Security Now 1019 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show
0:00:00 - Leo Laporte
It's time for Security Now. Steve Gibson is here. We're going to talk about how Kuala Lumpur's International Airport responded to a ransomware attack. I'll give you a hint: it involves whiteboards. The creator of Have I Been Pwned just got pwned. We'll read his disclosure. He handled it well, I thought. And then, is the EU going to switch to Linux, and why that might not be such a bad idea. All that coming up and a whole lot more, next on Security Now. Podcasts you love, from people you trust.
This is TWiT. This is Security Now with Steve Gibson, episode 1019, recorded Tuesday, April 1st, 2025: EU OS. It's time for Security Now, the show you look forward to all week long, because, well, when else are you going to have a chance to get together with the wonderful Steve Gibson and talk about technology and computing and security and privacy? Here he is, the man of the day, the man of the hour.
0:01:08 - Steve Gibson
Sometimes a little AI, sometimes a little supplement, sometimes a little sci-fi D sprinkled on top.
Yeah, today, of course, is April Fool's Day, uh-oh, and, as you and I are in agreement, it's a dumb thing to do jokes. I mean, I don't want to go over and look at theregister.co.uk. It's like, who knows what's happening there. I did hear from one good security-conscious buddy of mine. We were together at Berkeley. I met him there and we've stayed in touch. He sent me a note. He said April 1st is the only day people critically consider what they read on the internet. He said let's make every day April Fool's Day.
0:01:56 - Leo Laporte
Good point, good point. We should always be skeptical, shouldn't we? It's like, I don't think that even The Reg is doing any April Fool's. I think people have finally realized.
0:02:07 - Steve Gibson
Burned out finally.
0:02:10 - Leo Laporte
Remember, Google used to spend many, many cycles working on their April Fools jokes. It seemed like a waste.
0:02:16 - Steve Gibson
Yeah, well, what is not a spoof or an April Fools is the existence of something called EU OS, as in European Union operating system. Wow, yeah, baby, it's like bye-bye, Microsoft. So, for Security Now episode 1019 for, yes, April 1st, we're going to finish by talking about that, and it brings up some interesting things, Leo, that you and I are going to have fun talking about. Like when FOSS, you know, free, open source software, gets to be so important that, you know, that little guy with the block down in Nebraska holding up the pyramid, it's like, okay, wait, you know, is this fair? That, like, the European Union would be getting arguably an incredible amount of value out of this work which was volunteered and is thankless. So, you know, I mean, it feels to me like when it moves from Hobbyland, as it's kind of largely been, into, like, running the world, you know, does the model change? It's, you know.
0:03:44 - Leo Laporte
That's a good question yeah.
0:03:45 - Steve Gibson
Yeah, so, um, but we got lots of other fun stuff to talk about. First, of course, the first story was driven by a picture that I saw. The Kuala Lumpur International Airport immediately said no to a ransom attack and got out their whiteboard. Wow, it's like, hey, we don't have that many flights, so we're just gonna have Benjamin write them down. Uh, also, oh, Leo, a tired and jet-lagged Troy Hunt got phished. Oh no, then had to list himself on his own site.
0:04:26 - Leo Laporte
Have I been pwned?
0:04:27 - Steve Gibson
Yes, anyway, he did a really good takedown of himself and, like, looked at, like, how did this happen to me? Anyway, so gonna have some fun there. Also, Cloudflare decided to completely pull the plug on port 80. HTTP no more, which, you know, it takes actors like that to be able to do that and make it happen. Also, malware is switching to obscure languages to avoid detection, and I said this is sort of, well, it's apropos of that: Forth, anyone? And actually Lisp is among them.
0:05:11 - Leo Laporte
Lisp is one of them, yeah.
0:05:13 - Steve Gibson
Yeah, password reuse, it appears, is not dropping. Cloudflare has numbers. A listener has shared his log of malicious Microsoft account login attempts and I asked the question, seeing the list, which we'll be sharing, why no geofencing, Microsoft? 23andMe is again down for the count. Just a little reminder there, and I have a little bit more information. Also, we've got a sobering ransomware attack and victim listing website which, for those who want to jump ahead, is this week's episode-numbered shortcut of the week. Also a nice post from a listener, a bit of feedback, sharing that InControl, one of my pieces of freeware, is helping him to keep his VR planes aloft, and then we're going to take a look at what this EU OS means for them and sort of what it suggests about where FOSS goes from here.
0:06:23 - Leo Laporte
So I think for a non-foolish April 1st we've got a great podcast for our listeners and we promise that all the stories you will hear today are true.
0:06:36 - Steve Gibson
Yes, E-U-O-S. That would have been a great one, but it turns out it's true.
0:06:40 - Leo Laporte
Sadly, they're all true. That's really the truth. Sadly, they're not made up. All right. Well, we're going to get to the show in just a second. Of course, our picture of the week. Steve says we've seen it before. I don't remember it, but if you do, you could let us know. It's a repeat, but it's worth repeating, I think. Yeah. And somebody has already fed it to ChatGPT and come up with a replacement for you, Steve, that no one has seen before, so we'll show you. A replacement for me, the podcaster.
0:07:09 - Steve Gibson
No, no, just for that cartoon, because, you know, I've already heard from our listeners say, I dumped all of these transcripts of the past shows into AI and then I gave it, like, scan the news of the week and just be Steve. Yeah. And so if I suddenly start looking younger, yeah, and, uh, it could happen.
0:07:28 - Leo Laporte
No, it can happen. Yeah, our show today brought to you by Drata. You might know this name if you're leading risk and compliance at your company. I hope you know the name Drata. It's a tough job you've got. You're wearing 10 hats at once. You're managing security risks, compliance demands, of course, budget constraints, they're always there, all while trying not to be seen as the roadblock that slows business down. You don't want to be the speed bump, but GRC isn't just about checking boxes. It's a revenue driver. It can be. It builds trust. It can accelerate deals. It strengthens security, of course. That's why modern GRC leaders turn to Drata, a trust management platform that automates those tedious tasks so you can focus on reducing risk, proving compliance and scaling your program without breaking a sweat.
With Drata, you can automate security questionnaires. You can automate evidence collection. You can automate compliance tracking. Isn't that just, do you feel like a sigh of relief just hearing that? Right? You can also stay audit-ready there with real-time monitoring, which is really great. Simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance. Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? I think you owe them a visit. drata.com/securitynow to learn more. drata.com/securitynow. We thank them for supporting the work Steve's doing here and the work you're doing too, I guess, and we thank you for using that address so they know you saw it here: Drata, D-R-A-T-A dot com slash security now. Picture of the week time, Steve.
0:09:20 - Steve Gibson
So, yeah, this picture takes a rather boring, sort of, I guess it's not really esoteric, topic (it's important if you're writing code that you want to be correct) and really puts a good sharp point on it and makes it a lot more fun. I gave this picture the caption:
Subtle coding choices can land you at the bottom of the canyon. And so the picture we have shows the famous Wile E. Coyote and the Road Runner, and so the issue here is whether you test for your loop completion in code at the top of the loop or the bottom of the loop, and both placements have a terrific coding purpose. So, the idea being, so, you know, in code you have this general notion of flow control, that is, you know, an if instruction that jumps you somewhere else changes the flow of the control of the code. Similarly, you've got looping, where you want to do something some number of times, and in some cases the control of the loop is an expression which evaluates to true or false. So, for example, in the first case you would say, while something is true, and that could be an inequality expression or a Boolean variable or whatever. While something is true, do the following. And so then that following, whatever it is inside the loop, would be done, and then you'd come back up to the top and re-evaluate that expression. And it may now no longer be true, in which case you fall out of the loop, you drop out of the loop and you continue executing code below. The alternative is an expression which is expressed as do that something and then, down at the bottom, while, and then you have your expression that you evaluate as true or false. So obviously the difference here is, in the first case you're testing that expression at the top before you have even done what the loop contains once. In the second case, do something while, you don't get down to the while until you've done it once.
So this is so beautifully illustrated in the cartoon, because in this coding example in the cartoon, the loop says while not at the edge, run, that is, as in run toward, you know, like, the coyote is chasing the Road Runner and they're running toward the edge of this cliff, with a really long canyon below. Of course we all remember seeing the little, and then a little puff of smoke down there, when the coyote hits the bottom and miraculously survives. So the Road Runner is using the first instance, while not edge run, meaning that I'm not at the edge is being tested before we run, so it stops before it reaches the edge. Unfortunately, the coyote's logic is the other loop, in this case the wrong one, which says do run while not at edge, meaning that the run happens before the testing for whether we've gotten to the edge. The coyote overruns the edge, falls to the bottom of the canyon. Anyway, you'd have to be into code and geeky nerdiness to think that this was wonderful. But just a great illustration of the difference, and from a true coding standpoint.
The caption I gave is subtle coding choices can land you at the bottom of the canyon. It's probably always the case when someone is writing code that this choice matters. I have used both often, because sometimes I do always intend to do something once, then decide after that's done, do I want to do it again? Other times I want to check to see whether I need to do it at all and just skip over it, never execute the loop, if that's the case. So yeah.
0:14:17 - Leo Laporte
I guess you could say that you should check your edge cases before you get to the cliff is what you're saying. Yes, you want to make sure that you're not at the edge when you run, unless you could put a try and a catch at the bottom. If you had a catch at the bottom, you'd be okay. By the way, here's a ChatGPT redo of this, with me apparently putting my test clause at the wrong part of the loop, and that's not good.
0:14:48 - Steve Gibson
Very nice.
0:14:48 - Leo Laporte
Yeah, ChatGPT can do those. Now it's kind of a fun.
0:14:52 - Steve Gibson
Yeah, it's amazing. Okay, so the Malaysian Prime Minister, Anwar Ibrahim, has declined to pay a $10 million ransom after hackers, and you can put this on the screen, I think it'd be good, Leo, for people to see it, to pay a $10 million ransom after hackers paralyzed the IT systems at the country's main airport over the weekend.
0:15:23 - Leo Laporte
Oh my God.
0:15:30 - Steve Gibson
This incident forced the staff at the Kuala Lumpur International Airport to manually post the flight information on a large whiteboard with a pen. Wow, and it's just wonderful. I mean, it's like, you know, it's like you can imagine, you know, the grandchild saying to grandpa, Grandpa, how did you used to know what gate to go to before computers? And there's your answer. So we've got, you know, flight numbers, destinations, time of departure and then gate numbers in several columns.
Anyway, this is what happens if you say no, we're not knuckling under to the ransomware guys. So we touch on ransomware a few times in this podcast. I've stumbled on a site that is quite sobering. So the prime minister said that it took him, he said, it took me less than five seconds to decide to decline to pay the ransom. Wow, and no particular group has taken credit for the hack. And maybe now, if they see this picture, they go, well, I guess we're not going to get our 10 million. We're just, you know, I don't know if they're going to give them back the decryption keys. Hopefully they're restoring their systems from backups and they were able to retire the whiteboard, but they didn't waste any time coming up with a workaround. So, okay, we would file this one under the heading:
It can happen to the best of us, and I'm always saying there, but by the grace of God, because I'm not saying none of this can happen to me. I may have an expired certificate or a compromised server. I mean, as I said, what, is it a week or two ago, when I learned about that PHP flaw, where in the CGI invocation of PHP I was using a vulnerable version of PHP. I will say that because PHP, it's on an isolated server, you know, I mean literally that server can't do any damage if anything gets loose in it, because I just don't trust that stuff that I didn't write myself. So, you know, again, it could happen to the best of us. Anyway, so an alternative heading might be: even the most security-aware person can get tripped up.
Last week Troy Hunt, who's famous for his Have I Been Pwned password leakage tracking site and service, posted his piece titled A Sneaky Phish, you know, P-H-I-S-H, A Sneaky Phish Just Grabbed My MailChimp Mailing List. So Troy wrote: you know when you're really jet-lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a MailChimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog. He said I'm deliberately keeping this post very succinct to ensure the message goes out to my impacted subscribers ASAP. Then I'll update the post with more details, but as a quick summary, I woke up in London this morning to the following. And then he posted for us, and it's on the screen, what he saw, which was the Intuit MailChimp logo, and the page looks 100% legit, and it says sending privileges have been restricted due to a spam complaint received on March 24th, 2025.
We take these reports seriously to maintain a safe and trusted platform for all users. Then it says under the heading what happened your account has been flagged due to a spam complaint and, as a result, you are temporarily unable to send emails until this issue is resolved. What you need to do, it says please review your recent campaigns and audience lists to ensure compliance with our policies. Then, in bold, click below to review your account and take the necessary steps to restore your sending privileges. So anyone seeing this who uses MailChimp probably got a few of these in the early days before they'd established their reputation, while some people were saying what is this?
I didn't ask to be on this list, and they, you know, they complain, and so, I mean, this is completely believable, and Troy makes a point later, as we'll see, that it wasn't over the top. It didn't say your life will end in 15 minutes if you don't, you know. It was just, it was pitched just right. So, and he was jet-lagged and tired, he clicked the button, Review Account, mailchimp-sso.com, and entered my credentials, which, crucially, did not auto-complete from 1Password.
0:21:34 - Leo Laporte
1Password wouldn't have let him do it.
0:21:37 - Steve Gibson
It said that's not a URL that I've seen before, so the fields were empty. He said I then entered the one-time password. You know, he has an authenticator. So the OTP, and the page hung, he said.
Moments later the penny dropped and I logged onto the official website, which MailChimp confirmed via a notification email which showed my London IP address. I immediately changed my password, but not before I got an alert about my mailing list being exported from an IP address in New York. So that's what they wanted. And moments after that, he said, the login alert from the same IP, quote, we'd like to confirm some recent activity on your account, unquote.
He said this was obviously highly automated and designed to immediately export the list before the victim could take preventative measures. There are approximately 16,000 records in that export containing info MailChimp automatically collects, like, it turns out, GPS coordinates and, you know, more than people would like to have exposed, but that's what MailChimp collects. He said every active subscriber on my list will shortly receive an email notification by virtue of this blog post going out. Unfortunately, the export also includes people who've unsubscribed. He asks parenthetically, why does MailChimp keep these? He said so I'll need to work out how to handle those ones separately. I've been in touch with MailChimp but don't have a reply yet. I'll update this post with more info when I have it. He said I'm enormously frustrated with myself for having fallen for this and I apologize to anyone on that list. Obviously, watch out for spam or further phishes, and, meaning, like, somebody pretending to be him, for example, who wants them to do something with Have I Been Pwned, you know? Because that's the way this could escalate or snowball. And he said obviously watch out for spam or further phishes and check back here or via the social channels in the nav bar above for more. He said, ironically, I'm in London visiting government partners and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature, and he had a face-palm emoji. He said more soon. I've hit the publish button on this 43 minutes after the timestamp in that first email above. So he prioritized immediately notifying all the people on that phished list that this was what happened. So, you know, the email address they had entrusted to him had escaped.
