. They said support for
future. They said support for organizations adds a new layer for of
organizations adds a new layer for of help for teams and businesses that need
help for teams and businesses that need confidential, reliable, and customized
confidential, reliable, and customized levels of support. All Firefox users
levels of support. All Firefox users will continue to have full access to
will continue to have full access to existing public resources, including
existing public resources, including documentation, the knowledge base, and
documentation, the knowledge base, and community forums. So, they're saying
community forums. So, they're saying none of that's changing, and we'll keep
none of that's changing, and we'll keep improving those for everyone in the
improving those for everyone in the future. Support plans will help us
future. Support plans will help us better serve users who rely on Firefox
better serve users who rely on Firefox for business critical and sensitive
for business critical and sensitive operations. If these levels of support
operations. If these levels of support are interesting for your organization,
are interesting for your organization, get in touch using our inquiry form and
get in touch using our inquiry form and we'll get back to you with more
we'll get back to you with more information.
information. So, that's new and and interesting. To
So, that's new and and interesting. To me, at first blush, this sounded like a
me, at first blush, this sounded like a bit of the result of a brainstorming
bit of the result of a brainstorming meeting whose goal was to cook up new
meeting whose goal was to cook up new sources of revenue for Mozilla to, you
sources of revenue for Mozilla to, you know, help support Firefox. But I can
know, help support Firefox. But I can also easily imagine that there has
also easily imagine that there has probably been some true demand for these
probably been some true demand for these services for which Mosilla had no such
services for which Mosilla had no such program. So organizations that wish to
program. So organizations that wish to be able to depend upon Firefox and
be able to depend upon Firefox and Mosilla will now have a way of being
Mosilla will now have a way of being assured that they can do so while paying
assured that they can do so while paying for the privilege. Um I dropped a link
for the privilege. Um I dropped a link to this announcement into the show
to this announcement into the show notes. It's here in the middle of page
notes. It's here in the middle of page 12 and for anyone who's interested and
12 and for anyone who's interested and that blog posting contains links that
that blog posting contains links that allow you to follow up and get your
allow you to follow up and get your organization listed. So, you know, it's
organization listed. So, you know, it's Firefox has been just, you know, free
Firefox has been just, you know, free and open source and it will continue to
and open source and it will continue to be so. But you know if there are
be so. But you know if there are organizations that have decided that
organizations that have decided that they want to go fully Firefox, I can
they want to go fully Firefox, I can imagine if the price is right saying,
imagine if the price is right saying, "Yeah, you know, we'd like to have
"Yeah, you know, we'd like to have access to Firefox's developers on a
access to Firefox's developers on a shorter leash so that we're able to get
shorter leash so that we're able to get attention where we need it, where and
attention where we need it, where and when we need it." Uh so I can see that
when we need it." Uh so I can see that that makes sense. Um,
that makes sense. Um, meanwhile,
meanwhile, Russia's policy uh
Russia's policy uh continues to starve their own citizens
continues to starve their own citizens of Western services. Now, Akami has
of Western services. Now, Akami has reported service disruptions throughout
reported service disruptions throughout Russia after the Russian government
Russia after the Russian government started filtering Okami's traffic. This
started filtering Okami's traffic. This has led to disruptions for some Russian
has led to disruptions for some Russian Okami customers. Okami says, "Yeah, it's
Okami customers. Okami says, "Yeah, it's aware of the government's actions, but
aware of the government's actions, but it's unable to do anything about it."
