Security Now 1059 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. He's a little miffed. We actually get a rare Gibson rant over the life cycle of code signing certificates. It's going to be dramatically reduced for no good reason. Ads coming to your ChatGPT. Why did they ban the Raspberry Pi from the New York City inauguration? And an astonishingly good British TV series Steve wants you to know about. Plus magnesium as a supplement.
Leo Laporte [00:00:32]:
And then a look at a very big, very problematic flaw called Mongo bleep. It's a jam-packed show. Stay tuned. Security Now is next.
TWiT.tv [00:00:44]:
Podcasts you love from people you trust.
Leo Laporte [00:00:48]:
This is TWiT. This is Security Now with Steve Gibson, episode 1059, recorded Tuesday, January 6, 2026: MongoBleed. It's time for Security Now, the first show of 2026. Let's see if Steve has changed at all in the new year. No.
Steve Gibson [00:01:14]:
And the answer is no. And that's a good thing.
Leo Laporte [00:01:18]:
And that's a good thing. Steve Gibson is here. The man of the hour. The man every Tuesday we tune in for to find out what the latest is in the security news.
Steve Gibson [00:01:26]:
Hi, Leo. 2026. It is a new year, a new amazing ride for our listeners, for the world, for everything. And I have to say I'm developing another major platform-level, philosophical feeling about security that is beginning to evolve. We will be seeing "authentication is broken" again, because that's something. But I'm really beginning to get a sense of diminishing returns. I'm reminded of the fact that we can't build light rail because we have so over-regulated ourselves, you know, on the off chance that something bad might happen to something somewhere. I mean, you can't prove a negative, right? And so the insurance salesman makes his living by saying, "But what if?" Right? And as a consequence, a lot of people have insurance that they actually may not ever need, because that thing, you know, didn't fall off, or whatever. We're beginning to see that. I'll be talking about another reduction in certificate length which has no justification. And this new feature, SAC, Smart App Control, that landed in Windows 11, which cannot be turned off, where you can't allow apps you trust, or exceptions.
Steve Gibson [00:03:17]:
All of Microsoft's stuff. Until now, with all of Windows Defender, you could say, okay, fine, I want to dedicate this directory to things that you don't bother me about. That's going away. So end users are being increasingly inconvenienced in the same way and for the same reason that we can't build light rail in California. It's diminishing returns. It's the belief that we can apply our fancy technology to solve problems where the presence of that technology creates a bigger problem than what it is trying to solve. And I think this is the year where we're going to begin to see it. The signs have been there, and we've been reporting on this until now. I think it's going to mature, unfortunately, this year and next, where things are becoming increasingly constrained in a mistaken belief that we're going to be able to fix this just by being more tricky, by applying technology, where we're not really fixing mistakes much and the human factor is still there. Anyway, you've got a new...
Leo Laporte [00:04:46]:
Philosophical framework building, I understand. Yeah, when you said that, I was actually hoping you were going to write a new operating system to replace the crappy ones we have, but I guess that's...
Steve Gibson [00:04:56]:
Off the table. Actually, as you're going to see, a bright light for Linux here, because I have gone...
Leo Laporte [00:05:04]:
All in on Linux. I long ago was fed up with Windows, and I'm not happy with the direction Apple's taking with macOS. The only operating system out there I know of that I can really have be exactly what I want, no more, no less, without ads, without constant "Hey, you want to download Chrome?", without any of that stuff, is Linux. But we'll talk about that in a little bit.
Steve Gibson [00:05:28]:
Yes, we will. Today's podcast is titled MongoBleed, which...
Leo Laporte [00:05:36]:
Is not from Blazing Saddles.
Steve Gibson [00:05:41]:
MongoDB, it turns out, is the fifth most popular database system in the world. We'll be getting to that in a second, but it's got a bad problem, and the cool thing is what we're going to look at is a problem that we can perfectly describe. This bug has been in there for eight years, so all versions of it, all 87,000 copies, at least 87,000 have been identified by Censys, are vulnerable. And oh, it's been a rocky Christmas and New Year's for those people. We're going to talk about code signing certificate lifetimes being shortened. A vote was made late last year to shorten code signing certificate lifetimes by two years. Sadly, ChatGPT is heading toward an advertising profit model; I want to touch on that. The Python Package Index guys are strengthening their security. They just announced...
Steve Gibson [00:06:51]:
That's great. BitLocker gets hardware acceleration, but not today. New York City's mayoral inauguration did the weirdest thing: they banned Raspberry Pis and Flipper Zeros.
Leo Laporte [00:07:08]:
Yeah.
Steve Gibson [00:07:09]:
Like, what? We've got... Oh, I have news. I was bending Benito's ear before we began recording about my discovery of an astonishingly good British time travel series, which...
Leo Laporte [00:07:28]:
Oh, I love time travel.
Steve Gibson [00:07:29]:
Oh, Leo, if you have not seen The Lazarus Project... There's no danger of me overselling this thing. It is...
Leo Laporte [00:07:39]:
Oh, I want to see it.
Steve Gibson [00:07:41]:
So. Well, yeah, we'll get there. Also, we've got news, just in the news, following our vitamin D special podcast last week, of a critical link between vitamin D and magnesium. You know, but our listeners don't know, that magnesium is another one of the things that I have focused on.
Leo Laporte [00:08:02]:
I do so much magnesium now.
Steve Gibson [00:08:05]:
Good.
Leo Laporte [00:08:05]:
I actually had to back down a little bit, because I think I was reaching a saturation, as one does.
Steve Gibson [00:08:12]:
I'm going to delicately explain about.
Leo Laporte [00:08:15]:
Well, there's all kinds. There's glycinate, there's citrate, there's 308. So good. I want to hear more about this. Yeah.
Steve Gibson [00:08:22]:
Yep. And ask me things, because there are things I didn't get to. I was a little self-conscious about talking a lot about supplements on our Security Now podcast. But the response I got from people being reminded about vitamin D... I think probably, Leo, many of our listeners have been aging along with us for the past 20 years. And so, when you're a Gen Z, indestructible, go-all-day-and-night person, you don't think about health and longevity. But when you're in your late 60s and 70s, it becomes something you tend to focus on a little bit more.
Leo Laporte [00:09:07]:
So but anyway, it's too late, of course.
Steve Gibson [00:09:09]:
So yes, you do want to... Yes, you want to create as much found for the future as you can. And you and I both did 20 years ago. Oh, and a Picture of the Week. I'm so happy with my headline on this. It was a picture that had a different caption. I gave it one that I love, which I think everyone's going to get a kick out of. So I think probably we've got an interesting podcast for kicking off 2026.
Leo Laporte [00:09:37]:
Well, it's about time, Steve. I've been meaning to mention that. No, this is the show... this is rapidly becoming our most popular program on the entire network, and I'm not surprised. It's all because of your stellar personality.
Steve Gibson [00:09:54]:
I spent the last two days writing it. So all of Sunday and all of Monday went into it. I don't know if...
Leo Laporte [00:10:01]:
People understand how much work you put in. I guess they probably do, if they ever look at the show notes. You basically write a novel. Today's is 22 pages long of density.
Steve Gibson [00:10:12]:
And this one, I did write most of it instead of just copying and pasting stuff.
Leo Laporte [00:10:16]:
You really put a lot of effort into it. So I appreciate that, Steve, and I know our audience does as well. Let's take a little break. You know who else appreciates it? Our fabulous sponsors. We're very happy to know that they've got an audience of very smart people who are working in security, working in areas that they're experts in, but they're always interested in new ideas, new products, new tools that can make their life better. This is a brand new sponsor. We're very happy to have them on. In fact, I had a great conversation with them just a couple of weeks ago.
Leo Laporte [00:10:51]:
It's called Meter. They are a company that's devoted to building better networks, and actually their history, their story, is interesting. They were of course network engineers just like you, working on the ground, and they said there's gotta be a better way, there's gotta be better hardware, there's gotta be better control planes. If you're a network engineer like them, you know the headaches: legacy providers with inflexible pricing, I'm talking ISPs even, right? IT resource constraints stretching you thin. I mean, nobody's ever got a sufficient budget. Complex deployments across fragmented tools, especially nowadays with companies acquiring other companies and other properties.
Leo Laporte [00:11:37]:
You know you're going to have one Wi-Fi system in that warehouse that's not compatible in any way with the Wi-Fi system at the home office, and on and on and on. You, as the network engineer, it all is on your shoulders. You're mission critical to the business, but you're working with infrastructure that wasn't built for modern demands. That's why so many businesses are switching to Meter. Now, I admit I had never heard of them. So I went to the website when they first approached us and I looked and I said, wow, this is what people need. Meter delivers full stack networking infrastructure. I mean the whole stack.
Leo Laporte [00:12:16]:
Wired, wireless, even cellular. It's built for performance, it's built for scalability. It's built for you to manage. That's important too. Meter designs their own hardware, writes their own firmware. They build the software, they manage the deployments, and they provide support. In fact, you can have Meter set the whole thing up if you want. You can have them be a consultant.
Leo Laporte [00:12:41]:
You can have them just be out there for support and do it all yourself, because they know, as a network engineer, everybody's got different needs. Meter will help you with everything, from ISP procurement down to that level. Security, of course, that's job one. Routing, switching, wireless, firewall, cellular, power. They'll do DNS security, VPNs, they'll help you set up SD-WANs, multi-site workflows, all in a single solution: Meter's single integrated networking stack.
Leo Laporte [00:13:14]:
All of this is built on the same stack, on the same hardware, the same software. It scales. You'll see people using it in hospitals. I mean, I spent a little time in hospitals over the holiday break. Everybody's fine. But I noted that in most of them, cell phones don't work. Wi-Fi works. They need Meter. Branch offices.
Leo Laporte [00:13:39]:
You got the home office, then you got the branch office, and ne'er the twain shall meet. No, you need Meter. Warehouses, giant warehouses, or campuses, large campuses, data centers. You know who uses Meter? Reddit, perfect example. Or I'll give you another testimony. The assistant director of technology for Webb School of Knoxville. He said, we had more than 20 games on campus between our two facilities. Each game was streamed via wired and wireless connections. The event went off without a hitch.
Leo Laporte [00:14:13]:
We could have never done this before Meter redesigned our network. If you're just hearing about it now, as I was, I really want you to look at this. With Meter, you get a single partner for all your connectivity needs. This is your dream come true. This is what you've been looking for, from the first site survey to ongoing support, without the complexity of knitting together and managing multiple providers, multiple tools. The ISP says, well, it's the router's fault. The router says it's the ISP.
Leo Laporte [00:14:41]:
None of that. Meter's integrated networking stack is designed to take the burden off you, off your IT team, to give you deep control, to give you visibility, totally reimagining what it means for businesses to get and stay online. And we needed this, because everything has changed. Meter is built for the bandwidth demands of today and tomorrow. We thank Meter so much for sponsoring. Go to meter.com/securitynow, book a demo. That's all I ask. M-e-t-e-r.com/securitynow to book a demo. The time is right.
Leo Laporte [00:15:16]:
We need it. meter.com/securitynow. Thank you, Meter, for believing in us. And I think you're gonna have some people who are very happy to find out about Meter. meter.com/securitynow. I am prepared. I have not looked at the Picture of the Week.
Steve Gibson [00:15:35]:
I think you should just gaze upon it.
Leo Laporte [00:15:38]:
Let it gaze upon... I gaze upon it. Will it.
Steve Gibson [00:15:42]:
We'll share your response.
Leo Laporte [00:15:43]:
I shall scroll up and then I.
Steve Gibson [00:15:45]:
Will explain and you can see my.
Leo Laporte [00:15:47]:
Face as I see it for the first time.
Steve Gibson [00:15:49]:
I will share the caption.
Leo Laporte [00:15:51]:
Okay, well, I've seen this many, many times. Account verification. Oh, we... yes, we just said. They're telling me what the code was.
Steve Gibson [00:16:06]:
So I gave this the caption: The sales pitch. Really? Why reinvent the wheel? Allow agentic AI to take all the drudgery out of your repetitive coding tasks.
Leo Laporte [00:16:24]:
This is vibe coded. It probably is, isn't it?
Steve Gibson [00:16:26]:
Isn't this wonderful? And then we have the agentic AI and vibe code produced second factor authentication screen. It has the headline "Account Verification." And then it says, "We have just sent the code 435841 to your phone number," and then it has blanked out, with the last four digits 8247. "Please enter the code below to access your account." So isn't that wonderful? Oh my God, it is so good.
Leo Laporte [00:17:05]:
And when you first look at it, you might not... Yeah, right. That makes sense.
Steve Gibson [00:17:08]:
Yeah. Yeah.
Leo Laporte [00:17:11]:
I guess I don't have to look at my phone now.
Steve Gibson [00:17:13]:
It does speed up the login process.
Leo Laporte [00:17:15]:
Sure does.
Steve Gibson [00:17:15]:
So that's good. You don't have to wait for the code to arrive. Okay, so I want to begin this first podcast of 2026 by exploring around the edges of a recently decided and announced, and I have to say discouraging, update that follows a disturbing trend which will have a significant impact on our industry. And I understand that those behind it are claiming it will have a net positive impact on security, but I question whether that's true. And I suspect that the positive impact it will most have is upon the certificate authorities' revenues and profits. Today's level of persistent cybercrime, which we know exists, right? I mean, it's out there, and the bad guys are more aggressive and, frankly, money hungry than ever.
Steve Gibson [00:18:19]:
It's the ability to get paid through cryptocurrency that has enabled this. They're pushing the world, you know, the cybercrime baddies are pushing the world, to a place where only software that is validly signed will even be considered for execution. Signatures are required for iOS apps, Linux distros, secure booting, Android APKs, browser extensions, and all of the various gaming consoles, including smart TVs, and even the firmware for home routers, NASes and cars. All of this needs to be signed. Linux, being inherently more open, is the only remaining OS where signing is either unnecessary or not strongly needed.
Leo Laporte [00:19:17]:
It's a different kind of signing. I mean, when I download an app, often it is signed with a hash, you know, MD5, or a PGP key to identify the developer. But that's voluntary; that's not from the operating system, that's from the developer.
Steve Gibson [00:19:32]:
There is no requirement by the OS. Right. Windows apps can theoretically run without signing, but only now, with Windows Defender there, if they are very well known. The only hope any newly minted Windows app has of running today is if it's carrying a signature, and even then only if that signature itself has previously established a strong reputation by virtue of the applications it has signed that had been previously seen and haven't caused problems. It's all about reputation. But we've seen that other apps like Notepad++, which have a sterling reputation, will have serious trouble if they are unsigned or, as its author briefly attempted, are self-signed. That landed with a big thud, because everybody was complaining that Windows Defender wouldn't allow their update to Notepad++, that they'd had for years, to run at all. So if Linux we could consider is lax, but probably not necessarily guarded, whereas Windows is, then macOS sets the bar about as high as it can go.
Steve Gibson [00:20:52]:
Any macOS application that's not signed is assumed to be malicious. You really need to be a registered developer in good standing to have any chance of macOS running your software. So that's pretty much where we are today. Essentially, anywhere it's practical to require a signature on software, a signature will be required. The problem is this is still an imperfect system. Bugs in signed software are no less prevalent than in unsigned software, so signing offers no guarantee about software quality. And bad guys are just as able to exploit bugs in signed as in unsigned software.
Steve Gibson [00:21:42]:
But it is certainly worthwhile to require a signature rather than not. If nothing else, something somewhere is known by someone about the signer of the software; there's at least some modicum of accountability and traceability. So I can see that it's not a bad thing. And if a piece of signed software is discovered to be malicious, then its signing certificate can be immediately blacklisted, and is, so that nothing else signed by that presumably malicious certificate will be trusted. Now, it's not unreasonable to expect a Linux user to be cautious about what and where they obtain their software for their machines. That's more the Linux user demographic, right? But that's certainly not the case for the casual Windows user who browses around Microsoft's Windows Store looking for stuff to download and run just because, why not? It's there. So everything and anything that comes from the Windows App Store is signed, must be, by a known developer.
Steve Gibson [00:22:56]:
We're talking about what has become the crucial security topic of code signing today, because in another move that makes very little sense to me, late last year the CA/Browser Forum voted to reduce the maximum lifetime of code signing certificates for any certificates issued from March 1st of this year on. So less than two months from now, the maximum lifetime of a code signing certificate that will be issued by any certificate authority will be reduced from 39 months, which is a comfortable three years plus three months, to a far less convenient one year and three months, taking two years off of what has been the pattern so far. Yeah, and this is occurring for no apparent reason that addresses no apparent problem. Back in 2022, the policy was finalized that no code signing private keys could exist outside some form of hardware token or HSM, which would prevent their theft. That policy took effect on June 1, 2023, fully two and a half years ago. From that date forward, June 1, 2023, certificate authorities would only issue code signing certificates in hardware. And critically, this is not...
Steve Gibson [00:24:46]:
This applied not only to extended validation code signing certificates, which had long been required to reside in hardware isolation, but to all code signing certificates, even the lesser verified code signing certificates. So that move, made two and a half years ago, ended the opportunity for code signing certs to be remotely stolen. I remember years ago, Leo, like a decade ago or more, we talked about a theft somewhere, I don't know, like in Taiwan, or there was a theft at a physical facility where their certificates got stolen, or maybe it was a remote break-in, but you know, they...
