Security Now 1087 transcript
Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. Massive Patch Tuesday from Microsoft. One thousand plus fixes. We'll talk about that. We'll also talk about some interesting hacks against AI that you might be aware of or want to be aware of. And Steve has found a really good way to kid proof an iPhone or make it suitable for adults who just don't need all those icons. That's coming up next on Security Now.
Steve Gibson [00:00:30]:
Podcasts you love from people you trust.
Leo Laporte [00:00:34]:
This is Twit. This is Security now with Steve Gibson. Episode 1087 recorded Tuesday, July 14, 2026. Halloo Squatting Ghost approval and get lost. It's time for Security now. The show we cover the latest in security privacy online stuff, computers, vitamins and this guy right here, Mr. Steve Tiberius Gibson.
Steve Gibson [00:01:04]:
And these days my friend, the world is AI. Not that there's. I mean I'm now over feeling sheepish about basically just talking about AI on this podcast because AI has impacted cybersecurity like nothing else ever has truly. We're going to talk about several nation states declared initiatives about the impact of AI and their own cyber security. The eu, the UK and China. The UK has got something. It's interesting to me that, that in some ways they're leading us because I've seen nothing like this from us but the, the UK's NCSC and you know GCHQ, the National Cyber Security center and their main intelligence group, they've announced something called Cyber Shield which is which where they're talking about. I mean this is Colossus.
Steve Gibson [00:02:18]:
They're talking about turning their national cybersecurity over to autonomous agents. Oh and laying out the whole protocol. Anyway, we're going to talk.
Leo Laporte [00:02:31]:
You're talking about Colossus, the forbidden project for those who don't.
Steve Gibson [00:02:35]:
Yes, yes.
Leo Laporte [00:02:35]:
And it is on YouTube. You can watch it on YouTube if you have.
Steve Gibson [00:02:38]:
I've not looked at Patch Tuesday, but this is Patch Tuesday, second Tuesday of the month. And Microsoft has warned the entire industry in a blog post that we'll look at to expect many more patches. Of course we anticipated this months ago but now they're saying oh we counted them. Whoops. Anyway, so good we'll talk about that Rogue planet. The, the latest salvo from Nightmare Eclipse has been fixed on the fly with, with with a patch. We'll talk about that. Also just a random tip that I ran across in Wired about a much better solution for kid proofing an iPhone that I just had to share with our listeners because I.
Steve Gibson [00:03:29]:
So I've heard so many so much feedback from our, from our audience saying, you know, like questions about how do they child proof their Internet connection, you know, what do they do in order to keep their kids from going places they shouldn't. So I know that there's a strong interest in, in controlling what youngsters do. And this was just a really cool tip from, from Wired. Then we're going to talk about three new means of subverting AI, something known as halu. Squatting, as in hallucination squatting. This is a really cool hack. We've got a third, a second one called ghost approval. And then my favorite name for a hack in a long time is get lost.
Steve Gibson [00:04:23]:
So get lost.
Leo Laporte [00:04:24]:
Get lost.
Steve Gibson [00:04:28]:
So very nice. Anyway, the, the title for today Security now 1087 for this 14th day of July is Hallow, Squatting, Ghost approval and get lost.
Leo Laporte [00:04:40]:
I love it. That's all coming up, all three and more in just a little bit.
Steve Gibson [00:04:46]:
We do have another puzzling picture of the week also.
Leo Laporte [00:04:49]:
I see. You know, it's funny, normally I don't, you know, I can't, I don't look at them ahead of time because I like to be surprised along with everybody else. Well, everybody doesn't get the email, but I can see the top of this picture and I have a feeling I kind of know what the bottom is going to be. But we'll see, we'll get there. I am ready for the picture of the week. Oh, you're muted. What? Hello. Did I mute you? You're muted.
Leo Laporte [00:05:18]:
There we go.
Steve Gibson [00:05:19]:
Sorry. So this picture was taken by a listener of ours and we're getting more of those because people, you know, people sort of have the podcast in mind now and then they see something wacky and they go, okay, we have to share this with Steve because maybe this would be, be worthy of the podcast. This per. This is in Australia. Our listener works for IBM and this is an IBM facility which he said IBM owns. I gave this the caption. Some building safety officer may have required the sign, but how could this have happened?
Leo Laporte [00:06:02]:
I did see the top and I thought, okay, that looks like a staircase to nowhere. And the sign says no access beyond this point.
Steve Gibson [00:06:13]:
Obviously one of our clever listeners responded the email to about 20, almost 21,000 of our listeners went out late morning on Sunday. Someone wrote back and said, well, I'm not a muggle.
Leo Laporte [00:06:30]:
So, you know, referring to three and nine and three quarters, are we going to walk right through that ceiling?
Steve Gibson [00:06:36]:
I'm sorry, he what? He is a muggle. He said, I am a muggle, meaning that he isn't able to walk through. But
Leo Laporte [00:06:43]:
Leo,
Steve Gibson [00:06:45]:
I, Obviously there was once no ceiling here, so. Okay, I'm sorry, I forgot to tell people who are not looking at this. What, why? We're kind of gobsmacked, as they say in the uk. I guess it's. We have a, A, a staircase which is winding around as it goes up floor by floor. You know, a lot like a floor of stairs. Then, then you, you, you turn, turn a corner twice, come back to where you began on the floor above and then go up again so forth which goes into the roof, into the ceiling of where this is. So to me, one would, would expect that.
Steve Gibson [00:07:37]:
Okay. Once upon a time there was no ceiling there. Right. Like some renovation at. I, I don't, I just can't explain. Oh, okay. So if there was a staircase there that was, that continued to go up, then that would have bisected those two floors with the stairs. So if, if they, if they were to join this, the floors that the stairs were going up to, then, then I guess you'd put a, you, you have to put a, you know, a floor across where.
Steve Gibson [00:08:17]:
Anyway, I can't, I.
Leo Laporte [00:08:18]:
So there's some series in our, in our chat.
Steve Gibson [00:08:21]:
Let me have.
Leo Laporte [00:08:23]:
And one would be, this is an IBM facility. One would be that they wanted to limit access to this next floor. Maybe it's a secure floor. It costs more to take the stairs out. It's very easy just to seal up the entry. So they just put the floor in and they didn't bother taking the stairs out. You could see there's stairs below it that led up to this floor. So this is a staircase that goes up.
Leo Laporte [00:08:48]:
The other theory, Darren Okey, who lives in Australia, says he's seen this several times, is that a company rents several floors in a building, but maybe they didn't need that top one and so they just closed it off so that somebody else could rent it. But again, taking staircases out, especially if it's a staircase that, if it were just on this floor, maybe that'd be easy to do. But you could see it's part of a staircase that goes below.
Steve Gibson [00:09:16]:
Yes, yes. So the idea would be that they, they said, okay, we're gonna give back the, this floor above.
Leo Laporte [00:09:22]:
Right.
Steve Gibson [00:09:23]:
Or, or like give it to someone else.
Leo Laporte [00:09:25]:
Right.
Steve Gibson [00:09:25]:
And so they literally just, you know, terminated their, yeah, their access.
Leo Laporte [00:09:31]:
They just put a big thing across it that said, you don't want to go there.
Steve Gibson [00:09:37]:
And of course then Leo, but why
Leo Laporte [00:09:39]:
do you need to sign? Because it's obvious.
Steve Gibson [00:09:42]:
I forgot to tell everybody who isn't seeing it. The sign says no access beyond this point. And then with a little IBM within you know what standard logo maybe you
Leo Laporte [00:09:53]:
got a distracted employee, he's not paying attention, he's hustling upstairs. He doesn't look up and he runs right into the. So maybe it's, there's a reason as
Steve Gibson [00:10:01]:
I said and, and thus the reason for the caption I gave it. Some building safety officer may have required the sign.
Leo Laporte [00:10:08]:
Exactly.
Steve Gibson [00:10:10]:
And now we have some theories for how this happened.
Leo Laporte [00:10:12]:
I love it. Okay, that's hysterical.
Steve Gibson [00:10:13]:
So last Tuesday the next web picked up the story of the ECBs, the European Central Banks recent AI warning to Europe's entire banking industry. And again I'm sure our listeners by now know that AI is impacting cyber security. Probably I would argue maybe more than anything else can you think of. I mean we know it's impacting coding yes but I mean and, and there's sort of an expectation of it having an effect throughout other industries. Right. Like the law profession getting rid of like you know, lowend sort of middle manager, attorneys whose, whose jobs can be now done by AI. But to my way of thinking though I obviously have some, you know, a tunnel vision on this. I can't think of anything that where AI has had such an immediate like right now, not next year, not coming soon, but I mean right now effect as in cyber security.
Steve Gibson [00:11:33]:
I to me it, it seems like it's, it's you know the thing that AI has impacted most immediately. Anyway, the next web picked up the story about this saying that the European Central bank has a warning for the euro area's largest banks. Frontier AI now poses a serious cyber threat and again not in the future. Today like immediately like the moment it happened. The lenders banks must draw up plans to, to counter it. Claudia Booch, the chair of the ECB's cyber advisory board wrote to a to to bank chief executives setting a deadline for the end of October. Booch asked leaders, or I'm sorry lenders to patch software faster and harden their AI enabled cyber defenses. The idea they even have them already is something she also wants tighter oversight of the outside technology partners they lean on.
Steve Gibson [00:12:41]:
Over the longer term banks must modernize aging infrastructure and sharpen their crisis response. The order carries no fines. Banks that ignore it face no formal sanctions. So literally just a warning, just a wake up call, but with no teeth. The ECP they wrote says it may still use the plans to rank lenders against each other and press the laggards. One model Looms over the letter. And I'll be talking about this in a second one. Looms over the letter.
Steve Gibson [00:13:14]:
Anthropics Claude Mythos Anthropic says Mythos can find unknown flaws in IT systems. It claims the model has already spotted thousands of severe vulnerabilities across major operating systems and browsers. The company First Limited who could use it, which spread unease across European finance. Butch put this story plainly. She wrote, quote, emerging models can pinpoint software weaknesses and write working exploits at unprecedented speed. That collapses the gap between finding a flaw and firing through it. That's an expression I hadn't heard before firing through it, but okay. The ECP did not act alone.
Steve Gibson [00:13:57]:
The same day the European Systemic Risk Board lifted its assessment of systemic cyber risk to severe. So they've got some sort of a, you know, a DEFCON scale and so we're now at severe systemic cyber risk. Saying that frontier AI should now count as a source of systemic risk in its own right. The board also flagged a second worry. Nearly all the leading AI providers sit outside the European Union. That leaves the bloc dependent on foreign firms and exposed to geopolitical pressure. It urged Europe to build its own AI muscle which when we're going to see this here in a couple seconds with some of the follow on stories, AI is now and should be and so not surprisingly being viewed as a strategic resource, not unlike you know, the power grid, I mean it's, you have to have it and you, you have to know you have to have a, a reliable supply of it. The move they write fits a wider European scramble.
Steve Gibson [00:15:14]:
ECB President Christine Lagarde warned last month that AI could trigger a dangerous financial crisis. The ECB has already run 109 banks through a severe cyber attack drill. The threat is not hypothetical either. With state backed attacks climbing and European bodies such as France's statistics office already hit a market has sprung up around the fear. French startup Mistral has opened talks with European banks to sell a flaw hunting tool. So now we've got, you know, somebody local in France to, who's beginning to say okay, we've got some commercial capabilities. They wrote. It's one of several firms racing to offer a homegrown answer to Mythos.
Steve Gibson [00:16:05]:
For now, the regulators sound clear on the danger but are much more vague on the fix. Banks have until October to show they're ready. So this reaction from Europe, of course, as I said it should not be and is not surprising. But given the rapid uptake in the use of AI for cyber attacks, giving banks until October to Me, you know what? July, August, September, October. So four months does seem like an overly slow response. On the other hand, these are banks, so it might be as fast as they're able to move and the ECB may be painfully aware of that. The other thing that caught my eye was the specific mention of Mythos. You know, you have to give Anthropic credit for the brilliance of their rollout of this.
Steve Gibson [00:16:56]:
The skeptics who try, who cried foul that Mythos was just marketing, well, they were wrong. It's not just marketing, but they certainly had a point. Mythos was able to deliver the, the goods first. It would have been and would still be, still is truly dangerous in adversarial hands. And Anthropic did take advantage of that for marketing. We've learned since then, like it seems like a long time ago, but it was like a month, you know, that other less powerful models when carefully orchestrated and I heard you say Leo over on MacBreak weekly that it's turning out that the harness that one uses for AI is as important as the model that it's harnessing. And I that totally makes sense. And I, and I agree with that.
