Transcript of Episode #1033

Going on the Offensive

Description: Another Israeli spyware vendor surfaces. Win11 to delete restore points more quickly. The EU accelerates its plans to abandon Microsoft Azure. The EU sets timelines for Post-Quantum Crypto adoption. Russia to create a massive IMEI database. Canada and the UK create the "Common Good Cyber Fund." U.S. states crack down on Bitcoin ATMs amid growing scams. Congressional staffers cannot use WhatsApp on government devices. LibXML2 and the problems with commercial use of OSS. Another remote code execution vulnerability in WinRAR. Have-I-Been-Pwned gets a cool data visualization site. How is ransomware getting in? Windows to offer "safe" non-kernel endpoint security? Proactive age verification coming to porn sites. How? Canada (also) says "bye bye" to Hikvision. Germany will be banning DeepSeek. The whole EU may follow. Cloudflare throttled in Russia? What must the U.S. do to compete in global exploit acquisition?

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1033.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-1033-lq.mp3

SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We'll talk about zero-days and what we're doing as the United States to stockpile them, and what Israeli companies are doing using their zero-days to attack journalists in Italy? Also, now that the Supreme Court has decided it's okay to have age verification, how will that impact the Internet? That and a lot more coming up next on Security Now!.

Leo Laporte: This is Security Now! with Steve Gibson, Episode 1033, recorded Tuesday, July 8th, 2025: Going on the Offensive.

It's time for Security Now!, the show where we cover the latest in security, privacy, how computers work, the greatest science fiction in the world, and whatever else Steve Gibson is into. He is a polymath, and we all give you the salute, Live Long and Prosper.

Steve Gibson: One never knows.

Leo: We're all counting on it.

Steve: I'm going to have to bring you up to speed soon about this.

Leo: What's that? Oh, what's that? Is that a little buzzer?

Steve: That's the evolution of the device that you and Lisa experimented with.

Leo: We were putting electrolyte gel on our temples.

Steve: On your foreheads and, yeah.

Leo: No, I never do the tongue with you. I do that with the [crosstalk]. And then zzz, zzz, zzz. Oh, cool. I know Lorrie uses this, right, in her practice?

Steve: She does. I couldn't sleep if I didn't. It's just completely resolved my insomnia.

Leo: Well, I need something to help me sleep. I've done everything under the sun.

Steve: And I meant to ask you, how's the GLP-1?

Leo: It's going well. We've upped the dose now to .5 milligrams.

Steve: Is that double what you were at? Were you at a quarter?

Leo: Yeah, they start you on basically inconsequential dose. And then they slowly double it up to a point.

Steve: Until things start to fall off?

Leo: Until you start - you get the shakes and you can't go on. I think what they're really looking at is what my numbers look like, and then they want to give you the least amount that's effective. So in fact I'm on .5, and they said before we go up I want to see your numbers. So I have to say it's helped the blood glucose a lot. It's really...

Steve: And you wait 90 days between changes in order to get an A1C?

Leo: A month, yeah, four weeks. Yeah, four weeks.

Steve: Cool.

Leo: Oh, for the A1C, no. Yeah, 90 days. So I don't know when my A1C - yeah, it wouldn't make sense to do it more than every 90 days. So I don't know when my next A1C is. It's in a couple months, I think. But, see, I'm wearing one of those continuous glucose monitors.

Steve: Yeah, yeah.

Leo: So I know exactly how I'm doing.

Steve: Very cool. And I heard someone say that it - oh, it was Calacanis, I think, who was also experimenting with one, saying that it modified his eating.

Leo: Oh, it definitely does.

Steve: Like when you see the consequence of what you eat in near real-time...

Leo: Well, it's almost like you can't eat what you used to eat.

Steve: Right.

Leo: Your stomach hurts. One of the negative side effects of it is...

Steve: No, no, I meant having a real-time blood glucose feedback.

Leo: Oh, that, absolutely. That was Alex Lindsay talking about that. Absolutely.

Steve: Oh, okay, right. That's right.

Leo: Absolutely. But I've worn real-time continuous glucose monitors in the past. It's only a suggestion.

Steve: You sort of get used to it after a while.

Leo: Yeah. It's a suggestion.

Steve: It's like, yeah, that thing. Yeah, I know.

Leo: You know? For me the real problem, I'm on Ozempic, for folks who don't know. My doctor prescribed it. I'm not, you know, I'm not doing it on my own. But for me, the thing that really helps is I, you know, I think people like you and normally thin people don't understand this, but those of us who have weight problems often have this constant hunger. And sometimes people on Ozempic call it "hunger noise" or, you know, it's shouting at you pretty frequently. Oh, I'm hungry, I'm hungry. That's gone. You don't hear the background noise anymore. So that's a huge - more than anything else, that's a huge help.