Leo Laporte [00:25:33]:
Have a piece of paper in a safe. How could you? I don't...
Steve Gibson [00:25:37]:
Yeah, so, but for the last two and a half years, all code signing certs of any caliber had to be installed in hardware.
Leo Laporte [00:25:47]:
Yeah.
Steve Gibson [00:25:49]:
So there was, as a consequence of that... it meant that no code signing certificate could be exfiltrated by any remote attacker, period. You can't, you know, even the owner of the dongle, the HSM, can't get the private key. It won't. There's no API; you can't extract it. It is a write-only system by design. Nevertheless, the certificate authorities have voted and decided that even safely stored code signing certificates must be renewed now much more frequently.
Leo Laporte [00:26:28]:
So I understand why this happened with TLS certificates, because of issues with revocation, right? There's nothing like that for code certificates, right?
Steve Gibson [00:26:38]:
No, no. And this is another part of the annoyance. It's not as if this is actually going to prevent maliciously signed malware. You're going to get companies posing as reputable software publishers who obtain a code signing certificate and establish a reputation, very much the same way that people who run forums see people creating accounts that are dormant for a while in order to sort of slip under the radar, and then they start getting up to some mischief downstream at some point. The same thing is happening here. So it's not like this actually solves a problem. You can still have valid code signing certificates issued to malicious parties, because the validation process cannot be perfect. Because again, it's the human factor, which is where all of our security ultimately fails, whether it's humans writing code that has bugs or humans saying, are you really, you know, Steve Gibson? So this raises the question, right? Why would the CA/Browser Forum feel the need to reduce the life of absolutely theft-proof code signing certificates? What benefit could there possibly be to them? And does this have any impact upon the browser side? Remember, the CA/Browser Forum is the certificate authority and browser forum.
Steve Gibson [00:28:14]:
Does this have any effect on the browser side? Looking over the results of the ballot measure which was voted on, CSC-31, which was titled "Maximum Validity Reduction," I was struck by the mix of voters. And using the term "mix" would be technically inaccurate, since all 10 of the yes votes came from certificate issuers. Subsequently, updating myself about a conflict of...
Leo Laporte [00:28:43]:
Interest at all, is it?
Steve Gibson [00:28:45]:
Oh, it gets better, Leo. It's exactly this. What we have forming is a cabal. While updating myself about what's been going on and poking around the industry, I stumbled upon an interesting tidbit that pretty much explained what's happening. The light bulb lit for me. There's been a recent significant increase in cloud-based code signing. In other words, the push for shorter and less convenient use of the super secure hardware security modules, by shortening the maximum life of the certificates they can contain and store, while providing no automation for their management, has the indirect effect of actively discouraging code signers from obtaining and managing their own code signing certificates. It appears that the future of code signing will be the establishment of a subscription relationship.
Leo Laporte [00:29:55]:
Oh my God. Yes, you're right, it does get worse.
Steve Gibson [00:30:01]:
It does get worse. It will be the establishment of a subscription relationship with a major provider such as GlobalSign or DigiCert. Remember that what code signing actually signs is a cryptographically secure hash of some code. This makes it entirely feasible for that process to be remoted to a cloud-based service. A cloud-based code signing utility takes a cryptographic hash of the code to be signed and forwards it to the signing provider's cloud service after verification and validation of the identity of the signing party. And note, Leo, this is the glitch here, because they still have to verify. The cloud provider needs to verify the person asking for this to be signed is who they say they are. Well, have we ever seen authentication fail? Huh? Once that's done, though, after first verifying, of course, that their subscription is in good standing and they're all paid up, the cloud signing provider uses the customer's own private key, which the provider maintains for them and their customer never receives or sees.
Leo Laporte [00:31:27]:
Why would you want your own private key after all?
Steve Gibson [00:31:29]:
That's right. Oh, trust us. Exactly. That's right. We'll keep it for you. They sign the hash of their code for them. The signed hash is then returned to the customer, whereupon the cloud signing utility affixes it to the end of their code to complete the signing process. So taken in aggregate, what has happened, and this is deeply disturbing, is that to an ever increasing degree, all code from anyone and anywhere is inherently mistrusted by default, and will probably only run on Linux unless it has been signed by one of a diminishing number of increasingly large select few signers, who are pretty much free to then charge whatever they wish for the privilege.
Leo Laporte [00:32:28]:
This is enshittification. Exactly.
Steve Gibson [00:32:31]:
Yes, it is. Yes, that is exactly what it is. What has slowly been growing and evolving is a cabal. We've been witnessing a consolidation of certificate authorities over the past decade as the bigger fish swallowed up the littler fish, while also, not surprisingly, raising their rates. Today, the least expensive code signing certificate I could locate was identified at $270 per year. But purchasing a three-year certificate offers a 20% discount, so that's $647 for three years. They'd like to get your money up front. They can.
Steve Gibson [00:33:13]:
GlobalSign is just over twice as expensive per year at $550 with no multi-year discount. And DigiCert leads the pack at $840 per year. Think about that for a second. $840 per year for no reason other than because they can. And because we, code authors everywhere, will have no recourse, no choice.
Leo Laporte [00:33:44]:
And this really impacts you, because you're not running your software on Linux. You're running on Windows. So this will be a requirement, right?
Steve Gibson [00:33:53]:
Yes. My stuff will not run unless it is signed. I made a mistake over the holidays, because I've been producing incremental updates of the DNS Benchmark. I'm gonna have a really neat surprise for all DNS Benchmark people in another couple weeks. But I dropped an unsigned copy on VirusTotal and, oh, it lit up like a Christmas tree in red. And I thought, what the heck? And then I thought, oh, thank goodness, it's just because I forgot to sign it. I signed it. Zero...
Steve Gibson [00:34:30]:
Out of 73 or 72 AV tools thought there was a problem. Unsigned? Not a chance. And then of course we have that new SAC, the Smart App Control in Windows 11 that doesn't allow an exception. We stumbled on that a couple times. Good news is you try a couple hours later and then it works. So it's, you know, okay. Anyway, the upshot is all of the commercial platforms now require code to be signed. And a very small and shrinking group of increasingly powerful commercial authorities have decided to follow the TLS model of continually shortening the lifetime of those code signing certificates which they alone are empowered to issue.
Steve Gibson [00:35:29]:
Today's code must be signed. Even the Notepad++ guy, he's now got a GlobalSign certificate. He had to buy one because he had no choice. Today's code must be signed. So code authors have no recourse other than to pay an annual tribute to the certificate gods in order to qualify for the privilege. It's against this backdrop that the certificate authorities all voted to take two full years off of the maximum code signing certificate lifetime that we have today, reducing it by 24 months, from 39 months to 15. Why? Because they can. They all voted for it because there's no one to stop them.
Steve Gibson [00:36:21]:
Certificates that have been locked up in hardware are not subject to remote attacker theft, period. And we know where this is headed, right? We've seen this play out already with web server TLS certificates. We've watched as TLS certificate lifetimes gradually dropped from their original lifetime of 10 years and are now headed down to 47 days a few years from now. With certificates expiring more often than every seven weeks, as they will be, automation becomes the only practical solution, despite all of the many inconveniences it incurs in situations where the use of the ACME protocol is not practical. And I mean, it's creating lots of problems for people. And so the same thing is clearly happening with code signing. Once the various certificate authorities get the infrastructure in place to support cloud-based code signing, that'll be the only practical way code can be signed. Maximum code signing certificate life was just reduced for no reason.
Steve Gibson [00:37:28]:
Effective this coming March 1st. Does anyone imagine that will be the end of it? In the future it will be necessary for anyone who wishes to produce software for general use that any platform will accept, except Linux, which will be the haven... Essentially, they will need to obtain and maintain an account with a cloud-based code signer.
Leo Laporte [00:37:54]:
What happens when you write your own code? Can you run your own code on your Windows box?
Steve Gibson [00:37:58]:
No, I can't. The only way I could do it was by whitelisting the entire ASM tree on my system. Before, when I set up a new system and forgot to do that, the code I assembled and linked into an EXE was immediately deleted from the hard drive.
Leo Laporte [00:38:22]:
Oh my God, that's awesome.
Steve Gibson [00:38:24]:
That's the world we're in now.
Leo Laporte [00:38:26]:
Now, you can disable this feature, right, under Windows 10?
Steve Gibson [00:38:30]:
I can. Windows 11 is coming with this new SAC, the Smart App Control. It cannot be turned off. If it's turned off, and you can force it off, you can then never turn it on again, because Microsoft has decided that, oh well, if you're going to turn it off, we're not going to let you turn it on. You have to reinstall Windows 11 to turn it on.
Leo Laporte [00:38:56]:
Yep. Yeah, yeah.
Steve Gibson [00:38:58]:
So I mean, think of it, Leo. I mean basically all of this original PC hobby control, which you could argue built this industry is going commercial and is being taken away from us.
Leo Laporte [00:39:19]:
And this isn't really the spirit of personal computing if you ask me. No. If you can't write your own software, it's not your computer.
Steve Gibson [00:39:27]:
Right, right. So I don't know when this is going to happen. It'll be gradual over time. That is the shortening of, of code signing certs. But watch it. It happened just like it was with TLS certs and we have a model for that today. No one needs to wait. DigiCert is ready today for only eleven oh four dollars per year.
Leo Laporte [00:39:55]:
What?
Steve Gibson [00:39:56]:
Eleven hundred and four dollars per year. A hundred bucks a month? They'll be glad. But wait, there's more. They'll be glad to sign your code in the cloud, but there's one limit, Leo. A glitch.
Leo Laporte [00:40:09]:
What?
Steve Gibson [00:40:09]:
They limit it to 1,000 signatures per year. I'm not kidding. Unlike the past world where after obtaining a code signing certificate, we were free to exercise our right to sign as much code as we like. Once code signing has evolved into a DIS service, the provider will hold not only our private key, but all the cards. And with ever fewer certificate authorities, we can expect this to continue increasing in cost. So what if.
Leo Laporte [00:40:46]:
For what?
Steve Gibson [00:40:47]:
What?
Leo Laporte [00:40:47]:
For what?
Steve Gibson [00:40:47]:
I know. So now there's not only do you have to pay $1000 a year or eleven hundred dollars a year or. But you can. You. There's a limit on how much you can sign because it's now it's a service and they can.
Leo Laporte [00:41:01]:
But okay, that's like 1100. A thousand different programs, not the same program a thousand times.
Steve Gibson [00:41:11]:
Well, yeah, you would never. But, but for example, right now I've been producing incremental builds.
Leo Laporte [00:41:17]:
Oh, every version is a different program.
Steve Gibson [00:41:19]:
Yeah. Yes. Yeah. We're at release 85. All of them signed. Because all of the people testing have to have a signed executable or their Windows won't run it.
Leo Laporte [00:41:31]:
So you could easily hit that limit even with just one package, one software.
Steve Gibson [00:41:35]:
Yeah.
Leo Laporte [00:41:35]:
Wow.
Steve Gibson [00:41:36]:
So for what it's worth, anyone who's been signing their own code, who may be getting ready maybe to make that jump, might wish to grab a 39 month code signing certificate, that is to say three years and three months, while you still can, prior to March 1st. You'll be able to obtain an additional two years of hassle free, cloud free and also unlimited, no one's counting your signings, code signing. And, and frankly, thanks to our listeners' generous purchases of SpinRite and our new DNS Benchmark, all of which is signed, I can afford to take my own advice and I plan to do so. I will be refreshing my code signing certificate before March 1st so that I could get 39 months and push off for another three years and three months whatever happens next, you know, and that means that I won't need to continue to keep continually updating a hardware security module. You know, while that's not a big problem, it should not be necessary. There's no big problem that's being solved by shortening the lifetime of any certificate that's stored in hardware.
Steve Gibson [00:43:00]:
So forcing this upon the world appears to be about nothing but profit and control. Because they can. I'm sure our listeners are also aware that none of our real world experience suggests that the use of, as I said before, a remote third party cloud based signing system would actually be more secure than simply signing with the use of a local physical dongle that can remain offline, unplugged, you know, until it's needed. Earlier I glossed over the fact, you know, that the remote code signing certificate service would need to be certain that the certificate's owner is the one requesting some code be given their signature. You know, I don't know that I want my private code signing key held in the cloud by a third party. How is that more safe for me? It's less safe.
Leo Laporte [00:44:02]:
What if they have a breach?
Steve Gibson [00:44:03]:
Yes, exactly.
Leo Laporte [00:44:05]:
And it's not like that's not ever happened.
Steve Gibson [00:44:08]:
Exactly. And before we leave the topic of certificate lifetimes, I'll remind everyone of the upcoming March 15 deadline which is also approaching. That's when maximum TLS certificate lifetimes will be cut in half from around 398 days to just 200 days. So anyone who may need to be managing TLS certificates manually, and there, as I said, there are still many such use cases, updating close to but before this upcoming March 15 deadline will allow you to defer the need to find some better solution for another 13 months before it gets cut in half. So Leo, we are in a different world. And as I, and I said this is just, this is. It feels so usurious that you. Nothing costs them a thousand dollars for an automated service. Nothing.
Steve Gibson [00:45:12]:
It used to be what $45 a code signing cert.
Leo Laporte [00:45:17]:
You, you know, it's pure greed.
Steve Gibson [00:45:20]:
It is and there's, we have no control. I mean there's, there's nothing you could do. Someone suggested I, I. There was some dialogue of this in the GRC newsgroups and someone suggested, well, what about, and in fact he was an author of freeware or charityware, uh, to I think like that, that supported, it was some application that, that supported the members of his church, and he said I can't afford, you know, hundreds of dollars every year to, to have a code signing certificate. He said, I mean I, I can't, and but of course his members are all using Windows because that's the, the most common desktop platform still. So what does he do?
Leo Laporte [00:46:12]:
Yeah, and you can't tell your, your potential customers oh just disable security on your system and then you'll be able to. You can't say that. That's so.
Steve Gibson [00:46:19]:
No, you, you can't. No. And Microsoft has made it one way. It used to be under Windows 10 with Defender that it would quarantine and you could go in and click a few, you know, drill down and say, no, trust this.
Leo Laporte [00:46:35]:
Or, or that's how it is on the Mac right now. But not probably for very much longer, I would imagine.
Steve Gibson [00:46:39]:
Yes. And it's gone. It has disappeared from Windows 11. They said no, all in the name.
Leo Laporte [00:46:44]:
Of security, but we know better. It's not more secure.
Steve Gibson [00:46:48]:
And that's just it, Leo. It's not. And this is, as I said at the top of the show, it feels to me like, because we can do, we can use our fancy technology to do these things, you know, we're. And it's, I mean it's, it's like, it's like the, the UK saying, well, we want decryption of, you know, of messaging because we know you geniuses can figure out how and you'll make it safe and, and you'll just do it because we're going to pass a law that, that says you have to just nerd harder.
Leo Laporte [00:47:25]:
That's what Cory Doctorow says, nerd harder. You're not nerding hard enough. Is it possible, Steve, for somebody to do what Let's Encrypt has done and make an open source code signing, like free code signing?
Steve Gibson [00:47:41]:
Windows would have to decide to trust.
Leo Laporte [00:47:44]:
Microsoft, have to support it. Yes.
Steve Gibson [00:47:46]:
Yeah, Microsoft. And Android. And Android. And they would say that. And so, so, so there is a difference in the model though. Let's Encrypt verifies your control of the domain. The only thing the TLS certificate is doing now is giving you encryption. That's why it's called Let's Encrypt. It's not saying who owns the domain, it's saying whoever owns it can have a certificate to encrypt it.
Steve Gibson [00:48:18]:
That's where this is different. Code signing certs say this person owns, you know, this person or company owns, you know, is the producer of the software. So, so there is some work that they have to do in order to say, okay, you know, you're, you're who you are. But so it's, it's not automatable in the same way. If it were, then malware would all do it. So malware has to go to some lengths to fraudulently obtain a code signing certificate. But you know, they will and they will then use it like crazy until it becomes blacklisted and then they'll get another one or pull another one out of their queue of previously acquired, maliciously obtained certificates. And, but it feels to me like, like all of the legitimate use cases for unsigned software are being killed in the name of, of trying to pursue forcing everything to be signed, even though that signed code will still have bugs.
Steve Gibson [00:49:30]:
It's not like the bugs disappear because you have a signature. It's just saying we know who signed this. It's, it's like it's creating a big barrier that doesn't actually improve security. It's not. And it's not like they're like, when are we talking about maliciously signed EXEs? On this podcast we talk about everything that happens that isn't a problem. It's like certificates being stolen from websites. It's easy to say, oh, they could have their certificate stolen. Well, that doesn't solve the problem.
Steve Gibson [00:50:04]:
You still need to route traffic. You need to maliciously route traffic to a domain name, to a bad server. So even stealing a certificate isn't the end of the world. You've got to somehow arrange for that domain to map to an IP which is malicious, which also has that certificate. So we're doing all these things that really create serious inconvenience for very, very, very little gain. Again, why? Because they can. And I was reminded of, of our, of something I said on this podcast earlier. I should be, I, as the owner of GRC, should have the ability to say my security model is fine with a, with a TLS certificate that has a five year life or ten year life.