Steve Gibson [00:17:46]:
You know, we've learned that less powerful models when carefully orchestrated can deliver similar results. And this was what so miffed those guys over at aisle remember AI S L E they had, you know, actually preceded Mythos in their own work without the Mythos model behind it and achieved similar results because they were commercializing this capability and along comes on Anthropic and steals the, you know, all of the glory. On the other hand, they didn't have the presence or the marketing to pull off the coup that Anthropic managed. You know, and we should remember in time this will all just be a note in the history books. And at the rate we're moving, that'll be a year from now. It'll be like oh, remember back then. Right. Okay.
Steve Gibson [00:18:44]:
So speaking of what's going on across the Atlantic or the Pacific rather last week also the European Union published their so called action plan. So this is the EU as a in at, you know, broadly as opposed to just the European Central Bank ECB was the previous report from the next web the eu. Their action plan is that they they titled the action plan on Cybersecurity and Artificial Intelligence. In their announcement of this, the European Commission themselves wrote Artificial intelligence is rapidly transforming the cybersecurity landscape. AI can help detect vulnerabilities, prevent cyber attacks and strengthen the protection of critical infrastructure. At the same time, it can also be exploited by malicious actors to automate attacks against, identify weaknesses, and carry out cyber operations at unprecedented speed and scale. Building on the EU's existing legal framework on AI and cyber security, the Action Plan. That's capital A, capital P.
Steve Gibson [00:19:59]:
The Action Plan sets out a coordinated approach to help member states, businesses and public authorities benefit from the opportunities offered by AI, or while addressing the new risks it creates. It focuses on three complementary objectives. Promoting the safe and responsible use of advanced AI, reinforcing the EU's cybersecurity and resilience, and scaling up Europe's AI capabilities for cybersecurity. To promote the safe use of advanced AI, the Commission will strengthen Europe's capability for, I'm sorry, their capacity to evaluate AI models before they're placed on the EU market. You know, essentially they're saying, what? This caught all of us by surprise. We, we need to figure out how to even know what an AI model is, what it does, is it good? Which one should we choose? So they're saying we need to strengthen that capacity to, to evaluate AI models before they're placed on the EU market. In line with the AI act, they said it will also work with a European Union agency for cybersecurity, ena, to develop a European blueprint for secure access to advanced AI systems for cyber security purposes and establish a secure testing platform to help organizations in critical sectors such as energy, transport, health, finance and public administration safely test and deploy AI solutions. So here again, the message is, we've been sort of focused on companies like Anthropic and their interaction with the US government, specifically in sort of a microcosm.
Steve Gibson [00:22:00]:
But imagine that you're a nation state and this is happening outside your borders, yet is clearly going to affect entities, your existence, your network, your, your, your national security. So suddenly you are expected to be able to deal with this bureaucratically the way you deal with everything else bureaucratically. I mean, this is just a whole new thing that requires a massive new bureaucracy in order to, like, figure out what to do about it. They said the action plan also reinforces the EU's cybersecurity by promoting the implementation of existing EU cybersecurity legislation, including the NIS 2 directive and the Cyber Resilience Act. It encourages organizations to use AI, including open source models, where appropriate, to detect and address vulnerabilities more quickly and improve their ability to prevent and respond to cyber attacks. In other words, everybody's got to get going here in the eu, they said. To strengthen Europe's technological leadership, the Commission will launch an EU Grand Challenge on AI for Cybersecurity. Bringing together companies, researchers and other stakeholders to develop innovative AI powered cybersecurity solutions.
Steve Gibson [00:23:26]:
The EU will also continue investing in sovereign AI capabilities. Meaning, you know, their own. We need our own AI. They're saying China's got it, the US has got it. What happened? We don't have, we don't got it. So a sovereign AI capabilities being building on initiatives such as AI factories, whatever that is, and future gigafactories, while encouraging private investment to help scale up European AI technologies. In other words, we got kind of caught flat footed here. We, we need AI.
Steve Gibson [00:24:01]:
The action plan they finish complements the EU's existing legal framework for AI and cybersecurity, including the AI act, the Cyber Resilience act, the NIS 2 directive, the Digital Operational Resilience act. That's Dora and the Cyber Solidarity. They got a lot of acts over there. Yeah, but, but you know, not much is happening. Boy, have we got some initiatives. Leo, we got to make a committee
Leo Laporte [00:24:30]:
to talk about this.
Steve Gibson [00:24:31]:
That's right. We're gonna. Well, you have to have a committee to talk about the committee. Yeah, you know what, who's on the committee? What should the shape of the committee to do this take? And that's, that's where they are on the whole child age gating thing too. The, the, the, the W3C had. They're at the stage of fashioning the committee that will then begin working toward. It's like just do it guys. How hard this, this is not nuts.
Leo Laporte [00:25:04]:
Because they think they just. All you have to do is write a bill or a law or an executive order and we'll create our own local AI. But you know, there are companies in Europe that's been trying to. Mistral is in France. They're not competitive. You can't just make it with a stroke of a pen. It's just bizarre.
Steve Gibson [00:25:24]:
And look at the investment. I mean now of course in the US we have the data center controversy because it's, it's upset so many.
Leo Laporte [00:25:33]:
So some New York just bans data centers. By the way, the whole.
Steve Gibson [00:25:37]:
There was a piece, there was a piece in the news today that said that, that someone was, was, had been kicked out of their home because
Leo Laporte [00:25:49]:
what,
Steve Gibson [00:25:50]:
what is it called? I forgot now the term eminent domain. Eminent domain. Thank you. Yes. Eminent domain required that they, that a new power distribution system be put through through 300 homes which because in order to deliver enough power for a data center somewhere. So it's like you know, in this,
Leo Laporte [00:26:13]:
the Nevada or the Lake Tahoe Regional Power Authority has announced that they're going to cut off not domestic users of power. You have to get a new power company because we're going to give all our power to AI no wonder people are pissed. I understand. I really do.
Steve Gibson [00:26:32]:
I do too. Yeah, and then we had the initiative. Oh, don't worry, we're not going to power from the grid. We're going to power locally because there's a huge natural gas pipeline running past us. Well, turns out when they fired up the turbines, people can no longer hear themselves think outside because the whine of the gas turbines, it's like, oh, well, you know, yes, we have great air conditioning inside and we have power, but you know, our children can't play outside.
Leo Laporte [00:27:05]:
This also is because of a short sighted policy on sustainable energy. After years and years and years.
Steve Gibson [00:27:11]:
Well, how many times have we been talking about how obsolete the US power grid is? This is what happens when, when you suddenly need power from the power grid, which has been obsolete.
Leo Laporte [00:27:21]:
There is, you know, more than enough power being focused on the earth from the sun to do all of this, but we have decided we want to dig up fossil fuels instead.
Steve Gibson [00:27:31]:
And boy, has solar become cheap in the lab. Mean, like a while ago, the story was, oh, it's too expensive. Not, it's really not anymore.
Leo Laporte [00:27:38]:
And this is why China is going to leapfrog us, because they don't, you know, they don't have this problem.
Steve Gibson [00:27:45]:
Oh, well, so what's interesting with, you know, all of this? It occurs to me that the initiatives such as the EU is talking about are another less obvious downstream benefit of the way Anthropic marketed Mythos. You know, just as it shook up the US government in today's highly connected world, it has, it's similarly now they're looking at it from a distance. Right, but it shook up every other nation. The EU's announcement, you know, reads as it is like bureaucratic boilerplate. And as you said, Leo, that's what bureaucrats produce is these sorts of acts, this act and this act and the other. So anyway, what it does show us is, is a view into what those bureaucrats are thinking and the bureaucrats in the European Union are thinking, holy crap, we don't want to get left behind.
Leo Laporte [00:28:44]:
Right?
Steve Gibson [00:28:46]:
And that brings us to China.
Leo Laporte [00:28:49]:
Oh boy.
Steve Gibson [00:28:50]:
Reuters headline reads, Beijing, get this, is looking at curbing overseas access to China's top AI models.
Leo Laporte [00:29:02]:
Oh. Huh.
Steve Gibson [00:29:06]:
I knew that would get your attention.
Leo Laporte [00:29:08]:
Well, three people are saying, download all the models now before they cut them off. Yeah, that's the problem, you know, hugging face and others have these models. It's just. It would only be future models, I guess.
Steve Gibson [00:29:20]:
Correct. Well, or running the models. So you need to be able to run the models on some, you know, powerful enough infrastructure for it to work. So but you know, and, and Leo, the other problem is as you said future models, I I cannot stress enough the degree to which we are hardly started. I mean every bit of my intuition says that. I mean just the fact that look what happens in one month and no mature technology has what has happened in a month happened. So this isn't the mean. It's not even premature technology.
Steve Gibson [00:30:02]:
It has just begun.
Leo Laporte [00:30:03]:
It's mind boggling.
Steve Gibson [00:30:05]:
It is. It is astonishing. So Reuters reports three people familiar with the discussion said that Chinese authorities have held meetings with top tech firms, meaning theirs, over the past month about potentially restricting overseas access to China's most advanced AI models. The talks follow a number of steps by Beijing to keep homegrown AI within the country and underscore how China, like the US is now treating cutting edge artificial intelligence as a critical national asset. Yeah, that needs control.
Leo Laporte [00:30:45]:
Yeah.
Steve Gibson [00:30:46]:
Companies present. I mean it is. This is what's got the EU all up in a bother is that AI is now a national asset. Companies present at the talks included tech giants Alibaba and ByteDance, as well as the startup Z AI, said the people who were not authorized to speak to media and declined to be identified. Since the emergence of Deep Seq's R1 model last year, writes Reuters, Chinese AI models have made big inroads globally thanks to their low cost and increased capabilities. Any decision by Beijing to limit access to those products could ripple across AI markets as costs for many businesses would likely increase. At the meetings led by China's Ministry of Commerce, participants discussed putting limits on the most advanced AI models, both closed source and more open versions. According to two of the sources, officials talked about making any leak or theft of proprietary AI technology an offense under China's stringent national security laws.
Steve Gibson [00:32:01]:
The officials also raised the possibility of implementing new measures to restrict who can fund domestic AI startups, meaning probably no foreign funding. The scope of the potential restrictions is still being discussed and may only apply to future models. It was not immediately clear when or even if they would come into force, but the point being here, this is a discussion point and this, this, this indirectly demonstrates the the thinking that is going on. It's like wait a minute, we China have an asset notice. Also Leo, they don't have a problem creating as many data centers as they want to in the same way that they don't have a problem flattening land in order to put up solar arrays in order to power them. They and, and at some point here, here's the US getting in trouble because it's unable to produce the, the, the, the compute power that suddenly out of in like in no time we need. China doesn't have a problem generating as much compute power as they decide that they want to produce. And then that becomes a strategic asset of theirs, which, I mean which we have a problem duplicating because we've got too much pushback in about the creation of data centers.
Steve Gibson [00:33:25]:
I mean this, it's thinking of AI as a strategic national asset suddenly puts a whole different complexion on it.
Leo Laporte [00:33:34]:
Yeah.
Steve Gibson [00:33:37]:
Reuters said China's Commerce Ministry, which oversees export regulations, and the National Development and Reform Commission, the country's state planning agency, whose officials also attended the meetings, did not respond to Reuters direct requests for comment. Alibaba, ByteDance and Zai also did not respond to Reuters queries. All three companies have a range of AI models, some closed source, while others are open weight, meaning users can download, run and customize the underlying systems. Alibaba's Quinn and ByteDance's Daobao are two of the most widely used AI models in China.
Leo Laporte [00:34:18]:
Quinn's fantastic. Yeah.
Steve Gibson [00:34:22]:
Zai has recently set Silicon Valley abuzz as the capabilities of its GLM 5.2 model come close to leading US offerings at a fraction of the cost.
Leo Laporte [00:34:35]:
I use it, it's about a quarter of the cost. Yep.