it's unable to do anything about it." Right? It's I mean, it's, you know, the
Right? It's I mean, it's, you know, the it's r it's Russian bandwidth on Russian
it's r it's Russian bandwidth on Russian wires, and so if they, you know, Aami
wires, and so if they, you know, Aami has a known block of of IP presence. So,
has a known block of of IP presence. So, if Russia wants to say no, Aami, they
if Russia wants to say no, Aami, they can. uh you know this may just be you
can. uh you know this may just be you know Russia issuing a we're serious
know Russia issuing a we're serious about this warning because
about this warning because um they have not yet implemented a full
um they have not yet implemented a full blanket block and Russia now requires
blanket block and Russia now requires foreign cloud providers among which
foreign cloud providers among which would be Okami to open local offices in
would be Okami to open local offices in country and register themselves with the
country and register themselves with the state. So that may just be like, you
state. So that may just be like, you know, a little bit of saber rattling on
know, a little bit of saber rattling on Russia's part, saying, "Hey, you know,
Russia's part, saying, "Hey, you know, we told you if you want to be bringing
we told you if you want to be bringing bandwidth into Russia, you've got to
bandwidth into Russia, you've got to have a local office." And so far, most
have a local office." And so far, most organizations are saying, "We don't
organizations are saying, "We don't think we want to do it that much." And
think we want to do it that much." And in some cases, if if if if there if the
in some cases, if if if if there if the West is um is sanctioning, then it may
West is um is sanctioning, then it may not be legally possible for uh Western
not be legally possible for uh Western corporations to be running offices in in
corporations to be running offices in in Russia. And we know there's been a a
Russia. And we know there's been a a great exodus of that so far.
great exodus of that so far. Um, a number of times in the past year,
Um, a number of times in the past year, we've looked at the fine security work
we've looked at the fine security work being performed by a company called
being performed by a company called Whiz. And I've been forced to say, you
Whiz. And I've been forced to say, you know, WIS as in Wizard. Uh, just to be
know, WIS as in Wizard. Uh, just to be clear, uh, uh, another security firm,
clear, uh, uh, another security firm, Mandant, was also once independent, and
Mandant, was also once independent, and we often covered their work. Uh they
we often covered their work. Uh they were then gobbled up by Google to become
were then gobbled up by Google to become a division of that ever growing
a division of that ever growing behemoth. So it's now time to report
behemoth. So it's now time to report that Google's $ 32 billion acquisition
that Google's $ 32 billion acquisition of Whiz Security just passed US
of Whiz Security just passed US regulatory approval. Although there are
regulatory approval. Although there are some other jurisdictions in which
some other jurisdictions in which approval is still pending, it appears
approval is still pending, it appears certain that Whiz will be joining
certain that Whiz will be joining Mandant as a Google as a new Google
Mandant as a Google as a new Google property, you know, an alphabet
property, you know, an alphabet property. Uh and uh so Google increases
property. Uh and uh so Google increases their internet security uh offering
their internet security uh offering group and you know, Mandid's still doing
group and you know, Mandid's still doing great work. I imagine Whiz will be too.
great work. I imagine Whiz will be too. It's just uh you know, Google has so
It's just uh you know, Google has so much money they're just they're spending
much money they're just they're spending some of it.
some of it. and Leo.
>> Yes,
>> believe it or not.
>> Please, please.
>> I know. Please
>> tell me it's true.
>> A recently obtained leaked copy of proposed changes to the EU's comically horrific GDPR regulation, which forced, among other things, all websites everywhere to constantly request their visitors' cookie preferences, will finally change the requirements to work, oh my god, the way they always should have. It's hard to believe. I've read the language. The new regulations allow web browser users to configure their browsers once and for all to subsequently transmit their cookie tracking and direct marketing preferences to every website they visit. OMG. This would be a formalized variant of the DNT (do not track) header or the GPC (global privacy control) signal header, but it would be done by GDPR regulations EU-wide, which as we know has a global effect, because I'm in Southern California and I'm still getting cookie banners. Thank you very much. The regulations also legally require every website to, which is the part that matters, silently comply with and obey any such preference transmission from a browser's headers. Once adopted, and following a six-month implementation grace period to give websites a chance to get up to speed, these amended requirements would be backed by the full weight, force and effect of the EU's GDPR, which as we know originally was involved in these cookie popups on the entire world. So, the constantly annoying cookie request banners would finally disappear, and users who care will be able to set and forget their preference in their browsers once and for all.
>> Huh. Of course, I just use uBlock Origin to block them, but still.
>> Yeah. Yeah,
>> it'd be nice.
>> This will be, well, I mean, but this will be built into the browser, so much higher traction we could expect over time,
>> right?
