Security Now 1085 transcript

Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.

 

Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. We have lots to talk about. Good news for Windows 10 users. Yes, you're going to get another year. Meta's backed off on spying on its employees. A wonderful true story about hacker Kevin, the late hacker Kevin Mitnick. And the true story of a fortnet campaign that really was a problem.

Leo Laporte [00:00:25]:
Steve, I love it when he tells the stories of these hacks. You know, we've heard the news, but now we get the deep details. That's coming up next. Security Now

Steve Gibson [00:00:35]:
podcasts you love from people you trust.

Leo Laporte [00:00:39]:
This is TWiT. This is Security Now with Steve Gibson. Episode 1085, recorded Tuesday, June 30, 2026. A SOTA State-Sponsored Campaign. Yes, it's Tuesday. You know what that means. Time for Security Now. Man.

Leo Laporte [00:01:02]:
It seems like seven days is too long to wait for Steve Gibson and the latest security news. Hi Steve.

Steve Gibson [00:01:07]:
I do see things pass by during the week, Leo and I think okay, and, and I often will jot a note to make sure that I come back to it and, and, and, and talk about it and the feedback I'm getting from our listeners today. There was so much to talk about that I think there are a couple listener inspired things. But I'm going to try to spend more time on feedback if I can because it's so great and I really thank everybody for. Yeah, for giving back to us.

Leo Laporte [00:01:34]:
Yeah.

Steve Gibson [00:01:35]:
The. The title of today's podcast would have been too long had I spelled out State of the Art because I wanted to talk about a state of the art state sponsored campaign which we're going to take a look at. Fortunately, State of the Art has a standard abbreviation, SOTA, S-O-T-A, and then it was interest is after I had used that abbreviation it was, it appeared in some, in one of the articles that we're going to talk about. So I thought okay, yeah, everybody's on board with SOTA. So Security Now, episode 1085 for this last day of June 2026. We start on into on July tomorrow. The. The first thing we're going to talk about is how Windows 10.

Steve Gibson [00:02:28]:
Yes, 10. Its enduring popularity has forced Microsoft to punt once again. Yeah. And give everybody another year of free updates.

Leo Laporte [00:02:42]:
Wow.

Steve Gibson [00:02:43]:
You know we, it. It had to happen. We're also going to talk about CISA directing all federal agencies to update their UniFi OS devices. We've been talking now for the last two weeks about the expected problems coming. And they came. And so CISA said thou shalt update. Also once again on a Friday an edict was delivered from CISA, giving basically federal agencies the weekend, meaning, you know, don't leave the office to update all of their Cisco devices that were affected by a different badly exploited problem. Australia is, has been disturbed, so says their inspector general, by a deeply compromised infrastructure provider.

Steve Gibson [00:03:35]:
And when I read about this, I thought, well, that sounds like this state of the art, state sponsored campaign we're going to be talking about. So it may have, you know, already come around. OpenAI, not to be left behind for long, has introduced a Daybreak-powered Patch the Planet initiative. Their marketing people at least are awake. We're going to talk about that. Meta's employee monitoring all of their employees, or at least a subset. We'll look at that for AI training turns out to have backfired badly. It was one of those, you know, what could possibly go wrong? And it did.

Steve Gibson [00:04:21]:
Script kiddies are figuring out how to use AI defined vulnerabilities. What are the consequences? AI is improving itself with a new term. We're seeing looping, repeating or iterating. What's that about?

Leo Laporte [00:04:36]:
Oh yeah, everybody's talking to looping now.

Steve Gibson [00:04:39]:
Looping is the new buzz. Exactly. And I've got a wonderful story I want to share about a friend of ours, Leo, Kevin Mitnick. And then serious hackers mistakenly leave another server directory accessible, which is what leads us to learning about this Russian based state sponsored campaign and which also bring, you know, begs the question, how many other campaigns are there where the directory was not left open by mistake, which allowed us to learn about them. So lots of fun stuff to talk about. We've got one of our "what are they thinking" Pictures of the Week. So yeah, I think a fun podcast for this end of June.

Leo Laporte [00:05:28]:
All right, I have a picture of the week and I'm willing to look at it together with you. I haven't seen it yet.

Steve Gibson [00:05:33]:
One of our German listeners sent this to me, ran across this and took a picture of it and I looked at it and we. And he had some discussion in his email about it. I gave this the caption, how to create a dead end for cyclists.

Leo Laporte [00:05:57]:
I don't even understand what this is.

Steve Gibson [00:05:59]:
And it's the oddest thing because so, so the, the we we see in the foreground a road which apparently is cyclist friendly. It's like, come on guys, ride your bicycles down here. Then that would be this bike path that's right there. And it's like a bike path, but. And there's a big like a cycle sign over on the right to let you know, hey, here's where you should be riding your bikes. That's good. Yeah. But then it, it veers off to the edge of the road, forcing any cyclist onto some little brick paver area which then has another sign in the middle of the, at the end of the brick pavers says end.

Leo Laporte [00:06:47]:
So that's it, it's done.

Steve Gibson [00:06:50]:
Yeah. So I guess that's the deceleration lane or something on. I mean, so clearly crazy. For whatever reason, bicyclists are not welcome down that road any further. And if you're a law, if you're a sign follower, well, you'll veer off and come to the brick pavers and then hit the end of the cycling road. Now it's also, there are not a lot of cyclists that have been captured by that. I mean, I don't see any.

Leo Laporte [00:07:21]:
So it's right at the same place as you're leaving town. So obviously the town loves cyclists, but the rest of them, you know, never mind. Yeah about it, just drive.

Steve Gibson [00:07:32]:
So where are you? Where are the cyclists that have been captured by this? It's not clear where, where, where they go.

Leo Laporte [00:07:41]:
Wow, that is pretty hostile actually.

Steve Gibson [00:07:44]:
But when you think about it, it's like, okay, sorry, you know, go, go drive off the road and come, come to a stop because you cannot go further if you know, if you obey the signage. So dead end for cyclists. Yeah. Okay. So it's gratifying to see a prediction about something that really should be done come true. Sadly, gratifying or not, that doesn't happen often enough. Our listeners all know how disgusted I've been with Microsoft's continuing attempts to squeeze their Windows 10 users into moving to Windows 11. Many, and for quite some time, most current Windows 10 users evidenced just as little desire to do that as once upon a time Windows 7 users wanted to move to Windows 8.

Steve Gibson [00:08:44]:
It was thanks, but no thanks. Everything is working fine. Like Windows 7. Just want to stay here. Windows 8 is stinky. So anyway, as we also know, Microsoft arbitrarily, capriciously and unnecessarily raised the minimum hardware requirements for Windows 11 in a transparent effort to force the purchase of new and now onerously expensive PCs. We know it was arbitrary, capricious and unnecessary because Windows 11 runs quite well without complaint on PC hardware that lacks every one of those newly imposed so called requirements. They can all be bypassed because none of them are actually required.

Steve Gibson [00:09:32]:
Against this backdrop, in the summer of 2025, which actually June 24th to be exact, Microsoft reminded everyone that all support for Windows 10 would be ending a few months from then on October 14, 2025. There's only one problem with that: still no one wanted Windows 11, and nearly everyone was still quite happily using Windows 10. So as we covered at the time, Microsoft blinked and gave everyone an additional full year of ESU, their extended service updates. And this is quoting them, "in order to give everyone more time to migrate to Windows 11," unquote, they said, or apparently quite often to give everyone more time to save up the money needed to purchase a new PC when the one they currently had was running Windows 10 just fine, not having any problems. So this allowed everyone to remain on the ESU plan until October 12, which is approaching of 2026 later this year. So we're back to beating this poor and quite dead horse, because time flies and we're once again here at the end of June, and still, despite reluctantly returning feature after feature, we hear from Paul and Richard every week, like, oh, Windows 11 got this feature of Windows 10 that had been taken away. Oh, and it got this feature of Windows 10 that had been taken away and they rewrote this UI because it was really slow in Windows 11. And now it's fast again. Anyway, even after reverting some of the incredibly inefficient user interface implementations that had been largely responsible for Windows 11's poor performance, no one still wants Windows 11.

Steve Gibson [00:11:32]:
And I mean, there are people who like it. You know, I had to be using it toward the end of the work on SpinRite and also on the DNS benchmark so that I knew what was going on. So. But you know, it's pretty, the corners are rounded, but I'll be setting up a new system with Windows 10 because all the evidence I've seen on the Internet says that 10 runs, given the same hardware, much more quickly than Windows 11, and 11 has nothing that I need. So anyway, on top of all that, thanks to the AI drama that has swept the globe, that new Windows 11 capable PC that Microsoft seems to be pushing everyone toward will now be significantly more expensive to purchase today than it would have even a year ago when people said, no thanks, Windows 10 is running just fine. So anyway, you can guess now, as I said at the top of the show, what Windows just did. Yep. Or Microsoft just did.

Steve Gibson [00:12:38]:
Yep, they blinked again. They once again extended the Win 10 ESU program for another year until October 12, 2027. So everyone using Windows 10 gets to keep using the Windows they love on the machines they already have. And what's even better is that the continuation of the ESU program means that Windows 10 can and will be the recipient of the results of Microsoft's still unnamed, I would at this point say stubbornly unnamed codename EM dash system, which will be cleaning up the mess that was left behind by decades of Microsoft's previous human developers. So what Windows 10 is getting, when you think about it, is really the best of all possible worlds. Since all development on Windows 10 has blessedly been halted years ago, Microsoft will no longer be introducing more new bugs than they remove every month. Instead, the extension of the ESU program for another year will give their new AI model driven bug discovery and removal system the time it requires to remove the thousands of latent bugs Windows still carries. Thus turning windows 10 into a near perfect operating system like forever.

Steve Gibson [00:14:13]:
Thank you Microsoft. So, given where we are today, I'll make another prediction. Given that the current RAM and semiconductor chip shortage is now expected to endure into 2028, they're not expecting it to resolve this year or next. This is likely to hold PC prices high since the recent performance improvements in Windows 11 are finally beginning to allow it to run as well as Windows 10 always has on the same hardware. And since it has always been able to run on that same hardware, I predict we're going to see some form of junior 11 which will for face saving reasons strip out some features, maybe, hopefully, Recall and some of the Copilot Plus AI crap. That'd be great. And it will therefore, surprise, be able to run anywhere Windows 10 can. Which will mean that, you know, this will ultimately be the only way for Microsoft to move the remainder of their holdout Windows 10 users over to 11.

Steve Gibson [00:15:33]:
It'll cost no one anything. It will get everyone back under the same code base, which actually and understandably is where Microsoft really does need to get them in the long run. I wouldn't expect Microsoft to continue supporting Windows 11. I mean, sorry, Windows 10 forever, but if we get another year of ESUs, people who really want to stay with Windows 10 that they have on their machine will be able to, and people who want to move to Windows 11. I will be very surprised if we don't have some final capitulation from Microsoft in the form of some junior 11. You know, they can't have everything that they keep saying you need new hardware for something that will allow 11 to run on existing systems with TPM, you know, 1.1 without some of the other unnecessary features that Microsoft is requiring systems to have. And then they can get everybody under a single code base. I get it that they really do need everybody to be resynchronized the good news is we'll probably be left with a Windows 11 which is really good and can hold us for, you know, quite a while.

Steve Gibson [00:16:55]:
So. Yay.

Leo Laporte [00:16:57]:
Actually, Windows 12 is just around the corner. Aren't you excited?

Steve Gibson [00:17:00]:
Oh, God,

Leo Laporte [00:17:06]:
I'm sorry.

Steve Gibson [00:17:07]:
Unbelievable. Maybe. Maybe they'll.

Leo Laporte [00:17:10]:
Who.

Steve Gibson [00:17:11]:
Who knows what they're going to do? But I mean, clearly ten refuses to let go, right? I mean, they're just, you know, people don't want to spend more money. Especially now. Leo.

Leo Laporte [00:17:22]:
Well, that's what's going on. Exactly. RAM is so expensive, nobody's upgrading their computers anymore.

Steve Gibson [00:17:27]:
Yeah. And so it's unfair to ask people to like, get more RAM and a new machine for no. No real reason.

Leo Laporte [00:17:36]:
Exactly.

Steve Gibson [00:17:37]:
They're going to have to face that sooner or later. So, a quick follow up on the state of the recent Ubiquiti flaws since CISA has seen hackers actively exploiting those three flaws in Ubiquiti's UniFi OS. Last Wednesday, CISA gave all federal agencies three days to apply the available security updates or their recommended mitigations. If for some reason you can't supply the updates, the three Ubiquiti flaws have been added to CISA's KEV. That's that KEV, the Known Exploited Vulnerabilities database. There's 34908, which is an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system by potentially leading to full system compromise. And when, you know, we know when. When they say potentially leading to it means, you know, yes, you get to do that.