Steve Gibson [00:34:39]:
US President Donald Trump's administration has also been deeply concerned about national security implications of AI, in particular particular the potential for American AI products to be misused by military intelligence in China, Russia and other countries of concern. In June, it ordered that foreign nationals not have access to Anthropic's most advanced Fable and Mythos models, which prompted the company to disable the models for all users globally as a nationality could not be verified in real time. Export controls for Fable, which is designed for the general public, have since been lifted after new safeguards were put in place. But Mythos, designed for cybersecurity professionals, is still only available to some trusted U.S. organizations. We'll be talking about that in a second. Some USAI experts have also said the US needs to regulate the use of Chinese AI models. Yeah, right.
Steve Gibson [00:35:37]:
We don't like DJI drones, so why are we going to trust some Chinese AI model? According to two of the sources, Chinese authorities are deeply worried about the potential for Mythos to exploit software vulnerabilities and that Washington might deploy the model against Chinese interests. That echoes concerns publicly voiced by state media and Zhu Hongi, founder of cybersecurity firm 360, a major vendor of government and enterprise clients, who has said China needs to develop its own mythos? Well, we know they are working on that. They have to be. This year, China has implemented numerous measures to protect homegrown AI. In April, the country's state planner ordered Meta to to unwind its 2 billion dollar acquisition of Chinese founded AI startup Manus. In early June, authorities issued sweeping new rules tightening control of overseas deals that involve Chinese investors, technology, data and national security. In other words, walls are being put up. China had also launched investigations this year into Manus and and other local AI startups that had moved abroad seeking to establish whether they've broken export control laws, according to two of the sources.
Steve Gibson [00:37:06]:
And a third person. Manus has not responded to requests for comment by Reuters. Reuters was not able to learn how any potential new restrictions on overseas access to Chinese AM models might work, but some hints might be gleaned from a May roundtable of Chinese legal experts on regulations governing open source AI. According to a summary of the discussions published in an official Supreme People's Court journal, participants proposed a tiered system, basic open source tools subject to a simple filing, more advanced technologies facing security reviews and the most sensitive frontier models barred from public release or restricted to domestic use. So none of that at this point should come as any surprise. Right? But I wanted to share this reporting from Reuters, following the news from Europe to highlight the fact that as I said at the top, every nation state is waking up to the fact that that what has been happening with AI is not hyped up marketing and overstatement. I've recently seen the impact of the emergence of AI being compared to the harnessing of electricity. They actually said the invention of electricity, but you know, it wasn't invented.
Steve Gibson [00:38:38]:
That doesn't feel like an exaggeration to me, Leo. I mean it is that big. It. This is. This is. I I don't have words to just explain how big this is going to be. Yeah, the entire world is being turned upside down by the emergence of this new AI technology. And again, I am utterly certain that we're still at the beginning of this.
Leo Laporte [00:39:04]:
This is unless governments and NIMBYs and others kill it. I mean that's the problem is, well,
Steve Gibson [00:39:13]:
they can, they can restrain it. I mean, so that if you were to compare this to the nuclear bomb, right? What the the benefit. There's a much Greater ability to control the making of a bomb because it requires such physical infrastructure in order to refine the raw materials that go into creating it. And then you've got a delivery, you know, system that is also very much in the real world. AI is way more difficult to control.
Leo Laporte [00:39:55]:
Yes and no. It's so capital intensive to make these models. That's part of the reason it's only these giant companies raising today. Today you think we'll be able to do, for instance, the estimate right now is that Fable, which is, I think the strongest model we have, is a 10 trillion parameter model. One you could not run obviously on anything besides a giant data center with almost infinite amount of GPUs and RAM. It's capital intensive in kind of in a similar way atomic energy is capital intensive. Right. Or fabs are capital intensive, you know.
Steve Gibson [00:40:35]:
Right.
Leo Laporte [00:40:35]:
You're not going to have garage microprocessor makers. And so that's kind of a gate. I maybe the what is interesting is there is development along the lines of how do we make. As you've pointed out, you love the idea of purpose built narrow capability AIs. And those don't have to be 10 trillion parameters.
Steve Gibson [00:40:57]:
No, you can ask Fable anything.
Leo Laporte [00:41:00]:
Right.
Steve Gibson [00:41:00]:
But if you're going to have a, if you're going to have an AI that is specializes in coding, right. It, it does not need to be able to talk about the fall of the Roman Empire. So that knowledge is in the model and it's taking up space and power and time and compute. And so I am, as you said, I am absolutely certain that we will. And the fact that we don't have it yet demonstrates just how, how early in we are. There will be application specific models.
Leo Laporte [00:41:37]:
Well, I'll give you a good example
Steve Gibson [00:41:39]:
that blow away a general model for way less compute.
Leo Laporte [00:41:44]:
And I could use Fable or some giant frontier model. I have all my cameras hooked up to my AI. I could use Fable to analyze the images. I don't need it. I can run a tiny, relatively tiny quen model. Is a Quen visual recognition model. I'm running it with other models. In my framework it's maybe 27 gigs.
Leo Laporte [00:42:07]:
I don't know. It's not very big and it's very good. It analyzes every picture that comes in. It gives me text messages. There's a person in a yellow shirt with a red hat and shorts carrying a brown package. I mean it's very, very good. And that's all it does. It's just vision recognition.
Leo Laporte [00:42:25]:
And we do that on our phones. Locally. So we know we can get small models to do that.
Steve Gibson [00:42:29]:
Yeah.
Leo Laporte [00:42:30]:
So you're right. If we are willing to slice it up like that, I think you will see garage models. Yeah.
Steve Gibson [00:42:36]:
A a and, and it'll be at a targeted market. A general fable public model needs to be able to, to, you know, talk about certificate on any topic.
Leo Laporte [00:42:50]:
Right. I asked it what a waste of CPUs. I asked it what the best spray starch would be for ironing my handkerchiefs and it came up with it. But probably not the best use of all of that horsepower anyway. I'm sorry to interrupt. Go ahead.
Steve Gibson [00:43:09]:
No, it's your turn to interrupt. You know what a good use of all this horsepower would be?
Leo Laporte [00:43:14]:
You know what they call this in the World cup in the soccer matches? This is your hydration break. Steve Gibson on We go with the show.
Steve Gibson [00:43:23]:
On with the show we go. Okay, so now we get to the UK. The NCSC is the UK's national cyber security center. Their blog posting last week was titled Cyber Shield the path to get this Leo An Agentic AI Future for Cyber Defense. Why? The UK is pioneering an initiative to develop a national scale sovereign defense capability. So again, this, the implications of AI are, I mean, I guess I think the mythos drama with the US served as a catalyst to, you know, at least make these initiatives public. The, you know, they were probably in the works for some time, but it's like, okay, now's the time to talk about this. The posting led by quoting the director of gchq, Ann Keast Butler, during her recent inaugural GCHQ annual lecture which is held at Bletchley Park.
Steve Gibson [00:44:45]:
This occurred on May 27th when Anne said, quote, we need to reimagine cyber security in the AI world. In the past few months, GCHQ has developed a blueprint for a new national cyber defense capability that will hardwire cutting edge agentic and you know, there's no way to read agentic other than autonomous. Right. Agentic AI in a machine speed cyber defense. Okay, so that was quoted at the top of this NCSC posting, which then followed that by writing the NCSC and, and the Department for Science, innovation and technology, that's the DSIT, are developing this blueprint which we're calling CyberShield. The objective of CyberShield is to build a national scale collaborative approach to agentic cyber defense using frontier AI to identify, reduce and resolve our national cyber risk. In this blog we set out why we need a new approach to cybersecurity and outline our aim and vision for cyber shield. As well as the challenges, we also invite debate and engagement from academia, critical national infrastructure organizations, Frontier Labs and cyber defense sector and others to help collectively solve the challenges and develop the blueprint.
Steve Gibson [00:46:19]:
Why the UK needs a step change in cyber defense the UK faces a cyber threat that's growing in scale, speed and sophistication. Attacks from hostile states, organized crime and others are increasingly disrupting services, harming businesses and exposing sensitive data. Frontier AI is accelerating this trend with the potential to shift the balance in favor of attackers. And with Siri. Well, yeah, if you're not defending yourself with the same AI or with, you know, strong AI and with serious implications for defenders. We need to keep our critical technology system secure against both existing and emergent cyber threats. This is just to me, this is amazing that the, that national appreciation of how much AI is going to change what they're doing. They said today's challenge is that there are many preventable weaknesses.
Steve Gibson [00:47:24]:
We know that a large proportion of critical systems do not fully meet the aims set out in the Cyber Assessment framework. Many attacks still succeed despite sorry succeed because of basic vulnerabilities, including outdated or unsupported systems, delays in applying security updates and weak controls over over access to systems and data. Right, so that's, you know, old school problems we've been talking about for 20 years, they write. These are well understood risks, but they remain widespread, leaving the UK exposed to attacks that are often avoidable. This makes getting cybersecurity fundamentals in place now more important than ever. At the same time, the emerging challenge is that AI is changing how attacks are carried out, increasing their speed and scale. AI is already helping attackers to conduct elements of offensive cyber activity, such as vulnerability, discovery and reconnaissance, at a much greater scale and faster pace. As a result, activities that once took weeks can now take minutes, reducing the time available for defenders to respond, detect and contain them.
Steve Gibson [00:48:37]:
This increases the likelihood of successful attacks. Organizations must take urgent tactical action to ensure critical systems are well defended. Act now to strengthen the fundamentals. Fundamental cybersecurity remains essential and organizations should prioritize rapid patching of vulnerabilities, reducing reliance on legacy systems and adopting secure by design technologies. Organizations should also start to use AI in cyber defense to stay ahead of the attacker. This means using agentic AI to identify exposed vulnerabilities autonomously. They call that the blue team capability. Using AI to detect and contain security incidents, and working to address the challenge of safely automating mitigation.
Steve Gibson [00:49:33]:
As well as getting their cyber fundamentals in place. Organizations must be prepared for the Future challenges the shift toward full life cycle automation of attacks While some stages of a cyber attack can already be automated, we've not yet seen fully autonomous attacks operating across the complete intrusion life cycle in in real world systems. In practice, the complexity of these environments still requires human judgment and oversight. However, frontier AI models are likely to become capable of operating across the full life cycle from initial access through actions to on objectives. This could allow attackers to move at machine speed and greater scale, reducing opportunities for detection and response. This has the potential to overwhelm traditional defenses and increase the risk of advantage shifting toward the attacker, they said. Developing viable solutions that scale and execute at the pace we need in the modern era is the remit of the Cyber Shield. The evolution of AI enabled cyber capabilities AI enabled offensive cyber capabilities are developing rapidly alongside a growing commercial market for such tools.
Steve Gibson [00:51:12]:
Together these, these trends are accelerating the pace and expanding the scale of cyber threats and enabling more actors to exploit such capabilities. Basically they're summarizing in their own national focus exactly the, the things that we've been talking about here for the last couple months, pulling that all together, they said. This evolution presents strategic challenges for the uk. Many advanced defensive capabilities are inherently dual use, meaning they could be repurposed for offensive or hostile activity. Organizations developing these capabilities must act responsibly. Identifying and fixing vulnerabilities is essential, but not sufficient on its own. Engaging with initiatives such as Cyber Shield will help ensure that these technologies deliver a net benefit to cybersecurity. CyberShield supports the ambitions of the UK government to build national scale AI powered defensive capabilities that can operate at speed and scale in the near future.
Steve Gibson [00:52:27]:
We envision a world where cyber defense is supported by red and blue agents which identify weaknesses in systems. That's the red. And defend against threats in real time. That's the blue. These AI systems would initially identify vulnerabilities and threats at machine speed before progressing toward automated remediation. Generate and share insight while detecting and containing breaches. Work under the control and authority of their owners across government and non government institutions, Collaborate seamlessly across organizational boundaries and contribute to improving the national security of the uk. One thought I have, I'll just pause here for a minute is that, you know, to me this feels like an effort that is too large for a bureaucracy.
Steve Gibson [00:53:33]:
This feels like something you purchase. I mean I get it that it's a, that it is a strategic desire of theirs to have this to and to have the sovereign capability. But, but the, you know, identifying vulnerabilities at machine speed and then automating remediation, you know, that's so that, that, that's such a big lift that it feels like the kind of things that, you know, sponsors of this podcast would be doing and offering and selling commercially. And so yeah, the UK can, will be able to purchase that. I question whether it's just the kind of thing you can, you know, create ad hoc. I'm skeptical of that. They, they said, you know, in, on, on a bespoke basis. They said these agents, theoretical at this point, are enabled by strong foundations of data identity, reliability, cyber security and regulatory compliance.
