Transcripts

Security Now 1055 transcript

Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.


Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here with lots of security news. Apple says no. India says yes. Scattered LAPSUS$ Hunters has a new name. RAM prices are going through the roof. And Steve's announcing a new product, finally available for sale as of today.

Leo Laporte [00:00:21]:
All of that and the worst code exploit in a long time. Next on Security Now.

TWiT.tv [00:00:31]:
Podcasts you love from people you trust.

Leo Laporte [00:00:36]:
This is TWiT.

Leo Laporte [00:00:41]:
This is Security Now with Steve Gibson. Episode 1055, recorded Tuesday, December 9, 2025: React's Perfect 10. It's time for Security Now, the show where we cover your security, your privacy and all the exciting

Leo Laporte [00:01:00]:
attacks that are happening on the Internet today. With this guy right here. This here is Steve Gibson, my friends. Hello, Steve.

Steve Gibson [00:01:07]:
Comprehensive overview of bad news.

Leo Laporte [00:01:10]:
Well, there's one this week. Holy cow.

Steve Gibson [00:01:13]:
Yeah, there is some good news though.

Leo Laporte [00:01:15]:
Oh good.

Steve Gibson [00:01:16]:
The benchmark is done and it's on sale. So we'll talk about that. So for episode 1055, as we're cruising through December, the episode is titled Perfect 10 because, oh.

Steve Gibson [00:01:37]:
Yeah, we'll get into what React is. And Perfect 10 was actually a quote from one of the security people who said, oh, this is really... the bad guys are going to be feeding off this one for quite. But we're going to talk about, of course, a bunch of other stuff. First, France's Vanity Fair is facing a stiff fine over what they did with cookies, and they didn't eat them. GrapheneOS, speaking of France, is pulling out of France over, like, bad behavior of French authorities thinking that they can, I guess, bully these guys because they're not Apple or they're not Google. So let's, you know, let's pound on the small open source guys. So they're saying no thanks, we're leaving.

Steve Gibson [00:02:27]:
The EU is adding to the pileup over underage social media. And I thought you guys over on MacBreak Weekly had a great conversation about all this, Leo. That was, you know, I mean, we're all pretty much on the same page with all of this, right? I mean, why wouldn't we be? Because it's kind of... there is a right answer. Also, boy, India was busy, and I think you guys talked about that a little bit too. I don't know what has happened in India, but they mandated the tracking of all smartphones. I heard you guys talking about GPS, which I didn't pick up on. Then Apple said no, then India changed their mind, and it's just...

Steve Gibson [00:03:08]:
What's the rule today over there? But apparently, and they haven't backed down, they're also going to require all encrypted messaging to be SIM-tied. So there's another thing we'll talk about. Scattered LAPSUS$ Hunters, the infamous and unfortunately quite well-known and quite successful bad guy group, they've got an initial now instead of having to say Scattered LAPSUS$ Hunters and not remembering who they are. Also a non-security-related topic: AI demand driving RAM pricing through the roof, to the point where there's no fixed pricing. You gotta... it's like, well, what does the lobster cost today? So, okay, I'm going to talk a little bit about the DNS Benchmark, which went on sale on Friday after it was, like, done, and I'm so proud of what it ended up being. Also we've got a couple pieces of feedback. One about Cisco talking a good game, but it's still Cisco. Also browsers.

Steve Gibson [00:04:20]:
Chrome is going to be asking users for access to their local networks, and why that's just not going to be... I mean, it's better than nothing, which is what we've had so far, but oh boy. And then finally we're going to do a deep dig into what is with React, and what happened, and what does this mean. So I think maybe, you know, it's...

Leo Laporte [00:04:49]:
Going to be okay. We're working on it. We're getting better with age. Twenty years we've been doing this show.

Steve Gibson [00:04:54]:
Getting the hang of it.

Leo Laporte [00:04:55]:
All right, we will get to... you forgot the Picture of the Week coming up. Oh no, I haven't seen it.

Steve Gibson [00:05:01]:
This one had an unfortunate caption. I struggled for the caption on this one. I had to show it because it's such a fantastic picture. But I thought, how can I, like, give it some context? I tried. We'll...

Leo Laporte [00:05:13]:
All right.

Steve Gibson [00:05:14]:
We'll let our listeners judge how I.

Leo Laporte [00:05:16]:
Did and maybe they'll come up with something when you haven't.

Steve Gibson [00:05:19]:
Maybe. Of course.

Leo Laporte [00:05:21]:
Of course they will.

Steve Gibson [00:05:22]:
You betcha.

Leo Laporte [00:05:23]:
Our show today brought to you by... oh, you know this name: 1Password. It's easy to assume that being small means flying under the radar. The reality is small businesses are being targeted more and more by bad actors. You thought you were immune, right? Cybercriminals know that lean teams often lack the resources to prevent or respond to a breach. In short, the bad news is teams of any size can be a target. The good news is even the smallest teams can foil cybercrime. 1Password provides simple security to help small teams manage the number one risk that bad actors exploit: weak passwords.

Leo Laporte [00:06:04]:
1Password provides centralized management to make sure your company's logins are secure. It's a simple turnkey solution that can be rolled out in hours, whether you have a dedicated IT staff or not. And however complex your security needs may get, 1Password will stay with you every step of the way. A password manager should be the first security purchase you make for your team. I really believe that small businesses need to plan for the worst case scenario and guard against cyber attacks right from the start. For small teams, responsibility for security often defaults to a single employee, often one who's already juggling other business functions. Yeah, yeah, Sally down the hall.

Leo Laporte [00:06:44]:
She's the one in charge. The most effective security solutions have to be intuitive. They also have to be user friendly because, you know, if it's not easy to use, people won't use it. You want everyone at your company to use 1Password. 1Password's enterprise password manager helps your company eliminate security headaches and improve security by identifying weak and compromised passwords and replacing them with strong, unique credentials. And don't let 1Password's name fool you. They're not just a password manager. 1Password EPM, Extended Password Management, lets you securely store and share developer secrets and other sensitive data, and helps streamline the transition to passwordless authentication by transitioning to passkeys.

Leo Laporte [00:07:29]:
Love that. With 1Password EPM's simple automated workflows, your team can enforce security compliance and prevent breaches, potentially preventing millions of dollars in losses. It's the single most impactful investment you can make in your company's security. Unfortunately, it's not expensive and it's easy to implement. Take the first step to better security by securing your team's credentials. Find out more at 1Password.com Security Now and start securing every login. Now, that's 1Password.com Security Now. Thank you so much for supporting Steve and Security Now.

Leo Laporte [00:08:10]:
And Picture of the Week time, Steve.

Steve Gibson [00:08:13]:
Okay, so I gave this pair of pictures the caption: each year we jump through more hoops to increase our security. It's become a lot. How much does all that really help? Okay, so that's the caption for two frames. The frame on the left shows an opening with a, you know, a red

Steve Gibson [00:08:42]:
rope line. And the caption: Google when hackers try to hack my account. In other words...

Steve Gibson [00:08:52]:
Okay, not that difficult, right? And then the right one, it is titled Google when I log into a new device. And this one, I didn't see the guard dog with its teeth out down in the lower right initially. So one looks like something that Maxwell Smart would have confronted back in the day. It's got chains and locks and slide bars and triple hinges and a keypad and a thumbprint reader on there.

Steve Gibson [00:09:33]:
Meaning God help you if you have to get through this door. It's going to take you an hour to unlock and deal with everything. And of course.

Steve Gibson [00:09:42]:
The gist of this is something that we do feel, which is, you know, accounts are still being hacked, passwords are being obtained, people are still getting hacked, yet we're doing all this more stuff. I mean, I have to say, Leo.

Steve Gibson [00:10:05]:
I love the one-time password idea, but it gets a little tiresome after, it's like, okay.

Steve Gibson [00:10:15]:
Yeah, fine, 326294. It's like, okay, you know, and then again, again. So it's like, so I look for those check marks. Yes, I trust this device. Leave me logged in. Please remember that I've been here so that you'll believe me next time with less rigamarole. Which is not to say, I believe me, I like one-time passwords. All of this is good.

Steve Gibson [00:10:43]:
One of the strongest improvements is whether you should be remembered at this browser, because no bad guy can be remembered as you if they've never logged in as you before from, you know, some foreign country. So it's really good protection. But yes, it is annoying. Google when I log into a new device: Google's doing the right thing. You know, we've never seen you logging in through this device before, so we need a blood sample. That's going to be good. But you know you're going to end up being drained if you do it too often. So.

Steve Gibson [00:11:32]:
Okay, we've noted before that regulations that are not enforced will often simply be ignored. In fact, I could probably more strongly say, will be ignored until they're enforced, because it's like, yeah, you know, it's the equivalent of that annoying high school tough guy whose favorite retort was, oh yeah, make me. It's like, yeah, fine. And in the Tech News Weekly... is that French? The French edition of the Vanity Fair website, vanityfair.fr,

Steve Gibson [00:12:07]:
had their bluff called to the tune of €750,000. And it's an expensive call for a cookie. So that'll get your attention, and you think, wow, isn't that a pretty stiff penalty for just, like, some problem with cookies? The company Les Publications Condé Nast publishes printed and online magazines, including the Vanity Fair magazine. Six years ago, okay, six years ago, way back in December of 2019, the CNIL, which is the abbreviation, you know, in French, for France's data protection agency, received a public complaint. So the agency received a complaint from the association noyb, which is the European Center for Digital Rights.

Steve Gibson [00:13:02]:
And it doesn't actually stand for none of your business, but it would be a great abbreviation for it.

Steve Gibson [00:13:10]:
So noyb, which does not stand for none of your business, but it's too bad it doesn't, complained to CNIL, France's data protection agency, about cookies being placed on the devices of users visiting vanityfair.fr.

Steve Gibson [00:13:29]:
This was happening without any user notification or permission. After several investigations and discussions with CNIL, Condé Nast, the parent, received an order to comply in September of 2021. So first of all, almost two years, right? This began December 2019; September 2021 is nearly two years later. Finally, fine, you've got to remove your cookies, fix your cookies, because your cookies are not working right. And then the proceedings were closed in July of 2022. Now it's not clear whether the proceedings were closed the next summer after verification that Condé Nast and their vanityfair.fr site was doing the right thing or not; they would have closed a year later in July. And also in November of 2023.

Steve Gibson [00:14:30]:
Then again in February of 2025, the CNIL carried out further online investigations. So it sounds like they just assumed Condé Nast would take care of this, get it done, following the order, after all these negotiations, two years of negotiations. I don't know what you have to negotiate over a cookie, but okay.

Steve Gibson [00:14:52]:
So CNIL went back and looked, and what do you think they found? Based on their findings, the Restricted Committee, as it's known, which is the CNIL body responsible for issuing sanctions, considered that the company, Les Publications Condé Nast, had failed to comply with the obligations of Article 82 of the French Data Protection Act and imposed that fine of, I mean, 750,000 euros. The amount of the fine is intended to take into account the fact that the company had already been issued with an order to comply. It couldn't have come as a surprise after nearly two years of discussion about whether we're going to receive an order or not, after which they did, but apparently it was just blown off. As well, the other thing factored into this 750,000 euro fine is the number of people likely to have been affected by this misbehavior of their cookie policy and the various breaches of the rules protecting users with regard to said cookies. So, you know, no one's going to shed a tear here except some accountant at Vanity Fair. And again, it wasn't as if the fine could have shocked anybody.

Steve Gibson [00:16:22]:
They were very clearly told what they needed to do, and they apparently just blew off CNIL, saying, yeah, you know, everybody else does it. So, you know, I would imagine that someone's going to lose their job, or maybe a team, whoever is in charge of cookies over at vanityfair.fr. Three quarters of a million euros, which could have been easily prevented. I mean, what everybody else does is bring up a little cookie banner and say, hey, we want to store some stuff on your computer. Just tell us it's okay. Click here. But apparently either they didn't do that, or they did and they didn't honor it. Who knows? Anyway, so I hope everybody else sees this, that when CNIL says you're in breach of our regulations... Now of course this is against the backdrop of this whole wacky model of cookie management getting ready to change because the GDPR is being updated.

Steve Gibson [00:17:25]:
And so we have California now and the EU both saying browsers need to accept a setting from their users, transmit that setting everywhere they go, and everywhere they go needs to honor what the user has said they want. So.

Steve Gibson [00:17:44]:
But you know, that was 10 years ago, right, that all that came into place, and so it's going to take a while for all this to catch up and change. Meanwhile.

Steve Gibson [00:17:55]:
The very nice Android alternative, and I think you were just talking about it last week or the week before, Leo, GrapheneOS, which is an Android-compatible, API-compatible... yeah, right, Android alternative, API-compatible. They recently posted on X that they're leaving France due to a new French law that would mandate breaking their encryption. Obviously, no. So they posted: We no longer have any active servers in France and are continuing the process of leaving OVH. OVH is a French cloud hosting company which they've been using. They said France is no longer a safe country for open source privacy projects. They expect backdoors in encryption and for devices too.

Steve Gibson [00:18:54]:
Secure devices and services are not going to be allowed in France. We don't feel safe using OVH for even a static website with servers in Canada and the US via their Canada and US subsidiaries. We were likely going to release experimental Pixel 10 support very soon, but that's getting disrupted, so that'll be delayed. They're saying the attacks on our team, with ongoing libel and harassment, and they're talking about the French authorities, French law enforcement, have escalated. Raids on our chat rooms have escalated and more. It's rough right now and support is appreciated. So it appears that GrapheneOS believes that they may have already been compromised, because they also posted: We'll be rotating our TLS keys and Let's Encrypt account keys pinned via account URI. DNSSEC keys may also be rotated.