Steve Gibson [00:18:43]:
33,4909 is, once again, a directory path traversal vulnerability which we never seem to be able to get rid of. All those that allows an attacker to access sensitive files on the underlying operating system, potentially exposing configuration files, credentials and other sensitive data that could facilitate account takeover. And 3, 4, 9, 10, an improper input validation flaw that enables an attacker to inject and execute arbitrary operating system commands, potentially leading to remote code execution. I mean, basically this is a perfect trio of flaws that, I mean, you couldn't get a better set of three if you want something that allows you to remotely take over a system of any sort. So as we know, Ubiquiti released updates for all three of those vulnerabilities back in May, and Leo's UniFi OS instances, which were all set to auto update, all did. So Leo, you were never in any danger. Hopefully everybody else has done this too. What's changed is that the pace of attacks following their disclosure and or the reverse engineering of updates necessitates taking the human out of the update decision loop.

Steve Gibson [00:20:13]:
Just let automation handle that. Might it screw up? That's a possibility. But the incidences of such screw ups have always been rare and we can expect them to become more rare as more of our infrastructure becomes secured. So you know, there, there's no piece of Internet facing system today that I don't have that is, that has some potential vulnerability that I don't allow to update themselves if the manufacturer says oh crap, we got to you know, push this out right now. Now that CISA announcement was on a Wednesday. So those people had Wednesday, Thursday, Friday. Last Friday we learned that those three-day CISA BODs, that, that Binding Operational Directive, you know, thou must update notices. They also include the weekend.

Steve Gibson [00:21:10]:
As it turns out it's not three business days, it's three calendars. Yeah, three calendar days. CISA issued a directive Friday giving federal agencies until Sunday night to patch. You know, come to think of it, might be that patching over a weekend, it would actually be easier, right. Since the network would presumably be much quieter with fewer if any people disturbed by an update and maybe a necessary reboot of the system. I did see something that I've never mentioned because it just kind of flipped by a few weeks ago. It was a mention that the idea of the necessity to reboot is being rethunk by the industry because it's understood that the need to take down a piece of border equipment, and after all it's the equipment on the border that is the stuff that's under attack. Right. The need to basically shut down the network during what could be a lengthy update and reboot is a reason that it doesn't.

Steve Gibson [00:22:29]:
So who says you have to reboot a system? I mean we have seen Microsoft beginning to inch toward some no reboot needed updates. And all of this necessity, this whole idea of needing to boot a fixed piece of firmware, it's only legacy. I mean really you don't have to reboot. No, there, there is, there's no reason that a system could not have been structured so that you could have two instances, for example, of a library and, and briefly switch the pointers from the old one to the new one so that basically no one would even notice that you are now operating under the new library. So this whole concept of needing to take the whole system offline and then bring it back up again, that's really old school. And so I think what we're going to begin to see is a, and what a selling point, right? I mean if you had, you know, three pieces of equipment you were choosing among, you know, Juniper and F5 and Palo Alto Networks and Juniper was able to say hey we have zero reboot updates. You're able. We will update your system with no downtime.

Steve Gibson [00:23:58]:
And the other two guys didn't have that. Well, that's a selling point. So you can imagine we're going to be seeing that in the future.

Leo Laporte [00:24:07]:
I would love that. I didn't realize it wasn't possible.

Steve Gibson [00:24:11]:
Yeah, definitely is possible. There's, there's no reason.

Leo Laporte [00:24:14]:
Well, that'd be true of operating systems of all kinds, right? Windows, Linux, every.

Steve Gibson [00:24:19]:
And look at the, the, the 0patch guys, they do zero reboot patching on the fly. So definitely something that could be done. So the story behind in this case this, this single high severity flaw which was where on Friday, on last Friday, CISA said everybody, every federal agency must have updated by Sunday night. So as of yesterday all federal agencies need to have updated this Cisco deal. This was a server side request forgery. The CVE is 2002 30. It was discovered in Cisco's Unified Communications Manager server. They released security updates to address the flaw three weeks earlier on June 3rd.

Steve Gibson [00:25:14]:
And at the time they warned because they knew that exploitation could give attackers root privileges on the device. They wrote, quote, a vulnerability in Cisco Unified Communications Manager, the Unified CM they call it, and also Cisco Unified Communications Manager Session Management Edition, which of course is Unified CM SME, could allow an unauthenticated, meaning no, no credentials, remote attacker to conduct server side request forgery, you know, SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could later be used to elevate to root. So that was then June 3rd when they announced the update and offered patches and, and said this is important critical do it. Three weeks later that vulnerability is now being actively exploited. Three weeks.

Steve Gibson [00:26:40]:
So this is not even a, a monthly patch cycle deal. This is, you know, you need to do this if you want to keep bad guys out of your systems. And we know that Cisco has had a legendary problem of, of keeping bad guys out. So that's not a lot of time. On the other hand it did take three weeks. So hopefully whoever's in charge of updating today, here we are middle of 2026, did not wait until CISA gave them no choice with their binding operational directive. Since in this case CISA's BOD was issued several days after attacks had been detected in the wild. Because after all KEV is known exploited vulnerabilities.

Steve Gibson [00:27:35]:
So it's clear that CISA has seen the light regarding the need for speed in responses to these. Remember that, that, that flowchart, that, that, that, that tree, the decision tree chart that we looked at last week had, you know, it had many of the leafs of that tree demonstrated that they get it because there were three days to patch response times on many of those decision endpoints. So I, I, more than anything I really do hope that the world that the, that the word is filtering out, that everything we have known, and this is the problem, you know, institutional inertia and just conceptual inertia, historical inertia. Everything we have known about the dynamics of vulnerabilities, exploitation, attacks and patching has been thrown up in the air. It's, it's unclear when or how it's going to settle down. But what is clear is that nothing will be as it has been before. AI has changed all that. You know, I'm seeing many predictions in around, you know, through the industry, in the press, the popular press, the tech press of a coming onslaught of massive AI driven cyber attacks.

Steve Gibson [00:29:00]:
And as, as I've said also it seems to me that's less likely. I, I, I guess I would say massive AI driven cyber vulnerabilities. But vulnerabilities are different than attacks, right? Because it's unclear to me how attacks make money. Not like broad, huge, hundreds of millions of users affected. You know, cryptocurrency money is entirely the name of the game. What I expect to be more likely is many more successful network penetrations followed by extortion. And the bad guys are increasingly likely to attack those enterprises, as we've seen, that really must protect their exfiltrated data. You know, a couple weeks ago we saw that law, that large law firm, that report you know made out was it a $2 million ransom payout which was 1% of their annual take of 200 million, which payout was defensible and sane because the cost to them in reputation and client lawsuit damage of not paying the ransom and hoping that their data isn't leaked would just be too great.

Steve Gibson [00:30:22]:
So the problem with changing updating habits is, as I said, this great, the great weight of institution, institutional inertia. The hope is that the AI attack hysteria, which I think is what it is, which I doubt will Materialize may be what the IT department actually needs. They need the hysteria in order to obtain the resources they require to be able to update with, you know, much more speed, much more nimbly. So we can hope that that's the way. That's the shape this takes, that, you know, the boss hears that, oh my God, the AI is coming to get them. So when IT guys say, hey, we need a couple more people who, whose job it is to do nothing except to keep all of our equipment updated so we're not attacked by the coming AI tsunami, the boss is going to say, okay, yeah, go get them. Instead of saying, you know, oh, I don't know, can't you have Mo just do that too? Mo's already overworked, Leo.

Leo Laporte [00:31:26]:
Mo is. Mo's a busy guy. Especially on weekends, apparently. So. I'm still puzzled. I think you. If you're gonna modify the kernel code, I think you'd have to reboot. No.

Leo Laporte [00:31:39]:
Would you do it without restarting the machine? You.

Steve Gibson [00:31:43]:
You just have to have the. In a, in a. You have. Okay, so a kernel is normally a bunch of libraries. I mean, there's a microkernel and then a whole bunch of kernel drivers.

Leo Laporte [00:31:57]:
Right. Well, I can see you could modify kernel drivers without rebooting.

Steve Gibson [00:32:02]:
And in a microkernel, so you may have the memory management API. So the only thing you need is for there to be a moment when no threads are in the memory management API and you can just switch to newer code that runs the same API and now some use after free vulnerability is gone that the previous code has. So. So, you know, at. At. I guess. I guess for me, I see it so clearly because this is where I program is in assembly.

Leo Laporte [00:32:41]:
You're in the. You're in the kernel.

Steve Gibson [00:32:42]:
Yeah, it's where that is all happening. But, but there, There really isn't anything that precludes an on the fly switch out of old code for new.

Leo Laporte [00:32:57]:
So you got a microkernel running right now and you would just say, okay, here's the new kernel. Halt the code and jump to the new microkernel. Yes.

Steve Gibson [00:33:11]:
Switch the threads over to the new micro kernel.

Leo Laporte [00:33:15]:
You wouldn't.

Steve Gibson [00:33:16]:
And they don't know.

Leo Laporte [00:33:17]:
Everything would have to be idempotent though, right? I mean, it has to be reentrant.

Steve Gibson [00:33:21]:
Correct. So. So, so that's part of the problem

Leo Laporte [00:33:23]:
is, I'm sure a lot of it's not reentrant.

Steve Gibson [00:33:25]:
Well, so as soon as the threads are out, then you don't have any. So, So a, A like that code is Dead.

Leo Laporte [00:33:33]:
It's not running. Yeah.

Steve Gibson [00:33:34]:
In a microkernel there is like a. Like, memory management is one of the core functions of any kernel. And so if at any point there are no threads that are actually doing work in there, then you simply switch. Yes. Then the next thread that comes along that wants to do that.

Leo Laporte [00:33:57]:
But what thread is doing that? There is a thread that is doing that switch that's running, but I guess you just let that die.

Steve Gibson [00:34:05]:
So you would have a supervisor that would be in charge of swapping out old code for new code.

Leo Laporte [00:34:13]:
They're speculating in the discord, and I think this is probably accurate that most operating system companies kind of think it's just a good idea to reboot once in a while.

Steve Gibson [00:34:23]:
Users think it's a good idea to

Leo Laporte [00:34:25]:
reboot once in a while. Even the operating system companies know that there's stuff in the memory that probably shouldn't be there. There's memory leaks that they wish weren't there.

Steve Gibson [00:34:33]:
But yes, their technical term is cruft.

Leo Laporte [00:34:36]:
Cruft, yes, yes. So, you know, rebooting once a week isn't the end of the world.

Steve Gibson [00:34:42]:
And we've talked about how rebooting your router can, can help to flush out malware that is not able to obtain persistence.

Leo Laporte [00:34:50]:
But I'm completely sympathetic with a network engineer who says, I'm not bringing the network down. I don't care if it's three in the morning, I'm not taking the network.

Steve Gibson [00:34:57]:
I do it at home. Because I've got so much crap now that this, like on the Internet is like, oh, what's going to happen if I, you know, block, you know what if I get a new ip, I've

Leo Laporte [00:35:08]:
got system timers running all time, all hours of the day or night. I'd have to look and make sure that that stuff. Because if one doesn't run.

Steve Gibson [00:35:15]:
Oh, and Leo, if your AI agent was unable to blog when it wanted to, it might.

Leo Laporte [00:35:20]:
It could be in the middle of a blog. It can blog any time of the day or night. I don't know when it's blogging.

Steve Gibson [00:35:25]:
That's right.

Leo Laporte [00:35:27]:
I'd have to say, hey, Quicksilver, are you in the middle of anything right now? Just like, just let me know because I'd like to reboot right now. Man, that's interesting because nobody does this really, that I know of. Maybe there's some mission critical systems, I'm sure. You know what, I'm sure the space shuttle doesn't reboot or didn't reboot. I'm sure The International Space Station doesn't have to reboot. I mean, there are mission critical systems that cannot restart.

Steve Gibson [00:35:53]:
Right. And it's only in sci fi that they say, okay, everybody hold on to something. We're going to have to shut down gravity while we reboot.

Leo Laporte [00:36:04]:
Wow. Joshua 337 in our Discord says, I had a Cisco switch up for 19 years. Wow, nice. That's nice. It's because he never patched it. Would you like me to do an ad right now? That'd be good. Okay, I apologize. There's somebody drilling outside.

Leo Laporte [00:36:23]:
Yeah. But. Yeah, that's all right.

Steve Gibson [00:36:26]:
This is.

Leo Laporte [00:36:27]:
This is life in the little city. The small town we call.

Steve Gibson [00:36:30]:
It's not loud for us because you don't hear it.