Later he continued under the headline more stuff from after the initial publish, and he wrote every Monday morning when I'm at home I head into a radio studio and do a segment on scams. It's consumer facing, so we're talking to the normies, and whenever someone calls in and talks about being caught in the scam, the sentiment is the same: I feel so stupid. That, friends, he wrote, is me right now. Beyond acknowledging my own foolishness, let me proceed with some more thoughts. First, I've received a gazillion similar phishes before that I've identified early.
So what was different about this one? He said tiredness was a major factor. I wasn't alert enough and I didn't properly think through what I was doing. The attacker had no way of knowing that. I don't have any reason to suspect this was targeted specifically at me. But we all have moments of weakness, and if the phish event is timed perfectly by coincidence with that, well, here we are, he said. Secondly, reading it again now, that's a very well-crafted phish. It socially engineered me into believing I would not be able to send out my newsletter, so it triggered fear. But it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency, without being over the top. Yeah, that was smart, right?
0:26:58 - Leo Laporte
Yeah, because if it's like, oh my God, you're going to go to jail, then he would have known. Yes.
0:27:04 - Steve Gibson
Yes. And he said, thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password. So why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain and that address is stored in 1Password. Then you legitimately log on to a different domain. He said, for example, Qantas Airlines uses both www.qantas.com.au and elsewhere accounts.qantas.com. And so his point is, you know, we're all used to the occasional failure of our autofill because, as he said, the authentication has gotten so complicated that even that isn't as straightforward as it once was. And he saw mailchimp-sso.com. That looks, you know, possible. You know, probably should have been sso.mailchimp.com, because then it would have been a subdomain of mailchimp. Obviously the bad guys got this, and so they were doing, so they had sso.com, and then they were prepending.
No, no, it's mailchimp-sso.com. Oh yeah, that's not right. So they just grabbed a domain that looked legitimate, knowing that someone like Troy or your typical user might go, okay, just make sure the URL seems right, and it's like, okay, that seems right.
0:28:41 - Leo Laporte
I think some password managers will say use the base URL for the matching. But again, this was.
0:28:48 - Steve Gibson
mailchimp-sso.com.
0:28:51 - Leo Laporte
Well, that's a different base URL, though, right, right.
0:28:55 - Steve Gibson
So 1Password said, ah, what? Yeah, yeah. What would be interesting would be if a future password manager did a soft match and saw that, well, I've got mailchimp.com, here it is again, and then brought up an alert and said, hold on, this looks like one of your domains, but it isn't. Right. So then it'd be like, what? Anyway. He said, and the final thought for now is more of frustration that MailChimp did not automatically delete the data of, and he says this is not, you know, his fault, more of a frustration that MailChimp didn't automatically delete the data of people who unsubscribed. He said there are 7,535 email addresses on that list, which is nearly half of all addresses in that export. He said I need to go through the account settings and see if this was simply a setting I hadn't toggled or something similar, meaning it was his fault for not turning on delete email addresses when people unsubscribe.
0:30:04 - Leo Laporte
Let me show you, by the way, and this isn't Bitwarden, but Bitwarden, you have to do this on a per-site thing, but does have switches for detection of base URL, so you can have base domain, but you can also have a regular expression. You could say it has to match exactly. I haven't tried 1Password. I would assume that 1Password would have this kind of feature as well, right? And then the next step is, well, if it doesn't fill, you really should check. Right? Don't assume, because he obviously manually entered it right when it didn't.
0:30:37 - Steve Gibson
No, no, no, um, oh yes, yeah, yes, he had to manually enter his username and password.
0:30:41 - Leo Laporte
He said it didn't fill. He said, oh well, it's probably just a thing.
0:30:44 - Steve Gibson
Yeah, and I'll often open the dialogue because none of us know our passwords anymore. So I'll copy the password and then manually paste it into the password field and it's like, okay, fine, you might have done that too, yeah, so you're right.
Anyway, he said the inclusion of those addresses was obviously completely unnecessary. He said I also don't know why IP addresses... Oh, and I'll just say one other thought, although Troy didn't, is even if 1Password wanted to keep them around for some reason, they could have been excluded from an export, or, you know, so that they weren't exportable. Even if they, like, for example, maybe MailChimp, I'm sorry, I said 1Password, I meant MailChimp. Maybe MailChimp needs to, you know, like, keep them blacklisted if somebody maliciously resubscribes after saying don't ever send me an email again.
I mean, for example, my own system does that. There's a button that I have, where it's like, I don't ever want to hear from you again, no matter what. And that goes onto a permanent list, and I've said, if you ever want to get yourself removed from that, I'm going to have to write some code, because you're stuck, buddy. Yeah, I just, I don't, I never want to bother anybody with email that they don't want. So, anyway. So he said.
Also, I don't know why IP addresses were captured or how the latitude and longitude are calculated, but all of that was in the export. So he was a little bit annoyed by that, he said, but given I've never seen a prompt for access to the GPS, I imagine it's probably derived from the IP, which is certainly reasonable. He said I'll park this here and do a deeper technical dive later today that addresses some of the issues I've raised above. And again, I'm sure we can all give him a get-out-of-jail-free card just based on jet lag and fatigue. You know, he wasn't soliciting this notice from them. He didn't go there. It showed up in his email and, again, looking absolutely believable.
0:33:01 - Leo Laporte
That's when they get you, though, when your guard is down.
0:33:04 - Steve Gibson
When your guard is down, exactly. You're in a hurry, you know, your buddies are outside saying, hey, you know, like, waiting for you to go to lunch, and it's like, okay, you know, and you don't think. In fact, I'm always so careful when I'm logging away from my servers that I log out and don't shut down, because, you know, whoops. So those sorts of things happen.
Actually, I have removed shut the shutdown option. I've got to use that smart to do that, anyway. Then a bit later Troy continued. He said unfortunately, mailchimp does not offer phishing resistant two-factor authentication. And then we see a screenshot from them showing two-factor authentication and what is configured is his authenticator app and not configured is SMS, because he knows that's not going to be useful. So that's all good, but he says by no means would I encourage people not to enable two-factor via one-time passwords. But let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the one-time password as soon as it's entered. Good point.
0:34:31 - Leo Laporte
So that's what happened.
0:34:31 - Steve Gibson
That's what happened. It was so quick. Yes, yes. You know, he went into his MailChimp account and triggered an automated mailing list export, and that's what it was designed to do. He also wrote, I just went to go and check on the phishing site with the expectation of, now, that's meaning the mailchimp-sso.com, he went to check on the phishing site with the expectation of submitting it to Google's Safe Browsing, but it looks like that will no longer be necessary, because he was presented with a Cloudflare intercept page stating that the page was suspected of being used for phishing. So in the interval of, I don't know, a couple hours, probably, when he got back to it, that mailchimp-sso.com site had already been blocked because others reported it as being a phishing site. So he said, two hours and 50 minutes after it snared my creds, Cloudflare has killed the site. I did see a Cloudflare anti-automation widget on the phishing page when it first loaded and later wondered if that was fake or they were genuinely fronting the page. As it turns out they were, he said. But I guess that question is now answered.
I know there'll be calls of, quote, why didn't Cloudflare block this when it was first set up? In their defense, it's enormously difficult to do that based on domain or page structure alone without creating a heap of false positives. And Troy knew that he would need to load those addresses into his own Have I Been Pwned site. He wrote: When I have conversations with breached companies, my messaging is crystal clear. Be transparent and expeditious in your reporting of the incident and prioritize communicating with your customers. Me doing anything less than that would be hypocritical, including how I then handle the data from the breach, namely adding it to HIBP. As such, I've now loaded the breach and notifications are going out to 6.6K impacted individual subscribers and another 2.4K monitoring domains with impacted email addresses.
And he finished: looking for silver linings in the incident, I'm sure I'll refer this blog post to organizations I disclose further breaches to. I'll point out in advance that even though the data is, he has in quotes, just email addresses, and the risk to individuals doesn't present a likelihood of serious harm or risk their rights and freedoms, it's simply the right thing to do. In short, for those who read this in the future, not just as I say, but as I do. So I've included a link to Troy's entire blog posting, which proceeds with, at the time of this writing, a series of seven additional follow-ups. So for anyone who's interested, there is more there if you want to follow the link, or probably just follow it from troyhunt.com, which is where he blogs from.
He spends a lot of time looking at the benefits, the many benefits, in these follow-ups, of passkeys, which are inherently phishing resistant, because the information being sent back to the authenticating server is neither static username and password nor short-duration one-time codes. The authenticating server sends a unique, never-before-seen challenge over an end-to-end encrypted link which the user's client signs, so any man in the middle is cut out. But the biggest takeaway here is that phishing which takes advantage of the human factor remains an active threat today, and it can literally happen to anyone, even someone as astute as Troy, who lives and knows this stuff inside and out. It just happened to catch him at a time of fatigue and jet-lagged weakness, but it did catch him.
The addition of one-time passwords has neutered non-real-time attacks where a user's login username and password had been stolen in a site breach, but automated attacks which immediately forward the user's provided one-time password to the authenticating server remain 100% effective, so that's worth keeping in mind. It's not like we get total protection from having to, you know, feel like we're James Bond, looking up our secret password, which changes every 30 seconds, and typing it in. You know, and remember that we've also seen how ridiculously long some authentication sites, such as Microsoft, will continue to honor tokens which expired many minutes, oh, more than 30 seconds, ago.
0:40:14 - Leo Laporte
Oh, yeah, yeah, yeah, that's because it takes time for people to... yeah, I mean, we covered it.
0:40:21 - Steve Gibson
It was, there was an instance where it was like a five-minute window, and the attackers were hacking Microsoft's one-time password system because, by using crowdsourced brute forcing, they were able to get all one million possibilities into that window to neuter anyone's one-time password. And then, finally, the fact that attackers used the domain mailchimp-sso.com further masked the attack. You know, even to someone like Troy, who probably noticed the URL, that was a perfectly reasonable domain name of the sort we see every day. Yes, I agree with him.
0:41:05 - Leo Laporte
This is why passkeys have to happen. That's why, frankly, SQRL should have happened. It would solve this problem. Yeah, it did solve it.
0:41:14 - Steve Gibson
It's not the one we got, but we got one which is still phishing-resistant, and now what we just need is everyone... again, like, nothing makes the world change, and we've got a couple more instances we'll be encountering here today of what it takes to, and actually our next story. But let's take a break, and then we're going to talk about Cloudflare making the world change in a good way.
0:41:42 - Leo Laporte
Change is good, sometimes, not always. Not easy, and not something you do voluntarily.
0:41:48 - Steve Gibson
It's like, hey, well, it worked yesterday and it looks okay today, so, well, probably good for tomorrow. Yeah, um, and passkeys would be resistant, right?
0:41:58 - Leo Laporte
I mean, there's no, nope, there's no interaction with the website.
There's no way a third party could snoop. Cuts the third party out of the loop. Yeah, yeah, okay. Well, let's say hello to a brand new sponsor, shall we? Oh, yes, always happy to get new sponsors. Have you heard of the company OutSystems? You should. They've been there for 20 years. For over 20 years, the mission of OutSystems, O-U-T, is to give every company the power to innovate through software. OutSystems is the leading AI-powered application and agent development platform. They've been doing this for a long time.
It's kind of impressive. IT teams, and if you're on an IT team you know this, typically have two choices. It's the buy or build choice. Right, we all know it. Buy off-the-shelf SaaS products for speed, but then they may not be a perfect fit. You lose flexibility. You also lose differentiation from the competitors, right? Or build your own custom software. Always fun, right? You lose time and resources.
There is a new way, though, thanks to AI. AI has given us another path. The fusion of AI, low-code and DevSecOps automation onto one development platform means maybe you can kind of build custom applications faster, better, easier than ever. Well, you can with OutSystems. Your teams will build custom applications using AI agents, and we've started to see people doing this and it's really impressive. It will make it almost as easy for them to do the build part of this as the buy part, as buying generic off-the-shelf sameware, right? And flexibility, security and scalability come standard with OutSystems.
With AI-powered low-code, teams can build custom, future-proof applications at the speed of buying, with fully automated architecture, security, integrations, data flow, permissions, it's all built in. Now, that's a great idea. OutSystems is the last platform you need to buy. The last one you need to buy, because you can use it to build anything and customize and extend your core systems to build your future with OutSystems. Visit outsystems.com/twit to learn more. Now there's an answer to the build-versus-buy conundrum that's better than both. OutSystems. outsystems.com/twit. Build your own custom-built apps and agents faster than ever with OutSystems. I love this idea. outsystems.com/twit. We thank them for their support, and, of course, you support us when you use that address, so make sure you do, so they know you saw it on Security Now. outsystems.com/twit. All right, Steve, let's talk about Cloudflare.
0:45:09 - Steve Gibson
So, yes, their blog posting was titled "HTTPS only for Cloudflare APIs: shutting the door on cleartext traffic." They begin by writing: Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries such as ISPs, Wi-Fi hotspot providers or malicious actors on the same network. It's common for servers to either redirect or return a 403 Forbidden response to close the HTTP connection and enforce the use of HTTPS by clients. For example, you can still reach GRC over port 80, HTTP, but my server just immediately bounces the user's browser over to the same URL, but HTTPS, in order to move you over to secure. They said: However, by the time this occurs, it may be too late, because sensitive information, such as an API token, may have already been transmitted in clear text in the initial client request. This data is exposed before the server has a chance to redirect the client or reject the connection. A better approach is to refuse the underlying cleartext connection by closing the network ports used for plaintext HTTP. And that's exactly what we're going to do for our customers. Wow, I mean, that's... okay, what will break? They said:
Today we're announcing that we are closing all of the HTTP ports on api.cloudflare.com. We're also making changes so that api.cloudflare.com can change IP addresses dynamically, in line with ongoing efforts to decouple names from IP addresses and reliably manage addresses in our authoritative DNS. This will enhance the agility and flexibility of our API endpoint management. Customers relying on static IP addresses for our API endpoints will be notified in advance to prevent any potential availability issues. So that suggests that people who've been using the Cloudflare API knew that the IP addresses Cloudflare was publishing, where their servers were listening, would never change, and they've decided: we're going to allow our IPs to float around. They're saying we, Cloudflare, need that flexibility, so we're going to switch back to using DNS, and, of course, with DNS over TLS or HTTPS, that becomes more feasible, because then you've got your DNS also secured at their end. So they said: In addition to taking this first step to secure Cloudflare's API traffic, we'll provide the ability for customers to opt in to safely disabling all HTTP port traffic for their websites on Cloudflare. We expect to make this free security feature available in the last quarter of 2025. So first they're going to say no to API access over port 80, and then give their customers the option of turning off access to their own Cloudflare-hosted websites over HTTP, again for the sake of enhanced security. They said: We have consistently advocated for strong encryption standards to safeguard users' data and privacy online as part of our ongoing commitment to enhancing Internet security.