Steve: You would be surprised how much I understand that.

Leo: Oh, good.

Steve: Because I had it, and it's...

Leo: How did you get rid of it?

Steve: It was my first - I didn't know whether it was crashing into ketosis or my first experimentations with the zapper because I did both around the same time.

Leo: Keto helps, for sure.

Steve: And it changed my life.

Leo: Yeah.

Steve: Well, and that's why I was so reluctant. I was scared to leave keto, worried that that would - I would resume, like, a constant battle. And it never came back.

Leo: Well, if you could get rid of that hunger noise without being on a medication, obviously that would be far preferable. But I also am a Type II diabetic, and so my blood sugar was going up into the danger zone. I just saw a study, you'd probably be interested in this, that showed that all this excess glucose, we talked about how it's damaging, it's also damaging to the brain, and it can actually be involved in Alzheimer's. And it's one of the reasons, now they're starting to think, because they do notice that semaglutide and related drugs are effective in lowering Alzheimer's.

Steve: Are lowering incidence of, yeah.

Leo: Yeah. So I'm happy about that because my parents, both my parents in their 90s are physically fine, but they're mentally not so good.

Steve: Your mom, your mom...

Leo: My mom's great.

Steve: I know, I mean, she's...

Leo: She's in a happy place. She doesn't remember what happened yesterday, but she remembers everything that happened in the past, and we have perfectly normal conversations.

Steve: Yes.

Leo: But she's, you know, she's definitely diagnosed with Alzheimer's. So I would like to keep all my faculties as long as I possibly can.

Steve: Sometimes, oh, god, I guess my screen blanker just...

Leo: Uh-oh. That's his light, by the way, folks.

Steve: I thought I had set it up. Sometimes google 40 Hz, you know, 40 Hz, Alzheimer's. You will be astonished by what comes up.

Leo: Well, let me know when you're ready to distribute the box.

Steve: Some research out of MIT is astonishing.

Leo: Okay. Does it break up the plaques or something like that?

Steve: It reverses.

Leo: Nice. Oh, well, I'll bring it over to her and see what - hey, Mom. Just strap this to your head and see what happens here.

Steve: Okay.

Leo: Let's talk about what's going to be on Security Now!.

Steve: We're actually here, believe it or not, folks...

Leo: Yes.

Steve: ...to do a podcast about - nominally about technology.

Leo: Yes.

Steve: Not body technology, but Internet technology. I ran across an amazing, I guess you'd call it a policy paper out of a Washington, D.C. think-tank which, by an ex-Google, what's the Google security group? I'm blanking on it right now.

Leo: Oh, the Project Zero.

Steve: It's related. It's not Project Zero. It's - they have an acronym for it.

Leo: Oh, okay.

Steve: We'll end up encountering it. Anyway, this gal Winnona really knows her stuff. And, I mean, she organizes DEF CON conference content and so forth. Anyway, she's with the Atlantic Council and addressed the question of what it will take for the U.S. to be effective in offensive cyberwar. That is, and she's got fantastic quotes from people on the inside who, like, say things like, you know, we could be effective if we were only not afraid to pull the trigger, and things like that.

Anyway, the context is us versus China, of course, like the big two tech superpowers. And we know how much trouble we're getting from China. And I've often opined on the podcast, gee, I wish, you know, I hope we're giving as good as we get. Anyway, we've got some great actual factual content here to share. So I titled today's podcast, #1033, when I came home yesterday to Lorrie I said, well, #1033, the mailing is on its way out. And she just kind of shook her head, she said, "1033." I said, yeah, I know. Anyway.

Leo: Amazing.

Steve: And I think we're approaching our 20th birthday here soon.

Leo: Next month; right?

Steve: Yeah, yeah.

Leo: Wow. We have to do something. We ought to get you a cake or something.

Steve: Just get me a little pointy hat. So I titled this one "Going on the Offensive" because that's what we're going to look at for the first time ever on this, you know, 20 years into this podcast.

Leo: August 18th is the 20th.

Steve: Nice. We have another Israeli spyware vendor surfacing. We've got the news of Windows 11 choosing to delete its restore points more quickly, just a heads-up in case anybody is, like, worried about that or is, like, depending upon them sticking around. The EU accelerating its plans to abandon Microsoft Azure. We briefly touched on that previously. Also they've set, the EU has set a timeline for its post-quantum crypto adoption, so they're on that road now. Russia creating a massive IMEI database. What could possibly go - I'm glad I'm not living there. Canada and the UK creating a Common Good Cyber Fund. The U.S. cracking down on Bitcoin ATMs amid growing scams we'll talk about. Congressional staffers no longer being allowed to use WhatsApp on government devices.