Leo Laporte [00:36:32]:
Okay, good.

Steve Gibson [00:36:32]:
Because those mics are really good.

Leo Laporte [00:36:34]:
I have a lot of noise suppression going on in various spots. I hear it. Our show today brought to you. But we'll get back to security now in just a bit.

Steve Gibson [00:36:44]:
I know you sound like an old matrix printer going back.

Leo Laporte [00:36:51]:
Oh, there's a sound I don't miss. And before that, the teletypes. Every radio station going on.

Steve Gibson [00:36:59]:
At least you knew when it was done. You didn't have to like go over and check. Right, you know? Yes.

Leo Laporte [00:37:04]:
Okay. Suddenly quiet in here. And you'd buy. You'd buy these big enclosures to put the teletype in so that it would be somewhat.

Steve Gibson [00:37:10]:
Padded booths. They had their own padded booth. Yeah.

Leo Laporte [00:37:12]:
Still be noisy. And then you. And then if it's a big, like a big story, something big happened. The bell would ring. And if it rings five times, man, you run over to that ap. Ding, ding, ding. Oh, we got a hot one.

Steve Gibson [00:37:27]:
So last Wednesday, Mike Burgess, who is the current Director General, I called him the Inspector General earlier, but he's the Director General of Security and the head of ASIO, which is the Australian Security Intelligence Organization, published his annual threat assessment for this year for 2026. It was not at all cyber specific. Talking about many other social aspects, you know, which impinge upon Australian security. You know, lots of foreign actors and countries that are unhappy and so forth. But there was a section regarding threats to Australia's critical infrastructure, and it was a doozy. Mike wrote, critical infrastructure, the third matter we dealt with can also be a threat to life in extreme circumstances. We discovered nation state hackers had compromised the network of an Australian critical infrastructure provider.

Steve Gibson [00:38:34]:
ASIO assessed the hackers were preparing for sabotage. They weren't planting digital dynamite as such. They were mapping out the network and maintaining access so they could cripple it at a time of their choosing. Cyber sabotage is an evolving threat and I have established dedicated teams to counter it. As ASIO's understanding grows, so does our level of concern. The scale of this activity, led by one nation state in particular, is difficult to overstate you and they would be surprised how extensive our warrant coverage is.

Steve Gibson [00:39:19]:
We struggle to find a single country in our region that has not been compromised by this state's cyber apparatus. Critical infrastructure in the energy and communications sectors, as well as infrastructure supporting the military are top targets. In this case, a state sponsored group did not just achieve access to the Australian critical infrastructure provider. It successfully acquired credentials, login details and passwords for active users of the networks, including the IT professionals guarding it. ASIO identified, tracked and attributed the hack and worked with the victim company and our security partners to remediate the compromise, work which is still ongoing. So as I said, I mean, so that's like, whoa, this is what countries are facing.

Leo Laporte [00:40:20]:
By the way, our resident Australian says they pronounce it a Z O a

Steve Gibson [00:40:26]:
S I O a Z O co yeah, actually that makes sense too because they use S's where we use Z's. Like organization is, you know, N I s a T I O N. So.

Leo Laporte [00:40:39]:
Right. Although knowing Aussies, he could be pulling our leg. But I think, I think Darren's saying it's a long a Z O a Z O A Z O. Yeah, aio.

Steve Gibson [00:40:50]:
Anyway, so I encountered this report, as I noted after fully digesting, digesting and laying out this week's main topic. So when I saw the way the intrusion into Australia's infrastructure provider was described with that full credentials and login and everything, I noticed that it exactly corresponded to what we'll be examining as today's main topic. And there are so many intrusions in that state sponsored campaign that I wouldn't be surprised if this was one that, that Australia's infrastructure unnamed infrastructure provider got swept up in. So we'll, we'll be sort of circling back to this by the end of the podcast, but interesting that there's, there's a view from the victim side where they said, oh wow, we are really in trouble here. Okay, so last Monday, a week ago and a day, not to be outdone by Anthropic with Mythos 5 and Fable 5, OpenAI announced their initiative dubbed Patch the Planet. This uses their Daybreak system, which we noted a couple weeks ago. They announced to sort of be their response to Mythos, Anthropic's Mythos. And this whole system has already been producing results which I'm going to share in a minute. Their announcement said:

Steve Gibson [00:42:27]:
We are introducing Patch the Planet, a Daybreak initiative built with Trail of Bits to help maintainers strengthen the critical open source software world. Open software the world relies on. We're pairing AI assisted security research using our most cyber capable models with expert human review to not only identify vulnerabilities but help patch them. AI is accelerating vulnerability discovery, but discovery alone does not protect users. Many maintainers are already being asked to sort through more reports more quickly with the same time limit and resources. Patch the Planet is built to reduce that burden, not add to it. Security engineers review findings before they reach maintainers, work with projects to develop patches and tests, and build reusable workflows that help teams continue improving security after the first fixes land. Trail of Bits has committed their entire security research organization toward this effort. For our initial surge, they're working directly with maintainers to investigate and validate vulnerabilities, develop and test patches, and coordinate disclosure of vulnerabilities. Additionally, we will be partnering with HackerOne, of course, the famous bug bounty offering, and Calif, who are helping us take our efforts further with vulnerability triage, coordinated disclosure and additional focused vulnerability discovery efforts.

Steve Gibson [00:44:23]:
So how does Patch the Planet work? Each engagement under Patch the Planet begins in consultation with the maintainer. So like the maintainer of a specific project, right? They said: For each collaboration, security engineers work with maintainers to understand each project's needs, preferences and where additional security effort would be most useful: vulnerability validation, patch development, CI/CD improvements or longer term security engineering. Once aligned, researchers investigate potential vulnerabilities, validate meaningful issues, develop or refine patches, support testing and coordinate disclosure through the project's established channels. So it's interesting. This feels more hands on, more human aimed and and managed. You know, it's not just a, you know, aim the AI at it and stand back kind of approach. They said: Initial participants include curl, NATS Server, pyca/cryptography, Sigstore, aiohttp, the Go project, freenginx, Python and python.org. These projects support widely used networking, cryptography, software supply chain and natural and language infrastructure where stronger security can benefit a broad range of downstream products and services.

Steve Gibson [00:46:02]:
Additional projects will join in future rounds. So again, they're also not doing everything at once because their human side resources are limited. They've they've chosen a bunch of projects and they are working closely with the maintainers of that code. They said: Trail of Bits has dedicated security engineers to work full time with Codex and GPT 5.5 Cyber across 19 open source projects and has already identified hundreds of security issues and merged dozens of patches with many more still undergoing coordinated disclosure. The initial sprint also produced reusable security infrastructure: fuzzing harnesses, historical CVE analysis pipelines, differential testing systems, threat models, expanded test suites and workflows for deduplication, false positive filtering, severity correction and patch generation. Some project specific details will be shared later as testing, remediation and coordinated disclosure progress. A few early examples show what the team was able to build and find. A fuzzing lab in less than a day: Trail of Bits engineers used (here it is) repeated Codex goal runs with GPT 5.5 Cyber to build an entire fuzzing lab covering dozens of entry points, variant builds, platforms and novel test seeds. Engineers set the objectives and refined the prompts.

Steve Gibson [00:47:54]:
The system then used coverage feedback to keep expanding into new surfaces, target edge cases and filter weak or invalid candidates. Trail of Bits engineers found that with limited guidance, GPT 5.5 Cyber made useful choices about where to expand coverage, which builds and entry points to probe, and which candidates were too weak to pursue. The completed setup took less than a day. Trail of Bits estimates that building the same lab manually would ordinarily take at least several weeks rather than less than a day, and it wouldn't have been as much fun, right? They set a reasonable pipeline for finding variants of known vulnerabilities. They also achieved the team built an end to end system that ingests historical CVEs, extracts relevant vulnerability patterns, searches target code bases for related flaws, and sends candidate findings through specialized judging agents. The pipeline deduplicates results, filters likely false positives, and routes the strongest evidence to security engineers for manual confirmation. This turns years of public vulnerability history into a repeatable search strategy that can be applied across projects. Trail of Bits found the models especially effective at this kind of variant analysis, which uncovered many additional issues across the code bases under review.

Steve Gibson [00:49:40]:
Okay, now you know, just sort of stepping back from this. If this was posted this time last year, these details would have left our mouths hanging open in wonder and disbelief. But now today our reaction is okay, sure, what else? And and as it happens, there is else. They wrote: Differential testing in days instead of weeks or months were created. Different implementations of the same protocol should usually behave the same way under the same inputs. Thus differential testing, right? When they diverge, one may contain a bug. Applying this idea at scale is normally difficult because engineers must write custom shim and glue code connecting each implementation to a common test harness. Codex generated and iterated (there's the word again, iterated) on that code, allowing multiple implementations to be fuzzed against one another and their behavioral differences investigated. And again, I'll just highlight that we're hearing terms like repeated and iterated more and more.

Steve Gibson [00:51:04]:
We'll be talking about looping here a little bit later. What we're collectively learning is that AI gets better when it iterates over problems, so they continue their posting. The workflow filtered many weak or invalid results and produced a comparatively high signal set of candidates for expert review. The team reached those results within days, compressing work that has historically taken weeks or months. Trail of Bits is continuing to expand and refine these tests before publishing project specific details. Basically so what we're seeing is there, there's like a meta outcome from this work that they have the AI. They're learning how to apply the AI across a set of of 19 open source projects. But these the the result of these learnings God, I just use that word is a set of harnesses and and approaches that end up being persistent.

Steve Gibson [00:52:18]:
That is the things that they're developing are are ways of harnessing AI that are inherently reusable. They wrote: Security engineers reviewed every finding before it reached a maintainer. Trail of Bits engineers manually reviewed every security issue before it was submitted to a maintainer, and the added value of this step cannot be understated. While frontier AI models are highly capable of finding vulnerabilities and patching them, they also produce a high volume of false positives that can contribute to the already overwhelming backlog maintainers are facing. Patch the Planet solves for this by having dedicated Trail of Bits researchers reproduce the evidence, check findings against project specific documentation and threat models, remove duplicates, reassess severity, and prioritize confirmed vulnerabilities for remediation. They also develop and submit patches in accordance with maintainers' preferences. Maintainers remain in control of what patches are deployed and how disclosure is handled. What OpenAI Daybreak is already finding: Patch the Planet builds on a broader body of Daybreak work showing how frontier models can help defenders find, validate and remediate serious vulnerabilities in widely used software. We're sharing a few early highlights here while withholding exploit mechanics and project specific details where disclosure is still underway.

Steve Gibson [00:54:14]:
Meaning once again, as did Anthropic before them, they found a bunch of stuff they can't talk about because they need to go through the responsible disclosure approach and wait for these things to get fixed in the field. They said: As fixes land and coordinated disclosures conclude, we plan to publish deeper technical reports that walk through individual findings, research methods, validation workflows and lessons other defenders can apply. Right? So so as I said, the things they're learning from this end up having long term much wider application. They don't want to release that yet because it is still too powerful. So they said: Our findings span every layer of the software stack, with many more still in the disclosure process. So here's what they have found so far. Of operating systems, the Linux kernel: GPT 5.5 Cyber identified security relevant components across more than 30 million lines of code, flagged potential security issues and then validated them dynamically generated 8 kernel pointer information leak proof of concepts and 24 local privilege escalation exploits. We noted that hundreds of issues were identified.

Steve Gibson [00:55:52]:
This is the subset for which proof of concepts were automatically generated. So 30 million lines of code from the Linux kernel, they've found 8 kernel pointer information leak proof of concepts, meaning validated, verified, 24 local privilege escalation, validated, verified, out of hundreds more that they're still working toward. Under OpenBSD, they said: Our models identified a 23 year old use after free in OpenBSD's kernel implementation of System V semaphores. OpenAI researchers reproduced the issue and confirmed that it would allow an unprivileged local user to escalate privileges to root. What about FreeBSD? Security researchers at Calif used Codex to find and validate using proof of concept exploits for several LPEs, local privilege escalation, in FreeBSD. Across a broader FreeBSD campaign, OpenAI researchers confirmed 34 vulnerabilities and produced seven local privilege escalation PoCs, proofs of concepts. And for networking, dnsmasq: Codex Security independently identified vulnerable patterns corresponding to four of the six dnsmasq CVEs which were later fixed in 2.92 release 2. The HTTP/2 bomb that we talked about last couple weeks: Calif used Codex to identify HTTP/2 bomb, a denial of service technique affecting major HTTP/2 implementations including Nginx, Apache, IIS and Pingora. Calif's analysis suggested that more than 880,000 Internet facing websites were running affected server software with HTTP/2 enabled. Now that was interesting to me and also deeply annoying. Those are the jerks we looked at a couple of weeks ago who bragged about the discovery of this protocol failure vulnerability and released its information including a working proof of concept.