This blog post details our efforts to enforce HTTPS-only connections across our global network. I've got a link in the show notes for the entire posting, because it goes on into great detail with network state diagrams and the like, showing how all this works and the problems that can be created if you're not careful, and more, about, you know, how and why none of the options for redirecting initially plaintext HTTP traffic over to HTTPS is able to achieve the same absolute level of security as simply saying no to all non-HTTPS traffic from the start. They wrap up this lengthy blog posting by saying: Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should no longer expect a 403 Forbidden response. Now, because that means that there was a server listening on port 80 that accepted the connection and then sent back a 403 Forbidden. Now there is no port 80. It's just gone. So, you know, TCP is banging its packets against the wall and nothing's happening. So they said: Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection from being established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established.
We're also making updates to transition api.cloudflare.com away from its static IP addresses in the future. As part of that change, we will be discontinuing support for non-SNI, remember that's Server Name Indication, non-SNI legacy clients for the Cloudflare API specifically, and they said currently an average of just 0.55%, so a little more than one out of... Part of the TLS handshake is the SNI value, the Server Name Indication, which is the domain to which the client wishes to connect at that remote server IP. The server needs to know that in order to know which certificate to send back, in order to match the domain that the client wants to connect to for TLS. So they said, only, you know, one in 200, a little over one in 200 clients are still trying to do that. So they said: We are committed to coordinating this transition and we'll work closely with the affected customers before implementing that change. So the other thing they're essentially saying is they're going to be doing some IP space collapsing. Right now they have dedicated IP addresses that are associated with fixed domain names. They don't want to do that anymore. They want to require SNI, and they're going to disconnect that binding between a fixed domain name and a fixed IP so that, all together, what this means is they'll be able to serve more domains on fewer IPs, which helps with IP depletion problems and gives them a lot more networking flexibility. So they said: We're committed to coordinating this transition and we'll work closely with the affected customers before implementing the change. This initiative aligns with our goal of enhancing the agility and reliability of our API endpoints.
And finally: Beyond the Cloudflare API use case, we're also exploring other areas where it's safe to close plaintext traffic ports. While the long tail of unencrypted traffic may persist for a while, it should not be forced on every site. In the meantime, a small step like this can allow us to have a big impact in helping make a better Internet. We're working hard to reliably bring this feature to your domains. We believe security should be free for all. So, bravo, Cloudflare. This is the sort of step that's needed, as I said above, to push Internet security forward.
You know, just say no to port 80, which makes me wonder, I haven't looked, you know, how much port 80 traffic I still have.
Our longtime listeners may remember that I jumped on the bandwagon very early in the HTTPS Everywhere move, registering GRC with Google and Chrome so that, I mean, built into Chrome, GRC.com has been there from the start saying only use SSL (in fact it actually was SSL back then, now TLS) in order to connect to GRC, and feel free to promote any attempt to connect via HTTP to HTTPS, because we will always be there answering a secure port. So, anyway, port 80, you know, inherently unencrypted, got us to where we are today. But for nearly all purposes, everyone is coming to the position that its day has passed. You know, we know from everything we've seen that, inertia being what it is, nothing ever moves forward on its own. It just doesn't. It's always easier to leave things as they are, but a more secure future means that organizations such as Cloudflare need to take a leadership stance as soon as it becomes feasible to just say no to port 80. And for them, they've decided that day is today, so bravo.
0:56:23 - Leo Laporte
I guess I should turn off port 80 on my firewall.
0:56:27 - Steve Gibson
I'm going to guess I should turn off port 80 on my firewall. I'm, I'm... I'm gonna, I think, at some point. I mean, not like I don't have other things to do, I do, and like all of us do, but I'm curious, you know, how many attempts are being made.
For a long time, if you just put GRC.com, for example, in your browser, it would try to go to HTTP first, and then, if I didn't redirect it... On the podcast, the browser logic flipped when HTTPS became not only the preferred solution but by far the majority. You know, Let's Encrypt had been there. Certificates were now free. It wasn't... you know, you didn't have Richard Stallman having a seizure because people were saying we want everyone to use a certificate-based connection, and so it was like, okay, it's time, and so the browsers flipped over. It's probably totally feasible to turn off port 80. It'd be worth taking a look. Now I'm curious.
0:57:43 - Leo Laporte
Yeah.
0:57:56 - Steve Gibson
An interesting, newly published research paper by researchers out of Greece and the Netherlands caught my attention. Its title is "Coding Malware in Fancy Programming Languages for Fun and Profit." Fancy.
0:58:06 - Leo Laporte
They call it fancy. It's fancy.
0:58:08 - Steve Gibson
Well, Leo, when you've worn the ink off of your open and close parentheses keys, yeah, that's fancy. This is where you want those two-shot keytops, right, where the actual plastic goes all the way down. Yes, so, you know, like the fuzz is worn off of the keytop.
0:58:29 - Leo Laporte
It's okay, it's now smooth. I know where the parenthesis keys are. They're a pretty good idea. That's a good point. Yeah, I don't need any hints, and if you didn't know.
0:58:39 - Steve Gibson
It's the fact that there's, like, ink missing from above the nine and the zero keys, that would be a clue. Um, but this is a long piece, so let's take another break and then we're going to get into it.
0:58:54 - Leo Laporte
Uh, good, I always enjoy a good Lisp conversation.
0:58:59 - Steve Gibson
You know, I talk about the F language, the F-word language, and there's, uh, there's a...
0:59:04 - Leo Laporte
There are, yes. There's a number of, shall we say, obfuscated languages out there that are probably very good for that kind of thing, for malware and so forth.
0:59:17 - Steve Gibson
We're going to have fun with this one, yeah.
0:59:21 - Leo Laporte
I think assembly probably is a better way to go. I'm just saying, to you bad guys, but they probably can't figure it out. That's why. Right.
0:59:36 - Steve Gibson
So they're not. That's, yeah, yeah, yeah, ease of use and transportability.
0:59:38 - Leo Laporte
Multi-platform. See, Lisp is great. Although they're using it for P-code, they're using it for intermediate code, not for, well... I mean, you're going to get into it? I won't steal your thunder. I will, in fact, tell people about our sponsor, because this is the part of the show where I tell everybody about Bitwarden. I was just showing how I really love, this is where open source shines, because Bitwarden is, because it's open source, more responsive to what its users want.
Right, they've become the trusted leader in passwords. Of course, they also support secrets now and, of course, passkey management. I store all my passkeys in Bitwarden because that's the easiest way for me, because Bitwarden's on every device I use: every computer, every laptop, every tablet, every phone. Bitwarden's everywhere, and so are my passkeys. I love that. And I just showed you, I thought, how clever. I was pretty sure Bitwarden had this capability that, to avoid phishing attacks, when you store your password in Bitwarden, you can even tell it how much of the website has to match where you stored it, or how little. I think stricter is probably better. It's really no surprise now.
Bitwarden has more than 10 million users across 180 countries. Surprised me a little bit to hear they have 50,000 business customers too. Yes, Bitwarden's widely used in business. In fact, it's consistently ranked number one in user satisfaction by G2. It's recognized as a leader in the SoftwareReviews Data Quadrant. Bitwarden protects businesses worldwide, and part of the reason they're so popular with businesses is they're so simple, so easy to use, so easy to move to. The import's straightforward, and they add features that are really important to businesses. We're coming close to tax time, you'll be glad to know.
Bitwarden lets you securely send documents. This is built in with Bitwarden Send. Of course, it uses strong end-to-end encryption, so all your forms are protected. So if you're a tax accountant, or you're dealing with a tax accountant, you can use this to send that information, including your socials and everything, your Social Security number and everything, back and forth without it being visible to the outside world. And here's another great feature of Bitwarden, I love them: recipients don't need an account to access them. So you're not even saying to your accountant, well, you've got to have Bitwarden; you're just saying I'm sending this to you securely. So stop using risky email attachments. Start sharing confidential documents with password protection. They also have expiration dates. They have view limits. You get full control over who has access to your sensitive information. Bitwarden's got that built in. What a surprise.
There are, by the way, new findings from Bitwarden that highlight that 65% of enterprises, more than half, still rely solely on passwords, and password management is now cited as the top IAM challenge for 35% of organizations. Only 21% of them are implementing passwordless authentication, which is disappointing to me. But this is where Bitwarden can really help. Enterprises face ongoing credential security risks, but Bitwarden offers enterprises essential tools with end-to-end encryption, MFA, secure password sharing and, of course, passwordless passkeys and SSO, so you don't have these risks. Bitwarden always will be right on top of the current and future needs in authentication.
They added memory-hard key derivation functions, right. When it was realized PBKDF wasn't memory-hard, Bitwarden went out... I think they added, no, Argon2. They added Argon2. So, I mean, in fact, it was one of our listeners who said, you know what, I'm going to implement, because Steve's been talking about these memory-hard, uh, password key derivation functions, I'm going to implement scrypt and Argon2 and send it in as a pull request to Bitwarden. Bitwarden vetted it. They said, well, we don't want to confuse people with too many, so we're going to use Argon2. We're going to make that available to everybody. Literally within a month of you talking about this, it was in Bitwarden.
Bitwarden has just announced its ISO 27001:2022 certification. This is, of course, an internationally recognized standard that assures enterprises, developers and security teams that Bitwarden meets stringent security and compliance requirements. I guess, you know, those are table stakes, but it's also compliant with SOC 2 Type 2, GDPR, HIPAA (if you're in the medical business, this is a solution for you) and CCPA, the California privacy law, reinforcing Bitwarden as a trusted security partner for enterprises. See, when you're open source, it's not about making money, it's about doing the right thing, and Bitwarden consistently does the right thing. And it prioritizes simplicity, because they know if you're going to be using a password manager, it better be easy, or your employees won't use it. They'll still write it on Post-it notes, right? Bitwarden's setup takes just a few minutes. They import from most password management solutions in seconds, and, as I said, they're open source. That means you can inspect their code, anybody can inspect their code, and they're regularly audited by third-party experts, and, unlike some companies, they publish the results of those audits in full. You and your business deserve an effective solution for enhanced online security. You deserve Bitwarden.
Get started today with Bitwarden's free trial of a Teams or Enterprise plan, or, and this has been the case as long as I've known them, it's always been free across all devices as an individual. Free forever, unlimited passwords, passkeys, hardware keys for individuals. bitwarden.com/twit. In fact, if you're an individual, you can even host your own vault, if you decide, all right, I want to do it all. You can. Bitwarden, again, it's open source, so they have their own implementation of a server, but there are others who've written one. A lot of people like the Rust-based server for Bitwarden. It's flexible, it's your choice. This is the way to go. Believe me, bitwarden.com/twit for you, for your family, for your friends, for your business. bitwarden.com/twit. It's the only password manager I use.
I'm very happy with it and I see people struggling with passwords all the time and I just say get Bitwarden. It's free, not for businesses, no, but for individuals. Free forever. They have to make money somewhere. Actually, I pay the $10 a year.
1:06:28 - Steve Gibson
Yeah, I had the little bill come up again and it passed by. $10? That's not a problem.
1:06:33 - Leo Laporte
Well worth it. Well worth it to support them.
1:06:38 - Steve Gibson
All right, let's continue on, Steve. Okay. So, "Coding Malware in Fancy Programming Languages for Fun and Profit." Okay. So I'm going to share the paper's abstract and its introduction, which will give us a sufficient sense for what these researchers have found. The abstract explains: The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts who must cope with thousands of new, heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Right, I mean, there's just so much software now. They said: Due to its speed and efficiency, static analysis is the first line of defense. See, static analysis is the first line of defense. OK, now I'll just interrupt here to mention that, broadly, code can either be examined statically, which is just, you know, looking at the code, sort of... often an industrial-strength virtual machine to actually run the code after it's been loaded, to examine the code's behavior when it's run. Not surprisingly, static analysis, when you can do it, is much faster and more efficient when that's feasible. So the abstract continues.
In this work we illustrate how the practical, state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. Evident malware traces. The reason is that they highly depend on very strict signatures, where minor deviations prevent them from detecting shellcodes that would otherwise immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce into executables and the practical issues that arise for practitioners to detect malicious activity. So, essentially, you know, in this ongoing, never-ending cat-and-mouse game of malware and malware detection and avoiding detection and avoiding the avoiding of the detection, here's another domain for escalating this fight, which is: let's just change languages. The introduction that they provided gives us some more interesting background. They said:
In the past decade, malware has undergone significant changes. The main drivers of these changes can be attributed to the vast digitization of products and services and the development of a payment system that allows anonymous transactions to bypass the protections of the traditional banking system. In other words, we've talked about this: cryptocurrency was the enabling requirement for this explosion we've seen, because it allows people to make payments secretly. They wrote: This has boosted the number of possible victims and the potential impact of malware, creating a profit motive. Where viruses used to just kind of exist because they could, now malware is there to make money. Moreover, anonymous payment methods enable a wide range of illicit transactions to be performed, which, in the case of malware, is the apparent case of ransomware.
They said: Both the US Cybersecurity and Infrastructure Security Agency, our beloved CISA, and the European Union's Agency for Cybersecurity, ENISA, have recognized malware as the top cyber threat. Indeed, malware attacks impact our everyday lives by harvesting sensitive information, crippling critical services and causing significant damages to individuals and corporations. This has placed malware in a pivotal role in the crime ecosystem and created an individual ecosystem with independent roles, operating in a business model called malware as a service. Which is not something we've ever seen before: malware as a service. They said: The security industry's response to the above-mentioned threats is collecting and analyzing malware samples. Right, so that's the threat. How do you counter the threat? Well, you need to look at all this stuff.
And here was the number: at a rate of around 280,000 malware samples per day in 2024. 280,000 malware samples per day in 2024. There's just that much, all distinct. Yes, who's... what... I know, a lot of it out there. They said: which is more or less similar to previous years. Static analysis, given that load, static analysis remains the most efficient and profound remedy to detect malicious files quickly. They said: In this arms race between malicious actors and defenders, the development of malware has evolved into an underground industry. I think what I liked most about this was it gives us a sense of scale. I mean, the development of malware has evolved into an underground industry to bypass security controls, they wrote, by employing malware authors and monetizing the infected hosts. In other words, it makes money now, so this is an industry creating malware. Unbelievable, I know.