>> You know, and I'll do things like, you know, have GRC display a banner when people don't have these set, just to let them know, hey, you know, you've got a browser that supports this. Maybe you want to think about turning it on.
>> You bet.
Last week we also saw another pair of migrations away from dependence upon Microsoft's closed proprietary solutions. The International Criminal Court, I got a kick out of this one, Leo, they dropped their use of Microsoft Office in favor of openDesk in response to the US sanctioning some of its judges. So, the US sanctioned some judges over something that we didn't like that the International Criminal Court did. I saw it go by at the time. I don't remember now what it was. And so, the ICC said, "Okay, we're going to switch over to openDesk. Thanks very much." Also, oh yeah,
lawyers wrote, quote, "Perplexity's misconduct must end. Perplexity is not allowed to go where it has been expressly told it cannot. That Perplexity's trespass involves code rather than a lockpick makes it no less unlawful." Whoa. Okay. So "expressly told it cannot" certainly sounds as though someone has been caught ignoring and bypassing those pesky robots.txt files again. But this time we don't have some bridge tollgate analogy. This time we're talking about the content owner becoming very upset, where the Guardian continues, "Perplexity, which has grown rapidly amid the boom in AI assistants, has previously rejected the US shopping company's claims, accusing Amazon of using its market dominance to stifle competition." Perplexity wrote in their blog post, "Bullying is when large corporations use legal threats and intimidation to block innovation and make life worse for people."

The clash highlights an emerging debate, and it is a debate, over regulation of the growing use of AI agents, autonomous digital secretaries powered by AI, and their interaction with websites. In the lawsuit, Amazon accused Perplexity of covertly accessing private Amazon customer accounts through its Comet browser, an associated AI agent, and of disguising automated activity as human browsing. Perplexity's system posed a security risk to consumer data, Amazon alleged, and the startup had ignored repeated requests to stop. Amazon said, "Rather than being transparent, Perplexity has purposely configured its Comet AI software to not identify the Comet AI agent's activities in the Amazon store." Well, imagine that. In the complaint, Amazon accused Perplexity's Comet AI agent of degrading customers' shopping experience and interfering with its ability to ensure customers who use the agent benefit from the tailored shopping experience Amazon curated over decades. "Third-party apps making purchases for users should operate openly and respect businesses' decisions on whether to participate," Amazon said in an earlier statement. Perplexity earlier said it had received a legal threat from Amazon demanding that it block the Comet AI agent from shopping on the platform, calling the move a broader threat to user choice and the future of AI assistants. Perplexity is among many AI startups seeking to reorient the web browser around artificial intelligence, aiming to make it more autonomous and capable of handling everyday online activities, from drafting emails to completing purchases. Amazon is also developing similar tools, such as Buy for Me, which lets users shop across brands within its app, and Rufus, an AI assistant to recommend items and manage carts. The AI agent on Perplexity's Comet browser acts as an assistant that can make purchases and comparisons for users. The startup said user credentials remain stored locally, just like they do for us now, and never on its servers. The startup said users had the right to choose their own AI assistants, portraying Amazon's move as an attempt to protect its business model. Perplexity added, "Easier shopping means more transactions and happier customers, but Amazon doesn't care. They're more interested in serving you ads."
>> I think that's true. I hate to say it.
>> I do too, Leo. The reason we were just saying last week, the reason we're not using Alexa, and us. Yes, I just said the A word, the word
>> or the Fire TV or the Fire tablets or any of the Amazon stuff. It's that they're ads. It's all ads. And I was going to do that initially, because in researching it, it looked like it had the best voice recognition technology available, and I want that. The good news is Apple is really gung-ho on HomeKit and pushing forward into that market in the future, and I trust Apple more than any other organization in the world to do the right thing, and we're, you know, we're an Apple shop except for Windows. So yeah,
>> Amazon makes more money on advertising than it does on product sales. That's the fact.