Steve Gibson [00:51:03]:
I, if, if Microsoft or Amazon or, or some, or eBay want to have 47 day or four day continually renewing certificates, great, let them have them. Why force the world down to this lowest common denominator?
Leo Laporte [00:51:27]:
Especially if it doesn't improve security. It doesn't.
Steve Gibson [00:51:29]:
Yes.
Leo Laporte [00:51:31]:
And it just gets in the way of people who want to own their own computer, own their own system. I mean, I understand we got a situation where we got malware and bad guys rampant, but this is not the way to stop that.
Steve Gibson [00:51:45]:
Yeah, we have a guy in the newsgroups, first name is Alan, who wants to run his own email server. Well, email has to be TLS, but, but email isn't a web server that can accept an ACME challenge, automate it. No. And so, you know, it's like he's going through all this too. It is just diminishing returns.
Leo Laporte [00:52:12]:
Yeah, well, it's good for Linux.
Steve Gibson [00:52:16]:
Actually, Linux is beginning to look mighty fine.
Leo Laporte [00:52:19]:
Yeah.
Steve Gibson [00:52:20]:
And I did find myself wondering, although this isn't a solution for everybody, whether, whether Wine, the, the whether Wine cares about signatures, I don't know, enforcement mechanism.
Leo Laporte [00:52:36]:
It's not running Microsoft Windows, it's emulating it. Not even emulating it, it's just so.
Steve Gibson [00:52:41]:
You don't have defenders sitting around stomping out things before they have a chance to, to see the light of day.
Leo Laporte [00:52:47]:
Interesting. And Wine runs a lot. I mean look, Windows compatibility on Linux has gotten very good, partly because of gaming. Yeah. And Wine has done a great job. I mean you can pretty much run anything now.
Steve Gibson [00:53:01]:
Yeah, I've learned a lot in the last few weeks after releasing the DNS Benchmark because so many people want to run it on Linux and there are a bunch of like commercialized Wine packages. The Wine license allows commercial reuse of all of that good work, where, and they like round off the rest of the rough edges and, you know, and create more of a drop in solution.
Leo Laporte [00:53:24]:
Yeah, it's a business model.
Steve Gibson [00:53:25]:
Yeah, yeah, yeah. But I can't tell everyone, go get Linux and then no software. This is the problem.
Leo Laporte [00:53:32]:
And, and if you're a business you're going to be running Windows. If you're a church you're going to have to support parishioners that run Windows. You just have to. Yeah, they're so dominant now. Somebody's pointing out, well, I guess you could install a local certificate if you're a business. You could install a local certificate on all the business's computers. So you could run your line of business software that you wrote without signing, or you would sign it, you'd sign it with that personal certificate as opposed to a public certificate.
Leo Laporte [00:54:05]:
Right. You just add it to the certificate store, say yeah, yes, this is trusted. Yeah, yeah but that's not a solution. Except in that environment where you control every computer in that environment.
Steve Gibson [00:54:18]:
Well yeah, try, try telling people who come to your website here install my, my. No, no, my own CA certificate in your root.
Leo Laporte [00:54:28]:
That must be what happens. I mean my Synology NAS does not have a certificate. The first time I go there in my browser it says oh, you sure? You sure? It still lets me get through. And once I go, once I say yes, I never have to see that again. So it must be installing a certificate at that point.
Steve Gibson [00:54:45]:
Well no, it still sees that there's a problem. It just, it just, it just put in an exception. It whitelisted it. Okay, whitelist.
Leo Laporte [00:54:53]:
Yeah, yeah, yeah. You want to take a break? And. I really, for a variety of reasons I'm becoming more and more disenchanted with big tech, big operating systems and I really feel like, I've always felt strongly that open source is the right solution. But more and more I don't want to participate in these, in these big tech things. I want to run my own AI locally. I want to run it on a Linux box. I want to do my own thing. But that's a very.
Leo Laporte [00:55:31]:
Most people cannot do that. It's just, it's a privileged position to be in to say that you can do that. Oh, well, all right. Well, we'll have more in just a bit. Steve Gibson, he's going to have a little coffee. He'll feel better. I hope you do too. Actually, Steve and I are very excited.
Leo Laporte [00:55:48]:
We are planning a trip to Orlando, Florida.
Steve Gibson [00:55:52]:
We're going to Disney World.
Leo Laporte [00:55:54]:
Actually we're going to the Zero Trust world. Very excited about this. This portion of the show brought to you by Threat Locker. They do a wonderful conference every year all about Zero Trust. They are the Zero Trust company and, and Steve and I are going to be presenting at that. I'll tell you more about that in a little bit. But let me tell you about Threat Locker first. It's certainly not necessary to tell you that ransomware is just killing businesses worldwide.
Leo Laporte [00:56:21]:
But there is a way around it. ThreatLocker, it can stop ransomware before it starts. Not just ransomware that it knows about. Zero days. Ransomware no one's ever seen before. Ransomware custom designed to target you. Recent analysis from ThreatLocker shows how one particular ransomware operation, I think it's Qilin, it's called, in 2022, 45 incidents. They're just getting started.
Leo Laporte [00:56:48]:
Last year, 800 incidents, and, and that's just one of dozens of ransomware gangs. ThreatLocker's Zero Trust Platform stops Qilin, stops them all, even the brand new ones, because it takes a, and this is what's so great about Zero Trust, a proactive deny by default approach. Deny by default blocks every action that's not been authorized, explicitly authorized. It protects you from both known and unknown threats. ThreatLocker, they call it their ring fencing. ThreatLocker's innovative ring fencing constrains tools and remote management utilities.
Leo Laporte [00:57:27]:
It keeps attackers from weaponizing them. So even if they're in, they can't, there's no lateral movement. They can't mass encrypt stuff. They can't exfiltrate, they can't do anything. ThreatLocker works across all industries. It provides a very robust 24/7 US based support. Really great support.
Leo Laporte [00:57:46]:
People. It works in Windows, it works on Macs, and it enables comprehensive visibility and control, which is great in a, in a world where compliance is important too. That's just one of the nice side effects of zero trust, because everything has to be approved. You know exactly who did what when you have complete visibility and control. And this is the kind of solution that companies that can't afford to be down for one minute need to rely on. I'll give you an example. Emirates Flight Catering. You know, this is, this is, this is like the best airline in the world year after year. And their food, amazing.
Leo Laporte [00:58:20]:
They're a global leader in the food industry and they're big. I didn't realize it's 13,000 employees just for the catering. ThreatLocker gave full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support. Just ask the CISO. It's Emirates Flight Catering. He said, quote, the capabilities, the support. And the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate. With ThreatLocker,
Leo Laporte [00:58:50]:
it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. It's not just Emirates Flight Catering, it's JetBlue, it's Heathrow Airport. Remember, they had some problems before, they were down for a little bit. They've decided that's never going to happen again. ThreatLocker is a solution. The Indianapolis Colts use ThreatLocker.
Leo Laporte [00:59:13]:
The Port of Vancouver uses ThreatLocker. ThreatLocker consistently receives the highest honors in industry recognition. It's a G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot ranked it number one in application control, and GetApp's Best Functionality and Features award in 2025. Visit threatlocker.com/TWIT to get a free 30 day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com/TWIT. For a limited time, we've got a code for you. ZTW Twit 26. Zero Trust World is ZTW. ZTWIT 26, all one word.
Leo Laporte [00:59:52]:
I think it's all caps, ZTW Twit 26. That's 200 bucks off registration for Zero Trust World 2026 and it gives you everything, access to all sessions and hands on hacking labs. You get meals, you get that after party. The most interactive hands on cybersecurity learning event of the year. It's March 4th through the 6th in Orlando, Florida. Join Steve and me and do register to save 200 bucks with the code ZTWIT26. threatlocker.com/TWIT. I'm looking forward to this. It's going to be very, very interesting. This will be a chance to see Steve in a.
Leo Laporte [01:00:33]:
A little bit different setting, I think. Yeah, we're gonna make a show out of it. So even if you're not at Zero Trust World, you'll be able to hear what we do. But. But I think it'd be fun to be there in person. I'll never forget we went to, years ago, it must be 30 years ago now, Chris Pirillo's Lockergnome in Des Moines, Iowa.
Leo Laporte [01:00:51]:
You remember that?
Steve Gibson [01:00:52]:
Oh yeah.
Leo Laporte [01:00:52]:
And just in impromptu, Steve and I, we went down. We were in the lobby of the hotel. They had a nice little lounge with a fireplace. We sat down, we started talking. And as you were talking, it was like the Maharishis there. People started to gather, crowd got bigger and bigger. You were. Pretty soon you were holding court.
Steve Gibson [01:01:10]:
Leo, I think you're being a little too generous. I was unknown at that point. You celebrity.
Leo Laporte [01:01:17]:
Oh, I. Well, once people heard what you were talking about.
Steve Gibson [01:01:20]:
Well, I was the keynote speaker, so I guess somewhat known, but it was.
Leo Laporte [01:01:25]:
A long time ago. Yeah, yeah.
Steve Gibson [01:01:27]:
That was when I first met Mark Thompson. I had never met. We knew of each other, but AnalogX. Yeah, yeah. And he, and he came out for that purpose.
Leo Laporte [01:01:35]:
Yeah, yeah, yeah. It was a lot of fun. Anyway, back to the show.
Steve Gibson [01:01:39]:
Okay, so.
Leo Laporte [01:01:45]:
No, come on, more bad stuff.
Steve Gibson [01:01:47]:
Yeah. We were talking not long ago about this sad idea that ChatGPT's clean answers only dialogue might become laden with advertising. Now, anyone who was around during the birth of Google will fondly recall those original super clean, no nonsense Google search results. I mean it was, it was so nice. Well, those days died once Google realized how much money could be made through advertising.
Leo Laporte [01:02:21]:
Yeah.
Steve Gibson [01:02:21]:
One of the observations I can't help making is that AI is currently a money losing enterprise with high hopes for the future. But it's astonishingly expensive at the moment. And that's worrisome because I, like many others I'm sure, and I know you, Leo, have now figured out what our current AI is and how to leverage its benefits for our lives.
Leo Laporte [01:02:47]:
Oh my God, it's amazing.
Steve Gibson [01:02:49]:
I don't ever want to lose access to it. No, it is, it is really phenomenal.
Leo Laporte [01:02:54]:
It is, I'm afraid, because I use Claude Code. So now for everything, for configuration, for setup, anything. You know I was saying, oh, my laptop buttons don't turn the screen up and down. How do you fix that? And Claude Code fixed it. Fixed it.
Steve Gibson [01:03:10]:
I know.
Leo Laporte [01:03:10]:
You used to have to go, look, you know, go to Reddit, do all these. It just knows, it goes, yeah, fix that. If I lose that, I don't know what I'm gonna do.
Steve Gibson [01:03:17]:
I feel a little guilty sometimes asking it dumb, like, obvious things just because I'm lazy, but it's like, well, there's the answer.
Leo Laporte [01:03:26]:
You know, it's not judging you and.
Steve Gibson [01:03:29]:
And Leo, I do despair a little bit about young ones who grow up with an AI always there. I mean, you've got an oracle on your elbow that just like, why, you know, you're going to end up just learning how to steer it rather than.
Leo Laporte [01:03:44]:
You know, Steve, remember we used to have to. If you wanted to know, like, who starred in that movie in 1939, you'd have to go to the library and look it up. But now you've got all that in your phone and we're all used to it. People don't have to research stuff anymore. This is just the next step along that road.
Steve Gibson [01:04:02]:
We had to learn. We had to know what eight times eight was. Leo.
Leo Laporte [01:04:05]:
Yes.
Steve Gibson [01:04:05]:
We had to learn that multiplication that will no longer be needed.
Leo Laporte [01:04:09]:
I'm sure when people first got calculators, they said, all kids will never learn the math tables anymore. Which is probably true. You know, we had a story on Sunday on TWiT. They took away the cell phones in New York City schools, and it's been a problem because high schoolers can't read analog clocks. So they keep asking, hey, what time is it? They keep asking the teacher, what time is it? And the teacher said, I'm at the point now where I'm saying, well, where's the big hand? Where's the little hand? So this is just the way of the world.
Steve Gibson [01:04:40]:
Yeah, I. I don't know how to.
Leo Laporte [01:04:42]:
I don't know how to shoe a horse.
Steve Gibson [01:04:44]:
If you asked a whole line up a bunch of high school seniors and said, okay, do some long division, they'd say, what?
Leo Laporte [01:04:52]:
What? How do you do that?
Steve Gibson [01:04:53]:
What? What?
Leo Laporte [01:04:54]:
Can I use Claude Code? Yeah.
Steve Gibson [01:04:57]:
So a couple days after Christmas, Tom's Hardware posted reporting along these lines, which I wanted to share because it contains a bunch of additional interesting detail as well. Tom's Hardware's headline was "ChatGPT Could Prioritize Sponsored Content as Part of Ad Strategy." Now, unfortunately, having the phrase "ad strategy" affiliated with AI, that's sad. But they open by, by posing the rhetorical question, are we going to see ads in ChatGPT's answers soon? And they explained, writing, OpenAI is allegedly still working on adding ads to ChatGPT, with sources saying staff are discussing ways to bake them into the chatbot's responses. According to The Information, the AI company is looking to create a new type of digital ad rather than simply copying what existing search and social media companies are running. Well, okay, maybe there's a little bit of hope. This is possible because OpenAI can use historical chat data to serve ads that are highly relevant to users' interests. Okay, now I'm going to interrupt here just to note that it's difficult to argue with that. Right.
Steve Gibson [01:06:19]:
You know, I mentioned that many of us have come to understand what's going on with LLMs, and we understand that one of the things we've come to learn and appreciate is the context window that an account holder builds over time. I remember being taken aback the first time ChatGPT offered some example code to me in Intel assembly language. I was like, what? How does it know? I was quite certain that, you know, it wasn't what it would have offered most users, but I've come to appreciate the degree to which it's able to tune its replies based on our dialogue's history. So, you know, this is not to say that it's going to have any advertisers in its bag that will necessarily match up with my particular interests. That's going to be a problem, right? It's got to have somebody to offer to me. You know, I certainly understand the notion of an AI that's been working with someone for a while being unusually well suited to matching them with relevant advertisers. That idea I think has clear merit, and we know from our previous study of advertising tracking and profiling that much more accurate matching means much more revenue for every highly targeted ad. Anyway, Tom's continues, writing, OpenAI told The Information, quote, as ChatGPT becomes more capable and widely used, we're looking at ways to continue offering more intelligence to everyone.
Steve Gibson [01:08:09]:
As part of this, we're exploring what ads in our product could look like. People have a trusted relationship with ChatGPT, and any approach would be designed to respect that trust. Okay, let's hope. Anyway, Tom's Hardware wrote, staff discussions on ad implementations have ranged from prioritizing sponsored content in the chatbot's answers to adding a sidebar that shows ads related to the user's query. They've also considered showing them only when the conversation moves towards shopping or similar activities, or as a secondary step where ads are displayed only when someone clicks a link in ChatGPT's results. It's been reported that OpenAI is shifting its focus away from ads, especially after CEO Sam Altman declared a code red for the company following the latest version of Google's Gemini, which outpaced ChatGPT in several benchmarks. Altman said that OpenAI needed to improve the AI chatbot's personalization, speed and reliability and cover a broader range of topics, so the company is pausing work on all other projects to focus on these capabilities. However, it seems to be continuing progress on ChatGPT ads despite the recent change in focus. ChatGPT has three main revenue streams at the moment: subscriptions to ChatGPT Plus, Pro and Business; API access for developers; and enterprise solutions.
Steve Gibson [01:09:55]:
Aside from that, writes Tom's, OpenAI said it will start earning revenue from non paying users by 2026, projecting $2 per user per year, which will grow to $15 per user per year by 2020... 30. I'm sorry, by 2030. Despite that, OpenAI has yet to turn a profit since its founding in 2015. Even though its annualized revenue has hit $10 billion earlier this year, it's still expected that the company's operating losses will hit $74 billion annually by 2028. Nevertheless, investors continue to pour money into the company, even as some are starting to ask how its long term profitability will look. For comparison, they finish, Google's ad business accounted for $237.8 billion in revenue in 2023, representing 77% of the company's total revenue. This amount is more than enough to cover OpenAI's estimated losses, and it seems it wants to follow the search giant's playbook by baking ads into its results as well.
Steve Gibson [01:11:16]:
However, this also raises privacy concerns, especially since ChatGPT likely has much more information about its users than Google does. Furthermore, there's the question of how OpenAI will ensure its LLM gives the best answer to the user, especially if it stands to make money by showing ads instead of organic results. And to that I will say, oh boy, nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback that the AI receives. So Leo, what do you think about ads?
Leo Laporte [01:12:00]:
Well, it's all in how you do it, right? I mean, the worst thing of course would be, as you say, if you included the ads in the results. Yes, and it's not clear that it's not an ad. I mean, look, we have ads and I think that's how we support ourselves. I think ads are okay as long as they're clearly identified. Advertisers, of course, always want you to somehow hide the fact that that's an ad. They love that.