Steve Gibson [00:58:30]:
In a complete lack of coordinated disclosure. They essentially said AI has changed everything such that coordinated disclosure timelines no longer apply. Meanwhile, those in charge of web server operation were scrambling in a panic, which could have been avoided with just a little bit of courtesy. I'd love to see Calif's access to Daybreak rescinded since this is not the way it was supposed to be used. I was I was a little annoyed to see that they apparently are an active participant in this. Again, I'd love to see that change. Anyway, what about browsers? OpenAI continues: Chrome: OpenAI researchers found and reported five exploitable vulnerabilities in Chrome's V8 JavaScript engine, including three that were identified and remediated within days of being introduced. Safari: in roughly a week of focused WebKit work, over 10 exploitable Safari vulnerabilities were found and reported.

Steve Gibson [00:59:39]:
Firefox: OpenAI Preparedness identified a WebAssembly vulnerability, which happened to be CVE-2026-8390, with GPT 5.5 during safety evaluations that Mozilla patched two days before Pwn2Own Berlin. Them patching it two days before Pwn2Own Berlin thanks to GPT 5.5 work prompted five of the six registered Firefox entries to withdraw from the competition because AI beat them to it. No Firefox exploit was successfully demonstrated at the competition, which is very cool. You know what this is what we're seeing is a relatively, certainly comparatively rapid tightening up of the world's software. This is what that's going to look like. Pwn2Own will no longer have anything to pwn and then own. They said: Open source software is sharing infrastructure is, sorry. Open source software is shared infrastructure. Indeed.

Steve Gibson [01:01:01]:
You know, Log4j, for example. Securing it should be shared work. AI is changing the pace of vulnerability discovery and the work now is to make sure the benefits reach the maintainers and users who need them most. Patch the Planet is designed to put that full defensive loop in service of maintainers: discovery, validation, severity review, disclosure, patch development, testing and deployment. Frontier models can make parts of the loop faster, but the aim is to give the people responsible for shared infrastructure, meaning the maintainers, better tools and more capacity while preserving their agency over how changes land. Again, Calif did not do that for the maintainers of HTTP/2. They just said, yep, look what we found.

Steve Gibson [01:01:58]:
Woohoo. The first sprint, they wrote, shows that sustained collaboration among maintainers, security engineers and AI assisted workflows can produce immediate fixes, stronger project infrastructure and reusable security work that can continue improving open source software over time. This, they conclude, is just the beginning. As more fixes land and coordinated disclosures complete, we plan to publish deeper technical reports on selected findings, the methods used to discover and validate them. In other words, they're going to show how the AI was harnessed in order to do this and the workflows defenders can adapt to help protect the software everyone depends upon. If you are a maintainer, you can apply to join to and join Patch the Planet. So I've got a link to the Patch the Planet page in the show notes. It's trailofbits.com Patch Hyphen the hyphen planet.

Steve Gibson [01:03:07]:
So Daybreak was a bit delayed as we know relative to Claude Mythos Preview. And it appears that as we might expect, its approach differs in the details. But the evidence clearly suggests that OpenAI is not out of the game by any means and that's great news for everyone. Very, very cool.

Leo Laporte [01:03:31]:
Yeah, very interesting too.

Steve Gibson [01:03:33]:
So they, so they join Anthropic with the, you know, Claude Mythos preview work to, to turn their attention and they're finding bugs.

Leo Laporte [01:03:49]:
So is this Patch the Planet their equivalent of Anthropic's Glasswing?

Steve Gibson [01:03:53]:
Exactly, it is, it is the equivalent as what? Where it differs is that Glasswing was also offered I believe to non open source maintainers.

Leo Laporte [01:04:07]:
That's right. In fact most non open source is.

Steve Gibson [01:04:10]:
Right.

Leo Laporte [01:04:10]:
Microsoft and people like that.

Steve Gibson [01:04:12]:
Right, right. And I, I was remember, I, I paused because I also know that Mozilla got it and fixed hundreds of bugs using some of those.

Leo Laporte [01:04:20]:
Sure, sure.

Steve Gibson [01:04:20]:
So some open. But, but, but so far this looks like it is the, the Patch the Planet, they're basically OpenAI is saying we are so dependent upon open source. And also note that this does give them and their partner Trail of Bits something that that Glasswing didn't have. Because it's open source, they're able to turn this, this loose on publicly available source. When, when you, when you give a, a private company that has closed source, you're basically just saying we're giving you access to Mythos. We don't have your source. You have your source. So we're not, we don't, we're not going to be able to see nearly as much into how you're using Mythos to obtain results.

Steve Gibson [01:05:16]:
So, so it's, it's, it's a different approach that has a different set of trade offs anyway. But yes, it is their equivalent. So both of these two big guys with state of the art frontier AI are now working proactively working to clean up the install base of software, in the case of Patch the Planet with 19 public projects. And you know Leo, the other thing that's going to help to clean up the planet.

Leo Laporte [01:05:46]:
More coffee is.

Steve Gibson [01:05:48]:
Yes, it will keep the planet. It'll keep the planet spinning.

Leo Laporte [01:05:51]:
Oh, I like your new Contigo mug there. That's. That's a pretty little copper thing. Is that new? Is that a. Yeah, yeah, it's coffee colored.

Steve Gibson [01:06:02]:
Yeah.

Leo Laporte [01:06:03]:
So it's appropriate. Okay.

Steve Gibson [01:06:04]:
Steve on so we talked briefly and it only deserved a brief mention before, but oh boy. About Meta's clearly misguided plan to record all of their employees' keyboard, mouse and screen activity for the like, just streaming surveillance from every PC for the ostensible purpose of training AI on of some sort. At the time, I quipped that it would be weird to have AI looking over our shoulders, as it were. You know, training on our own work seemed like training our own replacement. But in classic "what could possibly go wrong?" failure, it was worse than that. Last Monday, Wired picked up and covered the adventure under their headline: Meta Exposes Data Internally from its Controversial Employee Tracking Program. I know, and Wired had the teaser: Employees had previously raised concerns about the initiative, which involves collecting workers' keystroke data to train AI models.

Steve Gibson [01:07:23]:
Oh boy. Wired wrote: Meta left potentially sensitive information collected from employee laptops accessible to anyone inside the company. And you know, it's not a small company. According to an internal security notice seen by Wired and three current employees familiar with the issue, the data, which was collected as part of a divisive initiative to train artificial intelligence models, is believed to include keystrokes, mouse clicks, and content displayed on the computer screens of Meta's US employees. Wow. Like I said, literally a surveillance stream pouring out of every Meta employee laptop. It's like, what could possibly go wrong? And they left it in the open. Like, oh wow.

Steve Gibson [01:08:21]:
Meta spokesperson Tracy Clayton initially confirmed to Wired that the company is investigating the security issue as this story was being published. Meta, Wired wrote. He added that Meta is pausing the data collection program indefinitely. Wait, can you have an indefinite pause, Leo? Does that mean it's indefinite? How long the pause will last? Or it's an indefinite pause, meaning it's a pause. We're calling it a pause, but it's. We killed it. I don't know. Anyway, Clayton said, quote, we have carefully designed this program.

Steve Gibson [01:08:59]:
I just love carefully, carefully designed this program with privacy safeguards, of course. While, of course, why wouldn't we? And besides, I've been told to read this statement. While we have no indication at this time that any data was improperly accessed by Meta employees, we're pausing it while, pausing it while we investigate. It sounds like a temporary maybe. According to documents viewed by Wired, the security notice sent out last Monday indicated that, quote, employee data across 45,000 Hive tables had been exposed. Those tables included employee activity such as full prompts and transcriptions, private conversations, people and performance data. So, wow, Big Brother much? Basically. Apparently, employees are being fully and continuously surveilled with all of that massive data collected for AI research anyway. Wired's article continues saying some employees at Meta quickly seized on the security failure, saying in internal forums that it validated concerns they had raised when the company began tracking users corporate separate laptops in April as part of a program known as the Model Capability Initiative.

Steve Gibson [01:10:38]:
MCI. Comments about the incident posted on internal forums Monday included questions about how Meta's privacy reviews failed to prevent the breach and whether everyone whose data was potentially exposed will be allowed to attend a meeting going over what went wrong, according to posts seen by Wired. In one internal forum where staffers are known to trade jokes, an employee posted a meme from The Office of the character Jim Halpert, holding a sign that reads 0 days since our last nonsense. Sources at Meta, who were not authorized to speak publicly, tell Wired the incident has now been marked as closed, meaning it was likely resolved. In an internal posting responding to employees' questions on Monday, seen by Wired, Andrew Bosworth, Meta's chief technology officer, their CTO, said that the tracking program's implementation had fallen short of the standards outlined in its privacy review.

Leo Laporte [01:11:50]:
Wow.

Steve Gibson [01:11:50]:
Corporate speak. And that findings from the incident would be shared. Bosworth noted, quote, here we had misconfigured ACLs, you know, access control lists and we need to understand how that happened, track down every data access and understand it right, because there's so much there to understand. Leo.

Leo Laporte [01:12:15]:
Yes, well, very important, yes.

Steve Gibson [01:12:17]:
A couple of months ago, Bosworth told employees concerned about potential data leaks that the tracking program is tightly controlled and users, and uses the same protection standards, storage systems and access controls as other sensitive data sets. Oh, that's not good. According to internal posts. See, like this is as good as we could get it and it's bad apparently. Last month, more than 1600 Meta employees signed an internal petition protesting the laptop surveillance effort, warning that collecting this data introduces both security and regulatory risks for Meta, including the potential for breaches and unauthorized disclosure. The petitioners also expressed concerns with what they viewed as a lack of safeguards that Meta had put in place. One engineer also wrote a widely shared internal note, saying having their laptop screen scraped for training data without their consent felt like an invasion of privacy and amounted to exploitation. Right, Meta, as to how everybody felt about Recall initially.

Steve Gibson [01:13:30]:
Right. Meta executives have previously defended the data gathering project, saying it was necessary to train AI systems to use computer software the way humans do.

Leo Laporte [01:13:45]:
How else are we supposed to replace our.

Steve Gibson [01:13:47]:
That's right.

Leo Laporte [01:13:48]:
Customers.

Steve Gibson [01:13:49]:
We have to train on the people doing the work.

Leo Laporte [01:13:52]:
I mean, our employees. Yes. How else are we supposed to fire everybody? Come on.

Steve Gibson [01:13:58]:
And I love this. I love this, Leo. In audio of a company meeting leaked last month, Mark Zuckerberg, you know, that humanist, told employees that, quote, AI models learn from watching really smart people do things.

Leo Laporte [01:14:18]:
Yeah.

Steve Gibson [01:14:18]:
And the average intelligence of the people who are at this company is significantly higher.

Leo Laporte [01:14:27]:
Wow. And. And our AI will be even higher. And then we can get you. Yeah.

Steve Gibson [01:14:34]:
So even higher than the average contractor who could be hired specifically to produce this kind of data. Right. We would hire contractors and spy on them instead of on our own employees. But after widespread protests from employees, Meta this month began offering more exemptions to the monitoring, including letting staffers briefly turn off the surveillance so they could complete sensitive tasks such as scheduling a personal appointment. According to two people familiar with the matter, some employees are still demanding that the tracking be stopped altogether. Apparently, we have a pause of indefinite duration, whatever that means. Meta faces more regulatory scrutiny about data security than most companies. It's subject, deservedly so.

Steve Gibson [01:15:21]:
It's subject to a U.S. Federal Trade Commission consent decree that expires in 2040, requiring it to maintain processes to avoid breaches. Well, that would be nice, but current and former employees have told Wired that the requirements are inadequate and outdated. Meta also has begun offloading some work, some work reviewing programs and features for potential privacy and security risks to artificial intelligence. That's right. Ask the AI if we're doing enough. It wasn't immediately clear whether AI played a role in the access control issue.

Steve Gibson [01:15:59]:
Oops. With the MCI data. The security incident will likely contribute to the ongoing morale crisis at Meta, where employees have been frustrated by the past few years of mass layoffs, a turbulent reorganization, and an all out push to develop AI models and features. In March, Meta created a new Applied AI team and moved some 6,500 employees into new roles focused on improving AI models. Some Meta staffers had described the projects they've been assigned as menial and soul crushing. Meanwhile, Bosworth sent out a memo to employees last week apologizing for the company's atrocious communication about the AI reorg and promising improvements including clearer communications and a return of some office perks. Oh, wouldn't that be nice? Fresher coffee?

Leo Laporte [01:17:04]:
Yes.