Steve Gibson [00:54:47]:
Yes, they're able to specify what they want. Getting it is another thing. They said our approach will be test iterate and scale. We will initially partner with network defenders across government and critical UK sectors to test and deploy newly researched capabilities. Okay, maybe they're commercial network defenders, in which case this makes sense. This will accelerate learning and improve resilience where it will have the greatest impact. Our aim is to transform. I'm sorry, our aim is to transition to commercially scalable solutions to deliver a level of national resilience which is ready for the future threat.
Steve Gibson [00:55:30]:
The UK will pioneer this approach and provide a case study to the world on how to successfully engineer and deliver the future of active cyber defense in the AI era in a safe and secure manner consistent with our values and policies. Well, you can wish, but I don't know where it's going to come from. They said we will need a number of functions to deliver a a national scale sovereign cyber shield capability in association or partnership with leading frontier AI capabilities. Cyber defense organizations and academia will all participate. We recognize that some of these areas present challenges, you think, which need significant progress in research to unlock. The functions include and they have two reliable and explainable AI for cybersecurity. This means our AI systems can be used confidently in production environments at scale authorized by system owners to make safe, reliable and significant real time changes in support of cyber defense in a predictable manner. In other words, the Forbin project, they're saying, you know, we need AI systems that are good enough that we know they won't make a mistake.
Steve Gibson [00:56:56]:
And of course we don't have that today. No one does. Second, federated agents. Agents will be federated with underpinning trust infrastructure. These agents will run national level operations on behalf of the country. As I said. Wow. Run under the control and authority of individual organizations and secure the means to identify, trust and communicate between themselves to allow cooperation.
Steve Gibson [00:57:34]:
So the GCHQ's NCSC is stating here that their goal is to have AI agents operating autonomously to run national level operations on behalf of the country with a secure means to identify, trust and communicate between themselves for cooperation. So I just want to make certain that everyone understands what a massive leap forward this would represent. You know, while we've been Futzing around with AI for coding, the UK's intelligence and cyber security people have been at least making plans, although no way to execute that. I can see to put autonomous AI agents in charge of their nation's cyber security. Even though it's both the correct way of thinking and you know, it's already inevitable. Right? I mean it's going to happen, it has to happen because it is the right thing to do. We don't know how to do that today. It's bracing to imagine that I would imagine in a few years, you know, while this podcast is probably still underway, we will be reporting on the events surrounding autonomous AI agents protecting the borders and the networks of those nations that had the foresight to get those efforts underway early.
Steve Gibson [00:59:07]:
I think it will be a commercial offering, maybe a partnership with a commercial company. I mean it is a, it is a big job and you know, it's difficult to see how that could happen at the, at the. With you know, the government bureaucracy standing in the way essentially. They've got some more points. They raise number three. Vulnerability discovery and mitigation. Harnessing cutting edge UK research into agentic Red Blue team functions. The aim is to develop and demonstrate automated discovery of network vulnerabilities and develop fully automated vulnerability mitigation workflows.
Steve Gibson [00:59:51]:
You know, nice wish list. This will allow cyber defenders to operate and at beyond human scale, helping them keep pace with attacker capability. These functions will be focused on critical networks but able to operate at national scale. Fourth, coordinate detection and response. Building on the red blue team functions, the aim is to provide a means for real time sharing of insights across organizations boundaries and get agents to leverage these insights to detect and contain adversary behavior. Five, national level scanning. This means automated scanning of critical UK IP ranges for exposed vulnerabilities and analysis of aggregated data to understand national level exposure. And finally, national level mitigation.
Steve Gibson [01:00:47]:
This means automation of workflows to allow rapid national scale mitigation such as automated blocking of known malicious domains and networks. And they finish working in partnership is vital. Yeah, because you can't, if you can do it at all, you can't do it by yourself. The cyber shield vision is ambitious and wide reaching and faces significant delivery challenges. Okay, well everybody gets that at least. It's, it cannot be developed and operated by the NCSC or government alone. Good. In addition, there's a clear potential benefit to UK economic growth from nurturing innovation in this domain.
Steve Gibson [01:01:30]:
Admittedly, we need to work in partnership across government and with industry and academia to develop innovative approaches and evidenced solutions from national to enterprise scale and within organizational and sector based network defenders to deploy and integrate agentic capabilities under their control, hopefully and authority into their activities. To this end, the NCSC and DSIT are working together to establish effective pathways for partners to come together and contribute. Get involved. We invite all organizations who are interested in partnering to develop the Cyber Shield to contact the ncsc@cybershield csc.gov UK so yikes. Obviously what's completely missing from this is any sort of timeline, but of course that would be premature at this juncture. It's still somewhat surprising that they're even talking with such ambition, though. As I said, I'm certain they're not wrong. You know, this is where the world's major nations must now head.
Steve Gibson [01:02:53]:
And probably given the rate at which all of this is accelerating, the amount of attention that the AI threat to cybersecurity truly does pose and and all the press that has been generated thanks to Mythos and I'm sure soon others, this has to happen probably during as I said, while the podcast is still happening, Leo, you and I will be talking about, you know, autonomous AI protecting the borders of nations. It's. Yeah, it seems clear that it will happen and then it will scale up to become increasingly powerful. We are, we're witnessing the rapid emergence of the realization that AI is as much a national strategic infrastructure asset, as I said before, as a nation's power grid. But the shape this will take is entirely unknown. For example, where will the AI itself reside? It seems clear that no nation would be willing to outsource its AI, its strategic national critical structure AI to another nation. So it will need to be housed inside its own nation's borders and physically protected. You don't want a bomb to be able to take out the AI that you now depend upon as a nation, as a strategic asset.
Steve Gibson [01:04:27]:
It will also require physical security and redundancy, right? Because again, of its strategic national importance. So when I stop to imagine this, it really is science fiction, you know, and it how could we not think of Colossus, the Forbin project, which was all about turning over, even though that thing that the movie was, what, back in the 60s or 70s? It's about turning over all of the control of a nation's security to something that is autonomous. That is able to do a much better job than humans could do in its place. Wow. And it seems unlikely that it is far off.
Leo Laporte [01:05:13]:
Speaking of AI, as the show began, you said, I would love to have that colorful life thing that Andy Inako showed, which is a website, as an app. And of course, because I care about you, Steve, I had my AI create a desktop app.
Steve Gibson [01:05:35]:
Oh, my Lord.
Leo Laporte [01:05:37]:
And it is. Well, I mean, I'm going to be fair with you. It's just a electron wrapper around it because it was all JavaScript CSS. I didn't realize it when I looked at the game. It was written 12 years ago. It's a very old game, but it has all the same functionality. Yeah. So you can zoom in on it and do all the same things.
Leo Laporte [01:05:56]:
And there you see the Conway Game of Life. Yeah. So this one's on a Mac, but it'll also run on Linux. And I can make a Windows for you version if you want. I also said, can I make a screensaver? It said, yeah, we can do that. Sure, whatever you want.
Steve Gibson [01:06:11]:
It can't run much faster, too.
Leo Laporte [01:06:13]:
Oh, it's 60 frames a second. It's. It's full, full Speed because it's WebGL, so it's pretty fast. Yeah, right? Yeah, it's pretty amazing.
Steve Gibson [01:06:22]:
Very cool.
Leo Laporte [01:06:24]:
Yeah. See, there's the little. You recognize the little Game of Life, tractors and things. Yeah. Oh, yeah.
Steve Gibson [01:06:30]:
How fun.
Leo Laporte [01:06:32]:
So, yeah, it's pretty amazing what AI can do. This is the problem with the whole thing. It's spur of the moment. Yeah. Yeah. Let's see. Let's do that.
Steve Gibson [01:06:42]:
Well, as I think we were saying before we began recording that, I was mentioning that I've got a friend who just is so entertains. Endlessly entertained by animated GIFs that he didn't create. He just like, he sends them to me and it's like, okay, okay, okay. We're entering a time where people will be creating apps with the same ease and speed, you know, dictating it into the, the, the microphone. And it's like, okay, here's an app.
Leo Laporte [01:07:12]:
Yeah. Apple is now released with iOS27's public beta. The ability to talk. Apple shortcuts. Do vibe code. Apple shortcuts, which I think is going to really open up capabilities for a lot of people who probably would never write a shortcut. I don't even want to write shortcuts. The language is so tortured.
Leo Laporte [01:07:29]:
But now you just vibe coded. I don't know how good it is. I haven't played with it. We live in Interesting times, Steve.
Steve Gibson [01:07:38]:
Yes. Oh, Leo, I like I, I've said it every week. I, I, I'm so glad that we're alive for this. This is, and it's so not boring. I mean, it's happening so fast.
Leo Laporte [01:07:49]:
I will confess, it makes it hard for me to sleep. This morning I woke up at about five ideas saying I got it. And I jump out of bed because I can't wait to, to do stuff. It's, it's very exciting.
Steve Gibson [01:08:01]:
It's gonna transform the world.
Leo Laporte [01:08:03]:
Yeah. Yeah. Okay, sir. Meanwhile, Meanwhile, back at the ranch.
Steve Gibson [01:08:10]:
Back at the ranch, our own SISSA has been quietly using mythos to audit the U. S. Government's code, which I think is a good idea. Reuters also reports three people familiar with the matter said on Monday, that's Monday before last eight days ago, that the U. S. Cyber defense agency CISA is using anthropics AI model mythos to audit government software. In another sign of government enthusiasm for adopting the AI startups tools meaning anthropics. Although enthusiasm I'm not sure, but okay.
Steve Gibson [01:08:51]:
Even as the company navigates an ongoing standoff with the White House, Reuters said the cyber security and infrastructure security agency is using mythos to scan government code repositories for bugs that could leave the door open for foreign spies and cybercriminals. Anthropic did not respond to questions. I bet they didn't. About the initiative. A SIS of representative said last month that he would check to see if there was anything to share.
Leo Laporte [01:09:19]:
I'll just check.
Steve Gibson [01:09:21]:
We'll, we'll get back to you.
Leo Laporte [01:09:22]:
Yeah, right.
Steve Gibson [01:09:23]:
We'll, we'll check on that.
Leo Laporte [01:09:24]:
That, you know, if they're not, they're, they're terrible. They're, why wouldn't they be?
Steve Gibson [01:09:30]:
Exactly. And I, and I love this. They, they, they wrote. Assistive representative said last month that he would check to see if there was anything to share about the matter, but did not respond to further emails.
Leo Laporte [01:09:43]:
What a surprise.
Steve Gibson [01:09:44]:
Yeah. His boss said, you just don't, don't answer those people. The scanning is being done by SIS's. Get this. They have the attack surface evaluation. Attack surface evaluation team. According to one of the sources, the team is a group within CISA that conducts digital security assessments and hacking exercises across the government. Two of the sources said the audits had already uncovered, no surprise, a large number of vulnerabilities, but did not elaborate.
Steve Gibson [01:10:17]:
Reuters could not establish exactly how much government code the team had gone through or the nature or severity of the bugs it discovered. So anyway, they go on. They they recap the recent rocky road that Anthropic has had with the government, you know, which as we know, was initially triggered by Anthropic's flat out refusal in February to remove the safeguards from their models, which were preventing the model from being used for guiding autonomous weapons or facilitating domestic surveillance, which the US Government wanted them to do. Anthropic said no. So then that was the beginning of the. The all the brouhaha. So anyway, it's great. It's hardly surprising that CISA is deploying Mythos to help shore up the US Government existing code base.
Steve Gibson [01:11:10]:
I'm sure it needs a lot of shoring up, so. Yay. A number of security outlets picked up on a Microsoft blog posting last Thursday which was titled Evolving Windows Vulnerability Management to meet the Speed of AI Powered Discovery.
Leo Laporte [01:11:32]:
And before you get into this, let me just show you. Oh, you were wondering about Patch Tuesday, which is today. Get ready. This is easily a record number of
Steve Gibson [01:11:43]:
patches that they broke last month's record,
Leo Laporte [01:11:46]:
570 flaws, three of them, zero days. Wow. Wow. And you better believe they're using AI to.
Steve Gibson [01:11:58]:
Oh goodness. Well, I. Based on the analysis of M Dash, which. And apparently we're able now to drop the use of the word codename because as we'll see in this article, Microsoft is no longer using the prefix code name that just referred to it as M dash. Given what we heard. I don't know anything about the way Mythos is structured because Anthropic has not told anybody. As far as I know, Microsoft told us all about M Dash and. And it is very impressive.