Steve Gibson [00:20:02]:
Our backups are encrypted and can remain on OVH for now. So, you know, the reason you rotate keys is you worry that they could have been compromised, that your keys could be in somebody else's hands, meaning that TLS and your Let's Encrypt domains and your DNSSEC security, you know, is not as sure as you'd like it to be. So they're going to change all their keys after completely excommunicating themselves from any dependence on France-based servers. In the thread that followed, which was a much more lengthy posting on X which I won't bother everybody with, were all the details of what's going on.

Steve Gibson [00:20:54]:
And the way they're going to be moving. Someone named Lars posted: I'm a lead developer for a hosting company in Denmark. We do not have any backdoors or

Steve Gibson [00:21:09]:
influence.

Steve Gibson [00:21:15]:
Ask questions. That's not illegal for normal FOSS. We definitely do not ask questions. And this was posted, you know, offering the option of some assistance or an alternative to the GrapheneOS guys, in the reply thread to their posting, whereupon the GrapheneOS guys said: We appreciate it, but unfortunately we'll likely have issues in Denmark too due to their push to outlaw encryption without backdoors. We'll hopefully still be able to operate in the EU in general, but we want to avoid chat control supporting countries due to this experience. GrapheneOS is not based in the US and is a non-profit open source project. We're leaving France because we don't trust that French law enforcement won't coerce OVH to do something after a judge signs off based on falsehoods. We've been subject to attacks by law enforcement on GrapheneOS, including many false claims and also direct threats.

Leo Laporte [00:22:32]:
Geez.

Steve Gibson [00:22:33]:
So reading between the lines, it sounds as though authorities with French law enforcement have demanded that GrapheneOS unlock some suspected criminals' handsets, and Graphene has tried to explain that they do not have that capability. They wrote: It's not possible for GrapheneOS to produce an update for French law enforcement to bypass brute force protection, since it's implemented via the secure element. So, you know, again, that sounds like French law enforcement is saying you need to help us brute force open these locked smartphones that are running your OS. GrapheneOS said: The secure element also only accepts correctly signed firmware with a greater version after the owner user unlocked successfully. So someone may have been suggesting a downgrade attack, where you deliberately load older GrapheneOS software onto the device in order to bypass some of the later protections. And they're saying, sorry, that's been accounted for in the design of this. Can't do it. They wrote: We would have no legal obligation to do it even if we could.

Steve Gibson [00:23:56]:
But it's not even possible. We have a list of our official hardware requirements, including secure element throttling for disk encryption key derivation. Okay, meaning that the secure element throttles brute force attacks, making them impractical, and that's in the hardware and there's nothing they can do to get around it. Secure element throttling for disk encryption key derivation combined with insider attack resistance. And they wrote: And they aren't blaming Google for this design. Meaning they're saying that GrapheneOS is at fault for making it brute force impossible. But it's actually Google whose engineering did this properly, because users don't want their smartphones to be hacked. Then they finish saying: In Canada and the U.S.

Steve Gibson [00:24:54]:
refusing to provide a PIN and password is protected as part of the right to avoid incriminating yourself. In France they've criminalized this part of the right to remain silent. Since France has criminalized the refusal to provide a PIN, why do they need anything from us? That's some good logic. And of course we don't know anything about what the French authorities believe might be on a criminal's confiscated GrapheneOS-based smartphone. But we certainly know why a suspect might choose not to share their password with the authorities. Right. We talked about that trade-off ages ago, back in the context of TrueCrypt's early whole disk encryption, which was designed by cryptographers who knew how to completely and correctly protect a hard drive's data. It was effectively and practically not brute force crackable because it was done right.

Steve Gibson [00:26:04]:
The bad guys might very well have horribly incriminating material stored on a TrueCrypted drive, so they would much rather face some charges, whatever they may be, for not providing their password than provide the password and have authorities learn firsthand just how criminal they were. So I doubt that law enforcement authorities will ever, you know, ever in the future of humanity, accept the truth of being unable to unlock an encrypted device or spy on encrypted communications. They just, you know, they know the data is there, they want it. So, you know.

Steve Gibson [00:26:53]:
I'm sure they believe that they should have the right to see inside anything they choose, under the logic of, after all, they're the good guys. Right. Of course, we know that the EFF would beg to differ. So.

Steve Gibson [00:27:08]:
So there's that, but it's also happening in the EU.

Steve Gibson [00:27:14]:
And Leo, I know you talked about this over on MacBreak. Here we are. It is December 9. We are on the literal eve of the Australian law to ban the use of social media, or all social media, by anyone younger than 16.

Steve Gibson [00:27:34]:
As we know, this effectively requires anyone who does wish to continue using any social media to arrange to prove that they are at least 16 years old. If that wasn't the requirement, then somebody who was 14 could say, yeah, I'm an adult. Okay, so, you know, the onus has been placed, unfortunately, on the social media providers to prevent the use of their systems by anyone younger than 16. So we're recording this on December 9th.

Leo Laporte [00:28:05]:
And tomorrow, of course... sorry, it's already December 10th in Australia, so, right, it's going on now, I guess.

Steve Gibson [00:28:11]:
Right. Which is always weird. Why does it turn

Steve Gibson [00:28:16]:
next year in New York

Steve Gibson [00:28:20]:
before it turns here. I don't get that, Leo. But, you know, we're not a flat earth. We are a spinning globe. And, you know, it would be weird if it was midnight in the middle of the day. Yeah. Yeah, so that's that. That wouldn't work either.

Steve Gibson [00:28:36]:
So.

Steve Gibson [00:28:38]:
What's different here? What's happening now in Australia.

Steve Gibson [00:28:43]:
On Sunday. Today's Tuesday. So two days ago, on Sunday, the New York Times piece was titled, A grand social media experiment begins in Australia, with the tag: the country is trying to wean children under 16 off the likes of TikTok, Snapchat, YouTube and Instagram.

Steve Gibson [00:29:32]:
I read the BBC piece. Kids are still using, or, I'm sorry, are using still photos of their parents, or VPNs. Surprise. UNICEF in Australia just has a piece titled Social media ban, that was their title, and they summarize their position by writing, and this is UNICEF writing: From 10th December 2025,

Steve Gibson [00:30:00]:
anyone under 16 in Australia won't be able to keep or make accounts on social media apps like TikTok, Instagram, YouTube, Snapchat, X, Facebook and more. There's 10 total. The rule doesn't punish young people or their families. Instead, social media companies have to stop under-16s from having accounts or risk serious fines. And the fines are up to 50 million Australian dollars, about 35 million U.S. dollars. They said the new law is meant to make things safer online, but UNICEF Australia believes the real fix should be improving social media safety, not just delaying access. And then for their part, the Guardian headlined their piece: Everyone will miss the socializing, but it's also a relief. They said, five young teens on Australia's social media ban.

Steve Gibson [00:31:03]:
And it was an interesting article. They said Australia's world-first social media ban for under-16s will begin in just a few days. This was written on the weekend. Malaysia, Denmark and Norway are to follow suit, and the European Union last week passed a resolution to adopt similar restrictions. As the world watches on, millions of Australian adolescents and their parents are wondering just what will actually change come the 10th of December. And NPR had a piece as well. As I said, everybody's like, okay, these guys are going first, what's going to happen? So it's going to be interesting to see, right, how all this pans out. As I said, the economic fine for repeated failure to enforce is 50 million Australian dollars, 35 million U.S.

Steve Gibson [00:32:01]:
So that's not nothing. But there's also, of course, reputational damage. Anybody who screws this up is going to be in the news because everybody's watching. So it's clear that the 10 affected social media platforms can't ignore this and do nothing. And we know that, you know, the claim of being old enough no longer washes; we were all happily using that for the last 20 years, but no more. So, you know, they're going to need to adopt some lame measure that allows them to avoid penalties while kids gleefully work around and, you know, spoof the proof of age, which is what's going to be happening a lot. And, you know, I mean, classrooms will be buzzing, everyone will be talking about how they did it.

Steve Gibson [00:32:52]:
In the BBC piece that interviewed five teens, one 13-year-old said she just took a picture of her mom and showed it, and it said okay, go ahead. So, you know, my feeling is that there was probably no way to avoid the present mess that the world is about to endure, and a mess it's going to be. As we know, change is difficult even when everyone is pulling in the same direction and wants it. But change, when the platforms and their users all want to leave things the way they are, and only some unseen government, legislators and their regulators want to force change, it's just bound to be a mess. I of course hope that some good technology will eventually step into the gap to provide privacy-respecting age verification, but we don't have that yet, and we don't even appear to be close, since the handset makers are very much strongly in the "we don't want this to be our problem" camp. Although I think that's exactly wrong. I think, you know, the point of contact between the user and the technology is the handset.

Steve Gibson [00:34:08]:
And I get it that Apple doesn't want to do this, but they're inching towards it. As you know, we've covered various of those measures, as is Google. So I think they probably know that ultimately they're going to need to be the place where this decision gets made. It is the right place, it's the logical place for it to be. And on the eve of this first countrywide event, I wanted to also note that the EU is now making much the same noise, which one of those articles talked about. And whereas Australia's human, which is to say non-kangaroo, population is about 27.5 million, the total population of the EU's current 27 member states is around 450.5 million. So a huge population. The European Parliament news recently posted a piece with the headline: Children should be at least 16 to access social media, say Members of the European Parliament.

Steve Gibson [00:35:15]:
Those are members of the European Parliament. MEP is an acronym for Members of the European Parliament. However, things may be better in the EU from a privacy and accuracy standpoint. At least we can hope. A vote was held two weeks ago Wednesday, where the Members of the European Parliament, these MEPs, voted to adopt a non-legislative report by 483 votes in favor, 92 against and 86 abstentions. The report and their votes expressed deep concern over the physical and mental health risks minors face online and called for stronger protection against the manipulative strategies that can increase addiction and that are detrimental to children's ability to concentrate and engage healthily with online content. So here's the part that caught my eye. In the EU's adopted report, they wrote, it's a short paragraph, expressing support for the Commission's work to develop an EU age verification app and the European digital wallet, the EID wallet.

Steve Gibson [00:36:31]:
MEPs insist that age assurance systems must be accurate and preserve minors' privacy, which is to say everyone's privacy, right, because again, you need to assert that you're not a minor and you'd like your privacy protected. It's funny how no one really latches onto that in any of this reporting. Such systems do not relieve platforms of their responsibility to ensure their products are safe and age-appropriate by design, they add. But, you know, so these guys may be moving forward in the right way with 450 million users in the EU, and it's just not a hard problem to solve if you want to solve it. I'm hopeful. So, you know, the idea that the Commission would be pressing for an EU age verification app, that's really good news. Given some means for establishing an individual's date of birth, which we know may be the European digital identity, that date can easily be protected inside the device, while simple assertions of "older than X" are then trivial to generate with total security and anonymity.

Steve Gibson [00:37:54]:
As I said, crypto can do this without breaking a sweat. So my takeaway here is that yes, we're about to descend into some extremely messy, chaotic times. But, you know, given the kicking and screaming by the platforms and their users, this was inevitable, given that the legislators are just barreling ahead without any solution, with the "well, we'll let other people solve the problem" approach. So the right people understand the concepts of accurate privacy-preserving solutions, and they know this is possible. So I doubt that the world's gonna have to wait that long, and that we're eventually going to finally obtain a good solution. And I know, Leo, you guys were talking about it over on MacBreak Weekly. The loss of absolute unaccountability is going to be mourned by some. But, you know, Jason was talking about the loss of privacy.

Steve Gibson [00:38:57]:
That's just interim. We can do this without any loss of privacy. Yes, you will have to identify yourself in order to securely embed your date of birth in the device. But once that's done, for all the people using it, that's the real difference here. We do not want to have to be showing a driver's license individually to every website we visit. You're going to have to show it once to your device and then be biometrically locked to that so that it knows you didn't use your license for a friend's phone in some fashion. So, you know, it needs to be done right, but it can be. And once that's done, then that strongly constrains any further dissemination of privacy loss.

Steve Gibson [00:39:54]:
That's where we're going to end up being. So it'd be fun to watch it here on this podcast as it happens, and it'll be fun for me to take a sip of coffee. Leo.

Leo Laporte [00:40:04]:
Well, that we can arrange. I don't know if we can help with the other one, but I think we can arrange.

Leo Laporte [00:40:10]:
Yes, our show today, brought to you by Veeam. Oh, you need to know about Veeam. When your data goes dark, Veeam turns the lights back on. Veeam keeps enterprise businesses running when digital disruptions like ransomware strike. And you know ransomware is just out there waiting to strike. How? Well, by giving businesses powerful data recovery options that ensure you have the right tool for any scenario, broad, flexible workload coverage, from clouds to containers and everything in between. With Veeam, you get full visibility into the security readiness of every part of your data ecosystem, tested, documented and provable recovery plans that you can deploy with a click of a button. How's your recovery plan looking? This is why you need Veeam. If you're out there in the world and you're not prepared, you need Veeam.