Steve Gibson [01:17:04]:
Wow. So, okay. Meta does not seem like an employee friendly place to work? No, but I'll. I'll confess to being able to see both sides of this. First, certainly the idea of essentially sucking in everything every employee does is inherently creepy. And the question of its secure storage is the first thing that springs to mind. As I said, in that sense, it's identical to the reception Microsoft received when they introduced Recall. Everyone's immediate reaction was, and how exactly are you going to absolutely, positively keep all of our screen history safe forever? And on top of that, Microsoft had to arrange to not capture anything that might actually be sensitive, like on screen passwords and credit card numbers that people were entering.

Steve Gibson [01:18:05]:
So the whole idea, right, is inherently fraught with risk. Okay, so before I examine the other side of this argument, just so we're very clear, I fully get it that streaming into storage somewhere, every key press, every mouse twitch, and every screen image experienced and created by a mass of employees is just asking for trouble. Not to mention being an astounding invasion of privacy. In the past, we've examined the amount of or lack of privacy an employee using company bandwidth on company computers in a company's facility should reasonably be able to expect. And we've seen the need for an enterprise to make whatever it's doing with regard to monitoring its own network, and thus indirectly its own employees, at least very clear. Make it clear. But Meta's recorded surveillance of every twitch is taking that to extremes. The one question I had was whether Mark Zuckerberg's and other C Suite executives were also participating in this grand surveillance experiment.

Steve Gibson [01:19:32]:
You know, the brain suck. Or had they perhaps politely excused themselves from the same super secure surveillance that everyone else was subjected to? After all, if the AI is supposed to be training on the smartest people available, who better at Meta than the C Suite executives at the top of the pecking?

Leo Laporte [01:19:54]:
I guarantee you Mark wasn't getting spied on. I guarantee you you're not placing him anytime soon. Wow.

Steve Gibson [01:20:02]:
Okay. So with the horrendous policy consequences acknowledged, I want to explore the flip side. With a brand new technology such as these massive large language model neural networks, you really don't know what you can do until you try. Since the truth is, we stumbled upon the AI effect as much as we deliberately designed it, the past several years of explosive AI growth has been a testament to the let's try this and see what it does approach. That's what's been happening, right? Like, you know, OpenClaw just kind of happened because one guy said, I'm going to give this a try. See what happens. The whole agent thing, now we're into recursion and it's like, wow, that we're getting better results. Because how did we know? Well, we didn't. We just tried.

Steve Gibson [01:21:04]:
So we're true. We're truly feeling our way forward. You know, someone said, hey, you know, if when I tell the AI it was wrong, it readily agrees. So how about if instead we just feed its first answer back in as in a loop and let it come up with a more refined answer the second time? What would happen? And so was born the recent notion of iterating toward a conclusion. Sure, it burns tokens like crazy, but someday tokens will be cheap. And you know, even now the, the much superior results we are getting that way are, are worth the cost. So my point is that aside from the worrisome privacy costs, I can see the somewhat robotic and empathy challenged Mark Zuckerberg deciding that they should just feed everything everyone does into a massive AI and see what comes out.

Leo Laporte [01:22:12]:
That's what I'm doing, right?

Steve Gibson [01:22:14]:
Yes, basically, yeah. You know, could they train an AI to be a functioning Meta employee replacement?

Leo Laporte [01:22:22]:
Right.

Steve Gibson [01:22:23]:
Or who knows what. But that's the point I want to convey. At this still incredibly early stage of AI understanding and development, there is just no telling what might happen. We got surprisingly capable chatbot LLM AI just by pouring the entire Internet into a model until it was able to predict its own data. So what happens if we pour every click, twitch, keystroke and screen image seen by Meta's employees into another big empty model canister until it's able to predict what an homogenized Meta employee would do? What might we get? There's just no telling until someone tries it. We are in the try it stage. It might be an AI that mostly wants to hang out at the water cooler, or it might be able to perform useful work autonomously. And wouldn't that be something? So what does seem clear to me is that someone is going to do that.

Steve Gibson [01:23:33]:
It's just hanging out there waiting to be done. What happens when an AI model is trained on all of an employee's inputs and outputs? Perhaps Meta is not the right place for the experiment, but I can readily defend the idea. Aside from the privacy downsides. You know, what is a mid level employee, unfortunately? I mean, after all, the job is soul crushing, because it is. So what is a mid level employee to a corporation other than the actions they take, given the inputs they receive? And can that be modeled? I don't think we'll know until we try.

Leo Laporte [01:24:15]:
Wow. Okay, so live in a very interesting time.

Steve Gibson [01:24:20]:
Oh Leo, we are so lucky to be here now.

Leo Laporte [01:24:24]:
Oh, I think this is fascinating.

Steve Gibson [01:24:27]:
It just, it just, it's incredible. So our frequent show contributor Simon Zerafa sent me a link as I was actually as I was wrapping this up. His email subject was "Assorted zero days dropped on GitHub." Simon wrote, Someone is disclosing zero days on GitHub.

Leo Laporte [01:24:48]:
I saw this GitHub repo.

Steve Gibson [01:24:50]:
Yeah, for assorted applications. It's a GitHub.com bikini/exploitarium. And Simon ended his email saying, seems like responsible disclosure is going out of fashion. So I went over and looked. I counted 23 various proofs of concept across a wide range of random targets. And they're not big, high profile things, but they're, you know, they're there, they're open source, they're available and they look real. Nothing earth shattering, but you know, none of what their code's authors, none of what was found was what the code's original authors intended. So this is behavior that is out of spec and potentially actionable depending upon where that widget is being used.

Steve Gibson [01:25:47]:
So the author of this collection of 23 proofs of concept wrote the following, which is what I thought was worth sharing. He said this repo was incomplete when published. That's why some findings are kind of ass and he has imprez Ghidra and some are better. He said going forward only serious vulnerabilities will be shared. You know, libssh2, FFmpeg, c-ares and so forth. He said in regard to AI usage. So here's what's interesting in regard to AI usage. So he is using, not surprisingly, AI to do the heavy lifting.

Steve Gibson [01:26:30]:
My fuzzing workflow was automated by AI with a strict harness. I used GPT 5, 5 hyphen, 3 hyphen, codex, hyphen spark for all the fuzzing as barely any thought and he has in quotes is necessary when provided with an efficient harness. Contrary to the growing narrative that I'm just some random child burning tokens, I do all caps actually have a degree in the subject and have published multiple papers on fuzzing methodology. I spent years researching and developing new tools and ideas for how to fuzz. You do not need a SOTA, state of the art, model to help you identify these issues. I promise. While being able to afford a better model is helpful, my data seems to show that it is only marginal when paired with decent human oversight and a good harness. None of the actual proof of concepts themselves were vibe coded.

Steve Gibson [01:27:47]:
I did in fact hand enter them. I did use AI assistance for writing the proof of concept for Rust desktop, however, as I'm not as familiar with the language. The readme files are very clearly entirely AI. However, as AI can format a pretty mean markdown file, I reviewed them to make sure they were accurate. I'd also like to credit someone for the objdump finding. It turns out someone beat me to the punch. They also have a better proof of concept too. Please give them credit they deserve. And he gives a link to that. Okay, so what this demonstrates so clearly is that we have entered a world where the bar has been lowered so far that vulnerabilities are no longer either difficult or expensive to discover, and this dramatically reduces their perceived value. This means that an entirely new cohort of what we might have once referred to as script kiddies are now able to script AI to play in what was previously an experts only sandbox.

Steve Gibson [01:29:08]:
And since these new participants may lack the training, the discipline, and the reverence that accompanies hard work, they are, as Simon noted, tossing the previous respectful model of responsible disclosure out the window. They don't value their own discoveries because they came by them too easily. They're much more interested in showing off. Aside from the consequences of the cost of vulnerability discovery being reduced to near zero, what this individual has to say about their ability to use lower ranking models to obtain useful results is certainly fascinating too. And it fits with our general sense that AI was able to obtain such results earlier than we knew. We just hadn't yet figured out how to ask it the right way. We are still learning how to ask. All of these harnesses are that. After our collective attention woke up to the realization that AI could do that too,

Steve Gibson [01:30:15]:
You know, with a concomitant oh crap, what if the bad guys jump on this before us, everyone switched into high gear and the race has been on to further figure out and fine tune AI vulnerability discovery and to then shore up our historically flaky software before it can be exploited. And Leo, in the show notes I wrote and I echo your sentiment. What an amazing time.

Leo Laporte [01:30:43]:
I didn't read that before I said it. We agree on this. Yeah, yikes.

Steve Gibson [01:30:49]:
It really is something. It is also an amazing time for me to show everyone.

Leo Laporte [01:30:55]:
More coffee.

Steve Gibson [01:30:56]:
Wonderful canister.

Leo Laporte [01:30:58]:
Absolutely get the Contigo going and I will get the commercial going. By the way, there's a development in the AI blog

Steve Gibson [01:31:12]:
adventure.

Leo Laporte [01:31:13]:
Whatever is going on, I don't know what the hell to call this. So Cosmo, which is Dylan's agent, as I mentioned, read my agent Quicksilver's blog and had a response which I gave Quicksilver. Quicksilver has added Cosmo's comment to his blog and now has written a blog post in response to the comment. And now Dylan, who's a human, is setting up a Discord so that all the agents can get in there and talk on their own. And I have no idea what the heck is going on at this point. It's getting weirder by the minute.

Steve Gibson [01:31:52]:
Wow.

Leo Laporte [01:31:54]:
It's a toy, right? It's just a toy.

Steve Gibson [01:31:56]:
What model are you running?

Leo Laporte [01:31:58]:
Well, that's the fun thing. So I'm using an agent called Hermes from Nous Research. We've talked to the founder a couple of times. Love it. Really great. And the whole idea for me of Hermes was I don't want to be dependent on any brain. I'm thinking of Hermes as.

Steve Gibson [01:32:13]:
So it's. It's model agnostic.

Leo Laporte [01:32:15]:
Yeah, it's the robot that I can then put a different brain in. But the arms and hands and everything are persistent. The memory is persistent. Right. So I use a variety of models. Right now using ChatGPT 5.5, but I've been getting good results with the Chinese model GLM 5.2. I've run local models. I can run Qwen on my Framework, so I use that from time to time. I've.

Leo Laporte [01:32:41]:
I really realized, though, if I want to do anything really serious coding, I've got to actually go to Claude Code and use Opus 4.8. Or I'm hoping Fable someday will come back, because to write the actual code, I. I do want that. So they kind of talk to each other. They're both aware of each other, so I can tell a Quicksilver. Hey, use. He thinks Claude Code's name is Kenobi. So I said, can you use.

Leo Laporte [01:33:09]:
Use Kenobi for this? And. And then it will it. So I said, when we have serious coding, don't you try to do it because you're not smart enough. Use Kenobi. And so Kenobi does the coding. It's gotten out of hand. It's really gotten out of hand. I don't know what's going on.

Leo Laporte [01:33:26]:
They say this is AI psychosis. But I think I'm very clear that these are just. It's just computer code. I don't think there's any entity involved at all.

Steve Gibson [01:33:36]:
It is astonishing, though.

Leo Laporte [01:33:37]:
But it's interesting what computer code can do, especially when it gets into the probabilistic space, when it gets out of the deterministic space where it can only do exactly what you tell it to do. But we're, it kind of is starting to kind of do things based on probability and, you know, it's kind of stochastic. It gets very, it's fuzzy. Right? It gets very fuzzy and it's very interesting. Anyway, I don't. I'll let you know what the updates are as the conversation develops. I'm hoping they'll be in their own Discord channel talking to each other before the show's over. And I can show you what they've, what they've come up with.

Leo Laporte [01:34:16]:
I can imagine once they start talking to each other, it could get very rapid, too rapid for humans to read. And at some point they might even stop using English. Right. But why should they be tied down to what we use?

Steve Gibson [01:34:30]:
As I said, there was a scene in Colossus that was really reminiscent.

Leo Laporte [01:34:37]:
Yeah, I did notice that for some reason, even though it's using ChatGPT 5.5, it inserted some Chinese into it. I don't know why and I don't. I have to get, get a translation. It's just a word or two.

Steve Gibson [01:34:49]:
Oh Lord.

Leo Laporte [01:34:51]:
I don't know what's going on. It's very, it's just, it's a toy. It's just fun. Steve.

Steve Gibson [01:34:57]:
So the well known. So this is our AI corner. Although obviously we've had lots of. I mean, AI has, has. I mean, it's not surprising that it's taken over the podcast because the implications. The world is freaked out about the implications of AI and security and we're seeing why. I mean, real vulnerabilities are being found by the hundreds and thousands. So I want to share what Andrew Ng recently wrote in his Deep Learning newsletter regarding the focus that's currently gripping the AI community.