>> Yeah. Yeah. So guess what? You know, not Google and not Amazon. Thank you very much. So using the Comet AI browser to shop is a much more pleasant experience for its user, because they won't be exposed to Amazon's constant visual bullying and repeated appeals to purchase stuff. I'm a heavy Amazon user, and I'm quite familiar with the need to often decline their multiple come-ons along the way to the final purchase conclusion. I mean, what about this, and how about that, and oh, you left this, and you were looking at this before, what about that? It's like, just let me have the "am I done yet" button, please. So this question of the agency of AI agents I think is very interesting, and it's not at all cut and dried. For example, what if, rather than using Perplexity's Comet AI browser, we used an AI Chrome browser extension to do the same thing? In that scenario, we would be using an authentic Chrome browser, but an add-on AI agent would be viewing the pages and clicking the links and pressing the buttons on our behalf. So, Amazon is attempting to tell the world that we're unable to make our lives better and easier while purchasing stuff from them. You know, they certainly wouldn't like that scenario, the Chrome AI add-on, because it's going to do the same thing that Perplexity's Comet AI has built in.

Since the entire internet pretty much blew up over this new battle last week, I mean, it was something just to see the coverage of this, and since the rights and roles of AI agents promise to be one of the critically important issues of our near future, I want to spend a bit more time on it today before we move on. TechCrunch weighed in on this with their coverage last week, titled "Amazon sends legal threats to Perplexity over agentic browsing." Here's what TechCrunch reported. They said: Amazon has told Perplexity to get its agentic browser out of its online store, the companies both confirmed publicly on Tuesday. After warning Perplexity multiple times that Comet, its AI powered shopping assistant, was violating Amazon's terms of service by not identifying itself as an agent, the ecommerce giant sent the AI search engine startup a sternly worded cease and desist letter, Perplexity wrote in a blog post titled "Bullying is not innovation." Perplexity lamented in the blog post, quote, "This week Perplexity received an aggressive legal threat from Amazon demanding we prohibit Comet users from using their AI assistants on Amazon. This is Amazon's first legal salvo against an AI company, and it is a threat to all internet users." And of course I completely agree this is important. As I noted above, the AI add-on to Chrome thought experiment demonstrates that this is a question with a very soft border. Where exactly does the AI agency begin and end? Does Amazon, like, refuse to allow us to do anything? TechCrunch continues, "Perplexity's argument is that since its agent is acting on behalf of a human user's direction, the agent automatically has the same permissions as the human user. The implication is that it doesn't have to identify itself as an agent." Amazon's response points out that other third-party agents working at the behest of human users do identify themselves. Amazon's statement explains, quote, "It's how others operate, including food delivery apps and the restaurants they take orders for, delivery service apps and the stores they shop from, and online travel agencies and the airlines they book tickets with for customers." If Amazon is to be believed, then Perplexity could simply identify its agent and start shopping. Of course, the risk is that Amazon, which has its own shopping bot called Rufus, could block Comet or any other third-party agentic shopper from its site. Amazon suggests as much in its statement, which also says, quote, "We think it's fairly straightforward that third-party applications that offer to make purchases on behalf of customers from other businesses should operate openly and respect service provider decisions whether or not to participate," unquote. Perplexity claims that Amazon would block the shopping bot, and I'm sure they would, because, I mean, they already sent the cease and desist. Amazon wants to sell advertising and product placements. Unlike human shoppers, a bot tasked with buying a new laundry basket presumably wouldn't find itself buying a more expensive one or getting lured into buying the latest Brandon Sanderson novel and a new set of earphones on sale. If all this sounds a bit familiar, that's because it is. A few months ago, Cloudflare published research accusing Perplexity of scraping websites while specifically defying requests from websites blocking AI bots. Interestingly, many people came to Perplexity's defense that time, because this wasn't a clear-cut case of web crawler bad behavior. Cloudflare documented how the AI was accessing a specific public website when its user asked about that specific website. Perplexity fans argued that this is exactly what every human operated web browser does. On the other hand, Perplexity was using some questionable methods to do that accessing when a website opted out of bots, like hiding its identity. As TechCrunch reported at the time, the Cloudflare incident foreshadowed the challenges to come if the agentic world materializes as Silicon Valley predicts it will. If consumers and companies outsource their shopping, travel bookings, and restaurant reservations to bots, will it be in the best interest of websites to block bots entirely? How will they allow and work with them? Perplexity may be right in that Amazon is setting a precedent as the 800 pound gorilla in e-commerce. Amazon is clearly saying that the way this should work is for an agent to identify itself and let the website decide.