LibXML2 is an open source software, the sole maintainer, very lonely, I don't think he's in Nebraska, but he's - actually I think he's in Germany - talks about the problems with, and we will, commercial use of open source software, why that doesn't really work out well and seem fair. We've got another remote code execution vulnerability in WinRAR. Have I Been Pwned has just got a very cool data visualization site. We look at Sophos's analysis of how ransomware is getting into organizations. Windows offering hopefully safe non-kernel penetrating endpoint security. And it looks like proactive age verification will be coming to porn and other sites near you, maybe far from you, if you use a VPN. We'll look at what that means.

Also, Canada is saying bye-bye to Hikvision. Germany will be banishing DeepSeek. The whole EU may be following. And also, has Russia throttled Cloudflare? Anyway, lots of stuff to talk about before we get to what must the U.S. do to compete in global exploit acquisition, which is what this all boils down to.

Leo: Oh.

Steve: And Leo, I know I've got a Picture of the Week that's going to, if you were still on your ball, it would knock you off the ball.

Leo: Well, you'll see my reaction soon, Steve. All right, Steve. I am ready to scroll up, as they say.

Steve: Okay. I gave this picture the caption "Ad hoc signage is typically added after a need for it has occurred."

Leo: Okay.

Steve: Ad hoc signage.

Leo: All right. All right. I'm going to scroll up.

Steve: Typically added after need for it has occurred.

Leo: God, I hope not.

Steve: Oh.

Leo: I don't know what stimulated this one. Holy moly. All right. Let me see if I can switch over the camera so everybody else can see.

Steve: So for those who do not have video, what we have is somebody having very deliberately printed on an 8.5x11 sheet of paper and stuck it on the wall over the elevator call buttons, a sign that reads...

Leo: A very important sign.

Steve: Yeah, can be. "Attention. Please make sure elevator is there before stepping in."

Leo: That's got to be a joke.

Steve: It looks like it's...

Leo: Think it might not be?

Steve: ...on a marble wall, and you can see the little "In case of fire elevators are out of service" warning below. So you have to wonder what situation occurred that caused management to, you know, get up their word processor, set up 36-point font type and put a sign on the wall that warned people, make sure it's actually there when the doors open.

Leo: Wow.

Steve: One has to imagine that they opened at one point, and there was no elevator present. So, you know, make sure it's there.

Leo: Yikes. Yikes.

Steve: I don't know how else to explain this sign, but wow.

Leo: Wow.

Steve: Yeah. Okay. So I have no idea why all of the major commercial spyware publishers seem to be Israeli, but that's what we see; right? You know, it's apparent that that's the case, and it's really not a good look for Israel. I mean, I've often felt sort of self-conscious on their behalf because why? You know? Israel is the home of Cellebrite, which is that famous iPhone unlocker; the NSO Group which sells the Pegasus spyware, and has been for years and still is; a group called QuaDream, which has been formed apparently from former ex-NSO Group members. They offer a spyware called REIGN. We have Candiru, also known as Saito Tech Ltd.

But what brought this to the fore today was news of yet another Israeli commercial spyware vendor known as Paragon, which sells a smartphone penetration solution which they call Graphite. I guess kind of, I don't know, it slicks the way in. It lets people into your phone. So this brings the total to five such companies, all Israeli, that we currently know about. Of course we don't know what we don't know, but there's five we do know.

In mid-June, the Citizen Lab group's, they're, what, at University of Toronto I believe is where they're located. They posted under the headline "Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware Finds Journalists Targeted," was what they said. And they wrote: "On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalists that consented for the technical analysis of their cases. The key findings from our forensic analysis of their devices, their physical phone devices, are, first, our analysis finds forensic evidence confirming with high confidence that both a prominent European journalist (who requested anonymity), and Italian journalist Ciro Pellegrino, were targeted with Paragon's Graphite mercenary spyware."

They said: "Second, we identify an indicator linking both cases to the same Paragon operator." Actually it's an IP address, as we'll see. "And then, third, Apple confirms to us that the zero-click attack deployed in these cases was mitigated as of iOS 18.3.1 and has assigned the vulnerability CVE-2025-43200." They said: "Our analysis is ongoing."

So some of the interesting revelations from their posting include, they wrote: "We analyzed Apple devices belonging to a prominent European journalist who has requested to remain anonymous. On April 29, 2025, this journalist received an Apple notification and sought technical assistance. Our forensic analysis concluded that one of the journalist's devices was compromised with Paragon's Graphite spyware in January and early February 2025 while running iOS 18.2.1. We attribute the compromise to Graphite with high confidence because logs on the device indicated that it made a series of requests to a server that, during the same time period, matched our published Fingerprint P1. We linked this fingerprint to Paragon's Graphite spyware with high confidence.