Steve Gibson [01:12:26]:
One of the, there's a great publication called The Hacker News and I love it. In the last couple years they began slipping in interstitial like, you know, paid for insertions. Yeah, that's not, that looked, that were made, you know, there was no way to look at them and know that's what it was. And you had to read a little ways in and then you go oh, wait a minute. And it's, it's, it's sad, but yeah.
Leo Laporte [01:12:52]:
They call that advertorial. Or sometimes if they don't want the word ad in there, they'll call it. What was it? Something content. Create custom content or something. It's not okay. We don't do it. And your AI should not do it either. But if it's a little thing on and the, you know, I understand why they're saying shopping because if you go to an AI and you say I want to buy running shoes and they put a link to a place to buy running shoes and it says ad, I think that could even be helpful.
Leo Laporte [01:13:22]:
Right.
Steve Gibson [01:13:22]:
Yeah, yeah, I know that, you know, Lori and I are sharing an account, which makes me a little uncomfortable because I wonder if it thinks we have, if ChatGPT confuses, have a split personality.
Leo Laporte [01:13:33]:
Yes.
Steve Gibson [01:13:35]:
But I, I look at, at the, at the dialogue history and I mean she's using it for all kinds of things where, which are definitely commercial front end. So you know, she's asking it for like get, you know, give her a table of, of of, you know, we're in the process of getting ready to, to set up a new household. So there's like all these things she's like, you know. Exactly.
Leo Laporte [01:14:02]:
So I mean I can, we're gonna have to pay for it one way or the other eventually.
Steve Gibson [01:14:06]:
Yes. And, and, and, and I'm glad you said that because it did say in Tom's reporting that non paid users would be generating ad revenue. I would, I'm, you know, I'm, I find ads abhorrent. I, you know, there's not an ad on GRC. I could have ads on GRC and we'd be making money from, from all of the page views we get. There's not an ad there because, you know, I practice what I preach and.
Leo Laporte [01:14:33]:
Right.
Steve Gibson [01:14:33]:
And so I wouldn't have a problem paying more than, what is it, 20 bucks a month or something that I'm paying? 20 plus. Yeah, I mean, I'll pay 50 for what I'm getting. You know, by the way, I did see my little $10 from Bitwarden. I got my little receipt at the beginning of the year, so.
Leo Laporte [01:14:53]:
Oh, good. Yeah, I know. I like paying for Bitwarden.
Steve Gibson [01:14:55]:
So we do pay, you know, we pay for the things that make sense.
Leo Laporte [01:14:59]:
But that's what we have to get used to, is that this whole idea, this feeling that things were free, has always been not true. You've got to pay for the stuff you use. You just do. And that's just the way it is. Nothing, it shouldn't be. It's not free.
Steve Gibson [01:15:14]:
It can't be free. Well, and the ad revenue model has shown that it works. As you said, that's why TWiT is still here, and I'm here indirectly because TWiT is still here. It's what broadcast TV survived on. And the problem is it could be a slippery slope, right? Because if you have some number of ads in your TV show, there's just so much temptation to squeeze another one in, at the expense of content. It's like, don't, you know, so just don't.
Leo Laporte [01:15:47]:
Okay, stop.
Steve Gibson [01:15:50]:
So anyway, it's going to be interesting, but again, I think this needs to get paid for. I'm reminded of your comment that the cost that OpenAI is expending is in training, not in querying. So I'm hoping that, you know, it's...
Leo Laporte [01:16:08]:
Getting cheaper for sure.
Steve Gibson [01:16:09]:
Yes, that, because I mean, generating 10 billion and losing 74, that's not the future.
Leo Laporte [01:16:17]:
No. In fact, at CES, Nvidia announced chips that are considerably more powerful at a lower price. So you're going to see...
Steve Gibson [01:16:26]:
And this is why I think it is so stupid to be building up data centers and using your GPU inventory as the asset against the loan that you took out because you have rapidly depreciating inventory, right? Oh, that's just nutso.
Leo Laporte [01:16:48]:
This is going to be an interesting year. I think that's probably the best way to think of it.
Steve Gibson [01:16:53]:
We went a long time to our first break. Let's take one now and that'll kind of put us back on track.
Leo Laporte [01:17:00]:
Gladly.
Steve Gibson [01:17:02]:
The Python Package Index's increased security.
Leo Laporte [01:17:05]:
I have a sponsor that should interest you and everybody who's listening, because we're all nowadays working in the cloud. We use Google Docs or Microsoft 365; most businesses, our business, is completely Google Workspace. Well, let me tell you about our sponsor for this segment of Security Now: Material. They are the cloud workspace security platform built for lean security teams. Managing security in a cloud workspace is a challenge, right? And by the way, phishing is far from the only way in. Today's email security basically ends at the perimeter.
Leo Laporte [01:17:44]:
It's assumed, well, the email got through, must be okay. But new attacks are so hard to detect. Not just in email, but you know, you've got siloed email, but you also have data. You have identity security tools. Material protects. They protect the email, they protect the files, they protect the accounts that live in Google Workspace or Microsoft 365.
Leo Laporte [01:18:05]:
If your business runs on those cloud systems, you need Material. Because effective email security today needs to do a lot more than just block phishing and other inbound attacks. It needs to provide visibility. It needs to provide defense across the workspace threat surface. That's Material. Material ingests your settings, your contents and your logs to give you holistic visibility into the threats and the risk across the workspace, along with the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. Automated remediations, so even when you're not on duty.
Leo Laporte [01:18:46]:
Material is phishing protection and email security, combining advanced AI detections with threat research and user report automation, because we're all in this together. Detection and protection of sensitive data across inboxes and shared files. You get account threat detection and response. People are trying to hack, I don't know why, but everybody's trying to hack Lisa's Google Workspace account pretty much all the time. You need Material account threat detection and response with comprehensive control over access and authentication of people and third party apps. If you're living in the cloud, it puts your attack surface out there.
Leo Laporte [01:19:26]:
You need something that's smart about cloud security. Material. It empowers organizations to rapidly mature their ability to detect and stop breaches with step-up authentication for sensitive content. It's got something I love. You've got to take a look at this on the website: blast radius visualization for accounts and the ability to detect and respond to threats and risk across the cloud workspace. Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API-based implementation and flexible automated and one-click remediations for email, file and account issues, including an AI agent that automates user report triaging and response. Hey, we all need help, right? Give me all the help you can give me.
Leo Laporte [01:20:16]:
Material protects the entire workspace for the cost of email security with a simple and transparent pricing model. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See Material Security to learn more or to book a demo. That's material, M-A-T-E-R-I-A-L. This is an idea whose time has come. We are living in the cloud now. Let's have some cloud-based security for everything we do there. Material.security.
Leo Laporte [01:20:50]:
We thank them so much for supporting Security Now. Steve.
Steve Gibson [01:20:56]:
So there's finally some good news.
Leo Laporte [01:20:58]:
Oh, I've been waiting.
Steve Gibson [01:20:59]:
Oh my goodness. On the Python Package Index, the PyPI repository front: PyPI posted their "PyPI in 2025 year in review," and they said, as 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. This year we focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency. Let's look at some numbers that illustrate the sheer scale of PyPI in 2025. And I put them in the show notes because they're like, wow. So they have more than 3.9 million new files published during just that year, 2025. Last year, 3.9 million new files, more than 130,000 new projects created.
Steve Gibson [01:22:07]:
130,000 new projects, 1.92 exabytes of total data transfer. I don't even know what that is. That's big. Giga, gigabyte... All right, gigawatts. It's gigawatts.
Leo Laporte [01:22:22]:
It's many, many, many, many bytes.
Steve Gibson [01:22:25]:
2.56 trillion total requests served, which is an average of 81,000 requests per second. So think about that. 81,000. Every single second of the day, 81,000 pulls from the package repository. So that really does give some sense for the scope and scale of today's repositories. And PyPI is not even the big one. npm is, you know, the biggie on the block. So it becomes, you know, very clear how rapidly, and here's the security front, how rapidly a popular package, if its developer's account were to become compromised, would have the ability to spread.
Steve Gibson [01:23:15]:
I recall when the notion of a supply chain attack was a new term for us. Yeah, and a new concept on this podcast. Oh, supply chain. That's interesting. Let's talk. What's that now? Sadly, it's become one of the most prevalent and worrisome security classes that there is. Their posting noted: these numbers are a testament to the continued growth and vibrancy of the Python community. Then they said, let's dive into some of the key improvements we've made to PyPI this year, and I'm just going to do the top lead one, which is security.
Steve Gibson [01:23:55]:
They said, security first, security always. Security is our top priority, and in 2025 we've shipped a number of features to make PyPI more secure than ever. Enhanced Two-Factor Authentication for Phishing Resistance. They said, we've made significant improvements to our two-factor authentication implementation, starting with email verification for TOTP-based logins. This adds an extra layer of security to your account by requiring you to confirm your login from a trusted device when using a phishable two-factor authentication method like TOTP. And I'm going to come back to this in a minute. They said, since rolling out these changes, we've seen more than 52% of active users with non-phishable two-factor authentication enabled. Okay, so wait a minute. What we see on this podcast over its 20-plus years is evolution.
Steve Gibson [01:25:05]:
Recall when the concept of a continually changing six-digit code was going to be the end-all, be-all of security. Remember the little eBay football? The what? PayPal, or PayPal football? Yeah, the football. Look at that, Leo. It changes its digits every 30 seconds. No one's ever going to be able to hack that. Okay. It was exciting because even if some site were to lose control of its static passwords, no bad guy would be able to produce the one-in-a-million six-digit code that was correct for that moment, but changed every 30 seconds. Well, that was a nice theory while it lasted, but then reality struck.
Steve Gibson [01:25:57]:
We learned that practical applications of time-based one-time passwords actually needed to open a surprisingly large acceptance window for codes. Remember that Microsoft's was like five minutes or something? It's like, what the heck, you could email it to somebody or almost postal mail it. Anyway, it turns out they needed to accept many minutes' worth of codes on either side of the optimal code in order to minimize false negative failures caused by desynchronized clocks or communications delays, or even maybe the users cutting and pasting or emailing themselves the codes, or who knows what why. But that was the reality. But the real death knell sounded when the bad guys realized that those larger acceptance windows meant that users could be readily phished by having them attempt to log into a fraudulent website, which they might get to by clicking on a link in email, which of course is able to obscure its actual domain. They would provide their username and password and then be prompted for their one-time password. The bad guys would collect all of that and log into their account on their behalf, and, you know, imagine then if that might be a corporate VPN they were logging into, or a remote access portal, or who knows what, maybe credentials for API access that the bad guy would then be able to acquire. Much damage could result. So what the PyPI folks are saying is that, sure, by all means use two-factor authentication, but, and I'm putting words in their mouth, so many of our past PyPI package submitters' accounts have been hacked, even when they were protected, in air quotes, by time-based one-time passcodes, that we are now strongly urging all developers to allow us to require that they also, on top of all that, respond to a link emailed to their account's registered email address.
Steve Gibson [01:28:32]:
The requirement of an email loop authentication slows down the whole login process. No doubt about it, it's not as convenient. But the demonstration of control over an email account remains a strong, useful and intuitive authentication factor which displays every sign of being with us for many years to come. So it's great news that PyPI is actively working to strengthen their authentication. And I hope everybody else follows suit, because as we know, accounts of legitimate, high-reputation, high-integrity software publishers and repositories being taken over, which then quickly have their stuff embedded with malware which is being downloaded at the pace of 81,000 pulls per second, that's a problem we still have to solve. Shortly before Christmas, Microsoft's Windows IT Pro blog posted the news that Windows 11 would be adding support for hardware encryption and decryption to their BitLocker whole-drive encryption system. The chart of the relative performance of no BitLocker compared to software versus hardware crypto turns out to be quite bracing.
Steve Gibson [01:30:04]:
But let's first see what Microsoft explained. They wrote, we know that users desire both security and great performance, right? Historically we've strived to keep BitLocker performance overhead within single-digit percentage points. However, with the rapid rise in popularity and advancement of Non-Volatile Memory Express (NVMe) drive technology, these drives now achieve much higher input/output operation speeds. As a result, corresponding BitLocker cryptographic operations (this is Microsoft) can require a higher proportion of CPU cycles. This makes the performance impact of BitLocker more pronounced. Oh, Leo, I've got a picture for you on page 8 here. Especially on high-throughput and I/O-intensive workloads like gaming or video editing. Okay, that's...
Leo Laporte [01:31:12]:
Wow. It does make a difference. Holy cow.
Steve Gibson [01:31:14]:
Oh boy. In other words, what they're saying is, and this makes sense, there's a fixed absolute overhead cost that's required to encrypt and later decrypt all of the blocks of data being written to and read back from non-volatile mass storage. It's a function of the data size. The cost is a fixed function of both processor speed and the amount of data being read and written. Significantly, it is entirely independent of the storage medium being written to or read from. Microsoft talks about the overhead as a percentage that's added to the time that would be required without BitLocker. That's certainly a reasonable way to view the encryption overhead, right? As, how much did this add to what it would have been otherwise?
Leo Laporte [01:32:11]:
Right.
Steve Gibson [01:32:11]:
But then along come these pesky super-fast NVMe drives, which are essentially PCIe devices themselves. SATA drives used a SATA interface to a SATA controller, which was then attached to the processor's PCIe bus. And SATA was never optimal for doing this, which is why you need a controller. It basically packages up the old IDE interface into a packetized system. And of course I know all about that from having written a SATA driver myself for SpinRite 6.1. But NVMe drives need no controller.
Steve Gibson [01:32:57]:
They are themselves first-party PCIe devices. So they're able to stream their data at the highest speed possible directly to and from the rest of the system. What this means in practice is that, excuse me, someone inside Microsoft realized that the actual delivered performance of NVMe drives was now being dramatically limited by the fixed-speed overhead introduced by BitLocker. The chart above, right in the show notes, which was kindly provided by Microsoft, demonstrates the significance of the encryption overhead. The shortest center bar shows the average CPU cycles per I/O operation, that is to say, without any encryption. The hugely tall orange bar is the average number of CPU cycles incurred by software BitLocker encryption. Okay.
Steve Gibson [01:34:05]:
And for those who can't see it, it's quite sobering. It stands about four times the height of the no-encryption bar. And finally, by comparison, the hardware-accelerated BitLocker only adds a modicum of additional overhead to the no-BitLocker transfer. So the very clear takeaway from this is that anyone who is currently using BitLocker on an NVMe drive without the benefit of Windows 11's forthcoming BitLocker hardware encryption, which is to say everyone today because it doesn't exist yet, is seeing only a true fraction of the performance they could be obtaining from that drive without the comparatively massive overhead that's being introduced by BitLocker. Now, somebody may be wondering about SpinRite. I brought it up, so I'll just mention that you get 100% full performance with SpinRite regardless of whether BitLocker is present or not, because SpinRite 6.1 doesn't bother with BitLocker encryption and decryption; it just works on the raw encrypted data. But when you actually need to read, write, understand and use the drive's data as Windows does, then you have no choice other than to run through BitLocker's crypto pipeline.
Steve Gibson [01:35:39]:
Since the performance with and without BitLocker and with and without hardware acceleration is pretty astonishing, let's see what Microsoft has to tell us about this. They continue, writing: as NVMe drives continue to evolve, their ability to deliver extremely fast data transfer rates has set new expectations for system responsiveness and application performance. While this is a major benefit for users, it also means that any additional processing, such as real-time encryption and decryption by BitLocker, can become a bottleneck if not properly optimized. For example, professionals working with large video files, developers compiling massive code bases, or gamers demanding the lowest possible latency may notice delays or increased CPU usage when BitLocker is enabled on these high-speed drives. Balancing robust security with minimal performance impact is more challenging than ever. The need to protect sensitive data remains critical, but users also expect their devices to operate at peak efficiency. As a result, the industry has needed to innovate new solutions that ensure both security and speed are maintained even as hardware capabilities advance. To achieve this, we announced Hardware Accelerated BitLocker at Microsoft Ignite last month. Hardware Accelerated BitLocker is designed to provide the best combination of performance and security.
Steve Gibson [01:37:20]:
Starting with the September 2025 Windows Update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS (Universal Flash Storage) inline crypto engine technology, BitLocker will take advantage of upcoming, and that's the key, upcoming system-on-a-chip and central processing unit capabilities to achieve better performance and security for current and future NVMe drives. So they said these capabilities are two. First, crypto offloading: BitLocker shifts bulk cryptographic operations from the main CPU to a dedicated crypto engine. This capability frees up CPU resources for other tasks and helps improve both performance and battery life. And second, hardware-protected keys: BitLocker bulk encryption keys, when necessary SoC support is present, are hardware-wrapped, which helps increase security by reducing their exposure to CPU and memory vulnerabilities. This is in addition to the already supported Trusted Platform Module, which protects intermediate BitLocker keys, putting us on a path to completely eliminate BitLocker keys from the CPU and memory. All that's great.