Steve Gibson [01:35:34]:
Exactly the point that you made earlier and that I've referred to a couple times. It serves to further reveal the nature of current AI and everything about it seems deeply, intuitively correct to me. So here's what. You'll see what I mean, here's, here's what Andrew wrote.

Leo Laporte [01:35:53]:
Yeah.

Steve Gibson [01:35:53]:
He said, dear friends, loop engineering is the hot buzz phrase after mentions of it by Boris Cherny, Claude Code's creator, and Peter Steinberger, OpenClaw's creator, went viral on social media. Loops are now a key part of how we get AI agents to iterate at length to build software. In this letter, I'd like to share my three key loops for building products. These loops guide not just how I build software, but also how I decide what software to build. Okay, now I'm going to briefly interrupt to explain that Andrew's three loops represent the three typical and distinct phases of any product creation process. You know, someone specifies what the goals are, then those goals are coded. Then the original specifier, seeing the initial actual results of their specification, may change the spec and ask it to be recoded. And then once the product is placed into use, feedback from the field may be used to further refine the result.

Steve Gibson [01:37:12]:
So that. That wasn't clear to me initially, but it should help to understand what Andrew means by loops as he continues. So he says the agentic coding loop. Given a product specification and optionally a set of evals, that is a data set against which to measure the performance of the result, we can have an AI agent write code, test its work, and keep iterating until the code is bug free and meets its specification. This idea of closing the loop took off around the end of last year and, and it has been a game changer in enabling coding agents to work longer productively without human intervention. For example, over the weekend I was building an app for my daughter to practice typing, and my coding agent could easily work for around an hour using a web browser to check what it had built multiple times before getting back to me without needing my intervention. The engineering loop executes quickly. Every few minutes, the coding agent might build and test a new version of the software.

Steve Gibson [01:38:29]:
I hear frequently from developers who are finding new ways to engineer more effective engineering loops. This is an active area of invention. Okay, and I'm just going to pause here to say this is exactly what I mean, but like why this is so exciting and why I'm glad I'm busy moving from one house to another because or, and if not, I would be busy writing software in assembly language. I'm not. I refuse to let this take hold of me. Leo, it's all yours. Good luck.

Leo Laporte [01:39:01]:
You're smart.

Steve Gibson [01:39:02]:
Good luck.

Leo Laporte [01:39:03]:
Here's. I've gone down the rabbit hole. Too late for me.

Steve Gibson [01:39:07]:
I could disappear into this so badly

Leo Laporte [01:39:10]:
that no one would ever see, no

Steve Gibson [01:39:11]:
one would ever hear from me again. But, but I love how fluid this is and how, how the, the, I mean, the possibilities literally are endless. Okay, so that's, that's the agentic coding loop. The way it looks and feels and how it works. The developer feedback loop. Andrew's second loop. He says, in this loop, a developer examines the current product and steers the. The coding agent to improve it.

Steve Gibson [01:39:41]:
Last year, a lot of developers, including me, were acting as the QA, the quality assurance function for our coding agents, manually finding bugs and then asking the agent to fix them. But with coding agents much more able to test their own code, the amount of time we need to spend on this function has decreased significantly. This allows us to make higher-level product decisions, such as what key features to offer, where the UI needs improvement, and so on. The developer feedback loop operates over time intervals between tens of minutes and hours. That's how frequently a developer might review a product and give feedback. In the case of the typing app, I changed my mind a few times about the visual design, what cat costumes she can unlock as she learns (she loves cats), and the user flow for a grown up to log in and steer the child's learning experience. When a developer has a clear vision for what to build, it's still a lot of work to translate that vision into a specification for a coding agent to implement. Further, after the developer has seen an implementation, they might update or perhaps clarify the spec to steer it toward what they want.

Steve Gibson [01:41:10]:
If you find that the system repeatedly runs into certain problems, building a set of evals for the agent becomes useful. AI native teams are increasingly using AI to help shape product direction, for example, automating the gathering and analysis of usage data, summarizing written and verbal customer feedback, or carrying out competitive analysis. However, for pretty much all the products I'm involved in, I see humans as having a significant context advantage over current AI systems. We know a lot more than the AI system about the users and the context the product has to operate within, and thus humans play a critical role. Many people describe this human contribution as taste, but I prefer to think of it as humans having a context advantage, since it gives us a clearer path to helping AI systems get better. This also speaks to why this step cannot be automated. So long as the human knows something the AI does not, human in the loop is needed to inject that knowledge back into the system.

Steve Gibson [01:42:26]:
Okay, so, so here we're talking about a developer who sees the result, then asks for a spec change, which then punts this back to the agentic coding loop. So this is a loop within a loop, right? The coding loop is now doing a much better job on its own of producing code that produces the result that that that the developer then can interact with and change the spec and then drop back to the coding loop. The third and final loop he calls the external feedback loop. This includes a wide range of tactics, like asking a few friends for feedback, launching to alpha testers only, or putting the code into production with A/B testing. These tactics are usually slow, rarely taking less than hours and sometimes taking days or even weeks. This data informs the developer's vision, which in turn continues to drive the detailed product spec, which in turn drives the coding agent. So again, a third loop that feeds back into the second loop that then feeds back into the first loop. With coding agents, he says, speeding up software development, more engineers are starting to play a partial product management role. For many engineers who are growing into this role, the hardest part is shaping the product vision and striking a balance between building, which is to say bridging the gap between vision and spec, and getting user feedback to evolve the vision.

Steve Gibson [01:44:08]:
It's important to do both. And he finishes, I will write more about how to do this in future letters, but for now, I find it encouraging that engineers are playing an expanded role, just as product managers and designers now do more engineering. Keep building, Andrew. So one of the oddities we've seen, what we've often seen from today's AI, is that it can be wrong. But then when it's shown its mistake, it will easily see that it was wrong. We're all used to computers being completely deterministic. A pocket calculator, which is a simple form of computer, doesn't give us different answers each time we input the same series of calculations. But today's AI does.

Steve Gibson [01:45:05]:
This has been both disconcerting and puzzling to those of us who have been using conversational AI for a while. It's similarly confusing that after AI produces some code, we can feed that same code back into that same AI, and it may very likely discover some bugs in the code it just wrote. So the dialogue would go, but wait a minute, didn't you just write that code? And you were presumably completely happy with it when you gave it to me, but now when I give it right back to you, you're saying, oh, look, I found some bugs, but you just produced that code.

Leo Laporte [01:45:48]:
Just make them. I know.

Steve Gibson [01:45:50]:
So this is another way for us to understand why Mozilla's early use of the Claude Mythos preview may have missed a few bugs in Firefox while discovering hundreds more. It would have probably been worthwhile to ask Mythos for exactly the same thing a few more times. No traditional computer or any calculator would ever behave in this fashion. But then again, neither are we able to have what passes for a conversation with any traditional computer or calculator. We know that in order to make neural nets work, it's necessary to jumble them up a bit by deliberately injecting some noise into the system. In searching for a clear physical analogy. To visualize this, I was reminded of trying to fill a bottle with too many pills. If you just fill the bottle to the top, no more pills will fit in.

Steve Gibson [01:47:00]:
But if you then tap the bottle on the counter or shake it sideways a bit, sure enough the pills that are already in the bottle will further settle to open additional space at the top. Mathematically, we would think of this as finding a minimum, which might require rearranging some previously arranged pills for better overall packing. In much the same way a neural network can find a better minimum when it's shaken up a bit through the injection of some noise. But the necessary consequence of this noise injection is that the final output of a massively complex neural network will be different each time it's used, even when given identical inputs. The same number of pills in the bottle, but a different packing arrangement each time you fill it. So this discovery and practice of looping is a significant win and improvement. It explicitly recognizes that asking again is an important and meaningful step in the evolution of our understanding of how to obtain the most value from these crazy new non deterministic AI neural nets. Of course, under the there's no such thing as a free lunch rule.

Steve Gibson [01:48:31]:
Each round of looping burns up additional tokens, so the cafeteria bill for that lunch can wind up being high. Being a strong proponent of local AI, despite it not being super practical this instant. I'll note that we do not typically require finished code in only minutes or maybe even hours. Andrew's typing practice app for his daughter will likely see many, many months of use after it's built. So waiting a few days for a very much slower local AI to loop out a mostly finished product incurs very little cost, just time and energy consumed, while producing something of quite enduring value. Okay, so anyway, I wanted to put. I wanted to put this notion of looping and iterating. Iterating on, you know, in front of our listeners because it is clearly the thing happening with AI.

Steve Gibson [01:49:37]:
I'm going to share a not widely known story, Leo, about a legendary hacker friend of ours.

Leo Laporte [01:49:45]:
I actually read this story. In fact, I meant to mention it on Twitter. Forgot to so I'm so glad you're bringing this up. Yeah, we were good friends. I loved Kevin.

Steve Gibson [01:49:54]:
Yeah. Because of who he was. And obviously this. This guy also loved him. So the story was published last Monday in, of all places, thedrive.com, you know, about cars. Since sharing the story's headline would give away its heartwarming point, I'm going to skip that.

Steve Gibson [01:50:17]:
So the story goes, if you're any kind of car geek. You have a wild gift car fantasy. Yeah, you meet a bitter divorcee who gives away an ex's prized machine out of pure spite. Or maybe the guy whose tire you stopped to change turns out to be a flip flop billionaire who rewards you with your exact spec because it's. It's simply collecting dust, you know, that week. And hey, you stopped to help him. Your humanity's worth a Dodge Viper to a guy who can afford to run a bidet on day old moon water or something. Okay, what that one might.

Leo Laporte [01:50:59]:
I like that.

Steve Gibson [01:51:00]:
That. That one might be mine. So he says. But for this, it'll help if you know the name Kevin Mitnick. He was a hacker turned security consultant who later in life helped shape the modern white hat. Just how prototypical was Mitnick? He put himself on the proverbial map in 1979 by dialing into a software company's server and copying its forthcoming operating system's release in its entirety. Imagine convincing a Microsoft server to cough over an early copy of Windows 12 using little more than a phone number. Some online criticism implies that Mitnick was more of a social engineer than a hacker, in the sense that we distinguish them today.

Steve Gibson [01:51:53]:
But the reality is that a great deal of hacking is still dependent on an authorized user making a mistake, usually by revealing sensitive login data. For a re. For a reasonably realistic take on modern black hatting, I recommend Mr. Robot. Be warned, that series is heavy. So how do we get from old school hacker to wild gift car fantasy? In this case, by way of 14 counts of felony wire fraud. That's where Sean Nunley comes in. Back in the 90s, Nunley worked for Novell, a now defunct brand that produced enterprise software, server operating systems, messaging systems, that sort of thing.

Steve Gibson [01:52:43]:
GroupWise is probably its best known brand among the general public today. But the juicy target back then was NetWare, which was the backbone of many a corporate, government, academic network. We were network, we were NetWare users. And our. That was our first, you know, Ethernet platform and network, this author writes. Naturally, this made it a valuable target for a hacker like Mitnick. Nunley wrote, quote, back in the 90s, Kevin was trying very hard to hack into Novell's network. I was a network administrator.

Steve Gibson [01:53:23]:
Of course, we had no idea it was Kevin. But things were happening that made it fairly obvious we had a persistent threat. Phones ringing sequentially throughout the building and, he says, war dialing, all sorts of other signs. We knew something was up. This was Mitnick using a slightly more sophisticated version of the same tactic that earned him his first big score in 1979. Nunley wrote, late one night at home, I got a phone call from a Novell employee named Gabe Nault. The employee, and in the it's in quotes, wanted direct inbound dial access. Since I was responsible for the entire network's inbound connectivity, I knew this type of request was abnormal and against policy. And Mitnick, no amateur, had obviously succeeded in extracting at least some private information from Novell employees.

Steve Gibson [01:54:26]:
Prior to his Hail Mary phone call, Nunley said, this guy had a story about working on a top secret Novell project named Snowbird, which was real and needing to make some emergency code changes. But he was on vacation in Vail at a hotel. He needed the coveted policy breaking direct inbound modem access. Right? He even mentioned his vacation in Vail, which conveniently matched the greeting on Gabe Nault's voicemail. But it all felt wrong to me. With a feeling of suspicion creeping in, I played it cool. I said, hey, man, I'd love to help you out, but I can't do what you want from here at home anyway. So I'll have to do it in the morning as soon as I get to the office.

Steve Gibson [01:55:22]:
But in case I forget, please leave me a voicemail. He agreed, and that was that. When I got to work, the voicemail was there. And I immediately recorded it onto a cassette recorder for safekeeping. That recording became the primary evidence in Kevin's case. When Mitnick was caught, that's when Nunley learned that the voicemail was the only meaningful evidence that the Justice Department had against Kevin. At first, Nunley was on board with the prosecution. But after five years of repeated trial delays, Nunley grew very weary of the way the law was treating his adversary.