Leo Laporte [00:41:07]:
Veeam is the number one global market leader in data resilience. That's the term. Just call them the global leader in helping you stay calm under pressure. That's the offer with Veeam. It's all good. Keep your business running at veeam.com, V-E-E-A-M.com. All right, back to Leo.

Steve Gibson [00:41:30]:
So this is such a weird path.

Steve Gibson [00:41:37]:
Staying with the topic of government legislators seemingly all simultaneously losing their multi-decade shyness toward legislating our use of personal technology, which sort of seems to have happened globally all at once, we have the news that the government of India intends to verify and record every smartphone in use by their citizens.

Steve Gibson [00:42:10]:
That was essentially TechCrunch's headline last week, under which they wrote, the Indian government is widening the scope of its anti-theft and cybersecurity initiative to cover both new and used smartphones, an effort aimed at curbing device theft and online fraud, but a move that's also raising fresh privacy concerns. Yeah, no kidding, they wrote. As part of the expansion, the Indian Telecom Ministry is requiring companies that buy or trade used phones to verify every device through a central database of IMEI numbers. This comes in addition to a recent directive order, get this, ordering smartphone manufacturers to pre-install the government's Sanchar Sathi app on all new handsets and push it onto existing devices through a software update, ordering smartphone manufacturers to do that. Good luck with that.

Leo Laporte [00:43:17]:
Yeah.

Steve Gibson [00:43:19]:
In other words, India is now requiring all handset makers both to pre-install a state-mandated app and also to retro-install the app into all existing devices. TechCrunch continues, writing: Reuters first reported the news on Monday, which was later confirmed by the ministry in a public statement. So the ministry said, yep, that's right, got to do that. Launched in 2023, the Sanchar Sathi portal allows users to block or trace lost and stolen phones. I was a little surprised by these numbers, Leo. The system has blocked more than 4.2 million devices and traced 2.6 million more devices, per government data.

Leo Laporte [00:44:14]:
India is a big country and there's hundreds of millions of cell phones in use.

Steve Gibson [00:44:18]:
So yeah, yeah. The system expanded earlier this year with the release of a dedicated Sanchar Sathi app in January, which the government says helped recover more than 700,000 phones, including 50,000 in October alone.

Steve Gibson [00:44:39]:
Wow. So I guess they've got a smartphone theft and reuse problem and they're taking steps. TechCrunch said the Sanchar Sathi app has since gained broad adoption. The app has been downloaded nearly 15 million times and saw more than 3 million monthly active users in November, up more than 600% from its launch month, which would have been 2023, according to marketing intelligence firm Sensor Tower. Web traffic to Sanchar Sathi has also surged, with monthly unique visitors rising more than 49% year over year, per Sensor Tower data shared with TechCrunch. So okay, up to this point, it appears that the choice to have one's smartphone protected with this tracing and recovery app has been the user's. But TechCrunch explains what's changed.

Steve Gibson [00:45:41]:
They wrote the government's order to pre-install Sanchar Sathi has already drawn significant backlash from privacy advocates, civil society groups, and opposition parties. Critics argue the move expands state visibility into personal devices without adequate safeguards. The Indian government, however, says the mandate is intended to address rising cases of cybercrime such as IMEI duplication, device cloning, fraud in the secondhand smartphone market, and identity theft scams. Responding to the controversy, the Indian telecommunications minister said Tuesday that Sanchar Sathi is, quote, a completely voluntary and democratic system, unquote, okay, and that users can delete the app if they do not wish to use it, which again, sort of flies in the face of the other things that were previously said. The directive reviewed by TechCrunch and circulating on social media on Monday, instructs manufacturers to ensure the pre-installed app is, quote, readily visible and accessible to end users at the time of first use or device setup and that its functionalities are not disabled or restricted, unquote, raising questions about whether the app is truly optional in practice. India's deputy telecom minister said in media interviews that most major manufacturers were included in the government's working group on the initiative, though Apple did not participate.

Steve Gibson [00:47:28]:
Alongside pushing the Sanchar Sathi app, two people familiar with the matter told TechCrunch that the telecom industry is piloting an additional programming interface, an API, that would allow re-commerce and trading platforms to upload customer identities and device details directly to the government. The move would mark a significant step toward creating a nationwide record of smartphones in circulation. India's used smartphone segment is expanding rapidly as rising prices of new devices and longer replacement cycles push more customers toward cheaper alternatives. India became the world's third largest market for second-hand smartphones last year, in 2024. But as much as 85% of the secondhand phone sector remains unorganized, meaning most transactions occur through informal channels and through brick-and-mortar stores. 85%, so only 15% are being formalized and tracked. The government's move covers only formal re-commerce and trading platforms, leaving much of the broader used device market outside the scope of the current measures. Well, unless manufacturers are going to be.

Steve Gibson [00:48:53]:
Back-porting, you know, back-installing this thing in any software updates which may still be happening on remarketed phones anyway. TechCrunch said, while announcing the pre-installation of its app, the Indian government said the move would help enable, quote, easy reporting of suspected misuse of telecom resources, unquote. Privacy advocates say that the growing data flows could give authorities unprecedented visibility into device ownership, raising concerns over how the information could be used or misused. The head of programs and partnerships of the Toronto-based nonprofit policy lab Tech Global Institute told TechCrunch, quote, It's a troubling move to begin with. You're essentially looking at the potential for every single device being databased in some form, and then what uses can their database be put to at a later date? We don't know. The Indian government has not yet detailed how the collected data will be stored, who will have access to it, or what safeguards will apply as the system expands. Digital rights groups say the sheer scale of India's smartphone base, estimated, to your point, Leo, at some 700 million devices.

Leo Laporte [00:50:19]:
Yeah.

Steve Gibson [00:50:20]:
Means even administrative changes can have outsized consequences, potentially setting precedents that other governments may study or replicate. Quote, While the intent behind a unified platform may be protection, mandating a single government-controlled application risks stifling innovation, particularly from private players and startups who have historically driven secure, scalable digital solutions, said the director of the New Delhi-based technology think tank Esjes Center. If the government intends to build such systems, they must be backed by independent audits, strong data governance safeguards, and transparent accountability measures. Otherwise, the model not only puts user privacy at stake, but also removes fair competition for the ecosystem to contribute and innovate. Right. If the government's already got that locked up, then third parties need not apply. How could they compete? The Indian Telecom Ministry did not respond to TechCrunch's requests for comment.

Steve Gibson [00:51:31]:
While the Sanchar Sathi app is visible on a user's phone, the broader system it connects to operates largely out of sight. The permissions, its data flows and back-end changes, including the planned API integration, may be buried in long terms and conditions documents that most people never read or even see, he said. As a result, users may have little practical understanding of what information is being collected, how it is shared, with whom it's shared, or the extent of the system's reach. Quote, you can't go about restricting cybercrimes and device thefts in such a disproportionate and heavy-handed way. Boy, is that a common theme. He said, the government is basically saying that, look, you need to put my app on every device that's sold, on every existing device you have to install it, and in anything that's being resold as well, unquote. So wow.

Leo Laporte [00:52:34]:
I think they felt the pressure because this is a press release from the Department of Telecommunications in India.

Steve Gibson [00:52:39]:
They have.

Leo Laporte [00:52:40]:
They gave up.

Steve Gibson [00:52:42]:
Yes. And in fact I've got that after I tell you what Apple said.

Leo Laporte [00:52:45]:
Yeah, Apple wasn't too happy about it, I know that.

Steve Gibson [00:52:50]:
So.

Steve Gibson [00:52:52]:
On a practical side, we know about the tyranny of the default, right? If the app is pre- and post-installed, a great many more people will end up using it, way more than 50 million recent downloads. There are 700 million phones in circulation. Most people will not remove it. They'll just assume, oh, whatever that is, it's, you know, it's good for me. And it's not completely clear whether removal will even be an option, since the Indian government's intention looks to be more aimed at assuring that all smartphones participate. And of course one wonders what Apple, right, would think about such a mandate. On the other hand, India is now producing Apple smartphones, so who knows? Well, it turns out Apple does indeed say no.

Steve Gibson [00:53:42]:
I dug around some more and discovered, to no one's surprise, Apple does not plan to abide by India's order. The India Times headline was "Apple to resist order from India's Department of Telecom to preload state-run Sanchar Sathi app as political outcry builds," and we get a little bit more interesting information about disabling or removing. That makes somewhat more sense. The India Times wrote, Apple does not plan to comply with a mandate to preload its smartphones with a state-owned cyber safety app and will convey its concerns to New Delhi, three sources familiar with the matter said, after the government's move sparked surveillance concerns. The Indian government has confidentially ordered, although it didn't stay secret, of course you can't with those sorts of things, confidentially ordered companies including Apple, Samsung and Xiaomi to preload their phones with an app called Sanchar Sathi, which is.

Steve Gibson [00:55:01]:
In English, communication partner is what that means, within 90 days. The app is intended to track stolen phones, block them and prevent them from being misused. So that was news. Block them. So meaning that the government can prevent a phone from operating. I didn't pick up any of that in the previous reporting, so, you know, you would call that a biggie. That suggests that this communications partner app would have the ability to shut down a phone. And if that's the case, it's no wonder that Apple is saying no thanks.

Steve Gibson [00:55:41]:
The reporting continues from the India Times, writing: Reuters was the first to report on Monday that the government also wants manufacturers to ensure that the app is not disabled. Also, for any devices already in the supply chain, manufacturers should push the app to phones via software updates. The Telecom Ministry confirmed the move later, describing it as a security measure to combat serious endangerment of cybersecurity. But Minister Modi's political opponents and privacy advocates criticized the move, saying.

Steve Gibson [00:56:16]:
It is a way for the government to gain access to India's 730 million smartphones. So anyway, I'm going to skip the balance of this. Basically.

Steve Gibson [00:56:30]:
A bunch of opinions were polled by Reuters talking about it, you know, being more than a sledgehammer, it's more like a double barrel shotgun.

Steve Gibson [00:56:42]:
So following on the heels of that, as you said, Leo, India decided, okay, I guess that's not going to fly. They backpedaled on their requirement. Their official press release from the Ministry of Communications, which you had on the screen, proclaims across its top, Government removes mandatory pre-installation of the Sanchar Sathi app.

Steve Gibson [00:57:39]:
You know.

Steve Gibson [00:57:42]:
India may not be done meddling in communications, because the India Times also had a headline, Why your WhatsApp Web may now log out every 6 hours.

Steve Gibson [00:57:58]:
India's Department of Telecommunications said.

Steve Gibson [00:58:03]:
I'm sorry, the India Times is quoting them, saying in their story: Due to a new directive from the Department of Telecommunications, WhatsApp Web will automatically log out its users every six hours. Under the new rule, the Department of Telecommunications requires messaging apps, including WhatsApp, Telegram and Signal, to implement SIM binding.

Steve Gibson [00:59:33]:
And if this move, you know, did not represent some enhanced form of government control, then why would India be mandating this change at all? Okay, but there's more. The India Times explains under the same directive, web versions of these applications will log their users out periodically no later than every six hours and force a re-authentication via a QR code scan.

Steve Gibson [01:00:25]:
Platforms are required to comply within 90 days and submit reports within four months, potentially by around February of next year.

Steve Gibson [01:01:35]:
So, you know, we really appear to be entering a period where government legislators are feeling increasingly empowered, Leo to dictate the operation of the personal communications devices operating within their jurisdictions.

Leo Laporte [01:02:42]:
Yeah.

Steve Gibson [01:02:43]:
Wow.

Leo Laporte [01:02:44]:
So.

Steve Gibson [01:02:44]:
So what do you think that's about? I mean that, that's just like, like.

Leo Laporte [01:02:50]:
Tying.

Steve Gibson [01:02:51]:
Like what's. To be honest, WhatsApp is based on your phone number, right? Because we have to be anymore.

Leo Laporte [01:02:59]:
It used to be, but it does no longer has to be.

Steve Gibson [01:03:02]:
Okay. Because we had that story that we talked about last week where there was no rate limiting on brute forcing WhatsApp web to look up people's identities just by trying every possible phone number.

Leo Laporte [01:03:16]:
Right.

Leo Laporte [01:03:18]:
I guess you do have to submit a phone number. Your ID can just be like my ID on WhatsApp is Leo Laporte 24. So that was a change that they implemented last. A couple of years, maybe last year. I guess that's why it's 24.

Steve Gibson [01:03:32]:
So you can look up by ID or by phone.

Leo Laporte [01:03:35]:
Okay. Yeah. But I don't know if you can look up by phone. That's an interesting question anymore. And of course, I guess the idea to register it. So. Yeah, they have your data. That's right.

Steve Gibson [01:03:46]:
Yeah. And I guess the idea also was that WhatsApp could you. You'd give it access to your contacts and it would, it would go through your contacts, take all the phone numbers out of your contacts and cross. Cross reference that with WhatsApp users in order to populate your WhatsApp contacts.

Leo Laporte [01:04:04]:
Right. Oh, I was thinking of signal. I'm not, I've. You're right. WhatsApp, I don't know, I don't use WhatsApp. I think it is tied to your phone number. You're right. Yeah.

Steve Gibson [01:04:12]:
Yeah.

Leo Laporte [01:04:13]:
And of course every Facebook app asks for access to your contacts and I always say no. Yeah. Because I'm, I'm not gonna.

Steve Gibson [01:04:20]:
What good could come of that?