Steve Gibson [01:38:49]:
Unfortunately we don't have it yet. They said, when enabling BitLocker, supported devices with NVMe drives along with one of the new crypto-offload-capable SoCs will use hardware-accelerated BitLocker with the XTS-AES 256 algorithm by default, which is what you want. This includes automatic device encryption, manual BitLocker enablement, policy-driven enablement, or script-based enablement, with some exceptions. We have enhanced the architecture and implementation of the Windows storage and security stacks to support these new capabilities as an operating system enhancement that will bring value to all capable PCs over time. And here it is: upcoming Intel vPro devices featuring Intel Core Ultra Series 3, formerly codenamed Panther Lake, processors will provide initial support for these capabilities, meaning nobody can have it today, that is, on today's hardware, with support for other vendors and platforms planned. Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market. Okay, so all of this fancy new BitLocker crypto engine pipeline support will only be available when using these next-generation Intel processors, which, as it turns out, were just unveiled by Intel yesterday at CES, our annual consumer electronics show.
Leo Laporte [01:40:34]:
And I just bought a laptop.
Steve Gibson [01:40:38]:
This means exactly, you and everybody else, Leo, that regardless of the version of Windows being used, 7, 8, 10, or even the latest 11 on our current hardware, the use of BitLocker is exacting a tremendous, typically unseen performance penalty that Microsoft is only now disclosing because they have a solution. Of course it requires buying new hardware, but that seems to be what Microsoft wants to happen, thanks to, you know, Windows 11 needing new hardware too. But that solution is, you know, for tomorrow, not for today. I would say that if anyone has a BitLocker-encrypted NVMe drive which they encrypted out of the box just because, why not, where their operating environment doesn't really require that the whole drive be encrypted, and where they'd rather receive a significant, apparently so, says Microsoft, boost in performance, it might be worth considering de-BitLockering any high-speed NVMe drives you might be using, reducing the load on your processor, improving the real-time performance of everything else because BitLocker is not hogging your CPU, and finally obtaining the true performance that's available from a state-of-the-art NVMe drive. Everything that Microsoft wrote about the increased overhead of fixed-speed encryption and decryption in light of the newer, faster performance of NVMe drives makes absolute sense. What might also make absolute sense is waiting until your machine's hardware is able to support ultra-low-overhead BitLocker encryption, unless having it now is really necessary. Microsoft ended their post by showing how anyone could check to see whether a BitLockered drive's encryption was hardware accelerated.
Steve Gibson [01:42:55]:
They wrote, to check if your device is using hardware-accelerated BitLocker, open a command prompt as an administrator and run manage-bde. You know, that's BitLocker Drive Encryption, so manage-bde -status. Look at the encryption method section. If "hardware accelerated" is shown, it indicates that BitLocker is utilizing the system on a chip's (SoC's) crypto acceleration capabilities. So I've got it in the show notes at the bottom of page 10. It's on the screen. Thanks, Leo. No one is going to see that today, but this is a useful tip for the future when you're running Windows 11 on the newest hardware that may be able to offer this support.
Steve Gibson [01:43:46]:
And that may be why you purchased the newer hardware. Many years ago, back when we were talking about and exploring whole-drive encryption with TrueCrypt, I clearly recall wondering about the performance overhead of using it. So I did some benchmarking of a system's read and write performance with and without TrueCrypt. I recall being surprised that I was unable to detect any performance overhead being introduced by its on-the-fly encryption and decryption. All in software, of course. And while I no longer recall the specifics, it's likely that the system I was using back then had a fast processor and a comparatively slower spinning hard drive. So as a consequence, the overhead that was being introduced by the encryption and decryption would have been completely masked by the drive's physical read/write performance, because those two things were able to happen in parallel. So the drive's read and write performance would have been the limiting factor.
Steve Gibson [01:45:00]:
It would have been slower than the system's ability to encrypt and decrypt its data. What's changed since then is that now we have not only solid-state mass storage as the new default, but that storage is being attached directly to the system's I/O buses, with no controller translation going on in between, allowing today's mass storage to deliver unprecedented performance. Software-based encryption and decryption cannot keep pace, you know, no matter how many cores you have. One of the things that is happening is that pushing all that data and running decryption in software is flushing your processor cache. So it is really rough on the whole system to be, you know, doing bulk encryption and decryption by CPU. You don't want to have to, if you don't really need to.
Leo Laporte [01:46:02]:
See, I always turn on full-drive encryption, especially with SSDs, because as we've talked about before, you really cannot wipe an SSD very effectively. Right?
Steve Gibson [01:46:11]:
That's true.
Leo Laporte [01:46:13]:
So if I don't use encryption up front, I'm probably storing stuff in the clear on that drive. That can't be...
Steve Gibson [01:46:21]:
I would say that you can't know that you have wiped an SSD. Secure erase should even deal with all of the little pockets of swapped-out, you know, leveled regions and no-longer-effective chunks that have been mapped out of the SSD's use. Secure erase should do that, but you're trusting the manufacturer to implement that correctly. So if you really are belt and suspenders, then yes, you would turn BitLocker on. You know, I turn on full...
Leo Laporte [01:47:06]:
Encryption on everything I have. It's on by default on a Mac, FileVault. On Linux I use LUKS, and I think BitLocker is on by default on Windows Pro. I'm not sure about Windows Home, but the point is...
Steve Gibson [01:47:24]:
Otherwise it's not turned on by default on installation.
Leo Laporte [01:47:27]:
You have to know. Okay, it is on a Mac. That's interesting that Microsoft doesn't do it. Maybe that's why. I'm sure that there's a similar hit in full-disk encryption on other systems. But I don't know.
Steve Gibson [01:47:41]:
Yeah, after covering this I did not take any time to look around. I'm sure people have done benchmarks that are going to be available, so we can see what that is. There is a version of a drive that does it itself, but they are far more expensive. You know, they're like data center high-end drives. They're like triple the price, but it has AES encryption hardware. Well, in fact, that's what the iPhone has. You know, the iPhone storage is also encrypted.
Leo Laporte [01:48:14]:
Everything's encrypted.
Steve Gibson [01:48:15]:
Really? Yeah.
Leo Laporte [01:48:18]:
So maybe, you know, hey, we're not getting the full amount of speed that we could be getting, but it's still faster than your old spinning drive in that old processor. A lot, right?
Steve Gibson [01:48:28]:
Yep.
Leo Laporte [01:48:29]:
I don't know, I think I'm going to always still use full-disk encryption.
Steve Gibson [01:48:32]:
It'll just be interesting to see what the overhead, what the hit is.
Leo Laporte [01:48:36]:
Yeah, yeah.
Steve Gibson [01:48:37]:
I won't be turning it on because, you know, my environment doesn't really require it. So let's take a break, and then we're going to talk about, as you mentioned, Leo, the odd inclusion of two lines in the recent New York City mayoral inauguration. What is banned from being brought...
Leo Laporte [01:48:58]:
It's telling, isn't it?
Steve Gibson [01:48:59]:
It's bizarre.
Leo Laporte [01:49:01]:
Yeah. Yeah. Okay. Well, our show today, brought to you, as it often is, by our good friends at Bitwarden, the password manager I use and strongly recommend. It's open source. That's the reason I use it. It's also the trusted leader in password, passkey and secrets management, consistently ranked number one in user satisfaction by G2 and Software Reviews, with over 10 million users across 180 countries, more than 50,000 businesses. Whether you're protecting one account on your personal system or thousands in your business, Bitwarden keeps you secure all year long with consistent updates. I'm always impressed.
Leo Laporte [01:49:41]:
Maybe it's because it's open source, but the speed with which they add new features is very impressive. They've just added for enterprise something called Bitwarden Access Intelligence, which lets organizations detect weak, reused or exposed credentials and immediately guide remediation right there at your user's desk, replacing risky passwords with strong, unique ones. This closes a major security gap. Credentials are still one of the top causes of breaches because people, you know, reuse passwords, they use weak passwords, their passwords are exposed in breaches all the time. But with Access Intelligence, those exposed credentials become visible, prioritized and corrected before exploitation can occur. You've got to have this in your business.
Leo Laporte [01:50:30]:
They've also introduced something brand new: Bitwarden Lite. This is interesting. This is probably maybe more for us geeks. It delivers a lightweight self-hosted password manager. It's for home labs, for personal projects, for environments that want quick setup with minimal overhead. This is a self-hosted Bitwarden vault.
Leo Laporte [01:50:51]:
It's now enhanced with real-time vault health alerts. Actually, all Bitwarden users get this: password coaching features that help users identify weak, reused or exposed credentials and take immediate action to strengthen their security. Bitwarden now supports direct import too. This is great. You don't have to export into clear text and then import into Bitwarden and then make sure you remember to delete the clear text and all that. No, no. Bitwarden supports direct import from your existing browser password vaults like Chrome, Edge, Brave, Opera and Vivaldi browsers. I guess those are all Chromium-based browsers.
Leo Laporte [01:51:28]:
Direct import copies credentials from the browser right into the encrypted vault without requiring that extra plain-text export. That is a lot safer. It also simplifies migration. You don't have the same kind of exposure that's associated with manual export, like you forget to delete the clear-text version of it. Always makes me nervous. It's one of the reasons both Steve and I moved from that other password manager to Bitwarden. We were very careful.
Leo Laporte [01:51:56]:
We deleted the clear text, and now I'm not moving again. I'm staying right there. This is it. I'm very, very happy with Bitwarden. G2 Winter 2025, the one that just came out, reports that Bitwarden continues to hold strong number one in every enterprise category. And that's now the sixth straight quarter number one in all enterprise categories. Maybe that's because Bitwarden's setup is so easy. It supports importing from almost all password management solutions.
Leo Laporte [01:52:26]:
So it's quick to move over. I think it's really important, it is to me, that Bitwarden is open source, GPL licensed. You can see it on GitHub, you can inspect it. It's also regularly audited by third-party experts. That tells you there are no back doors, there's no insecurity. They're using well-known standard crypto. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, CCPA compliance.
Leo Laporte [01:52:51]:
It's ISO 27001:2022 certified and you can get started today with Bitwarden's free trial of a Teams or Enterprise plan, or as an individual user, free forever across all devices, at bitwarden.com/twit. That's bitwarden.com/twit. You might want to do as Steve and I do. We pay 10 bucks a year for the premium just to show our support for Bitwarden. But you don't have to. bitwarden.com/twit. Yes, it supports hardware keys, YubiKeys. It supports everything. Secrets, passkeys, unlimited passwords. bitwarden.com/twit. And I once asked them, because we know other password managers that had free trials that yanked them back. And I said, can you ever do that? And the guy at Bitwarden is great. He said, no we can't.
Leo Laporte [01:53:40]:
We're open source, Leo. Even if we did, people would just go, well, that's that. I'm forking it. And we'd always have it for free. So they know perfectly well. Free forever. That's another benefit to open source. Bitwarden. Take a look at the enterprise or business plans too, because they're great.
Leo Laporte [01:53:57]:
And the Teams plans. Those are not free forever. Obviously those are business plans, but for individuals, bitwarden.com/twit. Thank you Bitwarden for doing a great job. Happy to give you my 10 bucks every January. Okay Steve, let's talk about the Raspberry Pi.
Steve Gibson [01:54:16]:
Okay, so last week the newly elected and controversial mayor of New York City was inaugurated. And that's not an event that would normally be mentioned here, but this inauguration was a bit special. I'm going to deliberately keep those who haven't already heard about this a little bit in suspense for just a minute because the reveal is just too much fun. The reporting that I want to share over this is from a perfect perspective and by someone who writes quite well. They wrote, public safety rules should be dull in the best possible way. Clear, predictable, written by people who understand what actually causes harm in a crowd of thousands. New York City usually gets this right. It has decades of muscle memory for doing hard things in public under pressure without panicking.
Steve Gibson [01:55:12]:
Which is why the prohibited items list for the January 1, 2026 New York City Mayoral Inauguration block party seemed off. Okay, and at this point, the post provided a link to the list of prohibited items which I'm going to share with our listeners. The notice read, Prohibited items: All spectators will be screened as they enter the viewing area. The following items are prohibited: large bags; weapons, fireworks or explosives; large backpacks or duffel bags; drones or remotely controlled aerial devices; strollers, coolers, chairs, blankets, umbrellas, beach balls, bicycles or scooters; alcoholic beverages; illegal substances; pets other than service animals; large items that could obstruct views of spectators around you; laser pens, bats and batons. And finally, tacked onto the bottom of the list as the final two items, what do we find? Flipper Zero and Raspberry Pi. Yep, we wouldn't want any of those crowd disturbing technologies or capabilities being bandied about casually. The posting to the blog of the well known and very popular Adafruit website continues: Explicitly banned: Raspberry Pi and Flipper Zero. Why not categories, not capabilities? Two named devices, brand trademarked names, parked right next to weapons, explosives and drones, as if the list itself is supposed to do the thinking for us. Raspberry Pi is a general purpose single board computer.
Steve Gibson [01:57:10]:
It shows up in classrooms, newsrooms, accessibility rigs, art installations and civic tech demos. Flipper Zero is a consumer electronics testing tool, but its functional territory overlaps heavily with laptops, smartphones, radios, microcontrollers that remain perfectly legal to carry. If the concern is electronic interference, signal disruption or hacking, the policy does not say that. It gestures vaguely by naming a couple of gadgets and hoping the implication sticks. Curiosity, it seems, is now contraband. There already is a list of prohibited items that works great at Times Square on New Year's Eve, one of the most tightly secured public events on the planet. The prohibited list is blunt and practical backpacks, drones, weapons, alcohol, large objects that block movement or sight lines. The rules focus on crowd dynamics and physical risk.
Steve Gibson [01:58:15]:
They do not play whack a mole at the end with brand name electronics. When a policy bans specific devices rather than behaviors or capabilities, it creates ambiguity for people on the ground. Once a Raspberry Pi is banned, a smartphone sails through security despite being way more powerful, more connected and more capable of surveillance, disruption or both. That's not a security framework, that's a vibe based list. Maybe it was AI generated. That would be interesting if that was what happened. If the goal is to restrict electronic interference, the language should say so plainly. Unauthorized transmitters, signal interception tools, electronic hacking devices.
Steve Gibson [01:59:05]:
Those are enforceable things already. Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy. There's a cultural cost to banning brand names like Raspberry Pi. New York is full of educators, artists, technologists and journalists who use small embedded computers as tools of expression and access. A device specific ban turns curiosity itself into something suspicious while ignoring the far more capable computers already in everyone's pockets. The future ban list will have everything.
Leo Laporte [01:59:48]:
This is my favorite part of this article here.
Steve Gibson [01:59:51]:
Today it's yes to the enumeration. Today it's Raspberry Pi and Flipper Zero. Tomorrow it's BeagleBone Blacks, Arduino Unos, ESP32 dev boards, Teensy boards, Pine64s, Orange Pis, Jetson Nanos, USB logic analyzers, SDR dongles, Bus Pirates, DEF CON badges, hotel key cards, garage door openers, Tamagotchis, graphing calculators, old Nokias, Game Boys with link cables, a TI-83 calculator, right, held sideways, a Pocket Operator making beeps too abrasively, a Furby with unresolved father issues, and some guy's wristwatch that definitely has a microcontroller in it. Meanwhile, everyone walks through holding a smartphone that can film, scan, transmit, triangulate and live stream the entire event in 4K. Yeah, he said. I tried to find emails to someone on the mayor's team, DM'd their socials, etc. So far, here's what I received from the mayor's team, and some auto replies and bounces. Quote, looping in Audra Heinrichs to help answer your questions.
Steve Gibson [02:01:22]:
All the best, Penelope Birnbaum. Penelope was the press assistant on Kamala Harris's presidential campaign and now press and digital associate, Zohran for NYC. Audra Heinrichs, quote, directed all press logistics on the Mamdani campaign's final events. Public safety is a beacon, a flashlight, not a fog machine. They have heavy hitters here. They can fix this. The list feels symbolic rather than functional. New York has done better before and it can do better again.
Steve Gibson [02:01:58]:
There's enough time for the New York for the new mayor's team to check this out. And if they do, I'll get word out and say there will be no tickets to a security theater. So, you know, I can, I can kind of see the Flipper Zero being on the list. I mean, if it's gonna. If you're gonna have something like that. And I can see why it might have needed to be named directly. You know, it is now a famous mischievous hacking tool that you could argue has no real place or purpose at such an event. If someone were to attempt to bring one in, although I'm sure they could smuggle it, it would not be unreasonable to ask them why they have it and then probably hold it for them until they were leaving afterward.
Steve Gibson [02:02:47]:
And you know, really, it would need to be called out by name, since using the generic no transmitters allowed would of course include everybody's phone. But that said, I can totally agree that the idea of the Raspberry Pi being put on the list is nothing short of nuts. And I could see why this author wondered whether AI might have had a hand in there. Although, you know, it's all academic now. It would be interesting to know exactly where those last two items came from. You know, like, how did they find themselves on the list?
Leo Laporte [02:03:23]:
It's just a curiosity. I mean, I can't see getting upset about it. Although I am upset about another thing. Why do we always blame AI when people do stupid things? Humans are very capable of doing stupid things all by themselves.
Steve Gibson [02:03:36]:
We have. Well, first of all, humans train the AI and we have a new whipping boy. Oh, it must have been AI that's right.