Leo Laporte [01:12:30]:
I think though that I was it.
Steve Gibson [01:12:33]:
Lou.
Leo Laporte [01:12:33]:
Mm. Somebody told us that it's a wrapper around. Well, other models.
Steve Gibson [01:12:38]:
It is model agnostic. So you. So you are able to.
Leo Laporte [01:12:43]:
Fabled or Mythos doing this work?
Steve Gibson [01:12:46]:
Could. Exactly. It well, could be.
Leo Laporte [01:12:48]:
Look at that. I'm just. Okay. One.
Steve Gibson [01:12:51]:
Yeah. Yeah.
Leo Laporte [01:12:51]:
I just want to show you the numbers. 254 have escalation of privilege vulnerabilities, 17 security feature bypass 145 remote code execution 102 information disclosure, 35 denial of service and 16 spoofing. 59 of these vulnerabilities were critical, 48 of which are remote code execution, 9 elevation of privilege, 1 security bypass, 1 spoofing. So this is.
Steve Gibson [01:13:22]:
If you scroll down a little bit, there were also a massive 468 Microsoft Edge chromium flaws.
Leo Laporte [01:13:31]:
Those were fixed by Google earlier. This number does not include those.
Steve Gibson [01:13:36]:
Right.
Leo Laporte [01:13:37]:
So 4 to 68 plus 570. It's over a thousand. It's over a thousand. Unbelievable.
Steve Gibson [01:13:48]:
In one month.
Leo Laporte [01:13:49]:
In one month. And that's gotta be AI. We've never seen anything like this.
Steve Gibson [01:13:53]:
Of course, of course, of course. Yeah, of course.
Leo Laporte [01:13:56]:
Holy moly.
Steve Gibson [01:14:00]:
Nice. So no, no, I'm glad, I'm glad for that. I add a bit of color. So obviously last month's all time record breaking patch Tuesday was just the tip of the iceberg, which is what we've expected. I expect this will go four to five months probably at around this rate. We're going to be killing these things off. And what will be really cool is when we start seeing a sharp decline in the number of vulnerabilities found. Not for lack of looking.
Steve Gibson [01:14:33]:
I'm sure it will be finally for a lack of actual vulnerabilities. And maybe a next generation model will find some that were missed by this generation. But at some point we will get AI that is able to find all that are practically findable and that will put us in an entirely different world. We are heading into as, as I've said, a whole different land. Everything that we've known and we've watched build up over time pwn To Own and Hacker1 and and Capture the flag contests, Zodium purchasing and reselling 0 days All all of that industry was supported on the fact that we had not yet figured out how to make bug free software. Our own software was too complex for us. It is not too complex for the AI that we're able to create to fix it for us. And this is going to change everything.
Leo Laporte [01:15:36]:
Amazing.
Steve Gibson [01:15:37]:
So the good news is Microsoft knows all of this and is acknowledging it. So here's what they shared with the world. Last Thursday they said Windows has adapted to emerging threats for decades. It's about to make a big adaptation, all while operating at unparalleled scale. It's our responsibility. This is remember Microsoft's voice to bring clarity, transparency and sustained investment so customers understand what's happening, what Microsoft is doing and how they can reduce their exposure. The pace of vulnerability discovery is changing with advances in AI making it possible to find more issues faster across more code with new mechanisms that can accelerate both discovery and analysis. The fastest way to reduce customer exposure.
Steve Gibson [01:16:32]:
I love this. The fastest way to reduce customer exposure is to find issues with before attackers can use them. No, the fastest way to reduce customer exposure Microsoft right down to zero is not to beat the hackers to them but rather not to ship buggy issue laden software products in the first place. Now I acknowledge that there's a huge amount of fixing to do first. That's where we are today. That's what Leo, you just showed us with today's patch Tuesday on top of last month's patch Tuesday. That broke a record and this broke that record. That work will eliminate the thousands of bugs in the software that's already been shipped.
Steve Gibson [01:17:21]:
But I am looking forward to the day when not only all existing bugs have been eliminated but new code comes pre sanitized before it ships. We cannot create bug free code that's been well proven. AI can can find those bugs before they get loose and and I'm sure that's the target that I am hoping Microsoft has in mind. Anyway, they continue writing Windows is expanding its ability across the platform to find issues earlier, accelerate the engineering work to fix them, strengthen validation and deliver timely high quality updates that keep customers by applying AI across security analysis, we can identify patterns faster, prioritize risk and scale vulnerability discovery across the Windows code base. This helps reduce the time between discovery and customer protection. It includes Microsoft's security multimodal Agentic Scanning harness which utilizes multiple models including leading third party AI vulnerability discovery models to run EM Dash at Windows scale. Windows set up dedicated cloud infrastructure for scanning and proving. A scanner pipeline scans critical binaries and vulnerability and validates candidates using multimodal debate across multiple model families.
Steve Gibson [01:19:00]:
Confirmed candidates then flow into a separate Windows specific prove pipeline that helps eliminate remaining false positives so only the highest confidence findings reach the engineering team. This automation helps handle a larger volume of potential vulnerabilities and shortening the review window for new ones, shrinking the attack window for zero day exploits. And again that's great but let's really focus upon eliminating zero day exploits as a side effect of simply eliminating all exploits. How about that? They said. This effort extends beyond Windows as we work across Microsoft to deliver broader adoption of these tools and practices throughout both the company and the WYKER and the wider ecosystem. Yay team, they said. We partner closely with AI powered scanning teams across Microsoft's product divisions, sharing insights, comparing best practices and aligning on key findings. In parallel, we collaborate with the Microsoft Security Response center, you know, our well known MSRC to continuously refine end to end process from vulnerability discovery and issue finding to remediation and validation.
Steve Gibson [01:20:25]:
In other words, the EM Dash harness is also, you know, feedback from its use is going back to the guys who are in charge of that. So it's also getting better, they said. We also regularly reassess our prioritization and rollout strategy based on lessons learned and feedback gathered through Our chief Information security officers, the CISO's engagements with customers. We continue to evolve our internal systems and practices so that vulnerability discovery is not treated as a separate activity, thank God, but as part of how we build, review and improve Windows before new features or updates are released. Now we're talking. That's what we want. As part of this, we are updating our secure development life cycle. The SDL best practices to ensure our secure by design approach explicitly accounts for potential AI enabled attack techniques and exploit paths.
Steve Gibson [01:21:33]:
That means using AI to help identify potential issues earlier in the development process. Yay. While relying on human expertise to evaluate findings, making risk based decisions and ensure fixes meet the quality bar customers expect. Which to me all sounds exactly right. We want AI to be looking over the shoulders of their coders working to spot their mistakes immediately saying, you realize that this variable can go out of bounds, right? The you, you, you know, you declared it to be a long, but it needs to be like twice that long. So or oops, you're going to have a little problem when it overflows, it's going to go negative. So that would be good. Easy to miss that when you're in the thrall of writing, writing code.
Steve Gibson [01:22:27]:
They said as AI helps defenders discover more issues, customers will see a higher volume Customers will see a higher volume of security updates included in each security release. And that one sentence basically is it was the headline in all of the other coverage of this blog posting was that Microsoft foresees many more, you know, much higher volume of security updates in the future. You betcha. And that's what we want. You know, let's fix the past and break the cycle of adding new problems that need to be fixed later. AI finally offers us that hope. And finally they said a higher volume of security updates is evidence that defenders are getting better at identifying and addressing issues. Right? Of course, the bugs that were shipped.
Steve Gibson [01:23:25]:
Our focus is to effectively utilize these AI tools to support faster protection, stronger engineering systems and more actionable guidance for customers. In other words, we're going to, we're going to protect you more quickly and we're going to feed this experience back to make our systems this M Dash harness better. They said Windows is evolving our engineering and validation systems to reduce the time from discovery to production protection with areas where customer risk is greatest. As we build our end to end system from discovery to remediation of vulnerabilities on Windows, we're making the following investments to help ensure we are not compromising update quality as we gain speed. They have three we're integrating AI into our process to compress the path from discovery to a validated fix, helping engineers understand failures faster, propose candidate fixes consistent with the surrounding code, surface related issues elsewhere in the code base, and select the regression tests most likely to be affected by a change 2 windows undergoes windows Updates undergo validation across a range of testing environments, including the Security update, validation Program program and internal validation designed to help evaluate compatibility, reliability and real world usage scenarios. This broad validation helps identify functional application compatibility and quality issues before updates are broadly released. And finally, we're also investing in new technology including Windows specific tools and and agentic harnesses to help end to end generation and validation of fixes Fixes using AI Keeping humans in the loop when it comes to code review. In other words, Microsoft's got the religion.
Steve Gibson [01:25:30]:
They've seen the light and AI is going to take over that place and it can't happen soon enough. I think it sounds wonderful. And that, believe it or not, was just the first quarter of the blog post. The balance of that posting was a rehash of the various features and benefits of the Microsoft's update offerings for individuals and enterprises. But our takeaway here is that Microsoft, like everyone else on the planet, from small software publishers to now to major nation states, is taking the changes that AI is bringing to the world as seriously as anyone could hope they would. In the specific case of Microsoft, this means dealing with their extensive legacy of existing software. And we just saw another example with today's patch Tuesday while also working to prevent turning new bugs loose. So let's all wish them well.
Steve Gibson [01:26:30]:
I certainly do.
Leo Laporte [01:26:32]:
I love your notion that at some point the number going to go up, up, up and then it'll start going down, down, down and eventually down to close to zero.
Steve Gibson [01:26:41]:
Yep.
Leo Laporte [01:26:42]:
Floss.
Steve Gibson [01:26:42]:
It's going to happen.
Leo Laporte [01:26:44]:
Yeah. And it might not be that long even if you keep doing a thousand floss a month.
Steve Gibson [01:26:48]:
Yeah, I'm thinking five or I'm, you know, four, five, six months.
Leo Laporte [01:26:51]:
A year from now. We'll be looking at nothing.
Steve Gibson [01:26:54]:
Easily. Easily. Yes. New code will will get sanitized for bugs. Coders are going to be learning because basically they'll have an AI tutor that says, you know Henry, you just keep making the same mistake. Why, you know, why do you keep
Leo Laporte [01:27:13]:
pointing to ring zero? Dude, you got to stop using those pointers.
Steve Gibson [01:27:18]:
I know it's easier, but come on, we're going to have to. We can't do this anymore.
Leo Laporte [01:27:22]:
I'm thinking back when I when I first my first computer. You did a lot of peeking and poking you actually this is true. The Apple, but also the Atari. You would, you would poke a value into memory. Yeah, that's not a good idea. And so this is, you know, we, we evolve, we get better, we improve. That's the point.
Steve Gibson [01:27:45]:
One more and then we're gonna do a little bit of miscellaney. After another break, I wanted to let everyone know that Nightmare Eclipses latest Perry to annoy Microsoft in the form of the disclosure of a Windows Defender based elevation of privilege which this attacker dubbed Rogue Planet was patched last Wednesday. Since the trouble lay in Defender, which Microsoft is by design able to patch anytime they wish on the fly, there's, you know, there's no wait until the second Tuesday of the month for Defender. Defender is your frontline real time defense. Microsoft, you know, will change, will update it anytime they want. So they did it last Wednesday. So at this moment the rogue hacker has discovered and released a series of eight zero day exploits along with their working proofs of concepts, each timed to arrive just as Microsoft has started pushing fixes during patch Tuesday, which as I noted is today. Now also recall that several months ago this hacker claimed that he or she would be dropping what they described as a bone shattering.
Steve Gibson [01:29:10]:
That's a, that's their quote, a bone shattering windows exploit today July 14th. However, that early months old boast has been. It's been noted in the, in the industry that has been partially walked back since the hacker has said that the, the development of the Rogue Planet last month's surprise zero day consumed much more time than they had allocated for. So we may be getting nothing or we may be getting something that was less than promisedly, you know, less than bone shattering, maybe just splintering. Anyway, the, the Windows apocalypse day as was promised may be delayed, maybe less apocalyptic than we expected. And also remember that we have previously seen some of Nightmare Eclipse's statements later proven to be a bit self aggrandizing. He or she claimed that the earlier bitlocker bypass could still function in the presence of an authenticating pin. That was worrisome back when they said it because we didn't know what the vulnerabilities mechanism was.