1:13:14 - Leo Laporte
It's just unbelievable, wow.
1:13:16 - Steve Gibson
So they said: Of course, bypassing static analysis does not grant them a foothold to the targeted host, meaning more is necessary. But that's the first step, right? You've got to get in before you can do anything. You've got to get past the filter. So they said: Nevertheless, it significantly raises their chances of achieving their goal, as they then often need to bypass behavioral checks. But static is first. They said: Although endpoint detection and response systems, you know, EDR as it's now called, usually apply such checks and vendors often portray them as silver bullets, there are several ways to bypass them. In this work, we limit our scope to static analysis. That is, the first stage of prevention is detection through static analysis. They said:
Even though malware written in C continues to be the most prevalent malware, operators, primarily well-known threat groups such as APT29, increasingly include non-typical malware programming languages in their arsenal. For instance, APT29 recently used Python in their MASEPIE malware against Ukraine, while in their Zebrocy malware they used a mixture of Delphi, Python, C# and Go. Likewise, Akira ransomware shifted from C++ to Rust, BlackByte ransomware shifted from C# to Go, and Hive was ported to Rust. According to reports, the result of these changes was increased resistance to reverse engineering and a reduced detection rate, or the malware's misclassification, which is fine with them. You know, adware, okay, we're just not, you know, we're not bad, we're just annoying.
On other occasions, C-language malware families are not recreated from scratch. Instead, malware authors write loaders, droppers and wrappers in so-called exotic languages. This provides them with several advantages, such as bypassing signature-based detection, so they can effectively wrap their payloads with harder-to-detect shells that are newly built. So it's got a C core, but it's wrapped in something in Rust or Go or, you know, Kotlin or something, in order to, you know, the static analyzer goes "what?" and then lets it through, because it doesn't know that it's bad. Then it unwraps and the bad stuff comes out. They said:
Thus, attackers continue to use the same initial penetration vector and a significant portion of their methods, suggesting that threat actors prefer to transfer the original malware code to different languages instead of modifying their tactics, techniques and procedures, the so-called TTPs, to avoid detection. This approach allows them to maintain the effectiveness of their attacks while remaining under the radar of security systems. Since these languages may be less widely recognized or understood, they add an extra layer of obfuscation to malware, making it harder to detect and analyze. Furthermore, security analysts have reported increased difficulty in reverse engineering such malware samples due to reprogramming efforts, meaning they don't have the tools for reverse engineering some bizarro language. Thus, combining different languages and obfuscation techniques complicates dissecting and reverse engineering the malware structure, functionality and intent.
Our work, they wrote, explores the problem of detecting malware written in uncommon languages using a data-driven approach. Rather than merely reporting and examining this trend, we performed a targeted experiment by writing malicious samples in different programming languages and compilers, drilling down to the distinctive characteristics. So they literally implemented their own malware and then wrote it in like 40 different languages and then explored what the different AV systems did and why they succeeded or failed. They said: This analysis practically shows the unique features that adversaries gain and highlights the emerging issues for malware detection and analysis.
This work led to the formation of some interesting research questions that have never been answered systematically and studied in the academic literature, and we try to answer them in this work. So there are three research questions. First, how does the programming language and compiler choice impact the malware detection rate? Second, what's the root cause of the disparity, if any, in detection? And third, are there any other benefits to an attacker from shifting the code base to less common programming languages and compilers, beyond the detection rate by static analysis? What they learned was quite interesting. As I said, they created their own malware using the top two current malware exploit techniques that have been identified across the industry, and they implemented the underlying malware concept in every language imaginable, even, Leo, Lisp.
Finally we're getting our due. That's right. Here's what, you too could write your own malware, if you are not shy of parentheses. So here's what their extensive research concluded and the answers they arrived at for each of their three research questions. They wrote: Malware is predominantly written in C and C++ and is compiled with Microsoft's compiler. Interesting. Yes, they had a chart, and I mean it's like 98% Visual Studio. You know, it's like, well, because Visual Studio Express is free.
Yeah, and so that's what you're going to use, and it's easy and holds your hand, and, you know, you don't have to remember anything. They said: However, answering our research question one with our experiments, how does the programming language and compiler choice impact the malware detection rate? Our work practically shows that, by shifting the code base to another less used programming language or compiler, malware authors can significantly decrease the detection rate of their binaries, while simultaneously increasing the reverse engineering effort of the malware analysts. It is crucial to note that the malware authors do not necessarily need to radically change their code base, as, for instance, just the choice of, and this was really interesting to me, just the choice of using a different compiler, even for famous programming languages, they wrote, like C, has the same impact. That is, you don't have to go away from C, you just use GCC instead of MSC. They said: Our experimental results illustrate that there are significant deviations in how programming languages and compilers generate binaries and that they can serve as an additional layer of obfuscation for malware authors. So okay, in other words, nearly all of the malware code is written in C and compiled using Visual Studio, and they said so in their paper. The static analysis AV detectors that blanket the industry have all been similarly oriented or biased toward that assumption, because that's what they're seeing, right? That's the code that they're charged with detecting and blocking.
So simply by switching to Turbo C or GCC or Watcom C, those assumptions about the specific binary code bytes that are being produced will be broken and AV detection rates will drop without any need to rewrite their malware. And as I was reading this, it occurred to me I'm not sure it was good for this paper to be published, but I guess it's true either way, whether they publish it or not, because, as they said at the top, they're already seeing malware moving to other languages, and the only reason any bad guys would move from a comfortable C programming environment over to Rust is specifically for detection rate avoidance, because they've already got, you know, their malware written and they don't want to do work they don't have to do.
The researchers' question number two asked about the root cause of the disparity. They wrote: The root cause for the disparities that we raise in research question two, as highlighted with our use case in Haskell and the metrics for each tested pair of programming language and compiler, is that there are radically different ways that each of them reaches the same result. For instance, different ways of storing strings and different approaches in the internal representation of functions can render many static detection rules useless. As a result, there is no one-size-fits-all approach, so further research is necessary to systematically identify these differences and group them.
The short version is AV is about to get a whole lot more difficult to do. You know, things such as function calling methods which pass parameters in different ways, or static strings that are stored and represented in differing ways, all of which will vary by language, all serve to dramatically confuse static analysis. It might result in false positives, and so they're wanting not to be overreactive, but it's just as likely, when it's confused, to allow bad code to slip past. In answering their final research question, are there any other benefits to an attacker shifting the code base to less common programming languages and compilers beyond the detection rate that's used by static analysis? They said: Answering question three, this shift in languages may come with additional benefits for attackers. An obvious case is cross-compilation and multi-platform targeting languages, which enable malware authors to build a single malware variant and have it compiled for multiple operating systems.
1:25:44 - Leo Laporte
Not to mention you're getting rid of all those buffer overflows in your malware.
1:25:48 - Steve Gibson
Actually, yes, I make the point a little bit later that they're getting more reliable malware. Oh great. If they use Rust, yes. The strategy, they wrote, can significantly reduce the time and number of tools needed to achieve their objectives, thereby expanding the scope of any hostile campaign. IoT devices in particular support a range of CPU environments, making it necessary for malware targeting these devices to be compatible with not only x86 and x64 architectures, but also various other architectures such as ARM, MIPS, m68k, SPARC and SH4, various microcontroller architectures, much lower-end processors that are being used in IoT devices. A typical example is Mirai, which uses GCC.
Yet one of its successors, NoaBot, uses a uClibc-based cross-compiler and is statically built to target embedded Linux systems. In this regard, other options could be more efficient. For instance, Go can be cross-compiled to all major operating systems, as well as Android, JavaScript and WebAssembly. One of its advantages is that it provides statically compiled binaries by default, eliminating runtime dependencies and simplifying deployment on target systems. Oh great, just what we want for the malware. Go also features a robust package ecosystem that allows developers, malware developers, to easily pull in code from other sources. Yeah, basically, you know, we've made programming much better for legitimate developers and, unfortunately, malware authors benefit too.
1:27:48 - Leo Laporte
Honestly, that's what's happening is these are all benefits to modern programming languages? Exactly yeah.
1:27:54 - Steve Gibson
Exactly. And they said: As a result, malware can be developed at a faster rate, oh joy, targeting a broader range of architectures and systems. Indeed, HinataBot, another descendant of Mirai, is developed in Go to take advantage of the above. HinataBot's discovery was much more difficult. As a result, unfortunately, the bar to creating a new variant of Mirai using Go or other languages is now quite low. This allows, get this Leo, criminal groups to create their own variations. So that's one of the reasons there's just so much of it. It's like, you know, oh, let's just, you know, tune it and tweak it for our own needs.
1:28:39 - Leo Laporte
It's Fancy Bear Mirai.
1:28:42 - Steve Gibson
Exactly yes. Beyond cross-compilation, they said there are several other reasons to witness more changes in the malware code base. After all, malware developers, like any other software developers, have specific needs when choosing programming languages and tools. Different languages offer various benefits for different scenarios, and the choice of language can significantly impact the development and functionality of malware. For instance, built-in security mechanisms and type safety may be prioritized by ransomware authors who want to avoid leaks of the encryption keys to guarantee that their victims will not be able to develop decryptors. That's right. We want to scrub the RAM so we don't leave secrets behind, not because we're the good guys trying to protect our keys, but because we're the bad guys and we just encrypted everyone's database and we want to make sure they don't get a hold of our decryption key. Wow, they said.
A typical example is Rust, which offers built-in memory mechanisms to prevent common vulnerabilities and to offer type safety. So even malware is now benefiting from the enhanced memory management and security created through the use of more modern and safe languages. That's just wonderful. They wrote: Other aspects can include library availability, facilitating interaction with the underlying operating system and enabling critical malware functions, low-level access and control over memory layout, having full control over the malware's behavior and performance, but also direct compilation to machine code, creating an executable file directly and using other tools for obfuscation. So, exactly as you said, Leo, everything we've done to make languages better for the good guys has made it better for the bad guys. Wow. They said: While shifting to another programming language may seem complicated, especially when considering less popular ones, large language models, LLMs, oh boy, they do a great job with Lisp.
AI may come to the rescue, they said. After all, they've proven their capability for generating code quite accurately and in various cybersecurity tasks, and malicious actors are abusing them as a result. AIs can translate code from one programming language to another, requiring little fine-tuning. You don't even have to understand the language that the AI produced. This way, malware authors can seamlessly develop loaders, droppers and other components in languages they may not be familiar with. It's true that the malware that we examine in this work represents a small fragment of the total. Nevertheless, it is stealthier and introduces more bottlenecks for the reverse engineer, given that the APT groups are shifting their code bases and the malware-as-a-service model facilitates the trading of malware, so different malware mixtures per campaign can be purchased.
This diversification is expected to continue, and they finish: By disregarding these samples and only focusing on traditional programming languages and compilers, we provide malware authors with an effective hideout they can easily exploit. Therefore, we believe that a deeper analysis of the executables produced by other compilers and programming languages is needed to improve detection rates, but also to develop better reverse engineering tools. So what we are now seeing is that, you know, the bad guys are noticing that the AV tools are blocking them right and left, and so they're saying, okay, fine, didn't want to, but we will. You change compilers, change languages, and of course this just makes the detection rate go exponential, because now the code could be coming in under any language other than, as it used to be, basically all C. You know, a given, like Mirai, would be written in C, so the detectors would learn to detect the various variants of Mirai, but only under C. Now Go, and all these other things.
1:33:30 - Leo Laporte
So, you know, I would say, don't they all compile down to assembly? I mean machine language.
1:33:40 - Steve Gibson
Yes, they do, except that as long as they're written all under the same compiler, that compiler is going to translate the same source into the same bytes. Right, right. And so the static analysis doesn't actually run the code to see what it does.
1:34:01 - Leo Laporte
Oh, it's just like string compare, almost right. Yes, it is.
1:34:04 - Steve Gibson
It is a signature comparison. Oh, okay, and so anything?
1:34:07 - Leo Laporte
you do. Of course that doesn't work. Yeah, Right.
1:34:09 - Steve Gibson
So, yeah, so I wouldn't say that they've discovered anything earth-shattering or surprising. You know, their results are pretty much what we would expect. Yep. But some of the tricks they highlighted, such as simply recompiling unchanged source under a different compiler for the same language, were interesting. You know, just change from Visual Studio to GCC and you get different code which will break the signature comparison, and you didn't have to rewrite your source at all. So by clearly demonstrating, in fact, what we might assume, you know, their work should serve to get the authors of the static AV detection to, you know, I'm sure they must be looking at this thing and, oh God, you know, I mean, it's going to be what, 20 times more signatures that they need, given all the compilers and the variants of compilers that are available. Oh yeah.
And that's without changing languages. Right. And in reading this, the one language I didn't see, which would have been really interesting actually, was Forth. Based upon what these researchers found, I would imagine that Forth would have a number of advantages for malware. For one thing, it only needs a very small and readily available runtime interpreter that's already been ported everywhere, and I often refer to Forth as a write-only language. We've talked about it before. It doesn't have to be. Oh, Leo, it does, it does. No, really. Well, it doesn't, because you're creating a dictionary.
You could make it almost English-like if you worked at it. Well, you can make your verbs English-like, but it is a stack-oriented language, so you are the compiler.
1:36:05 - Leo Laporte
That's a good point. Where you're getting the data from is very obscure because it's popping and pushing. It means, as you're writing it, you know to put this on the stack.
1:36:13 - Steve Gibson
Put this on the stack. Put this on the stack, then call this verb. You're the compiler, and so, yeah, you know, you come back and look at something you wrote a month ago. It's like, what does this do? I love it. I really love it. I do too. It is a beautiful, elegant, tiny language and, uh, I hope I didn't give the bad guys any ideas. On the other hand, it's not easy to use. No, they're never going to use that.
1:36:38 - Leo Laporte
It's too much. The learning curve's too steep. Yeah, although there is an excellent book called Starting Forth that is just one of the best programming books ever written. That's actually how I got into it, is I read Leo Brodie's Starting Forth, and that actually is such a beautifully done book that I couldn't resist, and it's just fun to play with. It's fun, and eventually your program is one word: do, or do it, or go.
1:37:02 - Steve Gibson
Do it or go. Actually, normally the verb is the name of the program, right? So it's just, you know, Program.
1:37:09 - Leo Laporte
Sort or something. It does not compile to assembly, though. It is kind of a bytecode interpreter.
1:37:15 - Steve Gibson
It is, yeah. So it has, but it is so lean that the runtime is extremely small.