"Graphite spyware server contacted by the journalist's device was at https://46.183.184.91. The server appears to have been rented from VPS provider EDIS Global. The server remained online and continued to match Fingerprint P1 until at least April 12th of 2025.

"We identified an iMessage account present in the device logs around the same time as the phone was communicating with the Paragon server at 46.183.184.91. We redact the account and refer to it as ATTACKER1. Based on our forensic analysis, we conclude that this account was used to deploy Paragon's Graphite spyware using a sophisticated iMessage zero-click attack. We believe that this infection would not have been visible to the target. Apple confirms to us that the zero-click attack deployed here was mitigated as of iOS 18.3.1 and has assigned CVE-2025-43200 to this zero-day vulnerability."

Now, I want everybody to keep in mind we're talking about a zero-day vulnerability that Apple did not know about that this group, this Paragon group, used because at the end of this podcast we're going to be talking all about zero-day vulnerabilities, which is what it turns out everything today comes down to in the field of offensive cyber war. It's zero-days, period.

They wrote: "Ciro Pellegrino is a journalist" - this is another guy - "and head of the Naples newsroom at Fanpage.it, where he has reported on numerous high-profile cases. On April 29th, 2025, Mr. Pellegrino received an Apple notification and sought our technical assistance. We analyzed artifacts from Mr. Pellegrino's iPhone and determined with high confidence that it was targeted with Paragon's Graphite spyware. Our analysis of the device's logs revealed the presence of the same ATTACKER1 iMessage account used to target the journalist from the first case, which we associate with a Graphite zero-click infection. It is standard for each customer of a mercenary spyware company" - and it's interesting that they're using these terms. We'll see in a second where they got that term - "to have its own dedicated infrastructure."

Again, it's standard for each customer of a mercenary spyware company; right? So we're talking about that they used Paragon's - somebody used Paragon's spyware, purchased it from Paragon, set up an infrastructure, which they then used with the spyware in order to do the spyware's business.

Leo: I think it's often the case that the company you buy it from does the infrastructure. I know that's the case with Pegasus.

Steve: Okay.

Leo: Because they want to control the zero-day.

Steve: That is true. And we've talked about that in the past. They don't want just anybody letting this thing loose because this zero-day is so vulnerable to them that they want to keep it under control. So in this case they are writing, and maybe they know more than we do, they say: "It is standard for each customer of a mercenary spyware company to have its own dedicated infrastructure." They said: "Thus we believe that the ATTACKER1 account would be used exclusively by a single Graphite customer or operator." Now, that could, again be a division of Paragon, as you say, Leo. They said: "And we conclude that this customer targeted both individuals." So a single person targeting both.

Leo: That would make sense because you don't want your customers to interact with each other either; right?

Steve: Right.

Leo: They should all be on a separate channel.

Steve: Now, can you explain to me why some journalist is worth this? I mean...

Leo: Well, I mean, it depends on what he's exposing, high-profile cases. He's in Naples. Could be maybe he was writing about the Mafia? I don't know. There's a lot of organized crime in Naples.

Steve: Hmm. Okay.

Leo: Who knows? It was obviously...

Steve: It just to me it seems like...

Leo: Usually these are nation-states, right, using [crosstalk].

Steve: Yeah, yeah. But we do often hear that activists and journalists and, you know, and do-gooders of various ilk...

Leo: Well, that's the problem.

Steve: ...are the targets of these.

Leo: It's not just spy vs. spy.

Steve: Yeah. Okay. So their use of the term, I thought, "Mercenary" was interesting. Turns out it's the official Apple term which Apple uses in their formal Threat Notifications when they are informing targeted individuals. I have a screenshot of their redacted Apple notification which these journalists received. And it says, you know, it's got the little WiFi antenna at the top. And it's very clear, Threat Notification, you know, make sure the elevator is there before you step - no. Threat Notification, and it's dated 29/04/25 at 14:03. And it says: "ALERT," in all caps. "Apple detected a targeted mercenary spyware attack against your iPhone. Apple sent the following threat notification via email to [redacted] and via iMessage to [redacted]. We also sent a short notification to the recovery addresses associated with your account."

So these guys identified a total of seven Italians who've received - and to your point, Leo, apparently they're frisky Italians - who've received notifications, either from Apple or WhatsApp. So this Paragon group is definitely now on the map and active as another source of Israeli spyware.

Leo: Well, now I may be thinking it's the Italian government.

Steve: Ah, okay.