Leo Laporte [01:04:21]:
I'm not giving out Steve Gibson's phone number and home address and email that. What good could possibly come of that? If I, if you want me to know you're on WhatsApp, you'll let me know you're on WhatsApp, right? Yeah, I, you know, you, you had a, a sentence in here that's. I think you could have, you could shorten.

Leo Laporte [01:04:40]:
Where you say that countries are increasingly feeling, ah. Legislators are feeling increasingly empowered to dictate the operation of the. Etc. Just say legislators are feeling increasingly empowered, period. And I think that's really what's happening is that governments worldwide are becoming more and more authoritarian and more and more interested in enforcing their worldview on their constituents. And I don't think, I don't think that's a good trend at all. No.

Steve Gibson [01:05:10]:
And unfortunately the technology allows that. Right.

Leo Laporte [01:05:14]:
I mean, well, technology has stimulated it because they feel like we are, they've lost control of us.

Steve Gibson [01:05:21]:
Right. But, but it, but, but the technology also is a control mechanism. It is a control mechanism.

Leo Laporte [01:05:27]:
Exactly. So they've discovered that and they're trying to use it. And Yeah, I don't have high hopes for this. It. You know, I think what happens, you give people power, they want more power.

Steve Gibson [01:05:37]:
Yeah.

Leo Laporte [01:05:38]:
And you can do everything you can. John Adams said that. I was watching the great Ken Burns documentary on the Revolutionary War, and John Adams said, you know, we can make a democracy, but I feel like people's greed for money and power is so great that it's unlikely we can sustain it.

Steve Gibson [01:05:58]:
Right. And Washington, you know, responds to, famously to that woman who asks after the signing of the Declaration of Independence, Franklin, what did you just.

Leo Laporte [01:06:08]:
Oh, Franklin, keep it.

Steve Gibson [01:06:09]:
Yeah, yeah. Yes, A democracy or no, a republic. If you can keep it, keep it.

Leo Laporte [01:06:14]:
Yeah. I think even in the beginning they knew that this was going to be a difficult.

Steve Gibson [01:06:19]:
Well and you know, we all grew up, all of us who are a certain age. Yes. The, the pigmentation has left our hair.

Steve Gibson [01:06:33]:
It's always been the way it is and it's always going to be the way it is. And, but that's not the history of democracies.

Leo Laporte [01:06:40]:
Right.

Steve Gibson [01:06:40]:
They have a, they have a period.

Leo Laporte [01:06:42]:
And if it's, if it's at all encouraging. We've been through bad times in the US before. There have been many, any democratic eras.

Steve Gibson [01:06:49]:
Yes.

Leo Laporte [01:06:49]:
In the United States and we survived.

Steve Gibson [01:06:50]:
And we have swung back.

Leo Laporte [01:06:52]:
Yeah.

Steve Gibson [01:06:52]:
Yeah. So let's hope. Let's take a break. We're at an hour in. We're going to talk about the abbreviation of Scattered LAPSUS$ Hunters. It is not an inspired abbreviation, but it helps. And then a bit about RAM pricing that's gone nuts.

Leo Laporte [01:07:07]:
Unbelievable. What's going on with pricing? I'm, you know, I'm glad I'm well equipped with computers, but I'm worried about the future. I don't know.

Steve Gibson [01:07:16]:
In fact that, that, that thing I had to sign for. I just purchased a machine. My, a machine. Probably my final computer for my new office that I'll be setting up in a month or two.

Leo Laporte [01:07:28]:
Desktop laptop.

Steve Gibson [01:07:31]:
It's a, it's a, it's a small.

Steve Gibson [01:07:35]:
What do they call it? Small form factor.

Leo Laporte [01:07:37]:
Like a NUC.

Steve Gibson [01:07:39]:
Yeah, that kind of thing.

Leo Laporte [01:07:40]:
Yeah, yeah. I, I think, I'm thinking maybe I, I was going to wait till next year. Apple has OLED screens coming and I really love OLED screens. Maybe I'll just get a PC instead. They have plenty of OLED PCs and just put Linux.

Steve Gibson [01:07:53]:
Well. And of course I, I will do. What this thing has, is, is three display ports on the back.

Leo Laporte [01:07:59]:
Nice.

Steve Gibson [01:07:59]:
Because I, I am a, I'm a three screen person that works for me and I made the mistake on the system I have in my place with Lisa of having that, that curved high resolution screen. No, no, I don't like that because I have lower resolution on the sides and when you drag something across the boundary, it gets all screwed up.

Leo Laporte [01:08:21]:
Like your peripheral vision on the screen.

Steve Gibson [01:08:24]:
That's not, not good. Yeah. So I'm going to go three flat screens, all the same resolution. And then, and, and do you organize it in.

Leo Laporte [01:08:32]:
I'm sorry, parentheses. We'll get back to the show in a moment folks. But yeah, do you organize like, do you have code in one window? And you do?

Steve Gibson [01:08:39]:
Yes, I have, generally have static things in different locations. So like I always have Windows Explorer open on the right, the right half of the right side. And that's just where it lives.

Leo Laporte [01:08:50]:
It's always there.

Steve Gibson [01:08:52]:
Yes, it's always there.

Leo Laporte [01:08:53]:
So that's smart.

Steve Gibson [01:08:54]:
Yeah, yeah.

Leo Laporte [01:08:54]:
And it's, you always know to go there.

Steve Gibson [01:08:57]:
And it's interesting because Laurie and I have very different organizational approaches and, and she wants like she's an organizer but she likes to put things in bins and I'm a position based organizer. I know where something is in like in location and so I go right to it. And, but if it's, if she organized it, it's gone. So it's like honey, where did, what happened to the. She says, oh, I organized that. Oh, okay.

Steve Gibson [01:09:29]:
Where is it now?

Leo Laporte [01:09:31]:
We have that problem in the kitchen. I now know where everything is in the kitchen. But if we reorganize, I'm in deep trouble. In deep trouble. All right, let's take a break. I know where the ad breaks are on this show. That's one thing I do know. And it's time for one.

Leo Laporte [01:09:45]:
We'll have more with Steve Gibson in just a bit, but first a word from our sponsor, BigID. They're the next generation AI-powered data security and compliance solution. BigID is the first and only leading data security and compliance solution that can uncover dark data through AI classification, that can identify and manage risk, that can remediate. Remediate the way you want. You get to choose. That can map and monitor access controls and scale your data security strategy along with unmatched coverage for cloud and on-prem data sources. And by the way, that's huge. BigID also seamlessly integrates with your existing tech stack, which means you can coordinate security and remediation workflows.

Leo Laporte [01:10:31]:
You can take action on data risks to protect against breaches. You can annotate, delete and quarantine and more based on the data, all while maintaining an audit trail for compliance. And as I said, it works with your existing tech stack. Everybody. I'll give you an example. ServiceNow, Palo Alto Networks, Microsoft of course, Google of course, AWS and on and on and on. That's nice. You don't have to adjust how you work to work with BigID. BigID's advanced AI models let you reduce risk, accelerate time to insight and gain visibility and control over all your data.

Leo Laporte [01:11:08]:
This is where I really think AI shines. When it's got a specific focused task, it can be so useful and so good. Intuit named it the number one platform for data classification in accuracy, speed and scalability. It really works. And some of the customers, well, people love BigID so much, they're happy to give it a testimonial. Like, for instance, the US Army. Yes, the US Army.

Leo Laporte [01:11:33]:
BigID equipped the Army to illuminate dark data. I can imagine that after 250 years they probably have quite a bit, to accelerate their cloud migration, which is a big priority for the services, to minimize redundancy and to automate data retention, something they have to do for a variety of legal reasons as well. U.S. Army Training and Doctrine Command gave them such a great testimony. Let me read it to you. This is a direct quote. The first wow moment with BigID, they said, came with being able to have that single interface that inventories a variety of data holdings, including structured and unstructured data across emails, zip files, SharePoint databases and more.

Leo Laporte [01:12:16]:
To see that mass and to be able to correlate across those is completely novel. I've never seen a capability that brings this together like BigID does, end quote. That's pretty good. CNBC recognized BigID as one of the top 25 startups for the enterprise. They were named to the Inc 5000 and Deloitte Fast 500, not just once, but four years in a row. The publisher of Cyber Defense Magazine says, quote, BigID embodies three major features we judges look for to become winners: understanding tomorrow's threats today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach. Start protecting your sensitive data wherever your data lives at bigid.com/securitynow.

Leo Laporte [01:13:07]:
Get a free demo and see how BigID can help your organization reduce data risk and accelerate the adoption of generative AI safely. Again, that's bigid.com/securitynow. Oh, and while you're there, there's a free white paper that provides valuable insights for a new framework that's just coming down the pike. It's called AI TRiSM, T-R-I-S-M. That's AI Trust, Risk and Security Management. It'll help you harness the full potential of AI responsibly. And that paper is free at bigid.com/securitynow. Thank them so much for supporting Steve and Security Now.

Leo Laporte [01:13:50]:
Now back to you Steve.

Steve Gibson [01:13:53]:
So a random observation: I'm beginning to see the infamous Scattered LAPSUS$ Hunters being referred to by the abbreviation SLH. I said no biggie, but SLH, I don't know if it'll catch on, but they have been so much in the news that the security industry appears to feel that they've become abbreviation-worthy. So the news blurb that caught my eye referred to SLH. It was a note saying that the security firm believed that they have seen SLH's focus shifting from Salesforce over to Zendesk. So SLH appears to be enamored of the, you know, SaaS model, the software-as-a-service exploitation of the customers of those services. There was at this point a lack of razor-sharp attribution for some of the very recent Zendesk-related attacks, but there have been some, and the suspicion is it is SLH. So we now have SLH as an abbreviation for Scattered LAPSUS$ Hunters. Not quite as fun as Scattered LAPSUS$ Hunters, but what the hell.

Steve Gibson [01:15:13]:
And I just completely off topic. I suppose we should have seen this coming. This next bit of news is not security related, but it's tangentially AI related, and I thought that our computer-centric listeners would find it interesting. The short blurb that first caught my attention, and I'd seen something about it pass by but hadn't paused, was Micron exits consumer RAM market. And the little blurb said American hardware vendor Micron will leave the consumer RAM market and discontinue its Crucial brand. And of course Crucial has been a well-known, you know, consumer RAM memory brand for years, they wrote. The move comes as the AI boom has led to an explosion in prices in RAM and SSDs as AI companies build data-guzzling data centers and have swallowed almost the entire market output for the next few years.

Steve Gibson [01:16:23]:
So okay, you know, I guess we should have seen this coming. That led me to look for some additional detail which I thought that our listeners would appreciate. I found a nice piece over on the Verge whose headline was RAM prices are so out of control that stores are selling it like lobster. They wrote, Michael Crider's headline at PC World today perfectly captures how ridiculous the PC memory shortage has become. Stores like the San Francisco Bay Area's Central Computers are beginning to sell RAM at market prices like you'd pay for the catch of the day at a seafood restaurant. A message posted in the store's display case reads, quote, costs are fluctuating daily as manufacturers and distributors adjust to limited supply and high demand. Because of this, we cannot display fixed prices at this time. Unquote. Micro Center is apparently doing the same.

Steve Gibson [01:17:29]:
Quote, Due to market volatility, we ask that you please see a sales associate for pricing, unquote. They wrote, it's hard to overstate just how quickly the RAM crunch is changing the affordability of computers, and it might soon impact other realms as well, as everything from game consoles to smartphones requires RAM to function. Three months ago yesterday, the author said, I bought 32 gig of memory for my gaming PC, and the price of that exact kit has more than tripled since then. Three months ago, he says, it now costs $300 more, now 440 versus 130, in case you're curious, he said, for 32 gig. He said a more common version of the same kit went from 105 to 400. Some prices have doubled since October, and while you can still find some 32 gig kits for as low as $230, a 64 gig DDR5 kit can easily run you 700, 800, even $900. Some high-profile product launches might be impacted by the price of memory.

Steve Gibson [01:18:50]:
Valve pointed to the RAM crunch as one of the reasons it could not promise a specific price for its Steam Machine just yet. Just as out of control.

Steve Gibson [01:19:03]:
He said... Oh, the author said: "Just as out-of-control GPU prices from earlier this year have finally settled down, runaway memory prices might make them shoot back up again. Every graphics card requires gobs of VRAM. More is better. And word is that Nvidia and AMD are preparing to raise prices to compensate for the crunch. Digital Foundry is recommending you buy a GPU at or below MSRP while you still can, one with 10 gig or more of VRAM."

Steve Gibson [01:19:40]:
Microsoft may also have to raise Xbox prices yet again to compensate, but Sony has stockpiled enough RAM for the PS5 to last some number of months. Epic CEO Tim Sweeney says it may take years for high-end gaming to recover from the RAM crunch because of AI. He says factories are diverting leading-edge DRAM capacity to meet AI needs, where data centers are bidding far higher than consumer device makers.

Steve Gibson [01:20:15]:
Wow. So I noted another piece in the news yesterday that said 200 environmental groups, you know, first of all, I didn't realize there were 200 environmental groups, 200 environmental groups are demanding, I love that choice of words, a halt to the construction of new U.S. data centers. You know, I guess just on principle. First of all, you know, good luck with that.