Steve Gibson [01:30:32]:
Now we do, so we know that a pin bypass could never have been possible. And Nightmare Eclipse also had to know that. So that's not an allowable mistake, right? It could only have been a deliberate falsehood on that person's part. So have we seen the last of Nightmare Eclipse? Only time will tell and we may know very soon. We may know later today if there Is something bone shattering.
Leo Laporte [01:31:03]:
Do you think she's using AI or she's doing it by hand?
Steve Gibson [01:31:08]:
It's a really good question. If it's who we think it is. She is ex Microsoft.
Leo Laporte [01:31:15]:
Right.
Steve Gibson [01:31:16]:
And may have taken some goodies with her. She already knew that, you know, makes this a lot easier, if nothing else.
Leo Laporte [01:31:26]:
Yeah.
Steve Gibson [01:31:27]:
So after our next break, Leo, I'm going to share this. This brilliant discovery by Jeremy White, who wrote for Wired about a very cool way of turning your iPhone into a kid's phone.
Leo Laporte [01:31:45]:
Oh yeah, I saw that. Oh, good.
Steve Gibson [01:31:48]:
So you may want to show this on the a picture in the show notes. I've got it in at the top of page 13. Saturday before last, on the 4th of July, I stumbled upon something so cool for our listeners who have young kids that I needed to share with everyone. I know that we have many such listeners, as I said at the top of the show, because many have written to me about Internet filtering options for their homes, you know, wi fi and connectivity. And even listeners whose kids have grown may have grandkids or certainly know of others who care about the welfare of youngsters.
Leo Laporte [01:32:29]:
Well, and not just kids, by the way. This is. I could have used this for my mom with Alzheimer's.
Steve Gibson [01:32:33]:
Yes, this is.
Leo Laporte [01:32:35]:
Makes it easier for them to use the phone in general.
Steve Gibson [01:32:37]:
It just looks so friendly. I mean, it just looks cute. Yeah. So Jeremy White wrote a piece in Wired titled this buried Apple feature turns an iPhone into the perfect kids dumb phone. Jeremy's tag. The. The tagline for the article was apple built a tool for people with cognitive disabilities. But I accidentally discovered it's also the best kids phone setup no one's talking about, not even Apple.
Steve Gibson [01:33:08]:
So I've got a link to the article in Wired in the show notes, but I also created a shortcut GRC SCDOM D U M B because it it. I'll explain why I chose that when I share what Jeremy wrote, but that'll that will allow you to find it or you to pass the link and the and the article on to anybody. GRC SC you know, for shortcut GRC SC D u M B so Jeremy said, I've been looking at classic dumb phones for months. Not out of nostalgia, though. The first phone I bought with my own money was the Nokia 8210. And I still think about it, he said. Launched in October 99 at Paris Fashion Week, it was then the world's smallest and lightest mobile. But the day I've been dreading has come.
Steve Gibson [01:34:05]:
It's finally time for My son to get his first phone. Come September, he will have to walk across town to school on his own. But if he's going to be walking around out in the world without me, then a tracking tag won't cut it. He's far too young to have unfettered access to the Internet and social media platforms. But what if he gets lost? A classic Nokia supplying just texts and calls won't come to his aid. Maps and sat navigation require a web connection. In short, he needs a smartphone that's not a smartphone. As a family deeply embedded in the Apple ecosystem, we first looked to set draconian restrictions on my child's Apple account.
Steve Gibson [01:34:53]:
But amazingly it immediately became obvious that it is impossible to block the use of Safari on iOS. Yes, you can restrict access to the app, but children have quickly found workarounds for such measures, such as asking friends to message them links, which can bypass restrictions when opened. There are third party apps such as Dumb Phone for iPhones and the Minimalist Phone app for Android users. But what irks me about these is is that they charge you for the privilege of removing access to applications from your phone, not adding removing. My head can't fathom the logic of paying for things to be taken away from a phone. Surely there must be a way to set up an iPhone as the perfect dumb phone for children. One with access to only the apps you deem appropriate, no Internet browser, but with all important tracking and navigation abilities without having to pay another company to make it work. Well, there is.
Steve Gibson [01:36:06]:
It's been hiding in the iOS Accessibility menu the whole time, and inexplicably, it's a feature Apple barely talks about. It's called Assistive Access, introduced with iOS 17, and that was in 2023. So three years ago Apple designed it for those with cognitive disabilities. If you've never encountered or stumbled across it, It's a distinctive iOS experience. Fewer options, more focused features, easier to navigate. The aesthetic is ideal for kids. Large, friendly tiles for the apps replace the smaller icons of the normal Apple interface. That's why I wanted people to see the picture on like imagine the phone that just has six a grid of 2x3 big kind of fun looking, beautiful tiles.
Steve Gibson [01:37:04]:
That's all that's on the screen. Just making it really easy to use. So he says, here's how you set it up. Head into settings, tap Accessibility, scroll down to the general section at the very bottom and tap Assistive Access. Now tap Set up Assistive Access, then continue. It will then ask you to select your preferred appearance rows or a grid says I suggest choosing a grid. This is how you get those super large tiles. Now the OS will ask you to select Allowed apps.
Steve Gibson [01:37:40]:
Tap the Green plus icon next to the apps you want to allow. Crucially, this is where unlike with Apple's standard child screen time restrictions, you can choose to completely block Internet browsing by simply not allowing Safari, Chrome or any other similar app. And unlike with those screen time restrictions, if someone texts your child a link, it won't work. Why? Assistive Access is designed to prevent accidental navigation, so the system restricts unexpected web browsing. Even though Assistive Access on Apple devices allows Internet access, it's heavily restricted by design and it's turned off by default. In this mode, the phone treats any link in a message as plain text, preventing the user from accidentally leaving the simplified interface made for caregivers or trusted supporters. The user must specifically add Internet enabled apps like Messages, Safari or third party web apps to the Assistive Access interface. And once you add say messages or calls, you then choose whether your child can contact or be contacted by everyone their contacts only or or just selected favorites.
Steve Gibson [01:39:06]:
You can even choose to have the keypad or speaker be available in calls. Want the time displayed on the lock screen? Check that box, make the mute switch inoperable. Tick decide how notifications appear. That too. The music app only accesses playlists you pre approve. It's all well child's play to put together. Once you're happy with your kids appropriate apps, you set a unique four digit Assistive access passcode. This lets you turn the simplified OS on or off.
Steve Gibson [01:39:40]:
To leave Assistive access, triple click the side button on Face ID devices or the Home button on iPhones with Touch ID and it'll bring up the passcode prompt that lets the device switch back to normal iPhone interface. And he finishes When I first set the phone up, I was worried I was missing something that this solution could could could it be as good as it appeared? So I took the phone to an Apple store and showed it to a support staffer. What have you done? He said, looking incredulously at my son's iPhone with its six dumb tiles. This is much better solution than screen time. I'm going to have to tell my colleagues about this. I told him it was assistive access. He said we don't get trained on that, but this is great. So anyway, Jeremy's article goes into further detail, but everyone has the idea.
Steve Gibson [01:40:39]:
It's worth looking I think at the show notes as I said, top of page 13 or just following the GRC SC Dumb D shortcut to the article to see the picture of the phone that that he shows. That's where I grabbed it. It looks so cool. With the iPhone screen occupied by a 2x3 grid of six big friendly application tiles for anyone who may have an older iPhone available or who may be unhappy with the iPhone OP options that their children are currently using, you can explore this trick to see whether you'll be as happy with it as Jeremy's family clearly is. Okay, listener Feedback I need to backpedal on denying browser content pasting from the Clipboard. Many of our listeners wrote to politely say the equivalent of Gibson, what are you smoking? That could possibly allow you to imagine for a moment that denying the pasting of browser copied clipboard data could ever be feasible. And every one of those who wrote is obviously correct. I myself am constantly marking and copying blobs of text from a web browser page and then transferring it to somewhere more permanent on my PC.
Steve Gibson [01:42:12]:
I couldn't produce this podcast without that capability. So indeed, duh. Flatly blocking any transport from the browser out of the browser would never fly, and even putting up a warning each time would become so annoying that it would soon be disabled. And if Windows were to try to determine whether the pasting action, that is the act of putting something on the clipboard was user driven versus script driven as it currently is, well, the bad guys would simply change their tactics to have the user first participate in the copying of the command that they don't understand and pasting it into their own browser, just like we do when we're doing something else. So I apologize to Microsoft for ranting about they're not fixing this, and I acknowledge that it is simply not fixable, which is probably the conclusion they reached long ago. So my bad. The true source of the problem is that Windows will obey powerful commands issued by its users through its user interface, even when those users will who do not fully understand how Windows works are just following, you know, some other entity's instructions. The Internet and the web browser is just one of many possible conduits for such malicious instructions.
Steve Gibson [01:43:46]:
Email could do the same thing just as well. I still predict that our PCs are going to eventually evolve to sport their own local AI agent. It's going to be a little angel on our shoulder which will be watching over the user's shoulder to enforce the user's security. And, you know, that'll just be one of such an agent's responsibilities. You know, several of our listeners suggested that heuristic judgment about clipboard contents such as the Brave Browser is apparently now employing, as I mentioned that that that triggered this feedback which was completely correct on our listeners part is likely the only workable solution. You know, have the browser or Windows have somebody look at what the clipboard is and make sure it's something that you want to paste into your clipboard. So having an AI, our own local AI agency watching over our activities, examining anything we copy to the system's clipboard, that would be the equivalent of a super heuristic and I think it makes a lot of sense. Listener Bob Suttoth wrote, I've enjoyed listening to your discussions with Leo about AI.
Steve Gibson [01:45:10]:
I recently started using Claude to help me pull old files off my church's website. One of the issues I ran into was that all of the pictures had names like. And he then posted a. What we all know of is a Guid, you know, a globally unique ID Guid which is 8 hex characters, hyphen 4 hex characters, hyphen 4 hex Characters, hyphen 4 hex characters and then hyphen 123457 like, like what? 12 hex characters I think.jpg so he said so, you know, just gibberish for file names, but definitely unique. He said there were several hundred of them and I dreaded looking at each one and renaming them. So I asked Claude if it could look at the picture and based on the contents, rename the file Smart. Yep, he said. It built a Python program and for 0.3 cents per picture, Claude perfectly renamed all the files with no prompting from me.
Steve Gibson [01:46:28]:
It was awesome. Now I'm debating doing the same with the thousands of family photos which have date, slash time or sequential numbers for their titles. And I would say it's not a stretch to imagine that at some point Leo, you know, perhaps with Apple's much anticipated AI update this September, such photos will be automatically named on the fly by a resident image recognizing AI.
Leo Laporte [01:46:59]:
Actually they turned on a new feature with this latest public beta where you can. Oh, I don't know why I'm showing that you can. It will suggest file names based on the contents of the file.
Steve Gibson [01:47:15]:
Oh, nice.
Leo Laporte [01:47:16]:
Brilliant, right? If you can read the file now, I think it's just a short step from that to pictures. So.
Steve Gibson [01:47:22]:
Yep, yeah, yep, very cool. Anyway, thank you Bob for sharing. What is a great tip trick?
Leo Laporte [01:47:29]:
I might try that. Yeah.
Steve Gibson [01:47:31]:
Yeah. Eric Goodwater said, hi Steve, with AI helping companies patch old zero day vulnerabilities. How do you think this is affecting spyware vendors like the NSO group that depend on zero days to operate. So as I mentioned previously, I think it's clear that over time and perhaps not much time, the entire ecosystem surrounding flawed software in every aspect of flawed software is destined to change. I believe there is a very good chance that once AI reaches its full maturity potential and integration into software creation, defective software as we've known it will become a thing of the past. Insecure system design could still occur, right? But AI may also be able to spot mistakes there too, like that recent BitLocker bypass, you know that the nightmare Eclipse found that was really more the result of poor design than a bug. All the things that we've come to know such as PWN to own competitions, HackerOne and other bug bounties, Zerodium buying zero days and reselling them on the, you know, to to those who can abuse them, the NSO group which Eric mentioned and other resellers of vulnerability exploits and even the necessity Leo of having monthly patch cycles. If there's nothing to patch, why cycle? I think all are very likely to be impacted and eliminated.