Leo: Yeah, they might have been writing exposes on the corrupt Italian government.

Steve: Wow. Okay. Then a few weeks later, the publication SecurityWeek wrote: "Meta-owned WhatsApp told SecurityWeek that a recent FreeType vulnerability, flagged as potentially exploited at the time of disclosure, has been linked to an exploit of Israeli surveillance solutions provider Paragon." So now they're calling Paragon "an Israeli surveillance solution."

Leo: Good, because that's what they are.

Steve: Yeah.

Leo: That's calling it, that's naming it as it is, yeah.

Steve: That's right. If you can pay the price, you get to surveil pretty much anybody you want to. They wrote: "In mid-March, Meta published an advisory on the Facebook security advisories page to inform users about" - this is a CVE 2025, different one, 27363 - "an out-of-bounds vulnerability in the FreeType open source library that could lead to arbitrary code execution. The advisory said the vulnerability may have been exploited in the wild. Meta knew this because the University of Toronto" - that's what I was remembering - "Citizen Lab research group reported that a WhatsApp zero-day vulnerability had indeed been exploited in Paragon spyware attacks. WhatsApp representatives at the time told SecurityWeek that the zero-day attacks involved the use of groups and sending PDF files, and that the weakness had been patched on the server side, without the need for a client-side fix."

And that's kind of cool, to be able to, like, fix it so that you're not - so WhatsApp is no longer going to send, will no longer send a PDF that exploits a vulnerability in the client's use of FreeType fonts when it renders that page.

So SecurityWeek explains: "FreeType is a development library designed for rendering text onto bitmaps, and provides support for other font-related operations. In the case of CVE-2025-27363" - which is the one that was exploited here - "which impacts FreeType 2.13.0 and earlier, Meta said the issue is triggered when attempting to parse font subglyph structures related to TrueType GX and variable font files."

Leo: It's those damn interpreters again. Every time; right?

Steve: That's right, baby. It's so hard to get those right. He's right, every time. Meta's advisory explains: "The vulnerable code" - get this - "assigns a signed short value to an unsigned long, and then adds a static value, causing it to wrap around and allocate an undersized heap buffer. The code then writes up to six signed long integers out of bounds relative to this buffer, which can permit the execution of arbitrary code."

Leo: It's a buffer overflow, baby.

Steve: That's the way it happens, yup. Citizen Lab wrote that Paragon is known for developing sophisticated exploits that do not require any interaction from the targeted user; right? So they just, they send your phone an iMessage, or they send you a WhatsApp PDF, and you don't have to do anything on your end.

Leo: Zero-click, yeah.

Steve: Zero-click. And your phone is compromised.

Leo: Unbelievable.

Steve: They found indications that the company was until recently able to hack up-to-date iPhones, and that their spyware has been used in countries including Australia, Canada, Denmark, Italy, Cyprus, Singapore, and Israel.

Leo: So Pellegrino, the journalist who this attacked, was also - his editor-in-chief was also attacked with the same spyware. The newspaper they worked for is known for its investigative journalism critical of the Italian government, including exposing connections between the youth ring of Prime Minister Giorgia Meloni's party, and neo-Nazi activities. The Italian government denied ordering the surveillance of the journalists, although the head of Italian intelligence said, yeah, well, we use Paragon spyware, but merely to monitor migrant rights activists. So I think it's pretty safe to say, you know, this is why they were targeted. They were investigating the government. And by the way, these companies like Paragon and Pegasus only, they say, well, we only sell to responsible governments, not known for their human rights violations. Like Italy, maybe. Unbelievable.

Steve: Well, and again, like are they - did they want to get dirt on these guys, so they blackmailed them into silence? I mean, I just don't - I guess I don't understand what having your phone hacked by the government because you're - like, are they going to delete your article before you publish it? I just...

Leo: Pellegrino says his phone contains sensitive personal data, medical records, and confidential journalistic sources. That's what they're coming after.

Steve: Okay. That's, yes. Because protecting your sources is your lifeblood for a journalist.

Leo: Right, right.

Steve: And so if you can't do that, no one's going to talk to you.

Leo: And every government feels justified in saying, well, we're just trying to track down these leaks. We don't want any leaks. So, and the journalist is never going to say.

Steve: Well, we saw our own government go apeshit a few months ago.

Leo: Oh, really.

Steve: When someone questioned whether the bombing of the Iranian nuclear facilities was as devastating as it was initially claimed. Somehow someone said it wasn't, it was like, oh, we've got to find that guy.

Leo: I would be shocked, shocked, if the U.S. intelligence agencies don't also use Paragon spyware. We're I'm sure a customer.

Steve: Yeah. I think probably all five of the companies, we're probably buying it from all the companies.