So I think that what makes this such an interesting debate is that the issue is anything but black and white. What has evolved is being called the attention economy. But the commandeering of our attention comes at a cost to us, a cost that we often have no control over and might prefer not to pay. So, one reading of what is happening is that new AI agency tools are appearing which promise to return to us some of the control that's been deliberately taken away. When we visit a web page, we're its captive audience. We're subjected to whatever it wishes to do to us. It's true that we could leave. Nothing is forcing us to remain, but there might be something there we want. If it would be possible to avoid the nonsense and get only the bits we want, that seems like a clearly pro-user thing. It's no wonder that the agent concept is appealing to people. I believe that this is critically important, because the way this shakes out will determine the shape of our future. My feeling is that user rights will ultimately prevail and that Amazon and others will be forced to grin and bear it, much as websites have had to tolerate the presence of ad blockers. I mean, should a website be able to say you can't use this browser to visit me?
>> No. No. I mean, technically they could, but should they be? I mean, it seems unreasonable. And then the next step is, should a website be able to say you can visit us but not with an ad blocker? Websites do that all the time.
>> Yeah.
>> You would think Amazon would want, if I go to Amazon using an agentic browser to buy something, you would think Amazon would want me as a customer,
>> but apparently not. And as you said, if they're actually generating more revenue from advertising than sales, and what
>> They're not quite yet, but I suspect that that's, I mean, their ad sales went up 24% last quarter. I mean, they're making a lot of money in ad sales.
>> and it's product placement, right? It's like I'm searching for this. Exactly. And there's four other things in front of the thing I want.
>> Yeah. It's the Amazon pick. It's the
>> what Google used to do. Remember when Google's page came up and it was a beautiful white page with 10 links that were actually all good
>> and that's all that was there, and now it's all sponsored crap.
>> Yeah. And so that's why people want, and the other reason people use an agentic browser is, I know what I want, just go get it and look for the best price for me.
>> It just automates something that they, you know, could do by themselves, but it's a lot easier. And Amazon's also worried, because when I wanted to get that inexpensive Samsung phone, I ended up buying it from Best Buy, where I never go. But if I told an agent that I'm looking for this Samsung, whatever it is, get me the best price because that's all I care about, right?
>> My default is Amazon. And it would have broken that default.
>> Yeah. Yeah. Isn't that interesting? And suddenly created competition where there wasn't any for Amazon.
>> Right. It's a fascinating story. I'm glad you brought it up, and I, yeah, I'm still kind of, it's, we're in a, it's such a different world that we're living in, and our rules, our value systems don't really extend to this kind of new world we're living in, and we're not sure
>> talking about, you know, automating much of what the user does. There was a beautiful article in Vox this morning. Oh. I don't have it on the tip of my tongue, but it was basically, it was well written and fun, about the probable form of the coming AI apocalypse. And, basically, you know, we're going to have our experience with computers automated for us. And I'm sorry, Amazon, but
for us. And I'm sorry, Amazon, but you're a target. You know, you have been
you're a target. You know, you have been living off of human eyeballs and humans
living off of human eyeballs and humans are deciding they want to sub that out.
are deciding they want to sub that out. >> Yeah. And you kind of you kind of made
>> Yeah. And you kind of you kind of made it that way by making it so unpleasant.
it that way by making it so unpleasant. >> Yes. Exactly. Exactly. We Yeah. We were
>> Yes. Exactly. Exactly. We Yeah. We were a captive audience
a captive audience >> and now we found out a way we found a
>> and now we found out a way we found a way to get
way to get >> and you've become dependent upon our
>> and you've become dependent upon our captivity.