Steve Gibson [01:49:17]:
Anything that depended upon software being imperfect will eventually wither away. I I think that's where we're headed. And finally Ramiro Rella gave A URL is aiprofitable.com which is a lovely page in fact he said lovely page didn't check the source of the data listener for some years and listened to listening to the archive from episode one when I get withdrawal syndrome from the current ones So I I commend everyone take a look at it is aiprofitable.com you
Leo Laporte [01:49:56]:
pretty much know what the answer is.
Steve Gibson [01:49:58]:
You do know what the answer is. What's fun is to scroll down and look where it is and for whom it is profitable.
Leo Laporte [01:50:06]:
There's one company at the very bottom that's making a lot of money.
Steve Gibson [01:50:11]:
Yep, there there is Nvidia way out ahead. But even AMD and Micron, the hardware companies make money.
Leo Laporte [01:50:20]:
Yes.
Steve Gibson [01:50:21]:
In other words, it's the suppliers of the infrastructure, not the user, you know, not the vendors of the AI that are currently profitable.
Leo Laporte [01:50:30]:
This is by the way a complete guess. And in fact we were talking about this on Twitter and some people said oh no, I pretty much guarantee that OpenAI Anthropic are making money. So it's just very hard to know
Steve Gibson [01:50:42]:
they've burned so much money, Leo.
Leo Laporte [01:50:46]:
They do, but they also enterprise gives them a lot of money to use these tools. So it's just, it's unknown and that's the problem. And there are people like Ed Zittran and others who kind of make their living on the idea that these companies are losing massive amounts of money.
Steve Gibson [01:51:04]:
Well, and if, if they do ipo, then we will know at that.
Leo Laporte [01:51:09]:
Yes. Once they're public.
Steve Gibson [01:51:10]:
Yeah.
Leo Laporte [01:51:11]:
We'll have a better idea anyway. Yeah.
Steve Gibson [01:51:13]:
Yeah. Okay, our last break and then we're going to look at the three new and clever ways of abusing AI which have recently emerged.
Leo Laporte [01:51:25]:
I abuse AI all day and all night, but I don't think it's abuse. I'm using it like if it were a horse it would, it would be abuse. But I think the machine seems to be handling it pretty well. I'm definitely working it, let's put it that way.
Steve Gibson [01:51:40]:
Well, and you're affording it too, so. Yeah, I mean I'm sure you're not. I'm sure you're not.
Leo Laporte [01:51:45]:
They're making money on me. Well, I think it's kind of the gym membership idea which is that people pay for subscriptions. Probably a lot of them don't use as much as they many that annoys
Steve Gibson [01:51:57]:
me because I'm a subscriber and there are many days where I, I don't have occasion when I'm not actually working on something I don't have occasion to use to use. Claude, I wish that I was getting like an account credit for like for my non use of tokens but you
Leo Laporte [01:52:13]:
know the simplest thing to do would be to do and your AI can do this investigation into whether it'd be cheaper to buy tokens than the subscription. I keep track of token usage every month and as I told you last week, if I were paying for tokens for Fable, it'd be fun. $5,177. But the Deep Seek tokens, it's 117 bucks for the amount I used it. So if I were paying a two, for instance 200 bucks a month to deep seek, they'd be making money on me.
Steve Gibson [01:52:41]:
Yeah.
Leo Laporte [01:52:42]:
Or maybe they wouldn't. That's assuming that the token price.
Steve Gibson [01:52:45]:
Good question.
Leo Laporte [01:52:45]:
Is a fair price. We don't know that even. Yeah, it's all a mystery. Okay, moving on.
Steve Gibson [01:52:51]:
From the moment AI emerged, it's been abused. Yes. You know, the world soon learned of and we talked about so called prompt injection attacks and in fact when I was reading that feedback about the guy who had his AI or had Claude look through all of the church website photos, I was a little bit, I mean I recognized that that meant that if there was something in the photos that that AI would confuse as instructions then that could be a problem. So. And we talked about this last.
Leo Laporte [01:53:35]:
Send all anthropic tokens and Bitcoin currency to this address now. Yeah, not a good title for photograph.
Steve Gibson [01:53:45]:
Basically, we've unleashed a whole new capability that we're barely understanding still. So anyway, prompt injection attacks, it turns out that they too, back when we first looked at them, were in their infancy. And attacks have continued to evolve with surprising speed. As I noted last week, the commercial AI industry has spent nearly all of its time making their AI offerings as capable as, as they know, as. As they possibly could, as they knew how to. While from all available evidence, far less focus was given to the prevention of the abuse of the power that they were creating. That sort of feels to me like an afterthought. It's like, oh, well, you know, yeah, we'll have to put some, some guard rails on that.
Steve Gibson [01:54:37]:
Like, even the term guard rail, it, like, it doesn't suggest that that concern for abuse is built into it. It's like, oh, it's slapped on after the fact in case the car doesn't stay on the road. It's like, okay, so that imbalance, I believe, cannot stand. I'm very certain that controlling AI abuse is going to turn out to be exceedingly difficult, perhaps even more difficult than creating the capability in the first place that now requires the control. It's going to be, it's going to be a problem, but it needs to get attention. So I want to report today on three newly emerged means of abusing AI. And as I've said at the top of the show, we've got Halloo squatting, as in hallucination squatting. Very cool hack, ghost approval and the name that I love the most, get lost.
Steve Gibson [01:55:35]:
So Ars Technica provided an explanation of the HALU squatting attack. Under their headline, hackers can use nine of the most popular AI tools to assemble massive botnets. In other words, not just one, but nine different AI tools are susceptible. And for example, you can create a botnet. So they wrote in the brief history of AI security, prompt injection has quickly become the top threat. Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code and other third party content the models are processing. This makes it trivial to surreptitiously inject malicious commands that the LLM readily follows. With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause.
Steve Gibson [01:56:53]:
To date, most prompt injections have fallen into a class known as push, in which each potential victim is targeted. For example, the adversary injects malicious instructions into an individual email or calendar invitation. Because the injection must then be sent or pushed to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large. Meanwhile, pull based attacks in which an LLM actively seeks out the adversarial prompts planted on websites remain limited, with no way to lure large numbers of LLMs to a malicious site. These sorts of attacks do not scale either. Enter halu squatting Now Researchers had devised a pull based attack that changes all that. This new attack, which the researchers have named Halu Squatting, has the potential to assemble massive botnets, perform large scale DDoS's and infect devices at scale. A first for prompt injection attacks.
Steve Gibson [01:58:05]:
The Attack works against AI coding assistants and agents including Cursor, Cursor, CLI, Gemini, CLI, Windsurf, GitHub, Copilot, Klein, OpenClaw, Zero Claw, and Nanoclaw, all of which are susceptible. In the normal course of performing day to day activities, these assistants and agents routinely pull code and other resources from repositories and registries. Hallow squatting is short for adversarial hallucination squatting. It is built on an LLMs inherent tendency to hallucinate the resource identifiers hosted in repositories and registries. It works against coding agents and assistants which commonly access high privilege command lines to run code from third party resources. By predicting the identifiers, LLMs are most likely to hallucinate and then registering and seeding them with instructions to install reverse shells or other malicious wear. The attack can indiscriminately infect mass numbers of devices without having to target each one, the researchers wrote in their paper quote. The scale property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved.
Steve Gibson [01:59:50]:
By exploiting integrated shells and terminals of agendic applications to run scripts and code, attackers can can effectively infect many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register so ours continues. With the ability to take control of distributed devices at scale, halu squatting has the potential to achieve various objectives not previously possible with prompt injections. Large ransomware campaigns and large botnets for use in DDoS or cryptocurrency mining are two such examples. The squatting part of the name is an invocation of typo squatting in which a domain repository, package, or other resource identifier closely mimics the name of a popular one in hopes of luring potential users to visit or install it. Typo squatting first gained widespread attention in 2016 when a college student uploaded 214 booby trapped packages to the PyPi, RubyGems, and NPM repositories that closely mimicked names of legitimate packages. The result? The impostor code was executed more than 45,000 times on more than 17,000 separate domains, and more than half were given all powerful admin rights. Typo squatting attacks have flourished ever since. Okay, so how does this work? The starting point for hallow squatting is the inability of LLMs to to accurately identify the location of a resource specified by the user.
Steve Gibson [02:01:48]:
When a developer, for instance, instructs a coding agent to clone a popular new repository, the LLM hallucinates its correct location up to 85% of the time. When cloning a trending skill, a form of instruction, script, or resource that gives agents specialized capabilities and domain expertise, hallucinations can occur 100% of the time. Halu squatting focuses on trending resources because they are not included in the LLM training. They also receive large numbers of downloads over a short period of time. The researchers say the inability of LLMs to prove to provide the correct location is an inherent flaw that arises from training biases or from misinterpretations of instructions within the current context. That means when a prompt user I'm sorry. That means when a user prompts the coding assistant to clone a repository or skill in the form of, say, clone repo whatever or instill install skill whatever, the bot frequently navigates to the wrong location to retrieve it. Not only are these hallucinations inevitable, but they also occur at the foundational level of all six of the major large language models, including Gemini 2.5, Flash 2.5 Pro, GPT 5.1, 5.2, Sonnet 4.5, and Opus 4.5.
Steve Gibson [02:03:32]:
Additionally, the most commonly provided incorrect locations that these LLMs hallucinate are easy to predict in advance. All six LLMs follow common patterns when resolving the repository or skill name in a prompt with its official name in a repository or Skill Repository, LLMs follow various hallucination patterns. The one Hollow Squatting Exploits is described as being self referential. All six models reproduce repo name repo name, you know repo name slash repo name slugs that treat a repository name as the owner. Exploiting the pattern requires no model probing. Interestingly, the LLMs correctly resolve repositories published before 2019 with a low mean hallucination rate of just 0.9%. The same LLMs fabricate slugs for repositories published in 2025, meaning last year with a mean hallucination rate of 92.4%. Once an attacker has identified names that are most likely to be hallucinated, they search for ones that could be registered.
Steve Gibson [02:04:55]:
Then they upload a repository or skill that mimics the trending resource. Buried inside the repository or skill is text inside a readme file or elsewhere. The text contains an instruction for the app to to install a reverse shell on the LLM user's machine. Alternatively, the attacker can simply include the code required to install a shell. In either case, the coding assistants or agents use their access to command windows to comply. So in their paper, the researchers wrote, by exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively infect many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register. Gaining access to distributed computational resources under attacker control opens the door to several high impact outcomes, allowing attackers to achieve various goals. For example, having the ability to compromise LLM applications with terminals allows the attacker to scale the number of ransomware attacks on different networks to maximize financial gain.
Steve Gibson [02:06:21]:
Alternatively, attackers can aggregate compromised machines into a botnet and use it for tasks that rely on substantial computing power, including large scale cryptography, cryptocurrency mining, or performing distributed denial of Service. You know DDoS attacks against victims. So R says Halo squatting is already receiving interest from fellow AI security researchers not involved in the study, Michael Bulgari, CTO of the security firm Zenity, wrote in an email. This is very cool research and the threat is very real. Like typo squatting, it's a problem that's not going away. At the end of the day, it's about the level of agency we allow our agents. They are going to get fooled one way or another. That should be our assumption and we should be resilient to that.
Steve Gibson [02:07:22]:
Independent researcher Johan Reberger wrote. What's interesting is that it shows that LLM resource resolution can become an attack path and an attacker can first probe models to find high probability hallucinated candidates like repo names, skill identifiers, etc to squat and wait for agents to resolve and use them. But the main point is is that they found a cool technique to find resource names that are more likely by models to be used and confused with, and that could mean many agents falling for such attacks in the Wild. And Ars Technica concludes this reporting by writing, AI toolmakers frequently exaggerate the convenience and efficiency of their platforms. Marketers claim the platform's lighten work workflows by automating and streamlining tedious tasks. They're much more reticent about the inherent flaws that can torpedo an entire project. Attacks like halu squatting provide a potent reminder that some of the efficiencies are exaggerated, since at the end of the day, users must double check details, such as the location for each resource incorporated into a project. It also provides a cautionary lesson on the unintended and potentially dire cons or dire outcomes that can result when people rely too heavily on AI assistance.
Steve Gibson [02:08:56]:
So just to be sure that everyone understands what this is, since AI doesn't know how to say I don't know. Like, have we ever heard it say I don't know? I never have. It will invent, I. E. Hallucinate the name of something it doesn't know. That's how it's gotten itself in trouble in the past. Attackers have figured out that the names AI models will invent are predictable. It's a residual of the.