Leo: And, you know, god bless Apple for patching these every time they find them, and for sending those alerts out. That's huge; right?

Steve: Well, and this is that lockdown mode, which is not fun to use because suddenly it's, you know, you don't get balloons exploding on your birthday and all this random nonsense.

Leo: Hey. Is lockdown mode sufficient to stop these zero-click attacks? I don't know.

Steve: It does what it can.

Leo: Wow.

Steve: Yeah.

Leo: Unbelievable.

Steve: The world we live in today, Leo. Let's take a break, and then we're going to talk about - I have got a bunch of little quickie bits of news that I think everyone's going to find interesting.

Leo: I'm always up for a quickie. Let's talk about...

Steve: Bits of news.

Leo: News. News. I meant that. Yeah, of course.

Steve: Yeah, I did say little bits, too, yeah.

Leo: All right, Steve.

Steve: Okay.

Leo: Now let's get some quickies.

Steve: So just in case anyone listening might have some reason to depend upon their Windows 11 system restore points enduring for their traditional 90 days, I wanted to note that Microsoft's most recent update to the 24H2 edition of Windows 11 has deliberately reduced restore point life to 60 days. I doubt anyone will care, but I thought it was just worth noting.

Leo: Wow.

Steve: I saw that pass by, you know, it cuts it off by 50%, or by a third.

Leo: That's significant, yeah.

Steve: I don't know - yeah, it is. And so if you were like depending upon a 90-day lifetime before you were like, okay, then we're going to restore this, and then you look and it's gone, now you'll know why, or maybe get to it before it disappears. I don't know if they're wishing to save space on users' machines, or tightening security because they figure, well, no one really uses them after 60 days, and so it's just more of a security problem, you know, or what. But there it is. So if you're up with the latest Windows 11, and you routinely use restore points, now you'll need to do so within 60 days. Otherwise Windows is going to clean them off for you.

I noted last week when talking about the French city of Lyon, which a listener corrected me is not Lyon.

Leo: Lyon. Lyon.

Steve: Lyon. Which is working to move away from Microsoft solutions to Linux and other open source alternatives. That also the entire European Union is also working to eliminate their dependency upon Microsoft Azure for cloud services. Since then, it's come to light that they're almost, they've almost closed the deal with the French company OVH Cloud. They're now in what's considered advanced talks to dot the I's. The reporting about this indicated that a little more urgency had been put on the EU's need for increased sovereignty and its distance and dependence upon U.S. solutions, after the U.S. administration imposed sanctions on four judges of the International Criminal Court in early June, so early a month ago. One result of those sanctions was that those judges had their Microsoft accounts closed. Just, bang, sorry, goodbye.

So the EU will be working to provide alternative services that are no longer subject to the prevailing policies and politics of the U.S. And so, you know, that's probably for the better for the EU. They want to be more independent, and so they're going to work out how to do that.

Also on the EU, they've published their post-quantum cryptography roadmap. This instructs EU member states that they need to begin transitioning all of their systems everywhere to post-quantum crypto by the end of 2027. For all high-risk systems, such as critical infrastructure, this transition should be finished by the end of 2030. So essentially, you know, 4.5 years from now, anything considered high-risk critical infrastructure can no longer be solely dependent upon pre-quantum crypto. You could do things like Signal did, where you use a hybrid, which is, you know, belt and suspenders. Why not have both a pre- and a post-crypto and require that both be useful so that, if either are broken, you're still able to rely on the other.

Anyway, for the less mission-critical systems, another five years are available. States should have finished the migration of as many systems as feasible, is the way it was put, by the end of 2035. So 9.5 years from now, here we are mid-2025, for non-mission-critical, you know, noncritical infrastructure, and 4.5 years before all EU member states have to no longer solely depend upon pre-quantum crypto. And overall, you know, this entire pre- and post-quantum crypto move in my opinion has been handled with remarkable planning and grace. You know, we have the new algorithms which continue to be tested and stress-tested, and now they're being rolled out. We've already found some problems early on with a couple, and they've been strengthened or in some cases abandoned.

Academia has had plenty of time to pound on them and vet them. And we're all seeing our own protocols are beginning to adopt them. We've updated the underlying protocols like TLS, for example, to be able to smoothly accommodate the evolution, the retirement, and the introduction of anything new that may be required, today and going forward. You know, all indications are that, just as were present during the original design and birth of the Internet, it feels like a bunch of very smart people got together to carefully define and establish these next steps in the evolution of the world's networking and security. And, I mean, it's just gone beautifully. Now, of course, this all gets spoiled if someone has some massive quantum computing breakthrough immediately. But I think what we're up to factoring, was it...