captivity. >> Yep. Yep. That's what Corey Doctor has
>> Yep. Yep. That's what Corey Doctor has been writing about. Mr. Gibson, you're
been writing about. Mr. Gibson, you're amazing. Thank you so much for doing
amazing. Thank you so much for doing what you do. We really appreciate it.
what you do. We really appreciate it. Steve's here every Tuesday. That's when
Steve's here every Tuesday. That's when we do Security Now right after Mac Break
we do Security Now right after Mac Break Weekly. Uh supposed to be and usually is
Weekly. Uh supposed to be and usually is around 1:30 p.m. Pacific, 4:30 Eastern,
around 1:30 p.m. Pacific, 4:30 Eastern, 21:30 UTC. We stream live on YouTube,
21:30 UTC. We stream live on YouTube, Twitch x.com, Facebook, LinkedIn, and
Twitch x.com, Facebook, LinkedIn, and Kick. Uh we also stream live in the Club
Kick. Uh we also stream live in the Club Twit Discord. So if you're a club
Twit Discord. So if you're a club member, you get special behind the rope
member, you get special behind the rope access. Uh, and please do become a club
access. Uh, and please do become a club Twip member. That helps us out a lot.
Twip member. That helps us out a lot. It's becoming more and more important.
It's becoming more and more important. But now one quarter of our operating
But now one quarter of our operating expenses are paid by the club. And I
expenses are paid by the club. And I think that number is going to go up a
think that number is going to go up a lot in the next year. Um, I'm just
lot in the next year. Um, I'm just guessing, but I think it will. So,
guessing, but I think it will. So, please uh, you know, join the club. 10
please uh, you know, join the club. 10 bucks a month. You get ad free versions
bucks a month. You get ad free versions of this show and all the other shows we
of this show and all the other shows we do. You get access to the Discord. Uh,
do. You get access to the Discord. Uh, you get all the special stuff we do like
you get all the special stuff we do like the AI user group. And coming up uh
the AI user group. And coming up uh Friday, it's our photo time segment with
Friday, it's our photo time segment with Chris Markwart. Next week, Micah's
Chris Markwart. Next week, Micah's Crafting Corner.
Crafting Corner. twit.tv/club
twit.tv/club twit. After the fact, you can get this
twit. After the fact, you can get this show in a variety of places. Go to
show in a variety of places. Go to Steve's site, grc.com. He has uh three
Steve's site, grc.com. He has uh three or four unique versions of the show. He
or four unique versions of the show. He has a 16 kilobit audio version,
has a 16 kilobit audio version, >> the impoverished audio version
>> the impoverished audio version >> for people with no bandwidth. None at
>> for people with no bandwidth. None at all. He also has a 64 kilobit audio
all. He also has a 64 kilobit audio version. That's just fine. He has the
version. That's just fine. He has the show notes which he really crafts
show notes which he really crafts beautifully. The best show notes I've
beautifully. The best show notes I've ever seen. It's what how many pages? 18
ever seen. It's what how many pages? 18 pages. I don't know what it is.
pages. I don't know what it is. >> 22 today.
>> 22 today. >> 22. So it's a book you get every for
>> 22. So it's a book you get every for free every week. Um and uh he also has
free every week. Um and uh he also has transcripts written by Elaine Ferris. Uh
transcripts written by Elaine Ferris. Uh that takes a few days after the show.
that takes a few days after the show. Great way to search, great way to uh
Great way to search, great way to uh read along as you listen or just read if
read along as you listen or just read if sometimes you know it's easier to
sometimes you know it's easier to understand if you read it. That's fine
understand if you read it. That's fine too. grc.com. Now, while you're there,
too. grc.com. Now, while you're there, pick up a copy of Spin, right?
pick up a copy of Spin, right? You never know. When somebody's going to
You never know. When somebody's going to set your NAS for RAID zero, you got to
set your NAS for RAID zero, you got to have Spin. Why? I don't know. Wh Why do
have Spin. Why? I don't know. Wh Why do we have five discs in there? Oh, that
we have five discs in there? Oh, that way they're faster, right? Um spin
way they're faster, right? Um spin grc.com. Another thing you can do, uh
grc.com. Another thing you can do, uh this whole we were talking about this
this whole we were talking about this whole spam thing is because Steve has a
whole spam thing is because Steve has a newsletter. He has sends out the show
newsletter. He has sends out the show notes every week. So, you don't even
notes every week. So, you don't even have to go to the website to get those.
have to go to the website to get those. You could just go to grc.com/email.