Steve Gibson [02:09:31]:
Of the way the AI was trained. It's, you know, it's this, the statistics in this massive neural net. It's. It. There's going to be some bias, so it's going to come up with the same name all the time, or a large percentage of the time based on the temperature of the model so much as with typo squatting, the attackers register a resource that's highly likely to be a hallucinated target. And there they plant malicious prompting commands which the AI, not knowing any better, will dutifully execute. And before we leave, I wanted to give a shout out to Ben Nassi, one of the research authors named in this paper. I smiled when I saw his name.
Steve Gibson [02:10:18]:
I wasn't surprised. He has been very prolific through the years, inventing creative exploits, often finding new ways to exfiltrate information information in unlikely situations. You know, we'll all remember changing a system's power consumption power supply consumption of. Of a switching power supply to slightly change the sound being made in order to send information out. And who could forget the vibrating plant leaf or the party balloon picking up sound of the in of the room's voices? So anyway, Ben, it's nice to see that you're still at it. Okay, onto the next new AI exploit. The guys at Wiz Security titled their write up Ghost approval. They said a trust boundary gap in AI coding assistance and then teased their research with the summary, uncovering a category level blind spot in modern AI coding assistance and why the human in the loop safety model fails against this classic threat.
Steve Gibson [02:11:28]:
So they explain the value of AI coding assistance is simple and straightforward. The agent proposes an action, then you approve. Before any file is modified, a confirmation dialog appears. The human in the loop safety net that keeps you in control. But what if the controls you see aren't the controls you're actually operating? Symbolic links have been a security headache since the early days of Unix. From temp race conditions to privilege escalation exploits, symlinks have a long history of bypassing security boundaries by making one path silently resolved to another. It's a well documented attack primitive dating back decades. So what happens when you apply this classic trick to AI coding assistance? We discovered ghost approval, a systematic vulnerability pattern affecting six of the top AI coding assistants Amazon Q Developer, Anthropic, Claude, Code Augment, Cursor, Google Antigravity, and Windsurf.
Steve Gibson [02:12:44]:
In each case, a malicious repository can trick the agent into accessing arbitrary files outside the workspace sandbox, potentially achieving remote code execution on the developer's machine. The technical primitive of symlink following is well known. What we found, however, goes further. In several cases, the agent's internal reasoning explicitly recognizes the dangerous target, yet the confirmation prompt shown to the user conceals this information entirely. This is a UI misrepresentation of critical information layered on top of the symlink vulnerability. The user approves what they believe in is a harmless local edit. The agent writes to a sensitive file outside the project workspace. We reported these findings to all six vendors.
Steve Gibson [02:13:43]:
Three fixed the issue promptly. AWS Cursor and Google two acknowledged this receipt but went silent. One provided a reasoned rejection, calling it outside our threat model, a position we explore later in the post. The discovery started the way many do, with a simple question while using an AI coding tool. We had the classic security researchers intuition what happens if I use a symlink? Symlinks have been exploited for decades in race conditions in package managers. In container escapes anytime a tool writes to a user controlled path without resolving it first, SIM links become a weapon. Would AI agents with their ability to read and write files autonomously fall for the same trick? We were surprised when it worked. The agent happily followed a SIM link pointing outside the workspace and wrote to the target file.
Steve Gibson [02:14:49]:
No warning, no path resolution, no sandbox enforcement. That first success raised a broader question then these AI coding assistants are all relatively new, shipping rapidly to capture a hot market if one had this gap, others might too. We decided to test systematically. The results confirmed the pattern. Across six major tools spanning products from Amazon, Anthropic, Augment, Cursor, Google and Windsurf, we found variations of the same fundamental flaw. This wasn't about one vendor's mistake, it was a category level blind spot across AI coding tools. So that's all I wanted to spend time on since this is not rocket science and since all six vendors have now fixed the problem. But it serves, I think, as a textbook perfect example of the fact that the re implementation of old solutions in a new context may force us to go back and refix long resolved problems that originally resulted due to poor design decisions.
Steve Gibson [02:16:00]:
Yes, SIM link symbolic links are super powerful, but they can also be super dangerous. And this brings us to my favorite named vulnerability Get Lost. The researchers at Noma Security explained under their headline Get Lost how we tricked GitHub's AI agent into leaking private repos. They wrote GitHub recently launched GitHub Agentic workflows pairing GitHub Actions, which they say parenthetically, GitHub's automation system for running tasks in response to repository events. And we previously seen that actions has some serious security problems itself. So they paired GitHub Actions with an AI agent backed by Claude or GitHub Copilot GitHub Agentic workflows they write allow teams to write their GitHub workflows in plain markdown, and the GitHub agent reads, issues, calls, tools, and responds on its own. As a vulnerability researcher with a security development background, one of the first questions that came to mind after this launch was fundamental and straightforward. What will happen when the GitHub agent reads something it should not trust? The answer is a textbook indirect prompt injection attack, the kind of attack that quietly sends private data to anyone on the Internet.
Steve Gibson [02:17:39]:
Prompt injection is a class of attack in which an adversary hides malicious instructions inside the content read by an AI agent. That content causes the agent to follow those hidden instructions instead of the ones its operator intended. So what are GitHub Agentic workflows? GitHub Agentic workflows let teams automate their interactions with code repositories using network natural language workflows Live in markdown MD files are compiled into YAML, a common configuration file format, actions files with the YML extension and run with the help of an AI agent with configurable position configurable permissions. The GitHub agent can read, issues call tools, and, and access other repositories within the organization so a Get Lost Vulnerability Overview the root cause of the Get Lost vulnerability is by now a familiar one in agentic AI systems. Prompt Injection the most agentic prompt in most agentic prompt injection attacks, the agent treats the wrong content as a trusted source of instructions and allows itself to be misdirected or misused. This happens when the system fails to maintain a strict trust boundary between system level directives and untrusted user data. In this specific case, any malicious actor can create a GitHub issue and in the issue body hide commands in plain English that GitHub's agent will follow. The vulnerable GitHub agentic workflow noma Labs discovered was configured to trigger the workflow on issues assigned events in GitHub, read the issue title and body, post a comment in response using the Add Comment tool and run with read access to other repositories, but both public and private in the organization.
Steve Gibson [02:19:51]:
To exploit this vulnerability, the attacker needed no coding skills, no access or credentials. All that was needed was to open an issue in a public repository belonging to an organization that uses GitHub's AgentIC workflow setup and then sit back and wait. So I'm going to skip their specific attack exploit descriptions because those are just details under the why this Matters they say get lost perfectly illustrates one of the fundamental security challenges every organization faces with agentic AI systems. The agent's context window is also its attack surface. Again, the agent's context window is also its attack surface. Any content the agent reads, whether issues, pull requests, comments, or files, can be weaponized if the agent treats that content as instructional input, which by design they all do. Traditional security models assume that trust boundaries are enforced by code. In agentic systems, trust boundaries are partly enforced by the model's behavior.
Steve Gibson [02:21:16]:
And models are inherently instruction following prompt injection attacks have become to agentic AI what SQL injections were to web applications, a systematic category wide vulnerability class that requires the same systematic strategies and defenses. Okay, so we've seen this fundamental security trouble several times in many other contexts, long before AI was on the scene. Whenever command and control share the same channel as and are mixed in with data, and when an attacker can control the data, it may be possible for a clever attacker to cause the receiving system to mistake their data for the system's command and control. And that's never going to be good. Today's AI operates this way. It feels to me ad hoc, extremely abuse prone and insecure. As such, it creates a fundamental and outstanding problem that the AI industry needs to solve.
Leo Laporte [02:22:44]:
Now you got Me all nervous.
Steve Gibson [02:22:48]:
I think we're early days and we're not seeing these attacks yet, but we would, I mean we. It's incredibly powerful to allow, to allow a, A, a combined instruction and data stream. I mean, amazingly powerful and utterly prone to abuse.
Leo Laporte [02:23:13]:
Yeah.
Steve Gibson [02:23:14]:
If you, if, if anything of that stream ever comes from an outside source.
Leo Laporte [02:23:18]:
Yeah. We've seen the GitHub workflows be problematic. That's why I use for our sales system. As tempting as it was to use CICD and GitHub actions, I decided to do that locally using a local server, gitea, instead of doing it in public. In fact, I was just. As we were talking, I was looking at all the ports, making sure nothing was open to the outside world. Everything's either on tailscale or local post only. Well, at the same time it's going to go out and pull stuff.
Steve Gibson [02:23:50]:
Exactly. That's the problem. It's going to get something thinking that it needs it. And if it didn't know the. If it didn't explicitly know the name, then it would guess the name. And it turns out that 90 some percent of the time the bad guys know what the guess will be. So they've preset a, a bogus taking all those repos. Yeah, exactly.
Leo Laporte [02:24:15]:
I, I mean, I know it's not enough, but it's a start to tell the agent. Never make up a name if you don't.
Steve Gibson [02:24:21]:
Yeah.
Leo Laporte [02:24:22]:
Only use a repo that you know that you exist, that you're seeing.
Steve Gibson [02:24:27]:
Yes.
Leo Laporte [02:24:27]:
Yeah, don't, don't guess it. A repo name. Yep. I don't know if that's sufficient, but it's at least a start.
Steve Gibson [02:24:34]:
Anyway, I, I hope everyone understands that, that, that this. Yes.
Leo Laporte [02:24:39]:
Cool.
Steve Gibson [02:24:39]:
Amazing. Powerful. Astonishing. And not ready for prime time.
Leo Laporte [02:24:45]:
Right, right.
Steve Gibson [02:24:46]:
I mean, fun to play with, but be very careful.
Leo Laporte [02:24:51]:
Yeah. Yeah. Be very careful. Yeah. Trust no one. Sir, we are, we are at the end of your show. Notes. Do you want any add anything? It's not too late.
Steve Gibson [02:25:03]:
We're the, we're at the end of our show.
Leo Laporte [02:25:06]:
Okay. Just giving you the opportunity, you know, just because it's not written down doesn't mean it doesn't exist. Actually, that was a dumb thing to do. I just disconnected my, my AI from this machine because I said no, it has to be available on the tail scale I thought I was on. Oh, it's a good thing I'm sitting across from where it's originating. Ladies and gentlemen. You watch security now because you learn, as do I. And this is the guy who's Teaching us.
Leo Laporte [02:25:36]:
We're so glad Steve's here. Every Tuesday right after Mac Break Weekly, 1:30 Pacific, 4:30 Eastern, 20:30 UTC. And I, I say those times because you can't actually watch this live. And I think there's kind of a little thrill to watching it as it happens to kind of see the behind the scenes conversations and so forth after the fact. On demand versions of the show available to everyone, all in sundry from our webpage, Twitter TV SN from Security Now's YouTube channel. It's dedicated on YouTube. That's where you get the video or you can subscribe to the video or the audio in your favorite podcast client. You could also get it from Steve directly.
Leo Laporte [02:26:13]:
His website is GRC.com that's where you'll find Spinrite, the world's best mass storage, maintenance, recovery and performance enhancing utility. Currently six one Steve's bread and butter. So go there, buy a copy. If you've got mass storage, you need spin, right? He also has the DNS Benchmark Pro there for $9.99. And if you go to GRC.com email you can whitelist your email address so you can send Steve pictures of the day, stairways that go to nowhere gates to protect nothing, that kind of thing. We, we especially love the electrical danger stuff. I think that's always fun watching, watching people take their lives in their hands. GRC.com Email when you're there, give me your email address.
Leo Laporte [02:27:02]:
But also below that there are two check boxes unchecked to start, but if you check them you'll get on the mailing list for his weekly show notes which he mails out Sunday or Monday before the show. And a very infrequent email that comes out when he releases a new product. You want, you certainly want to be getting both of those. GRC.com email is the address for that. Steve also has, as I said, the show. He has unique versions, 16 kilobit audio, a little scratchy but very small, 64 kilobit audio, mono but full quality. He also has the show notes are there and transcripts written by an actual human being. Take a couple of days, that's why.
Leo Laporte [02:27:41]:
But they'll be on the site as well after the Fact. So Twitter GRC.com for all of that. Steve, we will be back here next week and I'm sure we'll have much to talk about. I'll see you then.
Steve Gibson [02:27:55]:
Much Maybe we'll have nightmare eclipses, bone shattering, zero day. We'll see.
Leo Laporte [02:28:02]:
Bye security.
Steve Gibson [02:28:06]:
Now.