1:37:24 - Leo Laporte
It was written for telescopes and that kind of thing. Yes, it was originally Charles Moore. I interviewed him, and I remember interviewing him. This was back at Tech TV, because I was a fan of Forth, and he was puzzled. He said, I never thought anybody would want to talk to me. But he was brilliant, and it was for very small embedded environments like telescopes. That's why I think it still may be used in robotics and things like that. It's great for robots.
1:37:54 - Steve Gibson
Actually it's in some motherboards. There are some motherboards that are using Forth as their engine for getting systems booted, so there are some hackers who still know Forth.
1:38:05 - Leo Laporte
That's interesting.
1:38:06 - Steve Gibson
Yeah, we have another piece from Cloudflare, but let's take a break, we're at an hour and a half, and then we're going to look at the continued reuse of passwords despite all advice.
1:38:21 - Leo Laporte
Now you're making me want to go back and write some more.
1:38:23 - Steve Gibson
Forth. I know. I'll bet our listeners are like, Forth! And yes, it is available everywhere. Oh yeah, you can easily find a cute little interactive Forth.
1:38:33 - Leo Laporte
Except for the Mac, because the problem is it's so old. Nobody's written Forth for Apple Silicon as far as I know. In fact, a lot of the Forth stuff was written for PowerPC and was never ported to Intel. So there was a great Mac Forth back in the PowerPC days. It was wonderful. But I don't know today. I guess you could just write it in a VM. It's so tiny.
1:38:58 - Steve Gibson
It is. It is a small runtime.
1:39:03 - Leo Laporte
Here I have the book. I'm running over to my bookshelf and holding up my gently thumbed copy of Starting.
1:39:11 - Steve Gibson
Forth.
1:39:12 - Leo Laporte
This was such a good... I recognize the cover. Did you read this book? You probably didn't need to. You did. I recognize the cover. I have, oh yeah, it had great cartoons and it was just a wonderful... Leo Brodie. And he was working at FORTH, Inc. when he wrote it.
1:39:29 - Steve Gibson
Yeah, Manhattan Beach, I think, is where Forth was located. Wow, oh my gosh.
1:39:36 - Leo Laporte
Yeah, this is so old. It's not Courier, it's just a typewriter.
1:39:45 - Steve Gibson
That ain't Courier, folks, that's just a type or photostat of a typewriter, and we can't do bold, so we do underline, right? Oh, but is...
1:39:54 - Leo Laporte
This was such a clearly written, uh, book, and he had such a great sense of humor. Here's his explanation of how the stack, how slicing the stack, works, with a little samurai, and then there's a rabbit popping numbers off and on the stack.
It's great. Anyway, enough of that. Let me talk about our sponsor, then we can get back to the real work of this show. Our show today is brought to you by ThreatLocker. Now these are some guys you should know about. I am very impressed by ThreatLocker. In fact, when I looked at how, you know, how affordable it is, I thought, you know, everybody should be using ThreatLocker, especially nowadays. You listen to the show.
Ransomware is rampant. In fact, we're going to hear some more about how rampant. It's harming businesses worldwide. It's happening, just, you know, like it happened to Troy Hunt. Phishing emails, infected downloads. You can't go to those download sites anymore; you're guaranteed to get something bad. Malicious websites, RDP exploits. Don't be the next victim.
ThreatLocker uses zero trust. Such a brilliant solution. It takes a proactive and, here's the key, deny-by-default approach that blocks every unauthorized action, protecting you from both known and unknown threats. Hackers can't get through it because they can't do anything. It's trusted by global enterprises like JetBlue. You know who uses ThreatLocker? Uh, as we know, there's a huge risk from ransomware attacks on vital resources, you know, like the pipeline, the Colonial Pipeline attack. The Port of Vancouver, a vital national resource in Vancouver, uses ThreatLocker to make sure their operations run smoothly, and it works. ThreatLocker shields you from zero-day exploits and supply chain attacks, while providing complete audit trails for compliance.
ThreatLocker is used in some of the most risky businesses, the ones that are constantly under attack, and it's proven its usefulness. ThreatLocker's ring-fencing technology, that's what they call it, isolates those critical applications from weaponization. It stops ransomware, stops zero days cold and, because it limits lateral movement within your network, you don't have to worry about a bad guy penetrating your defenses and then having free rein to put malware on your Linux-based camera, as we were talking about the other day. ThreatLocker works across all industries. It supports Macs, that's good news. Your heterogeneous environment, fine. You get 24/7 US-based support, and they enable comprehensive visibility and control. Mark Tolson, who's the IT director of another target, the City of Champaign, Illinois. Here's his quote: ThreatLocker provides that extra key to block anomalies that nothing else can do. If bad actors got in and tried to execute something, I take comfort in knowing that ThreatLocker will stop that. You know, I'm sure all the people of Champaign, Illinois also appreciate that.
Stop worrying about cyber threats. Get unprecedented protection quickly, easily and, yes, very cost-effectively. You'll be impressed by ThreatLocker. Visit threatlocker.com/twit. You can get a 30-day trial right now. I think it's good to learn how ThreatLocker can mitigate unknown threats and, by the way, because it logs everything and ensures compliance, it makes compliance easy. threatlocker.com/twit. This is a brilliant solution. Couldn't recommend it more highly. threatlocker.com/twit. We thank them so much for seeing the good in Steve Gibson and the value that he's providing and supporting it. You support it too when you go to threatlocker.com/twit.
1:43:55 - Steve Gibson
Okay, Steve. Okay, so once again, Cloudflare recently published a piece of research that I wanted to share. I was initially confused by the headline of their blog post, which read: Password reuse is rampant: nearly half of observed user logins are compromised. And I thought, what do you mean, nearly half of observed user logins are compromised? It turned out that the problem with their headline was the somewhat unclear word compromised. A better choice may have been to say nearly half of user logins use previously leaked passwords, right? They've been compromised in the sense of got out loose, in other words, passwords that are, you know, likely known by Troy Hunt's
Have I Been Pwned site. Cloudflare wrote: Reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. Based on Cloudflare's observed traffic between September and November 2024, so three months, one quarter of 2024, get this, 41% of successful logins across websites protected by Cloudflare involve compromised, meaning leaked, previously leaked, passwords. 41% of people are logging in with passwords that have already been leaked out on the Internet. And they said: In this post we'll explore the widespread impact of password reuse, focusing on how it affects popular content management systems, the behavior of bots versus humans in login attempts and how attacks exploit stolen credentials to take over accounts at scale. I'm going to skip over most of this because everyone listening, I know our audience, everyone listening to this podcast already well understands the dangers of password reuse, and I'm sure that everyone listening is now using some form of password manager which is able to synthesize complete gibberish passwords, which is what we want, on the fly for use, then store and later reuse.
One thing I wasn't appreciating before this was the size to which Cloudflare has quietly grown. At one point in their blog posting, they wrote: Our data analysis focuses on traffic from internet properties on Cloudflare's free plan, which includes leaked credentials detection as a built-in feature. So that's something they offer their free plan users. Leaked credentials, they wrote, refer to usernames and passwords exposed in known data breaches or credential dumps. For this analysis, our focus is specifically on leaked passwords. With, get this Leo, with 30 million Internet properties, comprising some 20% of the web, behind Cloudflare, this analysis provides significant insights. Cloudflare is one-fifth of the internet.
30 million internet properties. Wow. They've just been quietly growing since they were a cute little startup that we used to talk about. Oh, you're so cute, you little startup. Holy crap. One out of every five sites is now running their traffic through Cloudflare. Well, that crept up on us. So they explain: One of the biggest challenges in authentication is distinguishing between legitimate human users and malicious users. To understand human behavior, we focus on successful login attempts, those returning an HTTP 200 OK status code, as this provides the clearest indication of user activity and real account risk. Our data reveals that approximately 41% of successful human authentication attempts involved leaked credentials.
1:48:46 - Leo Laporte
That's kind of amazing. How does Cloudflare know that?
1:48:50 - Steve Gibson
Because they've got all of Troy's.
1:48:52 - Leo Laporte
It's going through them.
1:48:54 - Steve Gibson
Right, exactly because it is coming through them, and they're able to.
1:48:58 - Leo Laporte
That's how many, so a huge proportion. What did you say? A third of the net is behind a Cloudflare wall.
1:49:06 - Steve Gibson
in effect, Right, and so they're able to see.
1:49:08 - Leo Laporte
So they can see those passwords in transit. Yep. Wow. Even on SSL they can see them in transit.
1:49:16 - Steve Gibson
Huh, well, well, they're hosting the site, so... oh, yeah, yeah, yeah. So they're the server that is actually receiving the password. Oh, so we're not talking about Cloudflare
1:49:26 - Leo Laporte
It's like, uh, protection against DDoS, right? They're actually hosting. They host that much of the web? Yes. What?
1:49:35 - Steve Gibson
That's what astounded me.
1:49:36 - Leo Laporte
It's because they have free pages. 30 million sites, that's kind of amazing. 30 million sites.
1:49:43 - Steve Gibson
Wow, yeah. So they said: Despite growing awareness about online security, a significant portion of users continue to reuse passwords across multiple accounts. And they're watching people logging in with passwords, with credentials that have been leaked, that are known, they said. According to a recent study by Forbes, users will, on average, reuse their password across four different accounts. That's in four different places, though it's my password. Even after major breaches, many individuals don't change their compromised passwords or still use variations of them across different services. For these users, it's not a matter of if attackers will attempt to use their compromised passwords. They will. They will. It's a matter of when they will. Yeah. And they note, as we would expect, automation in the form of bots are the primary abusers of leaked credentials. Just like Troy Hunt got phished by an automated attack, which was able thereby to bypass his one-time password. Didn't matter that he had a password, a six-digit token that was going to expire in 30 seconds. Didn't even take 10 seconds. So, they said, bots are the driving force behind credential stuffing attacks. The data indicates that 95% of login attempts involving leaked passwords are coming from bots, indicating that they are a big part of credential stuffing attacks. Equipped with credentials stolen from breaches, bots systematically target websites at scale, testing thousands of login combinations in seconds. Data from the Cloudflare network exposes this trend, showing that bot-driven attacks remain alarmingly high over time. Popular platforms like WordPress, Joomla and Drupal are frequent targets due to their widespread use and exploitable vulnerabilities.
Once bots successfully breach an account, attackers reuse the same credentials, because that just validated the credential, across other services to amplify their reach. That is, oh, if it's good here, then it's probably going to be good somewhere else. So they do that immediately. So, like, no stone has been left unturned by the bad guys. They're as clever as we would be if we were the bad guys, like trying to figure out how to maximize our badness. They said: They even sometimes try to evade detection by using sophisticated evasion tactics, such as spreading login attempts across different source IP addresses, mimicking human behavior, attempting to blend in with legitimate traffic. The result is a constant, automated threat vector that challenges traditional security measures and exploits the weakest link: password reuse.
Okay, now, purely by coincidence, one of our listeners, Jeremiah Albrunt, sent a piece of feedback to me yesterday with the subject: Microsoft/Hotmail account password stuffing attempts are very real. He said: Talking to some coworkers, they showed a screenshot of their sign-in activity from their Microsoft account, so I checked mine. He said: I was blown away. My own screenshot is below. The successful attempt, the one successful attempt, he said. I know, Leo, it's so bad. He said: Holy, the successful attempt is my own. Clicking through each unsuccessful attempt shows they entered the wrong password. I am so glad I use unique passwords for my accounts.
1:54:08 - Leo Laporte
This is nuts. And look at Mexico, Morocco, Saudi Arabia, Russia, Indonesia, Indonesia, India, Vietnam, Uzbekistan, Oman, Ethiopia, Jordan. You know, did I mention this? I put an SSH server, uh, out in public, um, briefly, and I don't use passwords on my SSH server, I use a certificate. So I wasn't too worried about it. Within two hours, and I put it on port 22 because, you know, you can sniff the ports, it doesn't matter what port it's on, so I put it on the canonical port. Within two hours, I had a dozen attacks from Albania, from China. They were sniffing around for an SSH server on port 22 and then started hammering it within two hours of it going up. It's amazing. They're out there, man, they're crazy. Yeah, they really are. Are they using Shodan and stuff to find this?
1:55:07 - Steve Gibson
No, there is. You know, I coined the term 20 years ago: IBR, Internet
1:55:14 - Leo Laporte
Background Radiation.
1:55:16 - Steve Gibson
Maybe even when you and I were on screensavers at Tech TV before, because that's what I was seeing when I was looking at IPs that nobody had any business poking at. There were packets, inbound, sniffing for stuff.
1:55:33 - Leo Laporte
It was just out there and this IP address hadn't been public in at least a couple of years. They just found it right away. It's unbelievable.
1:55:41 - Steve Gibson
Jeremiah's email finished, just for the sake of our listeners. No, no, no.
1:55:45 - Leo Laporte
No, no, no. This is good stuff, Liam, you got me warmed up, I know. For the sake of our listeners.
1:55:49 - Steve Gibson
For the sake of our listeners, he says, if others want to see their history: I clicked on my avatar in the top right from my inbox, then My Profile, then the Security tab, then View my sign-in activity. He said: Unfortunately, the UI is primitive and doesn't seem to have filter or sorting options, so unless I click the View more activity link over and over while expanding each item, I don't see any other way to determine whether someone has my password and just failed to get past two-factor authentication. He says, in other words, it's necessary to expand each attempt to determine the cause of the login failure. Okay, now I'm glad you put that on the screen, and you had the reaction, Leo, that I had when I saw that. His login log shows about five attempts per day, every single day. At the top we see his one successful login, showing its location in the United States, where he actually is. Three hours before that was a failed attempt made from an IP address in Mexico, an hour before that from Morocco, six hours before that from Saudi Arabia. The previous day, attempts were made from, as you noted, the US, Russia, Indonesia, India and Vietnam, and the day before that we see Uzbekistan, Oman, Ethiopia and Jordan.
Given that, the most obvious security feature for Microsoft to implement would be account access geofencing. But my quick search revealed that not only is there massive demand, but it's only available from Microsoft for business-class accounts, not for individual users, and I have to say that's difficult to explain, since anyone examining their history of failed authentication attempts should be infuriated by their inability to block all such obviously bogus authentication attempts from across the globe. You know, as I said, I have no doubt that, just like Jeremiah, all of our listeners are using unique gibberish passwords with the help of a password manager. But really, you know, make sure you are, and definitely you want
Second factor authentication use wherever it is offered. That said, we all know that most of our friends and family are not listening to this podcast, so this amounts to a gentle, nudge reminder for us to proactively annoy all of them about this. It would just be for their own good. Make sure that they're doing this and, as you saw from bringing up an SSH server, as we can see from this login log, it's just out there, it's just yeah, what do you think it is?