Leo: We're a ways off.

Steve: ...seven-bit numbers. Yeah. So we're safe because we've got to get to 4096 before we start having problems.

Leo: Well, I don't know. IBM and Microsoft both think they're getting close.

Steve: Although, yes, and these things can tend to go exponential.

Leo: Yeah.

Steve: So, but anyway, I just - I'm just, as you stand back and you look at this, this has just been, like, somewhere amid all the chaos that we typically see in our industry where we're talking about, you know, Cisco having monthly 9.8 and 10.0 remote execution vulnerabilities and just this catastrophe of being unable to get Salt Typhoon out of our systems, all the while there are good people just calmly saying, okay, here are, you know, lattice-based crypto that won't rely on the factoring problem. So that's probably not going to be, you know, collapsing in the face of quantum computing. And so here's how we do that, and here's the timeline, and we need to update our underlying protocols in order to be able to smoothly, you know, begin using these without having any interruption at any point. All of this is happening. And it's just like, you know, somewhere there are adults who are...

Leo: Somewhere.

Steve: I don't know where. But, you know, they're doing a good job.

Leo: Yeah, it's great.

Steve: That old challenge, remember, of why do you care about privacy if you have nothing to hide? It's receiving a stress test in Russia with the government's recent announcement of their plan to create a single national database of IMEI numbers.

Leo: Oh, wow.

Steve: Talk about Big Brother. The Russian Ministry of Digital Affairs says the database will be used - and this is of course the way it starts; right? - to combat financial fraud. Banning IMEI codes will allow authorities to block individual devices from mobile networks, even after fraudsters change phone numbers. And of course that's the story, just as you were saying, Leo, governments talk about their use of surveillance only for legitimate instances.

Leo: Yes.

Steve: And then journalists are, you know, who you would think have rights to privacy have this crap on their phones. As we know, the IMEI numbers indelibly identify physical mobile phone handsets. They're the approximate equivalent of the globally unique MAC addresses that are assigned to every Ethernet NIC to identify and differentiate it from any other. But IMEI numbers must be known to the user's service providing carrier since they're what identifies the mobile device handset to the cellular network. This means that they're never really secret or private.

But needing to subpoena individual carriers on a per-subscriber basis would be far less convenient than simply requiring every carrier to provide an exhaustive dump of their entire current subscriber/IMEI database, and then require them to notify the Russian Ministry of Digital Affairs of any changes to that data over time. And as I said, I'm happy to be in the U.S. I'm thinking, you know, wow. Talk about overreach.

On June 23rd, the UK and Canada announced their establishment and initial funding under the heading "New Common Good Cyber Fund Launches to Strengthen Internet Security Globally." And we need more of this. Their announcement said: "The Internet Society (ISOC) and Global Cyber Alliance (GCA), on behalf of the Common Good Cyber Secretariat, today announced the launch of the Common Good Cyber Fund, an initiative to strengthen global cybersecurity by supporting nonprofits that deliver core cybersecurity services that protect civil society actors at high risk and the Internet as a whole. This first-of-its-kind effort to fund cybersecurity for the common good - for everyone, including those at the greatest risk of intimidation, harassment, harm, and coercion - has the potential to fundamentally improve cybersecurity for billions of people around the world.

"The Common Good Cyber Secretariat members working to address this challenge are the Global Cyber Alliance, the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams, Global Forum on Cyber Expertise, Institute for Security and Technology, and the Shadowserver Foundation. In other words, a whole bunch of non-profit organizations that are, you know, the good guys, sort of the same people who brought you post-quantum crypto in the right way, who are just quietly doing the right thing for everyone in the background.

"In a joint statement between the Prime Minister of the United Kingdom and the Prime Minister of Canada on the 15th of June, the Prime Ministers announced that they would both invest in the Joint Canada-UK Common Good Cyber Fund. And I think it's the tune of, oh, it's $5.7 million they're initially funding.

Leo: A million? Just a million? What are they, cheapskates?

Steve: Well, it's just the beginning.

Leo: Okay.

Steve: On June 17th - and these are lean organizations. They're not big, you know, money.

Leo: I'm so used to billions now. Everything's billions. Millions sounds like chickenfeed.

Steve: Yeah, I agree. I was surprised. On June 17th, during the G7 Leaders' Summit in Alberta, Canada, all the G7 Leaders announced they would support initiatives like the Canada-UK Common Good Cyber Fund to aid members of civil society who are actively working to counter the threat of transnational repression.