Leo Laporte [02:03:45]:
This does not sound like something AI would say. This sounds like something somebody who kind of half had an idea that.
Steve Gibson [02:03:50]:
Yeah. Or someone that someone's nephew said. Yeah.
Leo Laporte [02:03:53]:
You know, you really shouldn't let Raspberry... again, I agree with you. I could see Flipper Zero. That's. That's a hacking device. That's what that's designed to do.
Steve Gibson [02:04:01]:
Yeah.
Leo Laporte [02:04:01]:
What would you do? What, carry a bare Raspberry Pi in your pocket? What?
Steve Gibson [02:04:05]:
And a power supply and antennas and stuff like what we talked about on.
Leo Laporte [02:04:10]:
Twitter and they said, why didn't they ban Wi-Fi Pineapples? I mean, let's. Let's get serious. There's some. There's some stuff they could have been, but you can't. There's no way you can make a blanket list now. There's too many ways people can do things. Anyway, I want to hear about this new show. I want to know about this.
Steve Gibson [02:04:30]:
I have, yes, I have the best news for our sci fi enjoying listeners. Okay, Forbes headline was tight with Forbes headline was Netflix's best new show has a 100% Rotten Tomatoes score. But there's a catch. They're describing a two season, 16 episodes in total. And this is me speaking. I've watched it. Astonishingly well conceived science fiction time travel series that can currently be found on Netflix and Apple TV. Amazon Prime Video only has season two and the rights are expiring this.
Steve Gibson [02:05:23]:
Okay, this thing is called The Lazarus Project. L A Z A R U S, The Lazarus Project. There's a movie by the same name. And as you'd expect, Lazarus generically has been used several times before. There. There's a. There's a movie there. There's a Lazarus Project movie, Lazarus Files and other stuff.
Steve Gibson [02:05:46]:
What you want is The Lazarus Project. So beware of name collisions when you're searching. The one I'm talking about is a two season British television production. I was made aware of it when it popped up on Netflix with the news that it would be leaving a few weeks from now on January 28th. I don't know whether or when Apple TV and Amazon may be losing it, but. But since I never want to be without it, I mean that I never want to be without this. After getting a couple of... no, it is so good, Leo. I don't even have to worry about overselling it.
Steve Gibson [02:06:21]:
I know I tend to oversell things, but when I'm excited about them or infatuated. But oh my God. After getting a couple of episodes into the second season, I immediately purchased both seasons on Apple TV. They were $20 each, but you know, I assume that means if I bought them on Apple TV, I'll always have access to them. Apple TV is not going to say oh, sorry Steve, you. You paid 20 bucks and now you can't see it. Okay, following their headline, Forbes wrote, Netflix's best new show has a 100% Rotten Tomatoes score, but there's a catch. They wrote that show is The Lazarus Project, a sci fi series that originally aired in 2023 on Sky, but has now ported over its two seasons to Netflix. The series has a perfect 100 score on Rotten Tomatoes from critics, an infrequent feat.
Steve Gibson [02:07:18]:
Okay, I checked over on Amazon Prime, where it has a 4.8 out of 5, with most giving it 5 stars and a few giving it 4. No one gave it a 1, 2, or 3. Now I'm mystified by the show's comparatively low 7.3 rating over on IMDb because I have never, and I really mean never, seen a more compelling, astonishingly clever and gripping time travel concept and plot. There is new stuff here. The Lazarus Project is truly remarkable science fiction. It's so good that I felt duty bound to tell everyone here, and I also posted about it over in GRC's Sci Fi News Group. One of the denizens who hangs out over there replied, I watched it somewhere besides Netflix, and I have to admit, he said, I was amazed as well. But I strongly recommend that people binge watch it because the plot is highly complex and some critical plot points happen almost in passing.
Steve Gibson [02:08:29]:
This is not a series to watch in the background while you're doing something else. No, I can't even. I can't even imagine. I keep hitting the backspace button in order to catch something again because, I mean, there is so much there. He said. The logic of the time resets will have you twisted in knots at times, but it's a completely new take on time travel. And I replied to Milton's posting writing, I agree 100%. It takes extreme attention and focus, which is part of what makes it so good.
Steve Gibson [02:09:04]:
It's the absolute reverse of nothing much happened during that episode. The sense is that they're working to cram as much content into each episode as possible, and they succeed. Oh, okay. So I'll just say that the series has been nominated for a BAFTA award. BAFTA is the British Academy of Film Awards, which is Britain, Britain's highest honor for British cinema. There is a downside, which is the catch that Forbes referred to in their headline, it's that the series apparently did not plan to end after just two seasons. It proved, I believe, to be a bit too much for Sky TV's British viewer demographic, who probably did want to be able to do something while they, like, iron or something while they were watching tv, you know, And I understand. I mean, it really is a lot.
Steve Gibson [02:10:04]:
Lori is lost. She's like, okay, would you just tell me what happened? Because, I mean. Oh, Leo, it is so.
Leo Laporte [02:10:12]:
I can't wait.
Steve Gibson [02:10:13]:
It is so good. So Sky chose not to commission a third season and we're left a bit hanging. Milton said that it looked like they tacked on kind of some. Some attempt to satisfy. And I got right. It was. It was almost 1am this morning when I could not make myself watch the final one because I had to go to sleep so I could do the podcast.
Leo Laporte [02:10:41]:
Wait, you watched the whole two seasons in one evening?
Steve Gibson [02:10:45]:
No, no, no, no, no. It took. It took the. I did the first three, then I was hooked. And then I did the second season in two pieces of. Of two blocks of two and five or something. And then. Or.
Steve Gibson [02:10:59]:
Or two and two. And then I watched the. The. The third. The second season in three parts. Anyway, the point is I am one episode from finishing. I did not get the final episode, but. Oh, my God.
Steve Gibson [02:11:11]:
This second or the last one last night. Oh, I mean, it. It. Oh, wow. Anyway. Wow.
Leo Laporte [02:11:19]:
I can't wait to see this.
Steve Gibson [02:11:20]:
It is really, really good. So if you don't have Netflix, I'm trying to think you could purchase, but you could purchase. But if you have Apple TV, you could buy the first episode for whatever it is, $2.95 or something. Just the episode, right? Then when you see how good it is, you could join Netflix just to watch both seasons and then resign and save some money. In fact, if you haven't ever done Netflix before, I think you can join and get a free week or something and then resign. Oh, it is. It is really good. And.
Steve Gibson [02:11:55]:
And so probably by. If you actually start Leo, you will be done by the time we talk about it, if we can. If you watch it by next podcast, because.
Leo Laporte [02:12:05]:
Okay, I'll be that. That hooked. Oh, good.
Steve Gibson [02:12:08]:
It is. It is. Oh, it is beyond. It is. This the, the. Okay.
Leo Laporte [02:12:15]:
Wow.
Steve Gibson [02:12:17]:
Yeah, it's, it's just, it's a treat. So everybody, you know, and, and again, don't have, you know, like distractions while you're trying to watch it. You'll quickly see that you really need to pay attention. The acting is good, as British. A lot of British TV really is, where they have people you've never seen before, but they're really good. They just, it's. And, and it's one of those shows also where, where you're kind of hoping something's going to happen and then it does, where like everything you want to have happen happens. So it's gratifying that way.
Steve Gibson [02:12:50]:
But then they also completely keep you off balance with things that you didn't expect and then afterwards you go, oh, that's so brilliant. Anyway, yeah, it's really good.
Leo Laporte [02:13:02]:
Can't wait.
Steve Gibson [02:13:03]:
Tom Kreitz sent me a link. He's a listener of ours. He sent Security Now feedback. It contained nothing but the link, which I would normally be a little skeptical about. But it was the subject of his email that caught my eye, which was vitamin D and magnesium. And the link was to a just December 30th published piece on, on the Science Daily website. Science Daily does sort of synopsis of other studies across the realm of science and sort of like, like, like pulls them all together. So the piece was titled Why Your Vitamin D Supplements Might Not Be Working. Now,
Steve Gibson [02:13:48]:
since I was unaware of a tight link between vitamin D and magnesium, since last week's holiday podcast was a replay of our much earlier vitamin D podcast, and since magnesium happens to be another substance that I have extensively researched and experimented with, I wanted to share the substance of this piece, which is brief. The summary at the top says a randomized trial from Vanderbilt-Ingram Cancer Center reveals that magnesium may be the missing key to keeping vitamin D levels in balance. The study found that magnesium raised vitamin D in people who were deficient while dialing it down in those with overly high levels, suggesting a powerful regulating effect.
Leo Laporte [02:14:44]:
Increases it or decreases it depending it.
Steve Gibson [02:14:47]:
Pulls it into the in, in, into the proper range. They, they said this could help explain why vitamin D supplements don't work the same way for everyone and why past studies linking vitamin D to cancer and heart disease, as in prevention, have produced mixed results. The piece in Science News is a report on findings published in the American Journal of Clinical Nutrition. And so they went on to say the study published in the American Journal of Clinical Nutrition adds clarity to long standing debates about vitamin D's links to colorectal cancer and other diseases. These questions have gained attention due to mixed results from major studies, including the VITAL trial, VITAL all caps. The new findings also reinforce earlier research from 2013 by the same team, which found that people with low magnesium intake often had low vitamin D levels as well. So again, there was a correlation at that point; they didn't have causation. You need to do what happened, which was a randomized controlled clinical study, in order to get the actual causal link.
Steve Gibson [02:16:00]:
So they said. Beyond confirming earlier observations, the trial uncovered an additional insight. Magnesium did not simply raise vitamin D across the board. Instead, it appeared to act as a regulator, lowering vitamin D levels in participants whose levels were already high. This is the first clinical evidence suggesting magnesium may help optimize vitamin D levels rather than just increasing them, which could be important for reducing disease risk linked to vitamin D imbalance. The Ingram Professor of Cancer Research and lead author of the study explained that the healthiest vitamin D range appears to fall in the middle of a U shaped curve. Previous observational studies have linked this middle range to the lowest risk of cardiovascular disease. Despite earlier warnings, vitamin D did not show a clear link to cardiovascular disease in the recent VITAL trial.
Steve Gibson [02:16:56]:
Dai and co author Martha Shrubsole, a research professor of medicine in the Division of Epidemiology, are now examining whether magnesium could help explain these inconsistent results. Their work is part of the ongoing Personalized Prevention of Colorectal Cancer trial. Shrubsole said, there's a lot of information being debated about the relationship between vitamin D and colorectal cancer risk that's based on observational studies versus clinical trials. The information is mixed thus far. The researchers turned their attention to magnesium after noticing that vitamin D supplements did not work equally well for everyone. Some people failed to raise their vitamin D levels even when taking high doses, Dai said. Magnesium deficiency shuts down the vitamin D synthesis and metabolism pathway.
Steve Gibson [02:17:52]:
The study included 250 adults considered at a high risk for colorectal cancer, either due to known risk factors or because they had previously had a precancerous polyp removed. Participants received either magnesium supplements or placebo with dosages tailored to their usual dietary intake. Shrubsole noted that vitamin D insufficiency is widely recognized as a public health concern in the United States, and many patients are advised to take supplements based on blood test results. She said, vitamin D insufficiency is something that has been recognized as a potential health problem on a fairly large scale in the US, and as we know, that's relatively recent. That was since we first did the podcast. She said, a lot of people have received recommendations from their health care providers to take vitamin D supplements to increase their levels based on their blood tests. In addition to vitamin D, however, magnesium deficiency is an under recognized issue. Up to 88.0 percent of people do not consume enough magnesium in a day to meet the Recommended Dietary Allowance, the RDA, based on those national estimates.
Steve Gibson [02:19:10]:
And we know the RDA is not the live long and prosper level. It's the keep yourself above ground, barely, level. Shrubsole emphasized that magnesium intake in the study matched RDA guidelines and suggested that diet is the best way to increase magnesium levels. Foods rich in magnesium include dark leafy greens, beans, whole grains, dark chocolate, fatty fish such as salmon, nuts and avocados. Okay, so having said all that, first, I want to acknowledge that I know this is not a health and nutrition podcast and that as a health hobbyist and tinkerer with no formal medical training, I would never presume to be an authoritative source of medical information. So for those who have no interest in the topic of health and longevity, please rest assured that we will not be spending much time on the subject. I'm not going to go that, that. I'm not going to go there.
Steve Gibson [02:20:13]:
That said, the subject of the preservation and maintenance of health, vitality and energy as we age is an extreme personal passion of mine. It's something I've quietly devoted a large fraction of my life to researching and understanding as well as experimenting with. So, in reply to this article, which Tom brought to my attention, I'm going to share a bit more of what I've learned and practiced on the magnesium front.
Leo Laporte [02:20:43]:
Good. Because yeah, I want to hear about this.
Steve Gibson [02:20:46]:
Yeah, so it is absolutely true that magnesium is a grossly underappreciated mineral. It is a required cofactor in more than 400 individual enzymatic reactions in our human body which transmute, you know, and being enzymes, are involved in transmuting an organic molecule from one form to another. The book I read back in 2009 that started me down the path to understanding the role and importance of magnesium was called The Magnesium Miracle, written by Carolyn Dean, who's an MD and an ND. I went over to Amazon to double check the spelling of her name and Amazon flagged that book as having been purchased by me in 2009. It's currently $6 on Kindle and available in audio, Kindle and paperback now. And in fact I'm holding it up to the camera. The front of the book says it's titled The Magnesium Miracle, which annoys me because it's not a miracle, right? It's science. But okay, she needs to sell some.
Steve Gibson [02:21:59]:
And apparently she still is. It says, discovering the missing link to total health. Lower the risk of heart disease, prevent stroke and obesity, treat diabetes, improve mood and memory. So the problem with magnesium, the reason for that report's observation that there's a general magnesium deficiency in the US, is that natural sources of magnesium, you know, we don't synthesize the mineral in our body, we have to get it exogenously. And the natural sources of magnesium have largely been removed from our lives. Before we obtained our water from municipal processing plants, you know, which is what's happening now, we once used to drink water from wells or from river streams where the water would contain dissolved magnesium, and we'd be consuming plants that were rich sources of magnesium. But plants don't synthesize magnesium atoms either. So if they're grown in magnesium poor soil, they're no longer able to provide the magnesium they once did.
Steve Gibson [02:23:13]:
And the water we drink now has been processed and filtered and chlorinated and bears very little resemblance to the water that was consumed by pre industrial man. The upshot of living within a poor magnesium environment is a magnesium poor body that's unable to synthesize as many of the enzymes it would like to as it could if magnesium were available in greater supply. Now the problem is how to get magnesium into us, because that turns out to be a little tricky. One of the things anyone who practices dietary supplementation comes to appreciate is that it can be difficult to get some substances into our bloodstream due to the fact that they must first survive our stomach acid's deliberately low pH, and after surviving our stomach, the substance will be absorbed by our intestinal lining into our bloodstream. But its first destination will then be our livers, where it may need to survive what's known as first pass hepatic metabolism. Our livers may wish to take it apart and use its bits for its own purposes. So what about magnesium? Our stomach's low pH acidic contents is the death of most forms of supplementary magnesium, at least as far as disassociation from its carrier atoms is concerned.
Steve Gibson [02:24:47]:
When my physician recommended, at my age, and this was several decades ago, that I should start probably having a periodic colonoscopy screening, he handed me a large empty plastic jug. Well, it wasn't completely empty. There was a loose white powder in the bottom of the jug. My instructions were to just fill it with water and shake it up to dissolve the powder. Then I was to pour a cup of this mixture every hour and drink it until the entire jug was empty. And not long after that, my entire intestinal tract would also be similarly empty and I'd be ready to have my intestinal lining inspected for any abnormalities. I'm sharing this seemingly off topic story because that loose white powder wasn't the only thing that was loose at that point. That loose white powder in the bottom of the initially empty jug was pure magnesium oxide.
Leo Laporte [02:25:50]:
Ah.
Steve Gibson [02:25:51]:
Magnesium oxide is the least expensive and, and least well absorbed of all magnesium formulations. It was what was traditionally used, along with ample water to flush out one's intestines.
Leo Laporte [02:26:05]:
Because that's what's in milk of magnesia.
Steve Gibson [02:26:08]:
Yes, exactly.
Leo Laporte [02:26:10]:
Interesting.
Steve Gibson [02:26:10]:
So my point is, this is not the magnesium you want to take.
Leo Laporte [02:26:15]:
You want to absorb it.
Steve Gibson [02:26:16]:
Yes, yes. If you're interested in replenishing and increasing your body's magnesium levels. Now, there are many forms of magnesium. There's magnesium oxide, citrate, magnesium malate, taurate, orotate, L-threonate, and so on. All of these are simple salts of magnesium. And they all have their proponents.
Leo Laporte [02:26:42]:
They also all have, and probably meaninglessly on the label, different uses. Like L-threonate, it goes through the blood brain barrier.
Steve Gibson [02:26:50]:
Well, yes, it is. Magnesium L-threonate is unique in being able to cross the blood brain barrier.
Leo Laporte [02:26:57]:
Okay, okay, so that's not untrue. So. Okay, all right.