1:59:13 - Leo Laporte
Are there hacker farms that are just constantly at work, or what? They must succeed enough that it is worth their time.
1:59:22 - Steve Gibson
It's like, why is there spam? Enough people click on the link for the furry bunny before Easter from China.
1:59:30 - Leo Laporte
That, you know, you got that one too, huh? So, and it's probably automated. I would imagine it's completely automated.
1:59:41 - Steve Gibson
Oh yeah, it's just set up and it runs 24/7, and as new breaches occur, they just pour that new data into their database and start pounding on new usernames and passwords that have been leaked.
1:59:56 - Leo Laporte
Yeah, so they've got the breaches. They download the database and then they just fire away. It just runs and runs and runs, it just grinds away.
2:00:04 - Steve Gibson
Wow. Bandwidth doesn't cost anything, so they just pound away. And I mean, again, the idea that Microsoft is not offering an "are you in Uzbekistan?" block is ridiculous. You know, you could turn it off when you're going to go take a trip to France or Mexico or somewhere, right? But it ought to be on. This guy, Jeremiah, our listener, should not have Microsoft thinking, hmm, is that him? Is he in...
2:00:39 - Leo Laporte
Morocco? Yeah, he must have teleportation. But honestly, they can easily spoof their location. It's not, uh, it's not going to be... I mean, in fact, I'm surprised they show that they're from China, right? I mean, why bother, I guess?
2:00:54 - Steve Gibson
I guess that's a good point.
2:00:55 - Leo Laporte
They don't bother spoofing location because they know Microsoft isn't checking. Darren in our Club TWiT Discord said, a few months ago at work (I gather he works for... I remember, he works for a financial institution) we had a thing where people were using our site as a vector for checking credit cards. They used some bot to go to the payment page, then tried to purchase, get this, 10 with tens of thousands of different cards, and they had a database of cards, right, of breaches. They got maybe 30 successful purchases. Wow. But what was interesting, they started very naively, always with the same details, and then, as they locked things down, things started changing, and they eventually made their way in. Even with the geographic blocks, they couldn't find a way to stop people from doing this. And then he said eventually it just stopped, just like DDoS attacks, and they moved on to some other site that they could do the same thing with. That's why rate limiting is also really important, right?
2:01:55 - Steve Gibson
I, from day one, built strict blocking into GRC's e-commerce system. Sometimes users have a problem and they say, I'm sorry, but I've just been told I've been trying too many times to get my card to clear. And then so they'll write to Sue, and Sue says, okay, you know, we'll do that, that's fine, give me the information and I'll do it for you. Because I'd just rather, you know, say no to people that are going to do that maliciously.
2:02:23 - Leo Laporte
But this, he says, this is why people have reCAPTCHAs on their sites, because that basically slows it down enough that it's not economical for them to continue.
2:02:33 - Steve Gibson
Wow. So just a quick follow-up on last week's mention of 23andMe. I ran across a bit more information in a security newsletter under the headline "23andMe Files for Bankruptcy After Mega Hack". It said, and I didn't cover this last week, it said: DNA and genetic testing service 23andMe has filed for bankruptcy, that we know, 15 months after experiencing a major data breach. The company has been losing money for years, but its problems were amplified last year after a series of class action lawsuits related to the breach. Its entire board resigned last year, its CEO last week, and the company is now attempting to sell itself under the supervision of a court. The company has DNA profiles on over 15 million users. Privacy regulators across the US and Europe are now urging users to request the deletion of their data before it's sold. And I did mention, after I wrote this and before now, I saw another bit of news saying that a court just approved the inclusion of its members' DNA data in the bankruptcy sale, so they can sell it now.
2:03:51 - Leo Laporte
Yes, okay, now I am going to delete it.
2:03:53 - Steve Gibson
So I'll just remind our listeners that once you log in to your 23andMe account, you can use the shortcut I created last week, grc.sc/byebye (B-Y-E, B-Y-E), and that'll immediately jump you to the page containing the various account data dumping and deletion options.
2:04:15 - Leo Laporte
It's funny, when I log in they're still trying to upsell me. Now it's some sort of heart health thing. God.
2:04:21 - Steve Gibson
Yeah. So again, not a house-on-fire issue, but the judge, a court, did say yes, those are your assets. Genetic data which your members gave you voluntarily is yours to sell. So it's going to be of use to somebody. I would just say bye-bye. Okay, now today's shortcut of the week. Oh, Leo, you probably want to go there while I'm talking about this: grc.sc/1019. I was pursuing information about a new on-the-scene ransomware group calling itself Arkana, A-R-K-A-N-A. Arkana's first victim was WOW, one of the largest ISPs in the US. Ransomware hit WOW, this large US ISP, but in following some trails, I ran across a site I had never seen before and which we've never talked about. It's ransomlook.io. So you can also go to https://www.ransomlook.io or just grc.sc/1019. The site's been around since 2022. They're on Mastodon and Bluesky, and a huge amount of work. You're now looking, you're scrolling, Leo, through a list.
These are all from today. They're victims of ransomware attacks today.
2:06:06 - Leo Laporte
Today, and then here's yesterday. Oh, my God, it is. These are victims. These are not people under attack. These are people who've actually been encrypted. They, yes, they are, they are victims, and some of these names I recognize.
2:06:23 - Steve Gibson
These are well-known companies, I know. Once you get to the home page, under Group Profiles you'll find listed there every group we've ever talked about and hundreds more lesser groups or newer groups that we haven't yet, and they're familiar names. The Ransomware Notes section lists all of the various notes that the ransomware groups have sent to their victims.
2:06:48 - Leo Laporte
By the way, they're getting much more grammatical.
2:06:51 - Steve Gibson
Yeah, thanks to AI. Yes, oh man. And chilling, most chilling of all, is what you started with, that Recent Posts page, which contains a listing, in reverse chronological order, starting with the most recent, of the latest ransomware victims and which group took them down. When I was writing this at 3 pm yesterday, there were 22 new ransomware victims listed just for March 31st, yesterday, by name, and I don't even know what time zone they're in, so I don't know when they started March 31st, but listed there in black and white are the corporate names and domain names of many victims, and there's just no way to come away from a perusal of this site without the very clear knowledge that the ransomware category of cybercrime is very much a going concern.
2:07:50 - Leo Laporte
How do they get... because some of these companies, many of these companies, don't want anybody to know they were hacked. How do they get these names?
2:07:57 - Steve Gibson
From the postings of the ransomware... oh, the ransomware people announce it.
2:08:02 - Leo Laporte
Yep, of course they do.
2:08:04 - Steve Gibson
There was an Irvine-based architecture firm that I clicked on yesterday and it brought up their homepage. That is legitimate. And then I looked at some samples of the data that had been exfiltrated and it was architectural drawings by this firm, this major architectural firm, from yesterday. I was like oh boy.
2:08:32 - Leo Laporte
This is a great site, isn't that great? Wow.
2:08:35 - Steve Gibson
Wow yeah.
2:08:40 - Leo Laporte
Just the recent posts alone.
2:08:42 - Steve Gibson
I know, it's just astonishing. This is today. Yes, hospital pharmaceuticals, fancyfilms.com, I mean, unbelievable. And this also, talk about an example of the security problems we still have in this industry.
2:09:06 - Leo Laporte
Well, I think it's getting worse, isn't it? Yeah, this must be getting worse. goosehead.com. How about Jackpot Junction? RansomHub got them. Yeah, yeah. Kyocera.
2:09:20 - Steve Gibson
Document Solutions Europe, okay. KillSec3 took them down. Unbelievable, I know. Wow.
2:09:34 - Leo Laporte
Boy, if you're a CISO, this has got to be terrifying.
2:09:37 - Steve Gibson
Just the worst. If you are a CIO who needs to get some money from your CFO, yeah, show them. Just go. Yeah, you know, this is the problem.
2:09:47 - Leo Laporte
We hear this again and again: that IT, especially cybersecurity, is not a profit center, it's a cost center, and they just want to cut it. Look what they just did to CISA. It's not a profit center, it doesn't make them money. So, okay, well, we don't really need it, right? Wow, what a great site that is.
2:10:09 - Steve Gibson
That is an eye... it is a sobering look at reality. Yeah, ransomlook.io. And I have one piece of listener feedback I wanted to share, just a reminder about InControl. Ben Dean from the UK wrote: Hi Steve, just thought I'd send you a quick message to let you know how thankful I am for your incredibly useful little program, InControl. I'm an avid flight simulator enthusiast, and the best way to enjoy flight simulation these days is with a high-end VR headset. Wow, I can imagine, as long as you don't get airsick.
As such, I have an HP Reverb G2 V2 headset which, when new in 2021, was several hundred pounds or dollars. This headset...
2:11:01 - Leo Laporte
I thought he was talking weight. Okay, I don't want to wear several hundred pounds on my head. A big screen, pulling it up.
2:11:08 - Steve Gibson
Okay. This headset uses Microsoft's Windows Mixed Reality platform, which is built into Windows. Yeah. While the headset itself is excellent, the WMR platform, Windows Mixed Reality, was somewhat of a failure for Microsoft, with most other manufacturers using other platforms. Despite that, MANY (he has it in all caps) people in the flight sim world still use the Reverb G2 with Windows Mixed Reality because of its high resolution. In their infinite wisdom, Microsoft have decided to remove Windows Mixed Reality from Windows 11, from Update 24H2, rendering all WMR headsets, like my HP Reverb, completely useless. Indeed, friends of mine have had the update only to find their VR headsets no longer work, and they have to go through the huge hassle of somehow stepping back to 23H2 to get their setups working again. Thankfully, with InControl, we can stay on 23H2 and retain the WMR functionality.
I recommended InControl to several of my friends and it seems to do the trick of stopping MS from forcing them to update against their will. Sorry for the long email, but many thanks for your work. Cheers, Ben Dean, UK. Nice. So just a little reminder to our listeners: it's there, it's free and it works.
2:12:54 - Leo Laporte
InControl. Do not upgrade. Although October 25th, Windows 10 goes out of update. Yes, it does, end of life.
2:13:03 - Steve Gibson
And ask me if I care.
2:13:06 - Leo Laporte
You don't care. If I care? I don't care.
2:13:08 - Steve Gibson
Do you know, I never forget how much you laughed, Leo, when I announced my creation of Never10. I mean, I gave it that name, I described it and I said it was called Never10.
2:13:21 - Leo Laporte
Never.
2:13:22 - Steve Gibson
Never10. Then they went to 11, and then I thought, okay, it's not going to be Never11. That didn't sound good anyway. So it's InControl. That way we're ready for 12 when it comes along, and lucky 13. I bet that's going to be a winner. So, our last break, and then we're going to talk about the EU OS.
2:13:44 - Leo Laporte
Yeah, that's fascinating, although, as you point out, it probably stands on the shoulders of open source giants, and so, well, we'll see.
2:13:52 - Steve Gibson
The question is will it crush them?
2:13:54 - Leo Laporte
Yes, those shoulders are broad, but there's a lot of people sitting on them.
2:14:00 - Steve Gibson
Those shoulders are taken for granted.
2:14:03 - Leo Laporte
Our show today brought to you by... don't take this for granted... Legato Security. If you think about it, you wouldn't put a burglar alarm in your house but not have monitoring, right? Because when you go away for vacation, so what if you've got a burglar alarm? If nobody's monitoring it, it doesn't matter. Oh, there's a bell ringing. No business should be their own burglar alarm, right? And this applies to cybersecurity, absolutely, because we know, in fact, if you listen to the show, you know the bad guys choose the weekends, they choose Christmas Eve to target their attacks, because they know the IT team will be home with their family and they'll have free rein for a few days at least. Legato Security solves this problem. Perfect for small and medium-sized businesses. They give you the same standard of security controls large enterprises have. You better believe the Caesars Palace casino operation has full-time security monitoring going on, right? They've got a security operations center. They're sitting behind the screens keeping an eye on everything. But if you're a small or medium-sized business, a business like ours, you can't, you're not going to do that. Well, thanks to Legato Security, you get that same standard of security controls that the big casino enterprises, the big banks depend on, but you don't have to build your own security operations center. You can use Legato's. As a recognized leader by CRN and MSSP Alert in 2024,
Legato Security transforms how businesses approach cybersecurity. Their technology-agnostic MSSP platform provides your business with a custom suite of security solutions tailored to your needs. Now you might say, well, wait. There's two concerns I know I hear every IT department come up with. First of all, what about what we're using right now? No, don't worry, Legato Security integrates seamlessly with all of your existing tools, so you don't have to do a big overhaul of your infrastructure. Legato has this proprietary security operations platform, they call it Ensemble, and what it does, it takes all of the signals from the tools you're already using and delivers consolidated, prioritized, actionable alerts in real time on a single comprehensive pane of glass. Now I know the second concern is, oh, they're going to replace us? No, they work with you. They are not taking your job. They're there so you could take a break. Hackers don't take holidays. They don't stop working when you go home. Legato Security's 100% US-based team provides proactive threat detection. They'll do triage, they will do remediation, and they will do it any time, 24/7, 365 days a year. Christmas Eve, you bet, go home, be with your family, because you've got Legato Security through their purpose-built SOC. Yeah, you should see it, it's on the web page. They have a security operations center. So your team can, you know, focus elsewhere when it's time to clock out.
From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses. Leaders, you focus on growth and let Legato help. A recent customer, here's a review, says, quote, Legato Security is the only supplier that's delivered everything they said they would. We didn't have to drive them, they just get it done. This is somebody you want on your team. You know, if you get a call from Legato Security, they're not going to call and say you've got a problem. They're going to call to say you had a problem, we fixed it. I love this.
And security professionals, Legato Security's MSSP is here to augment your security team, not replace them. They're the professionals, the pros from Dover you want on your team to back up your cybersecurity forces, to fortify your proactive defenses 24/7, 365 days a year. Security tools alone are not enough. You need the expertise, the monitoring to back it up. See if your defenses... oh, this is good, you should do this. Or maybe get the boss to do this, the guy who controls the purse strings. See if your defenses are as strong as you think, boss, with Legato Security's free risk assessment. It's there right now on their website. Say, hey, come here, boss, let's go through this. Just see how safe we are.
Visit legatosecurity.com, discover how they can help you regain control and, you know what, enjoy your weekends like you used to. legatosecurity.com. You can take a break without letting your guard down. legatosecurity.com. And, you know, do us a favor. We really appreciate their support for Security Now. They said we've got to be on Security Now. Let them know when you talk to them, say I heard it on Security Now, because that helps us. You know, they go, oh yeah, it was worth it, 'cause, Steve, you're not cheap. Legato Security, I just found out, this is the most expensive show to get an ad on, as it should be, right? The companies who advertise in this show know they're talking to the people who really are in this business and need their help. All right.