Steve Gibson [01:20:48]:
That might have stood some chance of happening, you know, if we had a bleeding-heart Democrat running the country at the moment. But you know, our President Trump recently again declared that global warming was a hoax and that wind turbines cause cancer. So I would be highly skeptical that any number of environmental groups, doesn't matter how many you gather together, are going to get much traction in the Washington climate at the moment. But what's interesting to me from a technology standpoint is that it does appear that the desire to concentrate an unprecedented amount of computational capacity within a comparatively small physical area is truly causing trouble. Right? If nothing else, we know that just getting that much electrical power service to a single location is not something that the existing power grid was originally set up to deliver, nor does it accommodate much variation without a lot of lead time. And when you step back to think about it, the only reason to want, or to arguably, you know, make a case for needing, that much computation in such a small physical space has to be economies of scale. What I mean by that is that what's being built is not a single humongous brain.

Steve Gibson [01:22:22]:
It's a very large number of individual small brains. And they don't actually all need to be under the same roof, or even in the same state for that matter. It's just more convenient and more cost effective if they're all grouped together in one place. That way they can all share staff and utilities and walls and security and cooling and a parking lot and so on. You know, and this sort of suggests that a reasonable compromise might be to limit the total size of individual AI data centers, have more of them, and spread them around more. You know, and that said, I certainly get the coolness factor of having a massive AI data center. I mean, I understand that that, you know, appeals to the tech bros. And, you know, if AI actually made money and could pay for itself, then you'd have a potentially viable business model. So I guess you have to save as much money as you can on facilities, hoping that, you know, you're saving money everywhere you can.

Steve Gibson [01:23:36]:
Because none of this yet makes economic sense.

Steve Gibson [01:23:41]:
You know, Leo, what does make economic sense?

Leo Laporte [01:23:43]:
Is it that time again? No. Oh, what makes economic sense?

Steve Gibson [01:23:49]:
What makes economic sense is GRC's new DNS Benchmark. Oh, I can't wait.

Leo Laporte [01:23:55]:
This is... We've been waiting. How long? How long have you been waiting? Well, first of all, you wrote it once before.

Steve Gibson [01:24:02]:
Yes, I actually had. And somebody found in a directory of theirs the beginnings of a DNS speed test in 2002.

Leo Laporte [01:24:15]:
So.

Steve Gibson [01:24:17]:
Yeah, long time ago. And I distinctly remember in 2008 writing version one of the DNS Benchmark at Starbucks. I had a little, like, roadshow where, you know, because I have to have a clanky keyboard, right? And so I had a...

Leo Laporte [01:24:39]:
Who's that guy with that clanky keyboard again?

Steve Gibson [01:24:42]:
Well, and of course, the Starbucks I was going to was across from UCI. So it's all students, and they all have, you know, spongy, quiet Apple keyboards.

Leo Laporte [01:24:54]:
Sure.

Steve Gibson [01:24:54]:
And I'm over in the corner going clankety, clank, clank, clankity, you know, and I would get there... They opened at 4:30, so I would get there because I had to have... Yeah, 4:30 AM, yeah.

Leo Laporte [01:25:08]:
Okay.

Steve Gibson [01:25:09]:
And so I had to have my corner, right? So I would be the first person there. I would... I would unlock the door, because they hired university students who were short and they couldn't reach the door's upper lock.

Leo Laporte [01:25:26]:
Along comes the guy with the clanky keyboard. He's gonna.

Steve Gibson [01:25:30]:
Having me there, having me there.

Leo Laporte [01:25:31]:
You wouldn't still get up at 4:30 AM? No.

Steve Gibson [01:25:35]:
Lord, no.

Leo Laporte [01:25:36]:
Oh, this is a long time ago.

Steve Gibson [01:25:38]:
This was in... I happen to know that it was 2008 when I wrote the Benchmark.

Leo Laporte [01:25:42]:
Okay.

Steve Gibson [01:25:42]:
Yeah. And so I just sat there, and then, you know, I was part of a group of regulars. And so around 6:30, some of the regulars would start showing up, and so I'd pause and, you know, talk to them, and then they'd wander off and I'd go back to work.

Leo Laporte [01:26:00]:
Now I understand why you go to Starbucks, because I wouldn't want to be in a crowded coffee shop trying to focus. But at 4:30 AM you've got the place to yourself, and lots of coffee to boot. So that's good. I could see two hours of solid work there. Yeah.

Steve Gibson [01:26:16]:
Yes. And I would leave at a little after 4. So I would spend about a full 12 hours in a single stint, and then I'd go find some dinner. So that was my routine. And I also perfected putting the sponge ear foam things deep into my ear canal and then putting these Bose sound blockers on top of that. So, you know, I would just see people's mouths moving, but I'd just be in my zone for about 12 hours a day writing the Benchmark.

Leo Laporte [01:26:50]:
And you did this at Starbucks? Why?

Steve Gibson [01:26:53]:
Because it was better than being home alone.

Leo Laporte [01:26:56]:
Okay. Okay.

Steve Gibson [01:26:57]:
I mean, you know, a little socializing, people around. Yeah, yeah, yeah. And I didn't have to walk far to get more coffee, so it was good. Anyway, so I did not...

Leo Laporte [01:27:08]:
I've known you for so long, I had no idea that's what you were doing.

Steve Gibson [01:27:12]:
Wow. Yeah.

Leo Laporte [01:27:13]:
Okay, so you're on a sprint to write this.

Steve Gibson [01:27:15]:
This would have been '08. This was during the podcast. Yeah, yeah.

Leo Laporte [01:27:21]:
Like I said, I, I had no idea. Okay.

Steve Gibson [01:27:26]:
Anyway, so.

Steve Gibson [01:27:29]:
I put this on GRC, made it available, and as I've mentioned before, for many, many, many years it was seeing more than a thousand downloads a day.

Leo Laporte [01:27:41]:
I used it all the time. I still do.

Steve Gibson [01:27:43]:
Yeah, we have more than 9.7 million, I think it is, or maybe 8 million total downloads. And it had gotten to be 16 years old. And so it was a year ago, it was in December of 2024, that I'd finished with SpinRite 6.1. That was finished, put it to bed. It's like, okay, I've made my commitment to give everybody a free update to SpinRite.

Steve Gibson [01:28:11]:
Even after 20 years. And I thought, okay, I want to see what I can do with like bringing the DNS benchmark back up to speed.

Steve Gibson [01:28:23]:
Anyway, so I spent a year working with a bunch of neat guys, and Layla, who may be our one female, in the GRC DNS.dev group. Oh, you know, our newsgroup. Old-school NNTP servers.

Steve Gibson [01:28:46]:
And for a while, I remember I talked on the podcast about imagining having... Well, so the idea was to do something GRC has never done before, which is to have an inexpensive...

Steve Gibson [01:29:00]:
An inexpensive commercial product. You know, the only thing I ever had was SpinRite at $89, and I wanted to try doing a, you know, under $10... well, a little bit under $10, $9.95... fill it with features, bring it up to date.

Steve Gibson [01:29:23]:
And offer something that I thought was a good value for a good price. So it happened on Friday. We had a couple of almost-finished things that needed to get fixed and changed. As everybody knows, the original Benchmark...

Steve Gibson [01:29:44]:
...was only able to benchmark IPv4 servers, which is almost all there was back at the time. So the big change was I needed to add IPv6 support. But then of course none of the UDP resolution is encrypted, so it's not authenticated, it's not encrypted. So we have DoH and DoT. Android devices support DoT natively. All of our browsers support DoH natively. So...

Steve Gibson [01:30:18]:
And in fact in the picture there, Leo, you can see the IPv6 addresses being lots of little digits in two rows. They're huge. And fourth from the bottom is a DNS over TLS server that's also in the list.

Steve Gibson [01:30:37]:
Anyway, the.

Steve Gibson [01:30:39]:
Essentially what's happened is over the course of these 16 years, the Internet has changed a lot. Oh yeah, and the big problem I had was that I had a bunch of false starts trying to figure out how to get this thing to do IPv6 and TLS connections, because.

Steve Gibson [01:31:07]:
IPv4 addresses fit in 32 bits and I was working in a 32 bit architecture. So it was, you know, so I. So resolver addresses were like, they fit in registers. Well, not in the future they didn't. So that all had to get changed. But the biggest thing that has really changed is that version one prioritized cached lookups over all else. And that's changed.

Steve Gibson [01:31:46]:
When, you know, we've been talking about things like uBlock Origin and other content control utilities, we've noted that the content of today's websites is now being pulled from scores of different places, you know, from all over the Internet. Libraries and ads and trackers and chat add-ons and AI popups and all this junk that are now on web pages. Well, those all require DNS lookups. So what's changed is that whereas a server's caching performance was probably most important back in 2008 when I wrote version one, that's no longer true.

Steve Gibson [01:32:52]:
It turns out that Internet transit times completely dominated that measure. Whatever it is we're measuring. When we measure cached performance, all of that time is the time it takes the query to get to and back from the resolver. So it is essentially equal to just pinging the resolver.

Steve Gibson [01:34:07]:
You know, and while it may not seem very useful to know what is essentially a resolver's ping time, it turns out that DNS performance is all about connectivity. How well are you connected to the resolver that you are asking for IP addresses from? So, as I said, the problem was that's all that version one of the Benchmark took into consideration. If a resolver close by you could beat out other resolvers, then version one of the Benchmark gave it the highest rating. It was at the top of the list.

Steve Gibson [01:34:48]:
And it was only in the case of a tie in cached performance, within its 1 millisecond resolution, that the uncached lookup performance would be considered as the second sort key. Essentially it was like a multi-key sort where the first key...

Steve Gibson [01:35:10]:
Does the gross arrangement and the second sort key does the finer grain arrangement within the grossly arranged first key. So the problem with that was that a resolver might reply to cached queries in 5 milliseconds, but then take 10 times as long, like 50 milliseconds to perform a lookup for something it didn't already have in its cache.

Steve Gibson [01:36:18]:
The other little confounding thing is that 16 years ago, in 2008, no one had local border NAT routers that were also serving as caching resolvers. You know, we had NAT back then, but those early NAT routers were not doing DNS lookups for their NAT clients as they are now. So that matters because the original version of the Benchmark would be seriously over-impressed by the performance of that local caching DNS router or resolver sitting right there on our LAN. How could any remote DNS resolver, no matter how fast it might be, possibly compete with a caching resolver that was sitting right next to the user on their own LAN? So, you know, just try pinging your LAN's gateway and you'll see how quickly it responds. No other DNS resolver out on the Internet can compete. And again, version one of the Benchmark was only looking at cached performance. So what does the new version 2 do? It takes the average of all three types of DNS queries: cached, uncached, and dot-com resolution.

Steve Gibson [01:37:36]:
It's got four sorting options. The original cached-first sort is still there for anyone who might want it for some reason. But the new default is best performance, which averages all three types. So anyway, I've spoken before about all the features that are in there. We learned that we were not getting much benchmark-to-benchmark consistency. It turns out that even asking 50 different domains for their IPs for each of your resolvers, there's enough jitter in the Internet, because the Internet's gotten busier and it's gotten bigger than it used to be, it turns out that we need to do more asking in order to get statistical significance from the data that we're collecting. So this thing allows you by default to run essentially five rounds of the benchmark and aggregate all the data.

Steve Gibson [01:38:40]:
But you can also go for 10, 20, 50 and 100, if you don't mind waiting like four hours for a 100x benchmark. And what's interesting is that you see all of the sorting stabilizing after a while, because initially the ranking is jumping around because of Internet jitter, and it actually takes a lot more looking. Anyway, short version is I'm done with the Benchmark. Anyone can have it for $9.95. I appreciated what Andy was... or, not Andy.

Leo Laporte [01:39:21]:
Alex. Jason.

Steve Gibson [01:39:22]:
Alex. Yes, thank you. Although Andy did chime in. Alex has all of our sentiments about how much he hates subscription stuff. Yes, yes, and I hate it as much as everybody. So the deal here, you buy this one time.

Steve Gibson [01:39:41]:
I will never ask you, no matter what happens, for anything for the DNS Benchmark again. All updates and versions, no matter how big or small they are, are included in the one-time purchase price. So you get to own it for life. And you are also purchasing its entire future when I cycle back around to it and continue to update and improve it. So anyway, I'm done with that. I'm gonna get moved into my new home with my wife, and then I will be starting in on ValiDrive 2, which is my next project to work on: a major improvement to ValiDrive, which is now GRC's most often downloaded freeware.

Leo Laporte [01:40:28]:
This is the app that lets you determine if you're getting the proper amount of storage on your USB thumb drive.

Steve Gibson [01:40:36]:
Yes.

Leo Laporte [01:40:36]:
Or if it's just bogus. Which many are, it turns out. Even for...

Steve Gibson [01:40:40]:
It turns out many are. More than 1,000 copies are downloaded every day; now I think we're up to about 1,100 copies a day.

Leo Laporte [01:40:47]:
Amazing.

Steve Gibson [01:40:47]:
Wow. And I'm gonna do a lot more for version two. So you know the gang who worked with me for a year on testing and came up with lots of good ideas for the benchmark. I mean Leo, this is the like things like it, it looks at the resolvers and I do something called sidelining because if a resolver very clearly doesn't have any chance of even being in the running it just gets sidelined by version 2 of the benchmark so that we don't waste time asking it a lot of questions because it's just too far away. Physical distance on the Internet is what really ends up making the difference. And so anyway this thing is just, it's got a whole bunch of pop up dialogues and anyway I'm very proud of this last year of work and before long we'll be on to the next one.