Steve Gibson [02:27:01]:
No, that, that is true. And, and so, you know, I guess they, and they all have various benefits, except probably magnesium oxide, which is just really a laxative. So as you experiment, you will find that magnesium in general has this effect.
Leo Laporte [02:27:20]:
That is, by the way, Epsom salts are magnesium sulfate. So we've been using it. This is an age old remedy, isn't it?
Steve Gibson [02:27:30]:
Yes.
Leo Laporte [02:27:30]:
Wow.
Steve Gibson [02:27:30]:
Yes.
Leo Laporte [02:27:31]:
Okay.
Steve Gibson [02:27:31]:
Yes. So. So magnesium is not harmful in any way.
Leo Laporte [02:27:38]:
Well, there must be a fatal dose. I mean, I'm sure.
Steve Gibson [02:27:42]:
Well, actually no, because the. You are unable to absorb more than your digestive tract will give you. Okay, so, so anyway. So oxide is, is the cheapest, but you don't want to use it. It's just basically a laxative. And as you experiment with it, you will find in general, magnesium has that effect.
Steve Gibson [02:28:04]:
It's not harmful in itself, which is why it was once used by the medical establishment as the standard means of preparing a patient for being scoped. Right, okay. But the key concept to understand is that the laxative effect induced by magnesium is a result of its non absorption into our bloodstream. It's the magnesium that remains behind that causes that effect. What happens is our intestines are induced to osmotically pull water into, into them by magnesium. So that's why that happens. It's not what we want for optimal health and certainly not for digestion. So the problem is that to varying degrees, all of those common simple salts of magnesium succumb to our stomach's acidic environment. Their molecules disassociate into their constituent atoms and then they suffer whatever fate awaits them.
Steve Gibson [02:29:06]:
The problem of effective dietary mineral supplementation absorption was finally solved by a company called Albion Minerals. Their nutritional chemists came up with a means of sneaking magnesium and other minerals, because actually they sell a huge amount of their bulk product in, in, into the veterinary and animal breeding markets, you know, where, where you need healthy animals. Their nutritional chemists, as I said, they figured out how to do this by, by sneaking the minerals into our intestines without being broken apart by stomach acid. The key, it turns out, is instead of creating a simple salt to carry the magnesium, bind it into a dipeptide. Now that sounds more complicated than it is. A dipeptide is just two amino acids. So there are two forms, two most common forms of magnesium that are highly successful and are worth taking. One is known as magnesium glycinate lysinate and the other is magnesium bisglycinate.
Steve Gibson [02:30:18]:
The first one, magnesium glycinate lysinate, consists of an atom of magnesium bound to the two amino acids glycine and lysine. Glycine is actually a very good choice. So since it's the smallest of all amino acids and also because glycine is another substance that most people could use a lot more of. The second form of magnesium, which is magnesium bisglycinate, is an atom of magnesium bound to a pair of glycine molecules. And this is handy since, as I said, being the smallest of all the aminos, there's a much higher percentage of elemental magnesium per milligram of, of the combined molecule. Okay, so the upshot of all of this is that either of these dipeptide forms of magnesium, and they're readily available, you know, at where, wherever you find supplements and, and, and minerals and so forth, they will strongly resist disassociation in our low pH stomach environment. They will be able to transport the magnesium through our stomach and cross our intestinal lining to carry it into our bloodstream where it can be used by our body. So I should note that unlike vitamin D and many other blood-borne substances whose levels can be checked with a blood test, there is no reliable blood test for magnesium because most of the magnesium that we have in our body is stored in our skeletal system where it is literally kept out of circulation.
Steve Gibson [02:31:52]:
So anyway, if you decide to get serious about magnesium, and I, I certainly have, the first thing I would recommend would be grabbing Carolyn's book or otherwise learn, you know, much more about it from what I. Than what I've just said here, because obtaining sufficient magnesium I believe is important. I only just barely touched on the importance of, of, you know, of this very much underappreciated and inexpensive mineral for both immediate and long-term health. Carolyn Dean and many others recommend that you experiment to find what's known as your either, sometimes they call it your bowel tolerance level or your gut tolerance level.
Leo Laporte [02:32:37]:
I think we know what that means.
Steve Gibson [02:32:39]:
Yes. That being the amount of magnesium you can consume in multiple divided daily doses. And you should divide them up, not take them all at once, where you begin to notice a laxative effect, and then back off from that until you are again comfortable. If you're taking one of the dipeptide forms, that should initially be a lot of magnesium. There was, I kid you not, Leo, during my early experimentation, a Christmas where I went up to visit my sister and her, her young kids at the time, where I was wearing a, some sort of a chronometer around my neck that beeped every hour and I would take a magnesium tablet.
Leo Laporte [02:33:24]:
Oh boy.
Steve Gibson [02:33:25]:
And, and my 7-year-old nephew said, mom, why is Uncle Steve crazy? Uncle Steve crazy, crazy Uncle Steve. Yeah. Anyway, what, what I noted is that like nine months later I could suddenly take less than I used to be able to. And my brother-in-law, who I, who I explained all this to and who also decided to get on the magnesium bandwagon, he reported the same thing. That is, you are replenishing your depleted body for quite some time, and once it becomes topped off you can't take as much as you were before because it won't get absorbed. So there's really that, I mean, you get some like real world evidence that you've just done something by, by taking a lot. And I also do know that my, my, my rate of occasional PVCs, preventricular contractions, you know, which is just a normal consequence that, that has, they used to be far higher than they are.
Leo Laporte [02:34:35]:
Now, is that when your heart skips a beat a little bit.
Steve Gibson [02:34:38]:
Exactly. Yeah, yeah, yeah. It's sort of a little double, you know, thumpa thumper and, and then there's a little bit of a pause and then, and then you go on.
Leo Laporte [02:34:46]:
So anyway, I, I may be doing it wrong because I take magnesium L threonate in the morning and I take magnesium citrate at lunch and I take some magnesium glass glycine at night to go to sleep.
Steve Gibson [02:35:00]:
I think that's good because they all.
Leo Laporte [02:35:03]:
They claim to have different properties. Right?
Steve Gibson [02:35:06]:
Yeah. I take, I am experimenting with L-threonate because of the promise of it crossing the blood-brain barrier.
Leo Laporte [02:35:14]:
Right. And that's a newer form.
Steve Gibson [02:35:15]:
Yeah, it's a newer form. It's more expensive because some, someone has a patent on it. So, so you're, you're paying some like some licensing fee. I, I just take.
Leo Laporte [02:35:26]:
I.
Steve Gibson [02:35:26]:
Because I'm taking what I was always taking, which is the, the Doctor's Best high absorption. Yes. Yeah. And I remember when I was telling, I was trying to turn my mom onto this, she said, honey, this is an SUV. She said, I can't take this. It's huge.
Leo Laporte [02:35:44]:
Oh, it is a big pill.
Steve Gibson [02:35:49]:
But that's one of the things you also get used to after a while is you know, swallowing a bunch of stuff. And frankly, can you have too much though?
Leo Laporte [02:35:57]:
Want to impede the digestion? Like I'm not going to get my nutrients.
Steve Gibson [02:36:01]:
No, it doesn't bind to anything else. So yeah, like, I mean I really liked taking Metamucil. I got into Metamucil in the mornings because I just liked, you know, sort of an orange tart, you know, psyllium fiber drink. But it turns out you can't do it anymore. You can't compare. Well, you can't combine it with supplements because the psyllium fiber, the reason it lowers your cholesterol is it binds tightly with cholesterol in your intestines and transports it out. It also binds tightly with all of the, the mineral, the, the, the supplements you might be taking.
Leo Laporte [02:36:37]:
So, so you know, it's. As you know, I'm on Ozempic and it's been a, a boon to me. I've lost weight and my blood sugar is normal now. And it's amazing. But one of the side effects is, because it slows the food moving through your stomach, that you feel bloated and you might be a little constipated because of it, or a lot, depending. You know, I thought I was supposed to do more fiber. That's actually contraindicated because it just ends up, your stomach's even fuller. And it turns out magnesium citrate is the, is the kind of recommended solution to that.
Leo Laporte [02:37:12]:
And that's been a.
Steve Gibson [02:37:12]:
Okay, really good. And the reason is that it's not as well absorbed. What I would do, what I do do, so to speak, is I, I, I, I, sorry, I couldn't resist. I, I just increase my, my consumption of glycinate lysinate because that has the same effect. You get to take more because it is much better absorbed. Citrate works at more.
Leo Laporte [02:37:39]:
It's not as well absorbed.
Steve Gibson [02:37:41]:
Yeah, because it's not as well absorbed. So the magnesium that stays behind is the, is the one that causes the mischief. But you want some mischief and I am getting just the right amount of mischief. I, I'm taking a full milligram which is to say 10 of those magnesium lysinate glycinates a day.
Leo Laporte [02:38:00]:
Okay.
Steve Gibson [02:38:01]:
Because each one has 100 milligrams. I'm sorry, a full gram. They each have 100 milligrams of elemental magnesium. So 10 of those is a full.
Leo Laporte [02:38:10]:
Most of it is not being absorbed. Right. So you take a lot because a lot of it is just going right.
Steve Gibson [02:38:14]:
Through you or No, a lot of it is being absorbed. But okay, but enough is not that it has that effect.
Leo Laporte [02:38:20]:
Okay.
Steve Gibson [02:38:21]:
And you can't overdose and I have, you can't. And I apologize to everyone for taking so much time. You might. The young kids are rolling their eyes going what the heck is he.
Leo Laporte [02:38:31]:
When you get to a certain age, children, right, you start to worry about these things. Let me just tell you, I can.
Steve Gibson [02:38:38]:
Say that I know that our, a huge body of our listeners find this really interesting and they like the fact that I bring science to, you know, to.
Leo Laporte [02:38:47]:
Yeah, we trust you not to be, you know, woo woo about this.
Steve Gibson [02:38:52]:
Well there, and what's fascinating is there are reasons this works. There's a reason that a dipeptide form is, is what you want. So.
Leo Laporte [02:39:00]:
Well, I have that doctor's best probably because of you. The glycine.
Steve Gibson [02:39:04]:
Yeah. So it is the one. You could just take more of that.
Leo Laporte [02:39:08]:
Take more of that.
Steve Gibson [02:39:09]:
You could just take more of that.
Leo Laporte [02:39:12]:
You know, one of the bad things about this as I try different supplements and so forth is I have a lot of bottles of supplements I no longer take. I don't know what to do with those. Yeah, I'll donate Goodwill. Been there.
Steve Gibson [02:39:25]:
Yeah.
Leo Laporte [02:39:28]:
Now I have a very large bottle of magnesium citrate. Anybody want it? Okay, yeah. Let's take a little break and we are going to talk about Mongo bleed. Mongo bleed.
Steve Gibson [02:39:38]:
Yeah, baby. And what I love about this is that everybody's going to understand the mistake. It's such a cool mistake.
Leo Laporte [02:39:45]:
MongoDB is everywhere. It's one of the most popular NoSQL databases out there. That's exactly what it is, all over the place. Yeah. So a bad flaw and it would be a bad problem. You're watching Security Now. We're glad you're here. Especially you Club Twit members.
Leo Laporte [02:40:01]:
We hope you will continue to support the show by going to Twitt TV Club Twit. Increasingly your support is what makes the difference to us. It's more than 25% of our operating costs now. That includes Steve. That includes keeping the lights on. Does not include me. It is really for doing our programming. You get a lot of benefits.
Leo Laporte [02:40:26]:
Ad free versions of the shows. You get access to the discord. You get special program you don't do anywhere else. You know, we've been doing this AI user group once a month. We just did it on Friday. It is incredible because we have some really smart AI users in our club. We talk about it. It's like the old school user group where we sit around and do little presentations for each other and talk about what we're doing.
Leo Laporte [02:40:50]:
Just one of the many reasons I think it's well worth your 10 bucks a month. Find out more. Twit TV slash Club Twit. Especially, a thanks to our existing club members. We really appreciate that. Going into 2026, your participation is absolutely vital to us. So thank you. All right. Mongo Bleed. You did not name this, I take it?
Steve Gibson [02:41:12]:
No, no. Although I like the name and we'll see why.
Leo Laporte [02:41:15]:
It's got a little blazing Blazing Saddles thing going on.
Steve Gibson [02:41:20]:
Well, remember there was Citrix Bleed and there was Heartbleed. That's the famous one. Actually, Heartbleed is where this got its name. So what is it? MongoDB, for those who don't know, is a source-available, this is what Wikipedia explains, source-available, cross-platform, document-oriented database program classified as a NoSQL database product, they write. MongoDB uses JSON-like documents with optional schemas. Released in February 2009 by 10gen, now MongoDB Inc., it supports features like sharding, replication and ACID transactions. From version 4.0 on, MongoDB Atlas,
Steve Gibson [02:42:09]:
its managed cloud service, operates on AWS, Google Cloud Platform and Microsoft Azure. Current versions are licensed under the Server Side Public License, the SSPL. MongoDB is a member of the MACH Alliance. They said as of May '25, MongoDB was the fifth most popular database software. It focuses mostly on managing large databases of unstructured, messy data. It's typically used for mobile and web apps that commonly use unstructured databases. As of 2024 there were 50,000 MongoDB customers. MongoDB was originally best known as a NoSQL database product.
Steve Gibson [02:42:55]:
The company released a database-as-a-service product called Atlas in 2016 that became 70% of MongoDB's revenue by 2024. Over time, MongoDB added analytics, transactional databases, encryption, vector databases, ACID transactions, migration features and other enterprise tools. Initially the MongoDB software was free and open source under the AGPL license. MongoDB adopted an SSPL license, Server Side Public License, for future releases starting in 2018. For those who are interested, I included a chart of the top five databases since I thought that our more DB-centric listeners might be curious about the industry's current database popularity lineup, which has MongoDB in fifth place. So Oracle is firmly in first place with a January '26 score, and wherever it was I found this, of 1237. MySQL is in second place at 867, Microsoft's SQL Server third place at 706, PostgreSQL at 666 and MongoDB in fifth place at 376. So if it's at 376 and Oracle in first place is at 1237, you know, it's about 1/4 of that popularity of Oracle, but still fifth place and 1/4 of the leading DB.
Steve Gibson [02:44:32]:
So that's a, that's a chunk of. To give us a quick snapshot of Mongo's history, because this ends up being relevant, they wrote: The American software company 10gen began developing MongoDB in 2007 as a component of a planned platform-as-a-service product. Two years later, in '09, the company shifted to an open source development model and began offering commercial support and other services. In 2013, 10gen changed its name to MongoDB Inc. On October 20, 2017, MongoDB became a publicly traded company listed on the NASDAQ as MDB with an IPO price of $24 per share. On November 8th, 2018, with a stable release, and this is important too, 4.0.4.
Steve Gibson [02:45:26]:
Okay. Back in 2018. Back in 2018, yeah. The software's license changed from AGPL 3.0 to SSPL on October 30th. This is basically Wikipedia, just reciting some facts, but the last one is really relevant. On October 30, 2019, MongoDB teamed with Alibaba Cloud to offer Alibaba Cloud customers a MongoDB-as-a-service solution. Customers can use the managed offering from Alibaba's global data centers. And the final item in Wikipedia's short summary of notable benchmarks through time: In December 2025, a major exploit was discovered entitled Mongo Bleed.
Steve Gibson [02:46:12]:
This exploit led to the compromising of many corporate servers. And of course it's that final bit of news which is the reason MongoDB is our main topic for this podcast of 20, because a major exploit it was and still is, since we know how slow software updating can be, especially those servers forgotten and left in, you know, in some closet gathering dust somewhere, but still being plugged into the Internet. I've assembled a story of what happened here starting in late December from several sources, but I've chosen this not only because this is a new, significant industry-wide mess, but also because the bug, as I've now noted several times, which is now more than 8 years old, that's important too, and is thus present in virtually all instances of MongoDB. It is in many ways a classic mistake. No deep voodoo is used. By the time we're finished here, I'm pretty certain that every one of our listeners will clearly understand what happened, along with how and why. So what's being called Mongo Bleed is officially CVE-2025-14847, the CVE assigned to this recently discovered vulnerability affecting all versions of MongoDB since version 3.6, which was first published on November 28th of 2017. So this encompasses a huge span of major and minor releases, all of them.
Steve Gibson [02:48:05]:
Essentially, it is a subtle bug which was introduced into version 3.6 a little over eight years ago, and it was not discovered until just over eight years later by the MongoDB people themselves internally, after everyone in the world had updated and upgraded to any of the past several years of releases. Meaning that all, I'm sure all MongoDB that is out in the world today incorporated this flaw, which was introduced at version 3.6. So now as for everyone in the world, how everyone is that the Internet scanning company Censys has identified on the order of 87,000 publicly reachable MongoDB instances. And that's of course the crucial bit of information, since it's those publicly accessible instances that the bad guys have access to, and access they have had. This is one of those inopportunely timed events which became public just before Christmas and was not the Christmas present many IT workers were hoping to unwrap. Exploitation of this long present vulnerability allows an unauthenticated, meaning anyone, attacker, which is, you know, again, as you know, unauthenticated attacker is now the fancy way the industry refers to anyone, to read memory from the database server's heap, meaning anything that was allocated to memory from previous database operations. It's only the fact that this is not directly a remote code execution vulnerability that rendered this a CVSS of 8.7 rather than 9.8 or 10.0, house on fire, so forth, you know. And it's because this vulnerability leaks database server memory that it has been named Mongo Bleed, which is meant of course to remind us of Heartbleed, which was a flaw discovered in OpenSSL's 1.0.1 implementation and leaked server memory through SSL connections.