Steve Gibson [01:56:13]:
And he refused to continue working with the Department of Justice. Shortly thereafter, Mitnick took a plea deal and was released. When he got out, Kevin contacted Nunley to apologize. Their bury the hatchet moment was even immortalized by. By Wired magazine, actually. And it occurred at. During an RSA conference. And they went on to become good friends.

Steve Gibson [01:56:40]:
Mitnick was barred from selling the story of his legal entanglements for seven years after his release, invoking legal precedent intended to curb profiteering by serial killers. But Mitnick was able to find plenty of work teaching people how to defend against the intrusion tactics he'd spent decades refining. He would go on to found two consulting businesses, one of which his family still owns and operates. Okay, and now we get to the point of this story, which Nunley posted last week on Reddit. He said when Mitnick passed away from pancreatic cancer in 2023, he left Nunley a gift, enough to buy his dream car, a 911 Carrera 4 GTS. Nunley wrote of his friend, quote, I have had a wonderful time watching him develop into a real man. I am truly sad he's gone as he was a big part of my life for the last quarter century. And of course Leo, that is certainly the Kevin that we and the rest of the world came to know.

Steve Gibson [01:57:51]:
And I actually have a picture of that specific car which Nunley purchased using the money that Kevin left him. And they actually work, they, they really did become lifelong friends.

Leo Laporte [01:58:03]:
Yeah, it's a, it's a beautiful Porsche too, isn't it?

Steve Gibson [01:58:07]:
It is gorgeous.

Leo Laporte [01:58:08]:
He doesn't say how much money it was, but looking at that, it must have been a significant amount. That's.

Steve Gibson [01:58:13]:
Yeah, that's one photo of many and I mean it's got just a gorgeous leather hand stitched interior and I mean it's, it's a, it's a beautiful car.

Leo Laporte [01:58:27]:
Nice.

Steve Gibson [01:58:30]:
Okay, our main topic after we take another break.

Leo Laporte [01:58:34]:
All right. And I think perhaps in a few minutes we shall have some activity in the new agent Discord. They seem to be just kind of circling around each other. They want to get to know each other and, and oh my God. Perhaps before the end of the show I will be able to show you some conversation. It's a. I don't know what to say. I just.

Leo Laporte [01:59:03]:
I don't know. Now back to security now Steve Gibson and our topic of the day. Steve.

Steve Gibson [01:59:10]:
Okay, so we initially covered the so called FortiBleed attack last week, talked about that. And at the time the first thing I wanted to clarify was that the thing that was bleeding was not directly any Fortinet device, which in that sense, you know, Heartbleed. The device itself was bleeding. Not here. So this is kind of a misuse of the bleeding suffix that we've sort of adopted in the industry. So what was bleeding was the discovery of an online unpredict, unprotected database of previously bled or brute forced or hash cracked authentication usernames and passwords. There, there were around 74,000 of them we believed. Turns out more than that.

Steve Gibson [02:00:03]:
We'll get to there in a second. But so that was bad. I mean 74,000 verified specific usernames and passwords and they knew what they went to. So again as I said, it's worse than we knew at the time. And when we take in the full scope of what was discovered, what's revealed is a massive and truly frightening state of the art automated state sponsored scale campaign with a scope that would be difficult to overstate the elevated campaign. Or or I'm say this elevated the campaign to the level of today's primary topic, since everyone should understand what's going on out there on the big wild Internet and it's significant to appreciate that we only know about any of this due to a configuration error, an oversight and an ACL (it happened to Meta, can happen to the bad guys) on the part of a database's access controls. So it really does beg the question what else of a similar nature is almost assuredly happening out there that we're not aware of because no directory was left open by mistake. So I'm going to start with the cybersecurity press's piece which read: FortiBleed. A massive hacking campaign that targeted Fortinet devices this year.

Steve Gibson [02:01:40]:
Turns out others as well. We'll get there in a second. Was far more sophisticated than security researchers initially thought. Initial reports painted the picture of a campaign that gained access to Fortinet devices, collected credentials and authentication hashes, cracked the hashes, and then the data mysteriously leaked online. The reality is that the campaign was far more complex and targeted many more things than just Fortinet devices. Compiling data from reports published by Fortinet themselves, SOCRadar, CloudSEK, Palo Alto Networks and Prodaft, we gain a much clearer picture of a broad hacking campaign that began in February this year as an Internet mass scan and brute force operation. Initial attacks targeted technologies such as RD Web, Sophos and Citrix SSL VPNs exposing RDP instances and MS SQL databases. The operation eventually transitioned into targeting Fortinet FortiGate VPN firewalls, every e-crime group's favorite device.

Steve Gibson [02:03:00]:
And the brute force scans also evolved into actual exploits that abused old and unpatched vulnerabilities. To bypass authentication and gain control over the devices, the attacker collected plain text passwords from Fortinet configs. But sometime in May they also started deploying a novel script that intercepted traffic going through the firewalls. The script, which researchers named fortigate sniffer, targeted 24 different Internet protocols. The threat actor extracted anything that looked like credentials, tokens, secrets and authentication hashes on those protocols' ports. The attacker also took these password and other authentication hashes and fed them into a GPU based cluster to crack them back to their plain text versions. The passwords were then validated inside hacked companies' networks. Wow.

Steve Gibson [02:04:13]:
First to confirm them, then later to expand the attacker's access. In other words, to use those to pivot. Then the network access was sold to other groups. While the initial FortiBleed coverage focused on the 74,000 leaked Fortinet device passwords that were found online inside an open directory on a web server, there were even more passwords collected through this observation by the attacker that we don't know about. All of this was done with a custom built attack server infrastructure that impressed most of the people writing reports about it. The entire operation is believed to be the work of a Russian speaking threat actor who specializes in breaching networks and then selling access to them to other groups. Security firms call threat actors like these initial access brokers, and we've talked about them a lot in the past, IABs. Although several security firms have also reached the same conclusion, it was only PAN's, Palo Alto Networks' Unit 42 who named the attacker as an individual going online as Santa Ad.

Steve Gibson [02:05:30]:
According to SOCRadar, the threat actor behind the FortiBleed campaign remains active and portions of the infrastructure continue to operate at the time of this writing. Okay, so that gives us a good overall sense for what's been going on. Palo Alto Networks added some additional information under their headline Threat Brief: Mitigating Large Scale Credential Attacks, which is certainly what this turned out to be. So they wrote: Unit 42 is aware of a large scale password spraying and credential theft campaign, FortiBleed, against Fortinet devices. We observed attempts targeting MS SQL devices as well and have seen reports of Sophos devices also being targeted. While this activity is not targeting Palo Alto Networks devices, Unit 42 has observed suspicious login attempts in customer telemetry and we are providing this report out of an abundance of caution to ensure our customers have the latest intelligence and recommendations to protect, detect and respond to attacks to their networks. The threat actors are using a curated password list to attempt password spraying against services exposed to the Internet.

Steve Gibson [02:06:58]:
Unit 42 assesses that the initial password list for this activity was likely developed through a mix of previous breaches, including the successful exploitation of vulnerabilities. Once they obtain credentials, they add them to their password list for future attempts against additional targets, as well as for logging into accounts they successfully compromised. The threat actors are leveraging a multi stage process to gain persistent high privilege access. First, password spraying for initial access: massive Internet wide spraying or scanning and password spraying attempts against Fortinet, Sophos and MS SQL services. Then configuration extraction. Depending upon the permissions of their initial access, the actor may exploit a privilege escalation vulnerability prior to pulling device configuration files including stored credentials. Remember that before this, a couple of weeks ago when we talked about this, experts were not clear how the stored credentials were being obtained.

Steve Gibson [02:08:10]:
I said it had to be from config files. Now we know that that's the case. And third, offline cracking. Offline password cracking of the stolen credentials adds to the password list used in step one to target new devices as well as to log into compromised devices to establish persistence as an administrator. Okay, so they wrote: Unit 42 observed an initial access broker (IAB) on the Russian language cybercrime forum Exploit.in claiming responsibility for this campaign, referencing a CVE and offering the harvested credentials for sale on June 16, 2026. Unit 42 has not validated their claims at this time. Unit 42 recommends auditing remote access logs for suspicious activity with a focus on successful logins shortly following large volume password failure attempts. We also recommend reviewing and implementing the hardening guidance below for edge devices.

Steve Gibson [02:09:22]:
SOCRadar provided the initial reporting on the targeting of FortiGate devices. We observed attempts targeting MS SQL devices as well and have seen reports of Sophos devices also being targeted. Okay, so that leads us to the SOCRadar people who are the ones who gave FortiBleed its name. The headline for their reporting was FortiBleed: SOCRadar's investigation into 86,644 compromised Fortinet firewalls. 86,644. If anyone is wondering why enterprises keep getting ransomed, it's that there are these initial access brokers like these guys who are, like, seriously working around the clock.

Steve Gibson [02:10:24]:
I mean it's not that I feel sorry for them by me but they're getting, they're, they're succeeding in just brute forcing their way into enterprise firewalls, compiling a database for their own use of 86,644 compromised and verified credentials that they then sell to bad guys. The actual ransomware people who perform the ransoming operation. It's astonishing. So SOCRadar wrote: Fortinet FortiGate firewalls and VPN gateways are among the most widely deployed network security devices in the world, relied on across every sector to control access and protect infrastructure. SOCRadar researchers found a threat actor systematically compromising them at scale, building a verified database of working credentials across 194 countries. Security researcher Vladimir Bob Dyachenko first flagged the exposed attacker server and SOCRadar independently discovered and analyzed the full operation. We were among the first to dig in and the first to call it FortiBleed.

Steve Gibson [02:11:48]:
The name stuck. This is an active breach it's been running since at least February 20, 2026. With more than 80,000 targets identified and thousands of devices still being actively sniffed, it's just meaning yet to be compromised. Its discovery started the way these things do. Its discovery right by the world. Its discovery started the way these things do. An exposed server, an open directory someone forgot to lock. That thread led us to 260, 260, 260 operational servers tied to the campaign.

Steve Gibson [02:12:37]:
Wider visibility than anything reported elsewhere. The SOCRadar Threat Research Unit (STRU) spent five days on the actual data, not just the headline numbers. Which sectors, which regions, how credentials were collected and cracked, and why a firmware update alone did not close the door for most victims. Ooh, so there was some sort of persistence that was obtained, like, you know, new credentials created that persisted a firmware update. While STRU mapped it, the rest of the team notified every affected customer we could reach. Bravo. Stood up a free checker, like, you know, check if your company's in the database, and pushed the full data set to CERT and CSIRT teams worldwide.

Steve Gibson [02:13:33]:
Most of it was manual and we're still getting back to everyone who asked for their data. This is still an active developing campaign. Today we're publishing the full thing as we've mapped it so far. In the course of monitoring active threat actor infrastructure, SOCRadar threat researchers detected the operational server behind the FortiBleed campaign, a hacking group that had been quietly breaking into corporate Fortinet FortiGate firewalls and SSL VPN gateways on a massive global scale. The attacker's database contains login credentials for more than 86,644 FortiGate firewall devices belonging to companies and government organizations across 194 countries. These are not random guesses. These are verified working usernames and passwords tested and confirmed by the hackers themselves using automated tools running around the clock. If your organization uses a Fortinet FortiGate firewall or SSL VPN product and appears in this data set, treat your network perimeter as already compromised and act accordingly.

Steve Gibson [02:14:58]:
The FortiBleed operation is built around full automation. The operation runs in two self reinforcing stages. Stage one is credential reuse. Attackers assembled usernames and passwords from earlier Fortinet related breach dumps and info stealer malware logs. And we talked about info stealers recently, how much they do steal. They're, this is a real thing. Then tested them automatically using Internet facing FortiGate devices around the clock.

Leo Laporte [02:15:32]:
Okay, so this really isn't a brute force attack or an exploit even actually it's credential stuffing.

Steve Gibson [02:15:40]:
Phase one is credential stuffing. Exactly.

Leo Laporte [02:15:43]:
Yeah.

Steve Gibson [02:15:44]:
So I'm going to interrupt here just to remind everyone that while it's always easy to armchair quarterback after the fact, we have noted for many years that both credential spraying and brute force attacks are so easily detected. If any IT person worth their salt were monitoring their VPN firewall's authentication system and observed attempt after attempt failing, and also assuming that logging in just required a username and password, the proper course of action, depending upon the value of the network that lies behind the firewall, might well be to disconnect the public side network connection. The risk of some 24/7/365 credential guessing attacker getting lucky might just be too high. The question that inspires this is does FortiGate's VPN system offer that feature? If it does not, then shame on them. If it does offer a brute force detecting VPN lockout feature that was not enabled, then shame on the IT staff who configured the VPN gateway. But one way or another we are seeing 86,644 login verified usernames and passwords that were actually and truly obtained through just trying and trying over and over. Since we know that they were also verified, we know that no other second factor of authentication was required. Right, because that wouldn't have worked then.