Leo Laporte [01:41:46]:
Yes. Congratulations. That's fantastic. All written in assembly language, we might add.

Steve Gibson [01:41:52]:
All in assembler. Version one, I think it was 163K. I think this one's 200.

Leo Laporte [01:41:59]:
Holy cow.

Steve Gibson [01:42:01]:
So Christmas couldn't make it any.

Steve Gibson [01:42:06]:
It does run under Wine, and Leo, it's very cool. It runs on ARM Macs. Really?

Leo Laporte [01:42:13]:
Under emulation?

Steve Gibson [01:42:15]:
Yes. So the Mac is emulated, the Mac is emulating.

Steve Gibson [01:42:21]:
Intel, and Wine knows how to run on a Mac and use the Intel emulation. So we've got guys in our newsgroup who are running it on ARM, maybe it's Windows ARM, we know that, but I'm sure someone is running it on an ARM-based Mac using Wine and the Intel instruction emulator.

Leo Laporte [01:42:49]:
Well, and because this is about network performance, not processor performance, running in emulation is harmless. Nothing wrong with that.

Steve Gibson [01:42:56]:
Yeah right.

Leo Laporte [01:42:57]:
Nice. Very nice. Congratulations GRC.com for more information.

Steve Gibson [01:43:03]:
And the top of every page says click here for GRC's new DNS Benchmark version 2.

Leo Laporte [01:43:09]:
Nice.

Steve Gibson [01:43:10]:
Oh, and I got rid of all the plus and pro. I did talk for a while about having a plus version and a pro version.

Leo Laporte [01:43:16]:
Right.

Steve Gibson [01:43:16]:
I just ended up putting everything from the Plus into the one version. That was just the right thing to do. Yeah.

Leo Laporte [01:43:24]:
So that makes sense. And 10 bucks. Come on, that's nothing. Spend more than that on an ice cream sundae.

Steve Gibson [01:43:31]:
Well, you may spend more than that on our next advertiser.

Leo Laporte [01:43:34]:
I hope you do.

Steve Gibson [01:43:36]:
I'm going to take a sip of coffee. Then we're going to look at some feedback.

Leo Laporte [01:43:40]:
I'm praying that you will. Absolutely. Our next advertiser today, let me make myself big and that small: Zero Trust. Zscaler. Zscaler is the world's largest cloud security platform. Wow. The potential rewards of AI, we all know, are too great to ignore, especially in business. But as we've often talked about, so are the risks.

Leo Laporte [01:44:10]:
Through exfiltration of sensitive data attacks against enterprise managed AI, Generative AI also helps threat actors become much more efficient, helping them to rapidly create phishing lures that are impeccable. Right. Write malicious code. We've seen evidence they're even using AI for data extraction, to automate data extraction. Because nowadays it's not enough. Just a ransomware to encrypt your computer. First they steal all your data so they can blackmail you as well as ask for money ransomware. There were 1.3 million instances.

Leo Laporte [01:44:46]:
This is the, this is actually the topic of AI.

Leo Laporte [01:44:51]:
Maybe it's time to rethink your organization's safe use of public and private AI. Chad Pallet, who is the CISO at BioIVT, loves Zscaler.

Leo Laporte [01:45:31]:
He says Zscaler helped them reduce their cyber premiums by 50%. They said, "Oh, you've got Zscaler. We're going to cut your rates," while doubling their coverage. Cut your rates and double your coverage and improve their controls. Take a look. We got a video from Chad. Watch.

Steve Gibson [01:45:52]:
With Zscaler. As long as you've got Internet, you're good to go. A big part of the reason that we moved to a consolidated solution away from sd, WAN and VPN is to eliminate that lateral opportunity that people had and that opportunity for misdirection or open access to the network. It also was an opportunity for us to maintain and provide our remote users with a cafe style environment.

Leo Laporte [01:46:16]:
With Zscaler Zero Trust plus AI, you can safely adopt Generative AI and private AI to boost productivity across your business and not have to worry about accidentally sending out private information. Zscaler Zero Trust Architecture plus AI helps you reduce the risks of AI related data loss and protects against AI driven attacks to guarantee greater productivity and compliance. Find out more. That's the best thing to do. Go to Zscaler.

Leo Laporte [01:46:46]:
That's zscaler.com/security. Thanks, Zscaler, for their support of Security Now. 4:30 AM, huh? I had no idea.

Steve Gibson [01:46:58]:
Yeah, yeah.

Leo Laporte [01:47:00]:
Somebody in the YouTube chat says that you said that before, but I. I must have missed it. I knew you went to the Starbucks for that quad venti latte, but I know you stayed all day. Not anymore.

Steve Gibson [01:47:13]:
Yeah, I think I was drinking Americanos back then, which was the, you know, stronger shots of espresso in hot water.

Leo Laporte [01:47:21]:
So sort of. That's right. So it's espresso.

Steve Gibson [01:47:23]:
Yeah.

Leo Laporte [01:47:24]:
So.

Steve Gibson [01:47:24]:
So it's.

Steve Gibson [01:47:26]:
No, it was the right thing at the time. So yeah, you know, we had a great group of people who became, I would say, lifelong friends. Except COVID extinguished it.

Leo Laporte [01:47:37]:
But it really was a social thing for you as much as anything else. That's interesting. Yeah.

Steve Gibson [01:47:41]:
Yeah, it was fun.

Leo Laporte [01:47:42]:
Yeah.

Steve Gibson [01:47:43]:
Okay. So Stefano from sunny Italy, as he put it, he said: "Hi, Steve. I feel there's a specific aspect which has been left out in this whole Cisco improvement-of-resilience see-the-light moment." He says: "As a longtime network engineer, I always found infuriating the hoops that I have to jump through in order to download a patched firmware image from any of the biggest vendors, especially Cisco. Them crying about the fact that there are so many unpatched devices still exposed is peak irony, and it is partially on them. If I buy some piece of hardware, I expect you, the vendor, to support it and patch it for a reasonable amount of time."

Steve Gibson [01:48:33]:
I would argue, you know, the device's useful life. But okay, he says: "But within that reasonable time frame, I must be able to easily access updates without them being locked behind support contracts or similar, immoral in my eyes, double dipping. Device life cycle management is perhaps the hardest part of this job. The strings of the purse are never in our hands, so it's not our call; only the consequences are on us." Oh, meaning that he's on the IT end, not on the management budget, pay-for-IT end. So, you know, literally, if he doesn't have the support contract or the paid-for access or whatever, he can't update his hardware. He finished, writing:

Steve Gibson [01:49:28]:
"I'm sure many, many more fellow engineers have been in my same situation, perhaps after changing jobs and ending up in a barely maintained infrastructure, or simply having to wait for the next round of funding in order to swap out some old lemon." Quoting Cisco's Anthony Grieco, quote: "This is further amplified by the fact that many organizations have not updated and maintained their network infrastructure, missing opportunities to fix known vulnerabilities," end quote. He said: "Then stop preventing me from doing so, Anthony." Signed, Stefano from sunny Italy. So his note reminded me that back when I was running a bonded pair of T1 trunks, remember those old days, Leo, when we were doing this over those to my home here, I was using a Cisco router to do the work. It's one of the reasons I know it intimately, and Cisco was not wonderful to deal with back then. I had assumed that they were better now, but it sounds like it's really still the same Cisco, based on what Stefano has indicated. So let's hope that Anthony, now in charge, apparently having seen the light, does something with it.

Steve Gibson [01:50:49]:
That'd be really good. Blair Learn wrote: "Hi Steve. Ironic. I ran across an item I don't believe you've covered yet. Google recently rolled out in Chrome 142 something they're calling Local Network Access. The gist of it is that if you have a public website such as example.com, it has the potential to host malicious JavaScript code which attempts to access resources on your local network, for example, the router admin interface on 192.168.0.1." He says, parenthetically: "The technique seems similar to the issue you described a month or two back with adware setting up a server on a phone's localhost address to be used by the adware vendor's ad code for tracking purposes." He said: "Local Network Access is a new permission in the browser."

Steve Gibson [01:51:50]:
"The user is..." It's not quite that, but I'm going to explain exactly what it is. "The user is prompted to allow access to devices on the local network, and if permission is denied," he's right about this, "then code on example.com is prohibited from contacting resources in the myriad local networks. Now you might ask why would you ever want to allow such a thing in the first place?" He says: "My use case was a development website hosted by an external vendor with a JavaScript application contacting a test version of an API that was hosted on a server which is only accessible via VPN." He said: "Probably not something most home users are going to encounter, but I have to imagine our enterprise developers would." He said: "Google has a blog post about it," and then there's the link in the show notes, "and the spec can be found at," and he has the W3C's, you know, the World Wide Web Consortium's, URL. He says: "I always look forward to the next episode of Security Now. SpinRite licensee, Club TWiT member and general-purpose geek, Blair." Okay, so this issue that Blair mentions Google finally addressing has been a significant and growing problem forever, and I'm surprised actually that it hasn't been causing more havoc. There was a point, I think it might have been during the pre-release of IE11, which was surprisingly long ago, time flies, Leo, where Microsoft, and I've mentioned this before, flirted with flatly denying their IE11 browser access to the localhost address 127.0.0.1 and/or the local LAN. Microsoft's plans for blocking localhost access came up at the time because I was working on SQRL, and one of the ways SQRL robustly prevented interception of any secrets was by allowing the user's local browser to connect to a little web server running in SQRL on their machine.

Steve Gibson [01:54:25]:
This gave the browser a private connection to the SQRL authenticator which they could use to cut out any possible man in the middle. Now Passkeys, as we've discussed, implements the same form of protection with user smartphones over a Bluetooth link, to create a local link between the web browser and the smartphone passkeys authenticator that no remote attacker can possibly intercept. Now in the case of Microsoft and IE11 and the localhost IP, they fortunately came to their senses and realized that there were far too many valid use cases where a web developer, for example, might be running a local web server or web services on their local machine and need to be able to access it with their browser during development and testing. Until now this has remained an unsolved problem which was really in need of a comprehensive solution. Our browsers, as we know, are no longer just passive content displays. Technologies such as JavaScript and WebAssembly have turned them into effective application platforms. So just to be completely clear about the nature of the problem: from the perspective of any web browsing client sitting on a private local area network, that web browser has network visibility into two completely different networks. It can obviously see and access the global public Internet, because it's able to access and obtain remote content.

Steve Gibson [01:56:18]:
But the browser can also just as easily see its own local area network. We know this because, for example, LAN routers are managed by aiming a browser at the LAN router's gateway IP, which is typically 192.168.0.1 or .1.1 or something like that. You know, our web browsers can see everything on our own LANs. So the problem is that a user might visit a malicious remote website which causes their web browser to download and run some malicious JavaScript or WebAssembly or whatever code. Now that the code is running inside the user's browser, essentially the Trojan horse has been invited into the house. So unless something is done, that malicious code that's now running in the user's browser has the same access to their LAN as they do. It can reach out and log into their LAN router, scan their network for other juicy targets, you know, find printers, transfer code, upload firmware, get up to whatever mischief it might wish to.

Steve Gibson [01:57:38]:
When you stop to think about it, it's somewhat amazing that this big loophole has not been closed a long time ago. So the good news is it's finally going to happen. The W3C's specification for this new feature explains its entire purpose and scope. They write: "Although RFC 1918," that's the thing that set aside our LANs, 192.168.x.x, the whole 10-dot network, 172.16 through, you know, a bunch of other successive IPs, those were all set aside by the specification of RFC 1916 long ago. So they said: "Although RFC 1918 has specified a distinction between private and public Internet addresses for over two decades, user agents have not made much progress in segregating one from the other." This is the W3C writing this. "Websites on the public Internet can make requests to local devices and servers, which enable a number of malicious behaviors, including attacks on users' routers."

Steve Gibson [01:59:01]:
Then they list a whole bunch of examples. They said: "Local Network Access," that's the formal name for this, "Local Network Access aims to prevent these undesired requests to insecure devices on the local network. This is achieved by deprecating direct access to local IP addresses from public websites and requiring that the user grants permission to the initiating website to make connections to their local network. The overarching goal is to prevent the user agent," the browser, "from inadvertently enabling attacks on devices running on a user's local intranet, or services running on the user's machine directly. For example, we wish to mitigate attacks on users' routers, or on software running a web interface on a user's loopback address, 127.0.0.1. For better or worse, this is becoming a common deployment mechanism for all manner of applications, and often assumes protections that simply do not exist. There should be a well-lit path," is the way they described it, "to allow these requests when the user is both expecting and explicitly allowing the local network address requests to occur. For example, a user logged in to Plex TV may want to allow the site to connect to their local media server to download media content over the local network instead of routing through remote servers."

Steve Gibson [02:00:44]:
The specification then clarifies the intent of this with a couple of quick examples. They said Alice is at home on her laptop browsing the Internet. She has a printer on her local network built by Acme Printing Company that's running a simple HTTP server. Alice is having a problem with the printer not functioning properly. So Alice goes to Acme Printing Company's website to help diagnose the problem. Acme Printing Company's website tells Alice that it can connect to the printer to examine its diagnostic output. Alice's browser asks Alice to allow support.acmeprintingcompany.com to connect to local devices on her network. Since this is something Alice wants and is expecting, she grants explicit permission for that website to connect to local devices on her network.