2:19:35 - Steve Gibson
Let's talk about the subject at hand, the EU OS. So yes, Robert Riemann is the head of sector for digital transformation in the technology and privacy unit at the European Data Protection Supervisor in Brussels. He contributes to the overall IT governance of the EDPS, which is the European Data Protection Supervisor, and supports the EDPS representation in several EDPB subgroups, whatever that is, something, oh, the data protection supervisor in Brussels. So his CV indicates that he holds a PhD in computer science with a thesis on distributed protocols for aggregation of confidential data with applications in, for example, online voting. So he's a serious comp sci guy, and he also has his master's in physics from Berlin's Humboldt University. So he's the guy. As the title of the podcast, EU OS, suggests, Robert is spearheading a well-thought-out departure from the EU's dependence upon Microsoft Windows. The site where this is being organized calls itself the European Union's home for their free public sector personal computing operating system, highlighting three key features of the project: secure, sovereign and sleek.
2:21:11 - Leo Laporte
I guess we wanted three S's. Yes, so, sovereign. I like this. This is good. They've got an ad man writing their copy. That's good. Secure, sovereign and sleek.
2:21:19 - Steve Gibson
Secure means an OS built from open source. Yes, and then they said, that does not phone home.
2:21:25 - Leo Laporte
Yes, yep, that eliminates Microsoft. Okay, go on yes.
2:21:32 - Steve Gibson
Sovereign means an OS built to the requirements for the EU public sector, meaning, for example, it inherently honors GDPR.
2:21:43 - Leo Laporte
GDPR yeah, exactly.
2:21:45 - Steve Gibson
And sleek means an OS that is fast and eco-friendly on new and old hardware. So obviously none of those goals, sorry, Microsoft, sorry, none of those goals are met by Windows. No. On that homepage, they ask the reader the question: what is EU OS? And their answer is: EU OS is a proof of concept for the development of a Fedora-based Linux operating system with a KDE Plasma desktop environment in a typical public sector organization. Other organizations with similar requirements or less strict requirements may also learn from this proof of concept. Despite the name, EU OS is technically not a new operating system. DistroWatch lists currently over 250 Linux operating systems, then they say, distributions, not counting their many various flavors, spins or sub-variants.
The added value of EU OS is a different one. First, a common Linux OS as a base for all EU OS users, with options to layer modifications on top at the national layer, the regional or the sector-specific layer, or the organization-specific layer. You know, different configurations is what he means. A common desktop environment and a common method to manage users and their data, software and devices. The site is at eu-os.gitlab.io, which endeavors to fully articulate the goals of this initiative. Again, eu-os.gitlab.io. And they said, when at the beginning the user base is too small to pool sufficient resources to take care of the EU OS, that is, the base version, within the public sector, it may be possible to contract commercial support for maintenance. That is, like, until they can generate their own internal maintenance organizations to support it. For this reason, the EU OS proof of concept proposes to choose an upstream Linux OS with options for commercial support.
EU OS is not the first to propose a Linux-based operating system for the public sector. The motivation is often the same and can be looked up from projects like GendBuntu and LiMux, and those are: public money, public code, meaning the public investment profits the entire public and the private sector. Synergy effects lead to tax savings because there's no per-seat license cost. Independence from software suppliers and vendor lock-in. Independence in scheduling software migrations and potential hardware upgrades. Windows 11, anyone? Deploy new technologies with controlled cost. Use of open standards to foster innovation. Better use of IT administration resources, then it says, in parens, reportedly for the French use case with 90,000 seats. Ability to do own code analysis, in other words, open source, not closed, not proprietary. Worldwide free software community. And then the project lists the philosophical goals as the use of open source, the use of the desktop environment KDE Plasma, and then it says, though GNOME as an alternative is not excluded, and the use of GitLab. They're leaving the entire scope of the project somewhat open-ended,
writing: there is no clear scope yet and the scope may evolve in the future. But the rule of thumb so far, in scope, that is, in scope is everything necessary to deploy a Linux-based operating system to an average public body with a few hundred users. And they do give examples of what is clearly out of scope. So, for example, not the development of a novel Linux OS, a distribution from scratch. Instead, EU OS, they write, should build on top of an existing, well-established Linux distro. Also not is the development of EU OS outside of a corporate environment. For their personal computers, people can already choose between a large variety of Linux distros. So this is not meant, I mean, it's not directed at the personal user, who already has all their choices wide open. They're aiming this more at the several-hundred-user level public sector organization, you know, like a police department, for example. Also out is the deployment of EU OS on other devices than typical desktop workstations or laptops. Hence, for example, smartphones are out of scope. So it's really the Windows desktop environment replacement that is their target, but not for everyone, although everyone could use it if they wanted to. So, looking at use cases and at some previous attempts and successes, the site notes: to make EU OS a success it should support a large number of use cases and consequently a large user base. This helps to gather political support and funding for continuous improvements and innovation.
They note that some specific regions outside of Europe have already utilized the benefits of an operating system which is under their control, and these are historical, back from the early 2000s. They said: Astra Linux is a Russian Linux-based computer operating system that's being widely deployed within the Russian Federation to replace Microsoft Windows. Kylin is an operating system developed by academics at the National University of Defense Technology in the People's Republic of China ever since 2001. Together, Kylin and NeoKylin share a 90% market share within the government in China.
Nova Linux was central to the Cuban government's desire to replace Windows. Hector Rodriguez, director of the University of Information Science in Havana, said that, quote, the free software movement is closer to the ideology of the Cuban people, above all for independence and sovereignty. Other cited reasons, of course, to develop the system include the United States embargo against Cuba, which made it difficult for Cubans to purchase and update Windows, as well as potential security issues feared by the Cuban government because of the US government's access to Microsoft source code. So here the site is making the point that other governments, you know, government-size decisions have been made to say goodbye to Windows, and Linux is where they've gone. Just to sort of, like, I'm sure, demonstrate that this is feasible, and they would not be the first movers on this. Citing these use cases, the site states: this leaves no doubt about the feasibility of large-scale Linux deployments in the public sector. It is only a matter of political support, priority and funding.
The site notes some details of past migrations away from Microsoft and Windows, and the experiences with them: the city of Munich. And again, historically this was 20 years ago, but it serves to highlight the problems inherent in the use of another country's commercial operating system for public sector needs. The report wrote: the city of Munich is migrating its desktop computers from Windows to GNU/Linux. After preparations began in 2003, the city's basic client, a customized version of Debian GNU/Linux, is being developed on a growing number of PCs since the fall of 2006.
The LiMux project puts great emphasis on becoming independent from software suppliers. Florian Schießl, the deputy project coordinator for LiMux, explains: Microsoft has shown us what it means to be dependent upon a vendor. Until 2003, the city was using Microsoft Windows NT4 across the board and was by and large satisfied, when Microsoft decided to end the support for this operating system. This meant that hardware and important procedures would eventually stop working. It was from this experience of being totally at the mercy of an external party that we wanted to take the road to more independence. So they cut that umbilical cord 20 years ago and didn't look back. For the French gendarmerie, GendBuntu is possibly one of the largest Linux-on-desktop deployments in the EU public sector, with about 82,000 seats. Lieutenant Colonel Guimard said, quote, moving from Microsoft XP to Vista would not have brought us many advantages, and Microsoft said it would require training of users. Moving from XP to Ubuntu, however, proved very easy. The two biggest differences are the icons and the games, and he said games are not our priority.
They didn't want people playing games in the police department.
2:32:20 - Leo Laporte
No Tux Racer on this one.
2:32:23 - Steve Gibson
He said the transition to Linux went unexpectedly smoothly. Almost no additional training was required for the local police forces using the computers in their daily work. The Ubuntu user interface was easy to get used to. Pascal Danek points out that a transition from Microsoft Windows 2000 and XP to Vista would have been more difficult, since the new version of that OS introduces many new features and designs which might confuse users, unquote. The French currently use a customized version of Ubuntu called GendBuntu. If EU OS would be used instead, writes Robert, resources could be mutualized across all users of EU OS. So the idea being, over time, that, you know, there already have been major public sector deployments of Linux, that it would be of value to, you know, homogenize all of these under a single umbrella, and he's proposing EU OS. One of the references for this on the page was an Ars Technica piece from 2009 with the headline "French police save millions of euros by adopting Ubuntu", and it's not difficult to imagine at this point that they're glad they did that back then. You know, they're likely still running on the same hardware without any trouble.
And then we have the case of the Swiss federal court. Quote: until 2001, the court had a simple all-in-one IT platform which lacked greatly in functionality and ultimately became outdated. The court's IT direction thus saw the necessity to introduce a new IT infrastructure that would ensure sustainable standards in the future. During the analysis done as part of the planning process, open source software emerged as more sustainable than proprietary software, especially with regard to modularity and file formats. The use of open source software also ensured vendor independence and security, which are two very important aspects for a court. In 2001, the new IT system, running on the operating system Solaris by Sun Microsystems, was introduced. With this also came the introduction of the office suite StarOffice, the internet browser Firefox and the email client Novell Evolution, besides other more specialized applications. At the early stages of the migration, users had to get used to the new programs, but as the migration from the previous system brought numerous improvements, the process went relatively smoothly and was broadly accepted. Where some doubts about open source software existed in the beginning, they have mostly faded by now.
And finally, Linux, or two more. A short one: Linux plus one in northern Germany. A region in the north of Germany is currently preparing the migration of their entire public administration to a Linux desktop. This migration would become one of the largest Linux-on-desktop deployments in the EU public sector, with 30,000 seats. It's unclear which operating system will be used. Rumors say it will be based on KDE Plasma. If EU OS would be used, resources could be mutualized across all users of EU OS. And a reference listed for that was a piece in the ever-irreverent Register last April with the headline "Germany's northernmost state ditches Windows". Yeah, indeed. And you know, Leo, Microsoft must be feeling all of this. I don't know, they still are, like, 99% of all computing. I know, but they are.
2:36:35 - Leo Laporte
I've been advocating for this forever, and I think, especially in the public sector, yes, why should you be using Windows? Yes. Didn't they do this in China, though? They have the, what is it, the Red OS.
2:36:48 - Steve Gibson
It's, uh, I just talked about it. It's another Kylin or something.
2:36:55 - Leo Laporte
Yeah, oh, that's right, but it's another Linux. Yes, it is, it is. Yeah, because you can't create your...
2:37:00 - Steve Gibson
You can no longer write an operating system, and why would you? There's a free one that a bunch of really good, smart people have been working on for years. Well, and this is why Android is so popular on handsets, although it's just another spin of Linux.
2:37:13 - Leo Laporte
So yeah, yeah, it's kind of interesting. I think when you retire you should probably move to Linux. I'm just saying. You're not gonna do it, are you? I, you... I'm not going to retire. Oh, there, if that's better. Good answer. That's right, we're all going... Whew, that was close. What's Leo, is he nuts? Don't use the R word with Steve.
2:37:39 - Steve Gibson
Anyway. So, as we know, there's still a lock-in problem with Microsoft's otherwise very compelling solutions. Under the headings of cities and communities, Robert wrote only a few cities have migrated to Linux so far.
2:37:55 - Leo Laporte
I think support is probably part of the issue as well. Right, Right.
2:37:59 - Steve Gibson
Yes, exactly, and that is one of the things that he noted: it will be necessary to be able to get support. So, um, so I think that's one of the reasons to look at Fedora as a possibility, is that it's possible to get commercial support until they're able to, like, build up enough internal knowledge to do that themselves. But, but, but... He wrote: compatibility with the federal government and the plethora of business processes a city owns. But, he wrote, the browser. A workaround may be possible to sort of, you know, pry the operating system out from underneath the browser, and look at Microsoft moving all of their focus to the cloud that...
2:38:54 - Leo Laporte
Sure, they don't mind, they're going to get your money. Yeah, yep, yeah. I would suggest it'd be good to get off the .docx format as well at some point. Yeah, paper office. LibreOffice is out there, you can use that.
2:39:09 - Steve Gibson
So let's see... oh, I'm sorry. So, so, so they...
2:39:12 - Leo Laporte
I'll stop making snide comments. It's all you. No, it's not a problem.
2:39:16 - Steve Gibson
They have an FAQ that offers some interesting technical insights. They ask themselves: is EU OS another Linux distribution that I can try out? And Robert answers: EU OS is not another Linux distro. EU OS is a community-led proof of concept which employs existing Linux distributions. The challenge of the proof is not that an individual can use Linux on their own computer, and actually at one point Robert has like five that he uses at home constantly. So he's like, you know, he's really deep in. He said that the challenge of the proof, he said the challenge is to prove that an admin team, exactly to your point, Leo, an admin team can manage users and their data, software and devices with or without Active Directory and without Microsoft Windows, within a migration period of two years rather than 20 years. Yeah. He said for this, EU OS wants to propose a common Linux OS and desktop environment as a base and, more importantly, a common method to manage users and their data, software and devices. EU OS is not meant for home users, but for system administrators who want to automatically deploy and manage Linux across many corporate computers and laptops. So, and that's where GitLab comes in, they're talking about this as a, you know, as a deployment management issue, where that's what they need to work out. In the same way that Microsoft has done this for Windows in a corporate environment, they want to recreate some of that infrastructure for Linux that doesn't exist currently.
So, question: how can the EU achieve its goals of being secure and sovereign when it relies on software from other countries, for example the US? And he responds to this question: EU OS shall not confound sovereignty and protectionism. There's no problem per se in relying on international free and open source software components, and oftentimes it is practically unavoidable. However, EU OS promotes the maintenance of strict control over business data and telemetry data, meaning no phoning home, GDPR compliance. This includes the free choice where to store such data, on-premise or cloud of choice. Furthermore, the availability of know-how for a given FOSS component within the EU shall be considered. It remains to be studied if EU OS FOSS components such as the Linux kernel, systemd, Wayland, PipeWire, Fedora or AlmaLinux could face export limitations, which would pose a threat to the sovereignty offered by EU OS. Such threats cannot be mitigated by EU OS alone and should be addressed through industry supply chain security policy.
Okay, why does EU OS propose to rely on Fedora-based Linux distributions? Answer: EU OS is not a product yet, only a proof of concept. The choice of the employed base Linux distribution or desktop environment, GNOME or KDE, is not a core concern as it does not impact how admins manage users and their data, software and their devices, and that's the focus. Nevertheless, EU OS cannot avoid picking some base Linux distribution to start with. Advice came from the European Commission DG DIGIT, the German Center of Digital Sovereignty ZenDiS (known from openDesk), GNOME OS and openSUSE, through their dedicated blog post. Considering the advice received, the decision was to advance the proof of concept with Fedora. For a production deployment after the proof of concept, any Fedora-based Linux distribution with longer release cycles could be used. Also, a switch to any other bootc-supported Linux distribution would always remain possible.