Steve Gibson [02:50:33]:
Okay, so here comes the description of this exploit, which just ruined many Christmases after bad guys figured out that they could spend their Christmas vacation reading out a bunch of MongoDB server data from around 87,000 publicly available server instances. Okay, first of all, MongoDB uses its own TCP wire protocol, that, you know, protocol on the wire, you know, instead of, for example, something like HTTP. And that's not unusual for databases, especially when they are working to obtain the highest possible network performance. So a general, just generic raw TCP connection is established to the server's TCP port 27017. Now, as an aside, when I just asked ChatGPT which port MongoDB server uses, as I confessed earlier on this podcast, I, I've just asked ChatGPT things like this. I could have gone and looked, done a Google search and I could have found the information too. But I knew that ChatGPT would know. So I asked ChatGPT which port MongoDB server uses, and to that answer it told me it was 27017.
Steve Gibson [02:51:57]:
It added the note: exposing 27017 to the public Internet is strongly discouraged. It should be firewalled or bound to private interfaces only, right? So even this unconscious LLM knows better than some 87,000 server deployments.
Leo Laporte [02:52:26]:
You see? You see, deployers. Don't blame the AI. People are dumb all on their own.
Steve Gibson [02:52:34]:
Okay, so just to be clear, MongoDB itself probably never needs to be publicly exposed. It would normally be sitting behind a publicly exposed web app server of some kind, serving as that web app server's back end database. MongoDB itself really doesn't have any public exposure use cases. We've been talking a lot recently about the need to make these sorts of public exposure mistakes far, far more difficult to make. When I was swooning over Cisco's promises, I, a month or two back, it was because the noises Cisco was then making strongly suggested that this might have finally sunk in. We can only hope and pray. Anyway, so we connect with TCP to the server's port 27017. Mongo uses a binary variant of JSON called BSON, you know, binary object notation. So the request that's sent to the server contains one of these BSON messages, and for the sake of the speed of transmission, that request can optionally be compressed using zlib. Compression makes the message smaller, of course.
Steve Gibson [02:54:10]:
So one of the 32-bit values in the request's header at the front of the message, which specifies that this request has been compressed, indicates the original uncompressed, the decompressed size that the message would be, the way that what it originally would be, and what it would again be when decompressed by the receiving server. So this allows the receiving MongoDB server to request the allocation of a block of memory from the underlying, actually, it's the runtime, the C runtime, we'll get to that in a second, into which MongoDB will decompress the message. So an attacker creates and sends a server request which claims to contain far more data than it actually does. In response, the server allocates the requested memory. An attacker might claim, for example, that the uncompressed request will require 1 million bytes, 1 megabyte, when in fact it only needs 1K. The critical flaw is that once MongoDB has finished decompressing, it never checks the actual resulting size of the newly decompressed payload. It trusts the data the user provided, using that as the actual size of the payload.
Steve Gibson [02:55:51]:
Now, I need to stop here to hover over that phrase a bit longer. That phrase being "it trusts the data the user provided." If we were to produce a list of the root causes behind many of the worst flaws that have been found in software, trusting user provided input would definitely be right up there near the top, if not perhaps in first place, since even buffer overflows typically result from the similar mistake of trusting and using something that a malicious user deliberately provided. In this case, we have a deliberate buffer underflow that results entirely from trusting input from the user. Okay, so what's the big deal about allocating an oversized buffer that's not needed? In many contemporary languages, memory allocated from a program is cleared to zeros. It's initialized to zeros before it's returned for use by the caller who requested an allocation of memory. But malloc, the memory allocation function used by C and C++, does not bother doing so. This is part of the trusting, performance oriented but dangerous legacy of C.
Steve Gibson [02:57:20]:
Since zeroing RAM takes time and blows the processor's cache, C deliberately returns uninitialized memory. And wouldn't you know, MongoDB is written in C. The result of the bug is that multiple megabytes of the server's raw internal data can be exfiltrated to the attacker. This data might, and often does, contain clear text passwords and credentials, session tokens, API keys, customer data, database configurations, system info, Docker paths and client IP addresses, and so on. In short, all of the internal operations of the server that would otherwise never be made available to anyone, whether they had authenticated and were a legitimate user or not. So to sum this up, an attacker sends an otherwise valid MongoDB message which indicates that it employs compression, but that compressed message is deliberately manipulated to specify a hugely exaggerated claim about the message's uncompressed size. Since the server has no way to know in advance, MongoDB obtains a large and uninitialized buffer from the C runtime based upon the attacker's message's claimed need. MongoDB's built-in zlib decompresses the much smaller compressed data into just the front of the huge decompression buffer, thus avoiding overwriting the mother lode of data that's already sitting there in that buffer.
Steve Gibson [02:59:10]:
Subsequent commands then instruct the database server to return to this attacker what it believes is the user's provided data, even though it's actually megabytes of whatever data had been previously used and left behind by previous database operations and internal workings of any kind. It's obvious now why this critical flaw was named Mongo Bleed, right? And also why it was given a CVSS of 8.7, although it doesn't allow a remote attacker to execute their own code on the server. It's a data exfiltration flaw of the highest order. That's just about as bad as it gets. Proof of concept code has been published on GitHub and the flaw is trivial to exploit. There's nothing like, you know, it only works less than one time in 1000, and only when your code wins some slippery internal race condition or something. No, this one is extremely straightforward. It obeys simple rules. The attacker receives much more than a tiny trickle of data, you know, over time without raising any alarms, without crashing the server or otherwise calling any attention to itself.
Steve Gibson [03:00:34]:
The abuse of this long standing vulnerability that's been present in every version of MongoDB published in the last eight years allows remote bad guys to freely rummage around inside the more than 87,000 currently online and publicly exposed instances of MongoDB. They're able to keep sucking out and examining megabytes of a server's data that is assumed to be utterly private internal working data, and which might therefore, and does, it turns out, often contain very juicy information. It's always fun to see Kevin Beaumont's take on these things. On December 16th, day after Christmas, Kevin posted: Somebody from Elastic Security decided to post an exploit for CVE-2025-14847 on Christmas Day. The vuln, which dropped just before Christmas, in theory allowed memory read without authentication. Patches are available. It impacts every version of MongoDB going back about a decade. Another vendor decided it would be a great idea to post technical details on Christmas Eve, and he has a link to an OX Security blog.
Steve Gibson [03:01:59]:
He said the exploit dropped yesterday and is the first public exploit. It's dubbed Mongo Bleed. I validated that said exploit is real. You can just supply an IP address of a MongoDB instance and it'll start ferreting out in memory things such as database passwords which are plain text, AWS, secret keys, etc. The exploit specifically looks for those class of credentials and secrets as well. The Internet footprint of MongoDB is very large, over 200,000 instances. Because of how simple this is now to exploit, the bar is removed. Expect high likelihood of mass exploitation and related security incidents.
Steve Gibson [03:02:53]:
The exploit author has provided no details on how to detect exploitation in logs via products like Elastic. Advice would be to keep calm and patch Internet-facing assets. So now we know all about this mess. And Kevin's ending advice to keep calm and patch Internet-facing assets reminded me of something Leo and I talked about long ago. We made the observation many times, in fact, that once a user's system had been infected by something, anything, it was never really again possible to trust it. How could anyone ever know with 100% assurance that every last bit of an infection had been removed? And what about whether an infection might have spread over the local network to infect other assets? In short, it's a real mess. We've also seen instances where huge problems resulted when companies did not take prior intrusions seriously enough. The advice is always to, you know, rotate all credentials which may have had any chance of being exposed, meaning invalidate any long term authentication tokens, change all passwords, and so on.
Steve Gibson [03:04:21]:
But as I said, we keep seeing instances where companies, for one reason or another, you know what? Oversight, laziness, lack of belief that it was really necessary, who knows. But for whatever reason they failed to adequately and fully remediate the consequences of a breach, only to suffer again, often even worse. So now consider the plight of corporate users of publicly exposed MongoDB servers. You're told that for the past eight years, the database server you've been relying upon has contained a flaw that allows for effectively unfettered mass exfiltration of your server's internal working memory, which contains myriad private credentials, past database search results and essentially any and all proprietary information to which that server may have had internal access, or may have been storing and retrieving over time. To call this a mess is truly an understatement. And this mess is now squarely in the laps of every enterprise that was using a publicly exposed MongoDB server. My question is, why was even a single instance of MongoDB publicly exposed? I'm sitting here right now as I talk to Leo and our audience in Southern California. From my location here, I have access to any and all of those 87,000 some instances of MongoDB.
Steve Gibson [03:06:11]:
Why? Why do I have access? Why can I send out a TCP SYN packet to port 27017 to any of those 87,000 IPs and promptly receive a TCP SYN/ACK packet inviting me to complete the TCP handshake connection? Why? I have no need to ever do so. Whoever runs that MongoDB instance certainly doesn't want or expect me sitting here in Southern California to be able to connect to their database server. But I can. Why? By now, I hope that everyone in this podcast's audience understands not only that this is wrong, but just how wrong it is. If I were to confront whomever it was who set up any given instance among those 87,000, that IT person would probably respond, well, we've password protected access to our database and you can't do anything without that. Oh yeah, Mongo Bleed, baby. No authentication needed. The decompression of the message is pre-authentication and never requires any form of authentication for its exploitation.
Steve Gibson [03:07:46]:
One of the refrains everyone listening to this podcast has been hearing from me beginning last year, when it finally so clearly crystallized after we all witnessed mistake after mistake after mistake, which all carried the same pattern. This pattern, which is that authentication does not work. Now the world depends upon and turns on the strength of authentication. So I obviously don't mean that it can't work. What I mean is that it cannot be absolutely depended upon to work. In my hypothetical conversation with that MongoDB IT person, their defense of their database's utterly unnecessary public exposure was that I didn't know the secret handshake, so they didn't feel the need to take every possible precaution. The massive sweep of today's Mongo Bleed vulnerability is the direct consequence of that wrong way of thinking. That way of thinking is obviously defective and wrong.
Steve Gibson [03:08:56]:
Sitting here in Southern California, I have no need to be able to connect to any of those 87,000 MongoDB servers, even if only to test the strength of their authentication. I should not be allowed to do that, but I can. And that's on them. That's on each and every one of them individually. This erroneous reliance upon remote authentication, which we keep seeing over and over, does not work. It's perhaps the single most important thing that has to change in today's Internet networked world. And what's most galling is that it's not about flaws or mistakes. Right? It's entirely about policy and caring.
Steve Gibson [03:09:46]:
If we cared to, we could fix it.
Leo Laporte [03:09:50]:
Bravo, Steve. Good. Good to know. It's amazing that 80,000 plus people ignore the instructions and just do it.
Steve Gibson [03:10:02]:
I, I, I, I would love to be a fly on the wall to know how. What were they thinking? How did that happen? I mean, it must be that it's.
Leo Laporte [03:10:11]:
Like, well, we have a password maybe, or they not.
Steve Gibson [03:10:15]:
Right.
Leo Laporte [03:10:15]:
But it's not public by default. Right? So they'd have to explicitly say open up this port and make it available.
Steve Gibson [03:10:23]:
It's just like whatever that server was we talked about a couple weeks ago, I mean, it says right there in the docs, do not bind this to a publicly facing interface.
Leo Laporte [03:10:35]:
Right. It's kind of amazing. It's not how you would normally set up a database like this. You'd have. The CMS would access the database and.
Steve Gibson [03:10:48]:
Exactly, yes.
Leo Laporte [03:10:49]:
So it's a weird way to do it.
Steve Gibson [03:10:52]:
Why can I access their database? I have no need or purpose. I shouldn't be able to even see it. I shouldn't know that it exists. It ought to be on their LAN.
Leo Laporte [03:11:04]:
It's bizarre that so many people have done that on purpose.
Steve Gibson [03:11:08]:
Well, and Leo, these are the problems we have, not the lifetime of certificates.
Leo Laporte [03:11:14]:
Right?
Steve Gibson [03:11:15]:
That's what's so maddening.
Leo Laporte [03:11:21]:
Okay, well, you've been warned. I mean, probably there are a few people listening to the show who are going, oh yeah, maybe I better go fix that.
Steve Gibson [03:11:31]:
Oh, and after you fix it, watch the Lazarus Project on Netflix. Oh boy, it is so good, Leo, you will be immediately hooked.
Leo Laporte [03:11:42]:
Aren't you glad you listen to the show? Everybody, Steve Gibson's at grc.com, the Gibson Research Corporation. It's a website. It's like Stranger Things. It's a throwback to the 60s or the 80s or something, but it's got it all there. Everything you'd ever want to see and know. You've got, of course, many of Steve's software projects, including his bread and butter, which is SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. But there's also the now DNS Benchmark Pro there. And there's a ton of free stuff too.
Leo Laporte [03:12:16]:
And most of what Steve does, he just gives away. You'll find that at grc.com. If you want to contact Steve, I still get to this day email saying, can you send this to Steve? No, you go to grc.com/email, you put in your email address. Steve in his magic way will validate that it's not some spammer or weirdo, that it's you. And now you're going to be whitelisted. You can email him directly, but there's.
Steve Gibson [03:12:41]:
Also securitynow@grc.com. Yeah, it's very simple but.
Leo Laporte [03:12:46]:
But don't send it unless you do that because you'll just bounce, right? Yep. There are two newsletters that Steve offers. They're unchecked by default, but if you check them you'll get the weekly show notes, 22 pages of goodness with pictures and everything. Usually it's even more. You'll also get announcements of new software and so forth. Did you ever send out an email for DNS Benchmark Pro?
Steve Gibson [03:13:11]:
Haven't yet. Because I mentioned earlier that I have a surprise and I forgot to mention that everybody who has purchased it and will purchase it gets the surprise. That's the nice thing about today's deployment model is that there's no need to wait and you get it immediately. So yeah, I'm waiting until I, I'm waiting until it gets a little more stable in, in terms of like I've run, I'm just, I'm added. I've added some things that are so cool.
Leo Laporte [03:13:38]:
This is what's unique about Steve. He's. He's actually reluctant to send out the email. So that's why you should sign up. Sign up at grc.com/email. He also has copies of the show there. He has. All of his copies are unique to GRC.com. He's got a 16 kilobit audio version for the bandwidth impaired. He's got a 64 kilobit which sounds great, but it's still smaller than the one we offer.
Leo Laporte [03:14:00]:
He also has the show notes for download, if you want to do that. He has transcripts a few days after the show. Elaine Farris is probably already madly typing away and she'll have that transcript available for you in a couple of days. So you can read along while you listen or use it to search. It's very handy. I did a little search for the.
Leo Laporte [03:14:17]:
For instance, PayPal Football immediately found the episode. I was sad though, because it wasn't a video episode, it was an audio. So I can't show us holding up the football and showing everybody the PayPal football. But we interviewed the somebody from PayPal who had created it. We actually interviewed, I think it was.
Steve Gibson [03:14:33]:
They were from Verisign or Verisign.
Leo Laporte [03:14:35]:
They created it for PayPal. That's right.
Steve Gibson [03:14:36]:
Right, yeah.
Leo Laporte [03:14:37]:
Verisign actually offers a key, or did. Nobody needs it now. You've got it on your phone. Same thing. Yeah. So that's all GRC.com. We have the show as well on our website, twit.tv/sn. There is a YouTube channel dedicated to Security Now and I would refer you to that if you want to share anything from the show. Sharing clips in the show is really easy on YouTube.
Leo Laporte [03:14:59]:
Everybody can see it. It's very easy for you to clip it. There's a dedicated channel for it. And of course, the best way to get it is to subscribe in your favorite podcast client and you'll get it automatically. You could choose audio or video. We have on our website the 128 kilobit audio and the video. That's our unique version of the show. We do Security Now on a Tuesday right after MacBreak Weekly.
Leo Laporte [03:15:23]:
That's about 13:30 Pacific Time. 17:30 or no, actually it's. Yeah, that's right. No, 16:30. Sorry, three hours 16:30 East Coast Time. And it's 19. No, 21:30 UTC. So if you want to watch the show live, you can.
Leo Laporte [03:15:43]:
You don't need to, obviously, it's a podcast, but if you do want to get the freshest version, you can watch on YouTube, TikTok, X.com (not Tick Tock), Facebook, LinkedIn, Kick or Facebook. Anyway, oh, Twitch, I forgot Twitch. Twitch.tv. You can also watch if you're in the club, on the Club TWiT Discord. So that makes seven places you can watch the show live if you should choose to do so. Well, now I've run out of all the things I need to say. I just want to say thank you, Steve, as always, for an amazing show and we will see you right here next week on Security Now.
Steve Gibson [03:16:21]:
Rado.
Leo Laporte [03:16:25]:
Security Now.