Steve Gibson [02:01:44]:
Acme Printing Company then connects to her local printer's diagnostic output through Alice's web browser. And I'll just note that it may be a little bit unnerving for people to realize this is possible. That is, it is possible for Acme Printing Company to connect to Alice's printer through her web browser. I mean, these browsers have become incredibly powerful. Now they can act as proxy gateways into our LAN. So Alice's web browser says yes. Acme Printing Company then connects to her local printer's diagnostic output through Alice's web browser and tells Alice that a part is malfunctioning on the printer and needs to be replaced. Then W3C also provides an alternative

Steve Gibson [02:02:42]:
sample. Alice continues browsing online to find the best price for the replacement part on her printer. While looking at a general tech support forum, she suddenly gets a permission request in her browser for https://printersupport.evil.com to connect to local devices on her local network. Being suspicious of why printersupport.evil.com would need to connect to local devices, she denies the permission request. And I'll just say, we hope, okay? Which is to say all of this of course presents us with a new problem. Because while yes, it's 100% true that for the first time ever

Steve Gibson [02:03:40]:
the user sitting in front of their web browser will be required to proactively allow some remote website to access their network, and that definitely represents a nice step forward in security capability, the trouble is, it's still just a capability, because we've also just saddled users with the new responsibility of determining what's benign and what's malicious. How is anyone really gonna know? If we've learned anything, it's that many users are unable to reliably tell the difference, and it's not their fault. Since we've also seen bad guys who are highly motivated and very inventive cooking up all kinds of tricky schemes to trick people, we know that the so very human user remains the weakest link in the security chain. So now Chrome, as of Chrome 142, and presumably other browsers to follow, since this is a W3C official specification, all the browsers will be popping up notifications when something you're doing requires a remote site to have access to your local network. Allowing that to happen without any notification, as we have been doing until now, is certainly not safe. But no one should imagine that if any really juicy targets should appear on user networks, you know, the bad guys aren't going to

Steve Gibson [02:05:20]:
wait, right? They're gonna cook up some very reasonable-appearing reason why users should give their remote web domains, which will not be called evil.com, they're going to be called heavensent.com, you know, access to the user's local network devices. It's going to happen. So I'm sure that the Google Chrome guys, you know, who were the driving force behind this W3C spec, they know this is an imperfect solution, but they also know it's the best that they could come up with. They needed to put up some roadblock so that browsers could not do this behind users' backs. They know that they really can't count on users to be judicious about what to and to not allow. I saw a sample Google popup and it just says example.com wants access to your local network. Hopefully, people know that the answer should be no, unless there's like a reason for it

Leo Laporte [02:06:26]:
to happen. Because I go to localhost all the time and, well, and see that.

Steve Gibson [02:06:30]:
I'm glad you said that, Leo, because that's a good point. Thanks to the security work that's been done so far, there is a clear binding between any script or WebAssembly and the domain from which it came.

Steve Gibson [02:06:51]:
So essentially you are temporarily whitelisting that domain to have access to your local network. Which is to say, you know, a browser will have multiple tabs open, and there will be scripts running from advertisers and from all of the different domains you're visiting. They will not have a whitelist for access to your LAN. It's only the script that you've whitelisted from that domain that will. And the point is you'll be able to still put 192.168.0.1 directly into your URL and go there, because you are the source of that access to the local domain. You at your browser, not indirectly through some remote domain. So unless something remote wants to do this,

Steve Gibson [02:07:58]:
most users, even power users who are logging into their local routers or going to their printers' HTTP server, you know, their browser will just allow that without any trouble. You won't get challenged when you're initiating that to your own LAN yourself. Only when some remote domain wants permission to do that. And then you get a popup which will only temporarily whitelist any script running from that one domain.

Steve Gibson [02:08:28]:
And here we are, two hours in. It's time to talk about the

Steve Gibson [02:08:35]:
oh boy, the latest disaster.

Leo Laporte [02:08:39]:
CVE in history.

Steve Gibson [02:08:41]:
Yeah, there's really nothing worse. Nope, you can't get better. It's too bad they didn't give it an 11. That would have been fun.

Leo Laporte [02:08:52]:
Remote access to React sounds about as bad as you can get, by definition.

Steve Gibson [02:08:58]:
In fact, we're going to start off by defining what would be, because our listeners all know enough about this by now, what would be the characteristics of the worst possible exploit available?

Leo Laporte [02:09:10]:
Okay, this is a little thought exercise. Think about that for a moment while I tell you about our sponsor, Hoxhunt. As a security leader, you get paid to protect your company against cyber attacks. And you know what? Kudos to you for listening to this show, but I know your job's getting harder. There are more cyber attacks than ever. And these phishing emails generated with AI, they couldn't be more perfect. They're indistinguishable from the real thing. Here's the problem.

Leo Laporte [02:09:40]:
Those legacy one-size-fits-all awareness programs you've been using, they don't stand a chance against today's threats.

Leo Laporte [02:10:07]:
They're forced into an embarrassing training program that feels like punishment that nobody learns from. That's why more and more organizations are doing better. They're trying Hoxhunt.

Leo Laporte [02:10:36]:
When an employee sees an email and suspects it might be a scam, Hoxhunt will tell them immediately. And if it is, you know, your test email, they're going to get that dopamine rush: you got it.

Leo Laporte [02:11:24]:
You can choose from a huge library of customizable training packages, or they have AI, you can generate your own, make them really, you know, effective.

Leo Laporte [02:12:05]:
And you don't have to take my word for it. There are over 3000 user reviews on Hoxhunt on G2, which make Hoxhunt the top-rated security training platform for the enterprise, including easiest to use and best results. This is easy for you, best results for your company. It's also recognized as Customers' Choice by Gartner, and it's used by thousands of companies worldwide. Companies like Qualcomm, AES, Nokia, they use it to train millions of employees all over the globe. Visit hoxhunt.com/securitynow right now. Modern, secure companies are making the switch to Hoxhunt. That's hoxhunt.com/securitynow. We thank them so much for supporting Steve and Security Now and doing a great job, and as an employee, I'm both an employee and a boss.

Leo Laporte [02:12:56]:
As an employee, I really appreciate it when it's fun to learn, you know, not to click on phishing attacks. I look forward to them. All right, Steve, now on we go.

Steve Gibson [02:13:08]:
As I said, by this time, from everything we've seen and shared on this podcast through the years, we can probably all define what a worst-case vulnerability looks like. It would affect any popular, widely present Internet-facing server. It would not require the remote attacker to be in any way authenticated on that server. It would allow said attacker to remotely supply whatever code they would wish any such server to execute on their behalf, and the attack would have a low complexity, so that no rocket science is needed. Taken together, in the parlance of the day, we would term this a critical, unauthenticated, low-complexity remote code execution vulnerability. A shorter, though less descriptive, summary might also be CVSS 10.0. Yeah, because you know, most of what we see is that they're trying to get there. They're a 9.8, but they're not really completely, just unbelievably bad.

Leo Laporte [02:14:24]:
Underachievers, obviously. See, this.

Steve Gibson [02:14:26]:
Yeah, they were. This is a 10.0. The headline given to Dan Goodin's reporting of just such a vulnerability last Wednesday, so not even a week ago, in Ars Technica was "Admins and defenders gird themselves against Maximum Severity Server V." In the subhead it says "Open Source React executes malicious code with malformed HTML, no authentication needed." So there's a lot to cover here. Let's begin with Dan's description in Ars Technica. He says security defenders are girding themselves in response to the disclosure of a maximum severity vulnerability disclosed Wednesday in React Server, an open source package that's widely used by websites and in cloud environments.

Steve Gibson [02:15:22]:
The vulnerability is easy to exploit and allows hackers to execute malicious code on servers that run it. Exploit code is now publicly available.

Steve Gibson [02:15:36]:
React is embedded into web apps running on servers so that remote devices render JavaScript and content more quickly, with fewer resources required. React is used by an estimated 6% of all websites and 39% of cloud environments. When end users reload a page, React allows servers to re-render only parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server. Security firm Wiz said exploitation requires only a single HTTP request and had near 100% reliability in its testing. Multiple software frameworks and libraries embed React implementations by default. As a result, even when apps don't explicitly make use of React functionality, they can still be vulnerable, since the integration layer itself invokes the buggy code. And that sounds a little bit like Log4j, right? Which we recall. Although that wasn't bad, as it turned out. This has already turned out to be bad.

Steve Gibson [02:16:54]:
The combination of the widespread use of React, particularly in cloud environments, the ease of exploitation, and the ability to execute code that gives attackers control of servers has earned the vulnerability a severity rating of 10, the highest score possible, writes Dan. On social media, security defenders and software engineers urged anyone responsible for React-related apps to immediately install an update released Wednesday. One researcher wrote, "I usually don't say this, but patch right freaking now." The React CVE listing, and that's CVE-2025-55182, is a perfect 10. React versions 19.0.1, 19.1.2 or 19.2.1 contain the vulnerable code. So that's worth noting. It's only this year's React, so this happened this year. I hope you're not running an older one, because that would be worse, but you know, so update. Again, the third-party components, writes Dan, known to be affected, so these are third-party things that have React in them, include Vite RSC plugin, Parcel RSC plugin, React Router RSC Preview, RedwoodSDK, Waku and Next.js, that being a biggie, of course. According to Wiz and fellow security firm Aikido, the vulnerability, tracked as I said as 2025-55182, resides in Flight, a protocol found in the React Server Components. Next.js has assigned the designation

Steve Gibson [02:18:51]:
of a different CVE, CVE-2025-66478, to track the vulnerability in its package.

Steve Gibson [02:19:01]:
And then Dan hits us with the nature of the vulnerability, which will also come as no surprise to our longtime listeners, since this podcast long ago identified interpreters as a particularly tough problem for secure systems. Dan writes, the vulnerability stems from unsafe deserialization, the coding process of converting strings, byte streams and other serialized formats back into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server. Patched React versions include stricter validation and hardened deserialization behavior. In other words, they fixed a bug in the deserializing interpreter, which interprets the serialized stream and makes a mistake. Wiz explained, quote, when a server receives a specially crafted malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code. They added, in our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate, and could be leveraged into a full remote code execution. The attack vector is unauthenticated and remote, requiring only a single specially crafted HTTP request to the target server.

Steve Gibson [02:20:44]:
It affects the default configuration of many popular frameworks. Both companies are advising admins and developers to upgrade React, meaning React and Next.js, and any dependencies that rely on it. Users of any of the remote-enabled frameworks and plugins mentioned above should check with their maintainers for guidance. Aikido also suggests admins and developers scan their code bases and repositories for any use of React, meaning you might have included it as a dependency in some build structure and not even know it's in there. But React is still accepting that stream when it comes to it, and could then trip over its own feet and execute bad code in your system. Dan's article quickly generated 79 comments, from which the Ars staff chose one which reads, "Just ask Grok for a proof of concept. Basically, the deserializer can be made to execute any arbitrary code by encoding a nested object with an eval expression into Base64 bytes. Shockingly easy to do," he wrote.

Steve Gibson [02:22:09]:
Okay, so now let's step back a bit to answer the question, what is it? Wikipedia sums it up nicely, writing React, also known as React.js or ReactJS, is a free and open source front-end JavaScript library that aims to make building user interfaces based on components more seamless. It's maintained by Meta and a community of individual developers and companies. According to the Stack Overflow Developer Survey, React is one of the most commonly used web technologies today. React can be used to develop single-page, mobile or server-rendered applications with frameworks like Next.js and React Router. Because React is only concerned with the user interface and rendering components to the DOM, React applications often rely on libraries for routing and other client-side functionality. A key advantage of React is that it only re-renders those parts of the page that have changed, avoiding unnecessary re-rendering of unchanged DOM elements.

Steve Gibson [02:23:21]:
React is used by an estimated 6% of all websites. Okay, so now we have some sense for what React is. How widespread is its use? The platform security company OX titled their reporting of this Wednesday "Millions of Servers Vulnerable to RCE in React Components." They wrote, a critical vulnerability in React and Next.js allows attackers to execute code on vulnerable servers without any authentication, potentially exposing millions of applications to immediate risk. React is one of the most popular JavaScript libraries for building user interfaces, created by Facebook/Meta, with over 1.97 billion total downloads. One point, almost 2 billion downloads.

Leo Laporte [02:24:16]:
That's a lot of downloads.

Steve Gibson [02:24:18]:
That is a lot of downloads. Discovered today, Wednesday, this vulnerability affects the React and Next.js ecosystems, which power over 10 million active websites globally, including major platforms built with React such as Instagram, Netflix, Airbnb, that serve billions of users daily. With React downloaded over 20 million times weekly, new vulnerable applications are being deployed continuously. The potential exposure is massive, spanning e-commerce platforms, financial services, healthcare applications and enterprise systems worldwide. Okay, so you know the bad guys are going to be just salivating. They wrote, what we know: React's CVE, and that's the 55182, and Next.js's CVE-2025-66478 contain a critical RCE vulnerability, enabling the attacker to execute arbitrary privileged JavaScript code on the vulnerable server. While the core issue stems from the React vulnerability, the Next.js vulnerability exists only because it directly used a vulnerable version of the React framework itself.