So this effort in the EU is what we would call definitely handwriting on the wall for Windows. You know, I mean, this existing will help to facilitate other small, you know, disconnected movements without any big mandate being needed. Individual entities in the EU's public sector can decide, hey, here's the support that we've been needing in order to, you know, hold our breath and make the move.
But as I was reviewing and assembling all this, I realized how Windows-centric most of the US is. And, Leo, to your point, how dominant Windows itself is. And of course, I know that many of this podcast's listeners have already liberated themselves from Microsoft's proprietary grasp. But throughout most of the United States, encountering anything other than Windows, you know, anywhere you go, is a rarity, and that shows little sign of changing. You know, to your point about my retirement, Leo, I'm very comfortable with Windows. I love the platform, which I've been using since before its birth, and as a commercial product developer, it's still where the market is. But I'll also note that I spent some time, for example just last weekend, updating my Ubuntu system, since I go to whatever lengths are necessary now to assure that anything I do will run smoothly under Wine, which of course is the free Windows emulator for Linux.
In the EU, as we saw mentioned, leaving Windows will not be an easy thing for any large organization to do. I suspect that future migration will not occur from the top down, but rather from the bottom up. You know, the broad pyramid, the broad-base pyramid. Smaller entities that are more able to leave Microsoft will be under increasing pressure to do so, as Microsoft's, well, what I would consider nearsighted policies attempt to force wholesale hardware replacement when they force software upgrades. This will cause smaller and inherently more flexible entities to explore what alternatives to Windows 11 may exist for them, and having the EU OS present may provide a path for smaller organizations to take, you know, once Microsoft has pushed them in that direction.
Now, as I said at the top, all of that said, I'm haunted again by that brilliant and poignant XKCD cartoon which we've looked at from time to time. It's the one showing that massive stack of various sized blocks all stacked on top, excuse me, of one another, which is so brilliant because it's exactly the way modern software stacks are created and operate, and where, amid this towering collection, there's one little block off to the side, near the bottom, upon which all the other blocks implicitly rest. Now, as I was putting this together and wanting to find that XKCD cartoon again, I turned to ChatGPT to let it do the legwork for me. I copied and pasted that description which I just read above, since I'd already written it, and here's what ChatGPT replied.
It said: The XKCD comic you're referring to is titled "Dependency," comic number 2347. This illustration depicts a precarious tower composed of numerous blocks symbolizing the modern software infrastructure. At the base of this towering structure is a single small block labeled, quote, "a project some random person in Nebraska has been thanklessly maintaining since 2003," unquote, highlighting the fragility and reliance of complex systems on often overlooked components. Now, okay, let me just say, AI, holy crap. You know, I mean, it produced that paragraph.
2:48:46 - Leo Laporte
I mean, you could have done a Google search and found it too. But okay, yes. Yeah, I know, it is kind of cool that it can do that, though. It's incredible. And it said...
2:48:55 - Steve Gibson
The comic serves as a poignant commentary on how critical pieces of modern digital infrastructure can depend heavily on small open source projects maintained by individuals without widespread recognition or support. This theme resonates with real world scenarios where the failure or abandonment of such a project can have widespread repercussions across dependent systems. Okay, now, I'm 100% certain that everyone listening to this, who has been following along with this for even a few years, will perfectly understand the motivations surrounding the desire to switch away from an operating system solution, regardless of how functional, compatible and interoperable it may be, that does not appear to be directly driven by a motivation of planned obsolescence. Which is to say, you know, why are we? As you said, Leo, support for Windows 10 is ending this coming October, and what is it? A quarter million systems currently running Windows 10 will not run Windows 11. So you know, it's one thing to be a computing enthusiast, where we're using and working with computers for their own sake, as many, if not most, of the people listening to this podcast do and are, but it's entirely different to be a police station out in a small rural town in France, where all you want is to be able to bring up records, search the internet, balance the books and communicate with colleagues, and not needing to play games. This is a place where a computer is a tool, not a toy, and its reduced ability to be used for playing games may be a feature, not a bug. You know, maybe a feature, not a bug. So it's clear why a move from Windows to Linux would make so much sense for them.
If it's possible for Linux and the tools that run on top of it to get their job done, then it's going to be far more cost effective in the long run to say bye-bye to Microsoft, you know, and to be able to keep running effectively and efficiently until the day that hardware itself finally dies, because, you know, eventually the power supply will or some capacitors will leak or something.
But this brings me back to XKCD's observation of that random person in Nebraska and all of the tens of thousands of other random people everywhere who thanklessly create and maintain that system, the whole house of cards, the whole stack of bricks, you know, only, apparently, for the sheer joy of doing so. Right, that's their reward. Now I suppose this is a sustainable model, but that's my question, the sustainability. It has always been, after all, the goal of the free and open source software world that this is addressing. That dream is really coming true now, in spades.
But as more and more incredible value is obtained from the tireless work of volunteers, I don't know, sometimes it feels maybe a bit unfair to them because, to use XKCD's word for it, it really is thankless work. You know, I've created a great deal of free software which has been and remains quite popular, but it doesn't feel thankless to me at all because everyone who downloads it knows where it came from and who created it. You know, and I get sufficient feedback, literally in the form of thanks, from its users who use it to, you know, find an open port on their router they didn't know about, spot a bogus thumb drive, keep Windows from updating, find faster DNS servers, whatever. I receive plenty of thanks.
But I worry about those thankless people who toil without any recognition. I suppose the recognition they receive from their peers within the community they share is enough. I hope it's enough because, having achieved the dreams of the likes of Richard Stallman and Linus Torvalds, what we need now is sustainability. You know, as these thankless developers see more and more of the world using their stuff and taking it totally and literally for granted, I hope they see it as a badge of honor that what they've created is helping so much, so many people, for such low cost. What has been accomplished, as evidenced by the creation of this EU OS unification project, is truly, I mean truly, a stunning achievement. But now we have to have it keep going.
2:54:42 - Leo Laporte
I think, I mean, it's definitely hard to work in open source. The open source communities can often be grating, and I know a lot of project leaders, even in the last couple of years, have abandoned their projects because they're so fed up with the process.
2:55:00 - Steve Gibson
Or they just age out.
2:55:02 - Leo Laporte
Well, yeah, I mean, there are probably many projects that are simply done by one person, but most of the big ones have a group of people. They have a fearless leader, benevolent dictator for life, and the rest of them go along and work on it. I think, increasingly, it'll be politically motivated. Right now it's somewhat altruistic, somewhat just...
2:55:27 - Steve Gibson
Well, China and Russia, certainly political, I think.
2:55:32 - Leo Laporte
But even more than that, people are starting to resent these big corporations' extraction of value from them. Yeah, I think it's economically motivated.
Yeah, well, that, I'm, yeah, I'm considering that political because it's anti-corporate, it's anti-capitalistic, it's, it's, it's more of an operating system for the people, by the people. Uh, I love... I have to say I have loved Linux since I first installed Slackware 25 years ago, used it non-stop since then, and I can't see any way that it's not superior. What's interesting is that a lot of what people are doing is really just in the cloud. So for a lot of these people, you mean, you, you said all you need is a browser. Google Sheets.
It's just a browser, and for that, you know, it'd be a simple... I mean, that's what a Chromebook is, is basically a Chrome-based, uh, Linux operating system. But it'd be simple enough to create a browser, you know, open source browser on top of an open source operating system. But then you're still using the big tech, you know, Google, Microsoft's cloud-based stuff. I, I don't know. I'd love to see a world where, uh, it's more, uh, do-it-yourself. I mean, there's definitely a do-it-yourself movement in hardware and software.
2:56:55 - Steve Gibson
Well, and certainly... that I really like the maker movement, you know, right, and certainly this sort of effort with GitLab and EU OS. I mean, this is very much... I mean, the guy himself who's driving this project has a, you know, we're going to use our own cloud approach, right, because, you know, we really do want to, as government probably should, right. Yeah, for GDPR. We want to have no phoning home. We want to cut the apron strings. Right, right. Darren makes another...
2:57:26 - Leo Laporte
Darren's so good. He makes a lot of good points. He made another good point. He says at some point in the next, I don't know, a few years, uh, maintainers of these projects may be AI-based, if not fully, at least primarily.
And that would be fantastic, right, if you could say, okay, AI, your responsibility is OpenSSH, make sure it's reliable, robust and bug free and respond to any vulnerabilities that are... Yeah, and that's one of the problems right now, is you get all these pull requests and you get all these bug reports, and if it could process them quickly and efficiently... I, I like that idea, Darren. Maybe we are, and maybe we'll enter a new world at that point, because really humans shouldn't have to maintain the infrastructure. Humans should be able to use the benefits of that, yeah, you know, the front end of it. And maybe something computer-based can maintain it.
2:58:26 - Steve Gibson
I like it, I do. I've said from the beginning, our first discussions of AI, that AI and code really do seem like they go hand in hand. I mean, it is, it kind of makes sense.
2:58:37 - Leo Laporte
The computer speaks its own language, right yeah.
2:58:40 - Steve Gibson
Better than any human does. Well, and ultimately logical, right. I mean, it's not fuzzy, you know, fuzzy English wording, although they sure do have that mastered, my goodness. Yeah, it's pretty...
2:58:56 - Leo Laporte
It's pretty amazing. Uh, we are going to do some more. Uh, we've, do, we talk a lot about AI now on Wednesday on our Intelligent Machines show. We've got some great guests coming up, including, in a couple of weeks, Harper Reed's going to talk about how he uses AI for pair programming. You know, that's, uh, where he's writing code in conjunction with, uh, an AI coder, and his workflow is quite interesting. Um, it's, we live in a new world.
2:59:21 - Steve Gibson
It's exciting. You do? We're here for it? Yay, and we're gonna, we're gonna, we're gonna be here for the foreseeable future.
2:59:28 - Leo Laporte
Yay, no retirement in the works for this cat. He's going to stay here. Yay, I feel like I could almost touch you, Steve. I want to clap you on the back.
Steve Gibson does this show every Tuesday. I hope you come and watch us. You can watch us live if you're in a hurry and you want to know what the latest is. We do it live Tuesdays right after MacBreak Weekly. We're striving to make that as close as we can to 1:30 Pacific, that's 4:30 Eastern, 20:30 UTC. There are eight live streams you can watch it on, including Discord for our club members, YouTube, TikTok, Twitch. We're on LinkedIn, we're on Facebook, we're on X.com, we're on Kick. So if you want to watch live, you can. You don't have to, because we make edited versions available in a variety of places.
Steve has his own unique versions of this show on his website, as one might expect. He actually goes in and edits it by hand and creates a 16 kilobit tiny file for bandwidth-impaired folks, a very good quality 64 kilobit mono audio version. We don't make that anymore for a variety of technical reasons. We do 128 kilobit. So if you want the smallest audio version, Steve's got those. He's got an even smaller version, handwritten transcripts by Elaine Farris of every episode.
Great for searching or just reading along while you're listening, or just reading, although I would say if you just wanted the content... He also has the show notes there, and Steve does the best show notes I've ever seen. I mean, everything you need is there in the show notes, including the picture of the week. So all of that is at GRC.com. Pick up a copy of SpinRite while you're there, the world's best mass storage maintenance, recovery and performance enhancing utility. If you have mass storage, you absolutely must have a copy of SpinRite. There's other stuff there, including, soon... He's got right now a wonderful DNS tool to let you find the fastest DNS server. But DNS Search Pro is coming out. Or what is it? DNS Test? What do you call it? DNS Benchmark, Bench, DNS Bench? Yeah, DNS Bench Pro is coming soon.
3:01:41 - Steve Gibson
It's looking very good.
3:01:42 - Leo Laporte
If you want to get the notification the minute it ships, go to GRC.com/email, and that's where you can give Steve your email address. That's mostly just to validate it so that you can send him emails. That's the best way to comment with him. Go to GRC.com/email, say I'm going to write to you from this address, and that way he'll allow it through. He'll whitelist you. But the other thing he does, he has two boxes, they're not checked, right below it for his newsletters. One is the weekly Security Now show notes newsletter. Actually, not just weekly. Occasionally Steve will do an emergency release. Well, you've done it at least once, with the AI thing. And then a very occasional newsletter announcing new products, like the DNS Bench, when it comes out, the new Pro version. So do that, GRC.com/email, if you're a fan of the show. That's really a must. Uh, you can also get copies of the show on our website. We are the network proudly hosting Security Now. twit.tv/sn has a lot of things there. There are links to the show notes. Uh, there's a link to the 128 kilobit audio. Our unique version is video. You can watch us. We do video of the show. That's there. There's also a YouTube channel dedicated to Security Now. You can see the video there. That's a good tool to know about because it's a great way to share little clips. So if you, you know, you want to turn somebody on to the show or something that you heard on the show, you can just share with your boss the list of malware attacks, ransomware attacks today. You know, maybe just that clip right there. This is, boss, this is why we need help. We don't want to be listed there, don't want to be in that list. That's one list you do not want to be part of. So that's at YouTube.
And then, of course, you can subscribe in your favorite podcast player, choose audio or video and you'll get it automatically the minute it's available.
Club Twit members get a unique version of the show. I should mention they get the ad-free version of the show. That's actually, if you join Club Twit, $7 a month is all it costs. You get ad-free versions of every show we do. You get access to that Discord, which is a great hang, that's where Darren is, and a whole bunch of great, smart, interesting people. You also get the special events we do.
Thursday we're going to have Chris Marquardt's photo workshop. We have that AI... I missed it again, I'm kicking myself. The AI users group is the fourth Friday of every month. Stacey's book club's coming up. We've got a coffee segment coming up, so there's a lot of stuff we do in the club and, of course, the club itself is a great place to hang out with really smart, interesting people who are very happy to share their discoveries and experiences. It's kind of like a 24-7 Twit going on in the Discord. All that for seven bucks a month, that's a pretty good deal. Makes a big difference to our bottom line. twit.tv/clubtwit. If you're not a member, please consider, uh, joining. We really appreciate it. I'm sorry, did I spit at you? I got excited, I didn't mean to, Steve.
Uh, he wiped his eye. Uh, Steve, we will be back next week. You will too.
3:04:42 - Steve Gibson
Right, I'll be here on April 8th for not April Fool's Day. No, no, we're not kidding about that, we'll be back.
3:04:52 - Leo Laporte
It's no joke.
3:04:53 - Steve Gibson
No joke.