You could just go to grc.com/email. Provide your email address. The primary
Provide your email address. The primary reason for that is to whitelist it so
reason for that is to whitelist it so you can correspond with Steve. Send him
you can correspond with Steve. Send him your picture of the week, your comments,
your picture of the week, your comments, your suggestions, your questions, that
your suggestions, your questions, that kind of thing. But there are two boxes
kind of thing. But there are two boxes below it unchecked. One for the show
below it unchecked. One for the show notes and one that you're going to want
notes and one that you're going to want to subscribe to. He's only sent out one
to subscribe to. He's only sent out one email in the entire the entire time this
email in the entire the entire time this has existed. Uh, but he promises he he
has existed. Uh, but he promises he he will only use it when there is a new
will only use it when there is a new product to announce. And I think we're
product to announce. And I think we're getting close. Sounds like we're getting
getting close. Sounds like we're getting close to the DNS benchmark. If you've
close to the DNS benchmark. If you've done what is it, 62 versions,
done what is it, 62 versions, >> 62 releases over the course of a year.
>> 62 releases over the course of a year. >> That's a lot of testing. It's going to
>> That's a lot of testing. It's going to work. That's Steve's, you know, his
work. That's Steve's, you know, his motto is it's going to it's going to
motto is it's going to it's going to ship without bugs.
ship without bugs. >> Uh, but if you and it's going to be
>> Uh, but if you and it's going to be soon, I think. So, if you want to know,
soon, I think. So, if you want to know, sub check both those boxes and you'll
sub check both those boxes and you'll get those emails. Uh, I'm a little
get those emails. Uh, I'm a little annoyed, too. It's a little over 200k
annoyed, too. It's a little over 200k now. So,
now. So, >> how will we ever survive?
>> how will we ever survive? >> I I I haven't made a I haven't made a
>> I I I haven't made a I haven't made a picture that's less than 200 megabytes.
picture that's less than 200 megabytes. I don't know what you're talking about.
I don't know what you're talking about. >> That is the one gift of assembler is. I
>> That is the one gift of assembler is. I mean, it is it astonishes me how how
mean, it is it astonishes me how how compact.
compact. >> You can't get smaller than that. You
>> You can't get smaller than that. You can't.
can't. >> No,
>> No, >> that's the that's literally the smallest
>> that's the that's literally the smallest way you can make a program.
way you can make a program. Um,
Um, what else? Uh, oh, you can go to our
what else? Uh, oh, you can go to our website and get the show twit.tvsn.
website and get the show twit.tvsn. We have our own unique versions 128
We have our own unique versions 128 kilobit audio. Don't ask. We also have
kilobit audio. Don't ask. We also have video there. Uh, there's a YouTube
video there. Uh, there's a YouTube channel dedicated to Security Now.
channel dedicated to Security Now. You'll find a link at twit.tv/sn.
You'll find a link at twit.tv/sn. There's also, of course, your favorite
There's also, of course, your favorite podcast client. If you subscribe in
podcast client. If you subscribe in that, you can get it automatically the
that, you can get it automatically the minute it's available, audio or video or
minute it's available, audio or video or both. Uh, I encourage you to do that.
both. Uh, I encourage you to do that. That's the best way to keep up on what's
That's the best way to keep up on what's going on with security. Now, uh, happy
going on with security. Now, uh, happy Veterans Day, Steve. Uh, and and a thank
Veterans Day, Steve. Uh, and and a thank you to all the veterans in our audience.
you to all the veterans in our audience. There quite a few. We appreciate your
There quite a few. We appreciate your service to our country. Uh, we'll see
service to our country. Uh, we'll see everyone back here on the 18th. The
everyone back here on the 18th. The 18th. Thanks, Steve. Take care. Bye.