Steve Gibson [02:25:40]:
The attack doesn't require any kind of authentication from the attacker or a valid running session for the RCE to work. Who's affected? Any server running an unpatched version of React or Next.js, or any package based on a vulnerable React component. Using Shodan, we found that there are over 571,249 public servers using React components and 444,043 using Next.js. So together, more than a million. While we don't know the versions of each of those servers, it would be safe to assume that even if a small number of them are inside the vulnerable versions range, the impact

Steve Gibson [02:26:38]:
is on a high scale and should be addressed immediately. Since this issue impacts any server online running React or Next.js, which are highly popular JavaScript-based packages, this means that attackers could now scan and directly exploit those servers. This potentially could harm millions of servers around the world, causing information leakage, secret extraction and more. All right, so it's not good. Did anyone notice? Ha, you betcha. Two days later, Friday, December 5, OX followed up with their report of active exploitation under their headline "React's CVE-2025-55182 Is Now Actively Exploitable, Verified PoC." They wrote, hacker Maple3142 published a working proof of concept for 55182, which we successfully verified, just two days after we published our initial analysis of the React/Next.js server-side RCE vulnerability. A fully functional exploit has been released publicly.

Steve Gibson [02:27:53]:
The proof of concept works exactly as expected and results in unauthenticated remote code execution on vulnerable servers. The exploit abuses React, blah blah blah, we all know about that. So then they get into details of the attack and congratulate the exploit's author, this Maple3142, calling it great work. They also provide a link to Maple's exploit demo on GitHub, and I have a link at the bottom of page 20 in the show notes for anyone who's interested. To no one's surprise, the industry has jumped to get this resolved. This is an emergency, and there were apparently a few hiccups along the way. Cloudflare notably suffered a 25-minute oopsie outage while working to protect all of the servers behind them from the abuse of the vulnerability. Network World reported under their headline "Cloudflare Firewall Reacts Badly to React Exploit Mitigation," you know, pun there, with the subhead "In attempting to fix one problem, Cloudflare caused another." They wrote, Cloudflare's network suffered a brief but widespread outage Friday after an update to its web application firewall,

Steve Gibson [02:29:13]:
you know, a WAF, to mitigate a vulnerability in React Server Components went wrong. At 9:09am UTC, the company reported that it was investigating issues with the Cloudflare dashboard and related APIs, warning that customers might see requests fail or errors displayed. Just 10 minutes later they had deployed a fix. And actually it looks more like it was a 25-minute outage. So maybe it was 15 minutes into it, then 10 minutes after that they had a fix. So a total of 25, they wrote. But not before a flood of reports of problems with Cloudflare and its customers poured into uptime tracking sites such as downdetector.com. During the same window, Down Detector saw a spike in problem reports for enterprise services including Shopify, Zoom, Claude AI and Amazon Web Services, and a host of consumer services from games to dating apps. Cloudflare explained the outage on its service status page, writing, a change made to how Cloudflare's web application firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning. This was not an attack.

Steve Gibson [02:30:32]:
The change was deployed by our team to help mitigate the industry wide vulnerability disclosed this week in React Server Components, unquote.

Steve Gibson [02:30:43]:
The OX report said Cloudflare was no doubt attempting to protect those of its customers who've not yet had an opportunity to patch the vulnerability in the two days since it was revealed. The wobble in Cloudflare services comes just two weeks after a much bigger one rendered its customers' websites inaccessible, and so forth, blah blah blah. So anyway, I appreciated how these guys at Network World concluded their posting. They wrote, there are some advantages in relying on single service providers such as Cloudflare or AWS for these tasks, including economies of scale and service consistency. But it also makes them single points of failure. When they go down, everything goes down with them. This is what we were just talking about two weeks ago. In such a monoculture, the alternatives that might be able to take up the slack have already been weeded out, meaning acquired or put out of business, or they're just not available for whatever reason.

Steve Gibson [02:31:49]:
So I think that gets it exactly right. Cloudflare's own posting about this noted that their logs did not capture any evidence of successful exploitation of this vulnerability against any of their free or commercial customers. And by the way, both were protected by this. Cloudflare's WAF, their web application firewall, update also protected anybody on the free plan. They never said explicitly that their apparent WAF change service outage was a mistake, but it certainly seems like it had to be. You know, they're continually updating their web application firewall patterns with new detections and blocks, and their customers are not experiencing system-wide outages on an ongoing basis. So I think they fumble-fingered, you know, something somewhere.

Steve Gibson [02:32:45]:
Of course AWS and Fastly and other CDNs also quickly deployed their own network protections for their customers. So everybody pretty quickly got protected. I should also mention that two China-based threat actors were seen to immediately jump onto this exploit, with attacks beginning within hours of the vulnerability's public disclosure. Well, remember that was Wednesday, and the CDN protections didn't snap into place for a full 48 hours, so there was likely some serious damage done during this window from disclosure to fix, which sort of suggests that this could have been done better. There's no reason, for example, that the major CDNs at least could not have been brought into a loop, you know, on the DL, and allowed to have their application

Steve Gibson [02:33:45]:
firewalls updated so they would have been protected before the disclosure. No reason for that not to happen. So maybe somebody will be thinking about that. The AWS security team linked the attacks that they saw to two groups tracked as Earth Lamia and Jackpot Panda. AWS wrote, Earth Lamia is a China-nexus cyber threat actor known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East and Southeast Asia. The group has historically targeted sectors across financial services, logistics, retail, IT companies, universities and government organizations. And Jackpot Panda, they wrote, is a China-nexus cyber threat actor primarily targeting entities in East and Southeast Asia. The activity likely aligns to collection priorities pertaining to domestic security and corruption concerns, whatever that means. So Amazon says the attackers used anonymizing proxies to hide their infrastructure, so requests were being bounced through other systems, and also deployed exploits for other vulnerabilities, using these as the back doors to get in.

Steve Gibson [02:35:14]:
Interestingly, both groups used their own homegrown exploit implementations. Remember the proof of concept. Even that took two days before it went public. But this thing was so dead simple to do that no one waited. You didn't have to wait two days. The attacks started within hours of the disclosure that there was a problem, and they rolled their own exploits because it was so easy to do so. Then later, multiple public proof-of-concept exploits were released, including one from Lachlan Davidson, a security researcher we've talked about before.

Steve Gibson [02:35:57]:
He was the guy who initially found and reported this devastating vulnerability. So it's likely not an exaggeration to say that this vulnerability is probably going to haunt the developer ecosystem for some time, due to its ease of exploitation, widely available proofs of concept, its low complexity versus its power, as well as React's popularity. Next.js is currently considered to be the best web technology available for producing very SEO-friendly content. If a technology was, you know, ever expected to replace WordPress, those, you know, people in the know argue that it would be Next.js that would be the replacement for WordPress. Palo Alto Networks wrote, ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization by moving logic closer to the source, they simultaneously move the attack surface closer to organizations' most sensitive and valuable data. Which I think is a terrific perspective. So anyway, I wouldn't say we dodged a bullet.

Steve Gibson [02:37:22]:
I would say that a bunch of people probably got hit. And over time we may get some more news, like by next week, of, you know, what organizations are in trouble as a result of this. We could see that those who weren't immediately reactive, so to speak, are going to be in trouble, and we'll start getting, you know, extortion notices and data exfiltration and all of the follow-on

Steve Gibson [02:37:51]:
badness that comes after a network is penetrated.

Leo Laporte [02:37:55]:
Yeah. Wow. And so it's been patched.

Steve Gibson [02:38:02]:
Yes.

Leo Laporte [02:38:02]:
And does React work to automatically update itself, or do you have to explicitly...

Steve Gibson [02:38:09]:
No, there's no auto-update. You need to get the updated stuff. Yes. And I should mention that the Benchmark that is now available does have automatically check for updates enabled.

Leo Laporte [02:38:23]:
Oh, good.

Steve Gibson [02:38:24]:
And it will alert its user every time they use it. All I do is send a short DNS query to GRC. I'm using DNS

Steve Gibson [02:38:33]:
in order to send back the most recent release number. And so it checks that against its own release and it lets you know if there's something better, and also gives you the link to update, and puts your transaction code from your purchase into Notepad, I mean into the clipboard, so you can paste it directly into the form and get the download link for the new one. Thanks to a year of development, we had lots of time to polish the whole update delivery system.

Leo Laporte [02:39:06]:
Feedback's great. That's really great.

Steve Gibson [02:39:09]:
Well, good.

Leo Laporte [02:39:10]:
Everybody should go to GRC.com and get your copy of the DNS Benchmark. You're not calling it just v2, version 2?

Steve Gibson [02:39:20]:
Buy it once, own it forever, and own its entire future.

Leo Laporte [02:39:23]:
Nice. Now, did you send out the email to the list?

Steve Gibson [02:39:29]:
No, I want to do a walkthrough video first. I need to get the documentation updated. The documentation pages need to be updated. They're still all talking about version one, so I'm not ready to do that. But I still have no spam being reported by Google. So all of those changes I made to my email system have taken hold, and it'll probably be a couple weeks and then I will do that. I will notify that

Steve Gibson [02:39:54]:
main mailing list, which is now up to 153,000 subscribers. So that'll be fun to let them know.

Leo Laporte [02:40:01]:
Well, I'll tell you what, you can kill two birds with one stone. If you go to GRC.com/email, the idea here is you enter your email address, and then Steve Gibson will know that you're you and not some spammer. And that means you can email him from then on. And you'll also see the two additional subscriber lists. I always say there's a check mark, but I don't see a check mark. You just...

Steve Gibson [02:40:27]:
You get one when, so...

Leo Laporte [02:40:29]:
Oh, it's in the email.

Steve Gibson [02:40:30]:
Yeah, well, you fill that out. Then I send you a link for managing your account. When you click that, that brings up your own page where you can subscribe and unsubscribe from whatever.

Leo Laporte [02:40:46]:
Right. So, yeah, and there isn't a banner on this page to buy or upgrade.

Steve Gibson [02:40:52]:
There it is.

Leo Laporte [02:40:53]:
It's on this page though. It's just not on the email page. So Steve, you might want to add that to the email.

Steve Gibson [02:41:00]:
Like I said, I mean, the only thing I've ever had for sale on the site was SpinRite. So the site is SpinRite sales oriented. And for example, SpinRite is there in the top-level menu, but there's no mention of the Benchmark in the menu. I do have it under freeware utilities, but it's not really a freeware utility. Although for what it's worth, version one is still available. If for whatever reason somebody can't spend $9.95, I understand. I still want them to have what I have available, which is version one.

Steve Gibson [02:41:36]:
And so you're still welcome to that.

Leo Laporte [02:41:37]:
Good. GRC.

Steve Gibson [02:41:40]:
It does misrank your resolvers, unfortunately. I did the best job I could back then, but I know how to do it now, because the world's changed a lot in 16 years.

Leo Laporte [02:41:49]:
It absolutely has. If you go to GRC.com, you can also get the show there. There are a lot of places to get the show, but that's one of the places. There are some unique versions there, though, I want to tell you about. There's a 16 kilobit audio version for the bandwidth impaired. There's a 64 kilobit audio version that's full fidelity. There are the transcripts, written by an actual human being, not AI generated. Elaine Farris does those.

Leo Laporte [02:42:15]:
Those take, as a result, a couple of days to get up on the site. And there's show notes, by the way, the show notes are one of the mailing lists Steve offers. So if you sign up for those mailing lists, there is one for show notes. So you'll get that automatically. Otherwise you can go to GRC.com and download it. Get yourself a copy of the DNS Benchmark, SpinRite.

Leo Laporte [02:42:35]:
Give me your email, sign up for the newsletters and then anything that's your assignment. Anything else, it's on you. There's a lot of other fun things you can do at GRC.com and one of them is his whole vitamin D story under. I think it's under research.

Leo Laporte [02:42:51]:
It might be interesting for you to know that we are going to repeat that very famous. Yeah, under health. That very famous vitamin D episode from I think 2009. It's that old. And that will be our New Year's Eve show. New Year's Eve Eve show. The penultimate day of 2025 show.

Steve Gibson [02:43:14]:
We're going to update it a little bit also.

Leo Laporte [02:43:15]:
Yeah, we'll have to update it. The other thing is, because it was audio back in those days, there was no video. Anthony Nielsen has created a very nice kind of yule loggy thing you can run in the background. You can. You'll see when you do that, you're listening to the show. There is a little bit of video associated with it that Anthony did a nice job with that. So GRC.com to get all of that stuff. You can also, of course, get the.

Leo Laporte [02:43:43]:
Podcast. I almost called it a radio show. Get the podcast at our website, TWiT.tv/SN. There's audio there and video. 128 kilobit audio and video. There's video at the YouTube channel dedicated to Security Now, in fact, you'll find that YouTube link on our website, TWiT.tv/SN, as well as a link to a number of podcast clients. Or you can use your favorite.

Leo Laporte [02:44:07]:
If you subscribe in the podcast client.

Steve Gibson [02:44:09]:
Then you get it automatically.

Leo Laporte [02:44:10]:
We'd also like to invite you to join the Club. This is the time of year when I am being very grateful for all of our wonderful Club members who make all of this possible.

Leo Laporte [02:44:41]:
Go to TWiT TV Club. TWiT. 10 bucks a month, $120 a year.

Leo Laporte [02:45:01]:
You'll get access to our Club, TWiT, Discord, all the special programming we do. There's a lot of great stuff as a thank you really for your support of TWiT.

Leo Laporte [02:45:30]:
I am finished, Steve. We'll see you next week on Security Now.

Steve Gibson [02:45:39]:
Bye.

Leo Laporte [02:45:43]:
Security Now.