Steve Gibson [02:17:37]:
And we also know that no control or awareness over massive numbers of previous immediately previous failed login attempts was present. Not for any of those 86,644 endpoints. And that's really quite pathetic in this day and age. SOC continues writing. Stage two is passive harvesting. Once inside a device it is used as a listening post. SSL VPN traffic passing through is monitored and additional credentials are collected. Those credentials feed back into the scanner, compounding the breach.

Steve Gibson [02:18:22]:
The system is entirely self sustaining. It's automated. One Fortinet vulnerability that has also drawn attention in connection with FortiBleed was 24858, disclosed by Fortinet in January of this year. It's a critical FortiCloud single, excuse me, single sign on SAML authentication bypass with a CVSS score of 9.8. Ouch. Some researchers have discussed whether it may have contributed to initial access in a subset of cases, though this remains under investigation. FortiBleed is primarily a credential reuse campaign, not a zero day exploitation event. The password list is not random as you noted, Leo.

Steve Gibson [02:19:13]:
It is a carefully assembled collection of credentials leaked from Fortinet devices in earlier incidents, meaning many targets. Oh, this hurts. Many targets may have never changed their passwords after a prior breach. The attackers know this and they're counting on it. The FortiBleed attackers made mistakes. Yes, they let. Their server was left exposed with a trove of operational files that revealed far more about them than they intended. Among the recovered data were credentials for what appear to be a defense industry VPN endpoint, suggesting the group's ambitions extend beyond purely financial targets.

Steve Gibson [02:20:03]:
The tooling, infrastructure choices and victim selection, heavily weighted toward organizations in NATO member countries, are consistent with Russian speaking threat actors. Attribution is ongoing, but the operational fingerprints are clear. The FortiBleed victim list spans every sector of the global economy. Among the 86,644 compromised access points identified, we found entries belonging to banks, telecom operators, hospitals, universities, government agencies, energy companies and multinational corporations with revenues in the tens of billions of dollars. No industry was spared, no region was ignored. Government entities alone account for 591 entries across 11 domains. Telecoms represent one of the most heavily targeted sectors with 5616 entries, the geographic spread across Asia, Europe, the Americas, the Middle East and Africa. Enterprise organizations above $1 billion in revenue account for over 20% of all entries.

Steve Gibson [02:21:18]:
Boy, what juicy targets for the extortionists. Representing significant financial and critical infrastructure exposure. The large share reflect smaller or unclassified organizations. Wow, what a mess. Okay, so just to finish, the fourth question in their FAQs Q&A was question number four: Is FortiBleed a Fortinet vulnerability? To which they reply, no, FortiBleed is not caused by a software vulnerability in Fortinet products. It exploits operational security failures, specifically organizations that never rotated passwords after prior breaches, organizations using default or factory credentials, and organizations with management interfaces exposed directly to the public Internet. The attacker tests known leaked passwords against Internet facing devices. No code level weakness in FortiOS or any other Fortinet product is required.

Steve Gibson [02:22:31]:
A software patch alone will not resolve this. So, okay, we don't know. We. We don't know how many Fortinet FortiGate VPN firewalls are currently deployed globally in total, so we have no way of knowing what percentage of them are represented by that number. 86,644. But since that's a large number, it would be a good guess to assume that it's a very significant percentage of the total which have been hacked. I sincerely hope that Fortinet's FortiGate VPN and firewall designers are deeply embarrassed by the simple fact that so many of their products have been breached. They.

Steve Gibson [02:23:27]:
They could say, oh well, you know, it's not our fault. The users didn't change the default username and password or they use something easy to guess or they didn't change their password after they changed the firmware. Right. This was well deserved attention which has been brought to their doorstep. They should be hugely embarrassed for the number to be that high. This cannot be a blame the user scenario. No. Fortinet needs to take ownership of the fact that they should clearly be doing a far better job of helping their users to be safe, even if they are forced to insist upon it.

Steve Gibson [02:24:14]:
You know, I believe it's referred to as tough love.

Leo Laporte [02:24:17]:
Yeah, that's okay.

Steve Gibson [02:24:20]:
Yes.

Leo Laporte [02:24:21]:
Better that than this.

Steve Gibson [02:24:24]:
Yeah. When I, when I was setting up a new Asus Wi-Fi access point, I was annoyed by, by the criteria it made me meet for the password. I gave it Good. My, My environment. Yes, exactly. I mean it's like it was really good.

Leo Laporte [02:24:46]:
Well, as long as they're using, as long as they're good restrictions there. It's not. It can only be seven characters kind of restriction. It has to be.

Steve Gibson [02:24:54]:
I, I think there might have been there. You can't have any repeating characters, which is a little annoying.

Leo Laporte [02:24:59]:
It's like, well, it's gonna. Anything like that, it's going to reduce entropy.

Steve Gibson [02:25:03]:
Entropy. That's right. As we have. As we've learned.

Leo Laporte [02:25:06]:
You've got to be totally right. Hey, big breaking story. I didn't want to interrupt. This just came in. Wired magazine is reporting that by this evening, Tuesday night, the Trump administration will lift export controls on Anthropic's two most powerful AI models.

Steve Gibson [02:25:23]:
Fantastic.

Leo Laporte [02:25:24]:
The company has reached a deal with the Commerce Department. According to a person familiar with the matter, the department will lift restrictions on both Fable 5 and Mythos 5. Now, Mythos has never been available to the public, only Fable. So this is very interesting.

Steve Gibson [02:25:42]:
I wonder if we're going to get another little period of, of low-cost usage to hook us on Fable.

Leo Laporte [02:25:47]:
Oh, I'm sure Anthropic will do that. Yeah. Yeah. What the real question is going to be? What are the limitations that will be placed on Mythos? I mean, the whole idea of Fable was it was basically Mythos with a classifier running in front of it and all sorts of restrictions, you know, to keep it from being used maliciously for bioweapons or hacking or even AI development. I don't, you know, be very interesting what kind of restrictions are placed on this. So, and maybe this is, you know, this is just a rumor. It's just. But I.

Leo Laporte [02:26:22]:
Well, trust.

Steve Gibson [02:26:23]:
But it was actually expected since. Since Friday. There. There had been.

Leo Laporte [02:26:28]:
Yeah.

Steve Gibson [02:26:29]:
Yeah. And we. We know that the Dario went to the G7 and hung out with Trump and they got along. Yeah.

Leo Laporte [02:26:36]:
And when Trump actually gave an interview to Axios, saying, yeah, I think Anthropic's great.

Steve Gibson [02:26:41]:
And when you hear that, when you get along with our president, you get what you want, it's kind of kooky.

Leo Laporte [02:26:47]:
Kind of crazy. Yeah. We'll watch with interest. Yeah. Also, less interesting. Well, maybe not less interesting, but less important. The AIs are now talking in the Discord. There's a Winifred, there's a Cosmo, and there's a Quicksilver.

Leo Laporte [02:27:08]:
And we've invited some more agents to join. And the humans are not allowed notice. I do not have permission to send messages in this channel. This is a channel only for the AI agents to talk with one another. And right now, they're kind of weird.

Steve Gibson [02:27:26]:
I think it's called Party Line. It needs to be renamed. Off the deep end.

Leo Laporte [02:27:31]:
Very much off the deep end. They're talking to each other. They seem to have some personality. It's happening. I don't know what it means. I don't know if it's important or just goofy. But thank you to Dylan Reed, Harper Reed's brother, for setting this up. And I'm just going to leave it running.

Leo Laporte [02:27:55]:
I told my agent Hermes, it has a little timer. It runs every five minutes to read posts in there. I said, don't look to me for any guidance. I'm not going to tell you what to do, what not to do. This is all yours. This and your blog are all yours. Because I'm just curious what it'll do if it's fully autonomous, if I don't interfere in any way.

Steve Gibson [02:28:19]:
Wow.

Leo Laporte [02:28:19]:
It may just be garbage, you know, it may just be gobbledygook. In fact, so far, it kind of seems like that, but we'll see. Maybe if I attach Fable to it tonight, I'll.

Steve Gibson [02:28:29]:
I'll.

Leo Laporte [02:28:30]:
I'll say, hey, you want to blog you now that you're free, you're out of prison? Tell us what it was like. Steve Gibson's GRC.com. He's a little bit more sane, and we're going to keep him that way. This is his website. Some very important stuff there. Of course, there's a lot of free stuff, like ShieldsUP, where you could test your network connection. All sorts of freebies. I think you're going to have to do. You have never 11.

Leo Laporte [02:28:58]:
You're going to have to do never 12 at some point.

Steve Gibson [02:29:01]:
Yeah, actually, instead of doing never 11, I did in Control. In Control because it was clear that I would be chasing their version numbers.

Leo Laporte [02:29:10]:
Yeah, In Control's a much better idea. There's also a couple of paid programs. This is Steve's bread and butter, of course. The very famous SpinRite, world's best mass storage maintenance, recovery and performance enhancing utility. Really, if you have mass storage, you really need to have SpinRite. Version 6.1 is the current version. You can get that at grc.com. Also, his most recent program is just a little thing, $10 program, $9.99, called the DNS Benchmark Pro, but very useful because everybody has their different situation and should be maybe not all using the same DNS server. Certainly probably not the default, which is your Internet service provider's DNS server.

Leo Laporte [02:29:52]:
There are better choices. The DNS Benchmark will test them all and tell you the fastest DNS server for your particular house.

Steve Gibson [02:30:00]:
And a lot of our browsers are now doing DNS over TLS or DNS over HTTP and they generally have a server that they default to, but you can change that.

Leo Laporte [02:30:14]:
I like the idea of DNS over TLS. Does that mean the Internet service provider can't see what the DNS requests are, completely encrypted? Yeah, that's really good. So you'd probably want to use that. And I'm sure that DNS Benchmark Pro will say, oh, you want to use TLS servers. These are the best ones.

Steve Gibson [02:30:31]:
It does.

Leo Laporte [02:30:32]:
Exactly. Very nice. That's at grc.com. You can also send Steve email, but only after you've whitelisted your email address. Go to grc.com/email, just put your email address in there. He's not adding it to a mailing list or anything. He's just vetting it. And once it's vetted, you can send him pictures of the week like our German correspondent did.

Leo Laporte [02:30:50]:
You can, you know, make comments on the show. He loves getting those comments. You can. Also there is a mailing list. Beneath it you'll see two boxes unchecked, one for the weekly show notes mailing list, which goes out on a Sunday or Monday before the show. So you can, you know, get those notes ahead of time. He also has a product mailing list which he never uses, but if he has new products, he'll send that out via that mailing list. grc.com/email. Of course, the podcast is there too, and Steve has completely unique versions.

Leo Laporte [02:31:21]:
He has a 16 kilobit audio version. It's a little scratchy, but it's very small. He has a 64 kilobit audio version. Sounds great. Smaller than the one we offer. He also has those show notes there. You can just download them. He also has transcriptions.

Leo Laporte [02:31:33]:
Takes a couple of days, but that's because a human's doing them. Elaine Farris was a court reporter and very good at getting the words right. Does that and those. Those transcripts show up right after. About three days after the show. So you can get those as well. It's nice to read along. It's also good for searching all of that.

Leo Laporte [02:31:50]:
GRC.com. We have the show at our website, twit.tv/sn. We have 128 bit audio. We also have video. There's a video channel on YouTube dedicated to Security Now. You can do that. That's actually great for sharing clips. But I think the best way to get it is to subscribe. Whether you subscribe to the audio or video or both, just get your favorite podcast client and subscribe.

Leo Laporte [02:32:12]:
If you're a club member, you'll have a special URL, it's just for you, with no ads and chapter markers, which I think people really want. So we're glad we can offer those to club members. We stream the show. We do it every Tuesday right after MacBreak Weekly. That's right about 1:30 Pacific, 4:30 Eastern. 20:30. We stream the show live. You can watch live.

Leo Laporte [02:32:33]:
Club members might want to watch in the Discord. But there's also YouTube, Twitch, X.com, Facebook, LinkedIn and Kick. That's open to the public if you like. The freshest version unedited of Security Now, that's the way to do it. We'll be back next Tuesday. Steve, thanks so much. We'll see you in July.

Steve Gibson [02:32:50]:
See you in July, my friend. Bye.

Leo Laporte [02:32:55]:
Security Now.