"Despite serving as a critical frontline defense for the security of the Internet, nonprofits working in cybersecurity remain severely underfunded, exposing millions of users, including journalists, human rights defenders, and other civil society groups to heightened risks of digital transnational repression involving the misuse of cyber capabilities to conduct surveillance, track individuals, and facilitate physical targeting. This underfunding also leaves the wider public exposed to increasingly frequent and sophisticated cyberthreats.

"Philip Reitinger, the President and CEO of the Global Cyber Alliance said: 'Common Good Cyber represents a pivotal step toward a stronger, more inclusive cybersecurity ecosystem. By increasing the resilience and long-term sustainability of nonprofits working in cybersecurity, improving access to trusted services for civil society organizations and human rights defenders, and encouraging greater adoption of best practices and security' - oh, my god - 'security-by-design principles.'" Please. Maybe give Cisco a call.

Leo: My god.

Steve: "The Common Good Cyber Fund ultimately helps to protect and empower all Internet users. So the fund will support nonprofits that, for example, maintain and secure core digital infrastructure, including DNS, routing, and threat intelligence systems for the public good." Like somebody is maintaining all of the root servers; right? Not all of those are being run by big organizations. So they need money, and they need, for example, help with DDoS attacks, which the bad guys are doing.

"Also, deliver cybersecurity assistance to high-risk actors through training, rapid incident response, and free-to-use tools." I'd give Cisco a call. "The announcement indicated that the fund would initially receive $5.7 million to support these efforts." So this is great; you know? The world has become utterly dependent upon a sophisticated system that just sort of - known as the Internet - that just sort of blossomed organically. It needs support. So this will be very welcome. And bravo to the UK and Canada for leading this. I hope that the U.S. is ready or planning to step in and toss in some money. We can certainly afford a few million because, as you said, Leo, this is not wasting a lot of funds.

Leo: No, it's very economical, really.

Steve: Alms, yes.

Leo: Yeah.

Steve: Axios had some good coverage describing recent U.S. state regulations being enacted - I thought this was really interesting - in response to the rise of Crypto-ATMs and, not surprisingly, unfortunately, the high level of abuse thereof. So here's what we learn. Axios said: "States across the U.S. are rolling out tough new laws that cap deposits and tighten oversight on cryptocurrency ATMs, seeking to cut off a favorite tool of scammers and extortionists." You can just see, like, you know, some scammer or extortionist telling, you know, Gramps to go to the Crypto-ATM and put your money in there, and then put in this code, and we won't out you to the world or whatever.

Anyway, "These Crypto-ATM," they write, "kiosks are the easiest way for ordinary people to turn cash into crypto, and their use by fraudsters has surged" - to no one's surprise - "over the last few years, especially with scams targeting older Americans." What? Crypto? What's that? Where do I get crypto? Well, you just go to this ATM. "These are popular tools," they write, "of scammers because cryptocurrency provides criminals with a way to receive money that a third-party cannot roll back. These kiosks have popped up all over the country; and over the last few years scammers have increasingly utilized them in all manners of schemes." And Leo, wait till you hear why they've popped up. Oh, boy. They're making the poppers some money here.

Leo: Oh, boy. Oh, boy.

Steve: Yeah. Axios wrote: "Last September the FTC reported that fraud losses specifically involving crypto kiosks jumped nearly 10x from 2020 to 2023. The FBI reported $247 million in losses," okay, so a quarter billion dollars. Why can't the cyber do-gooder guys get that money? That would be some money, instead of, you know, 5.7 million. Let's give him the crypto kiosk loss, $247 million. Wow. "In losses tied to the kiosks in 2024, with a 99% increase in complaints from the year before." I put my money in, and nothing came out. Yeah, that's right.

"Schemes have particularly impacted older Americans, both the FTC and the FBI warn. People 60 and over were more than three times as likely as younger adults to report a loss using a crypto kiosk. States taking action include Illinois. The state legislature sent a bill to Governor JB Pritzker in early June, who had called for legislation to address the issue earlier in the year. Among other things, the law would require Crypto-ATM operators to include details on every receipt such as the blockchain address where funds were sent that would help law enforcement with any future fraud investigation.

"Other states have taken similar actions. Vermont passed a law in May. One thing it does is put a daily limit on usage for these machines to throttle how much criminals can gouge their victims. Nebraska stamped a new law in March that establishes a licensing system for Crypto-ATM operators. Nebraska has been eager to bring crypto business to the state, but they want it to be under license. Arizona, which also enacted a bitcoin reserve fund, established a law in May that requires refunds on fraudulently induced transactions. A new Oklahoma law, which survived a veto by the state's governor" - I guess he tried to say no - "will go into effect on November 1st, establishing similar protections. And Rhode Island's governor signed a new law last Monday. In addition to enacting similar measures as other states, Rhode Island's law requires" - and I love this - "a warning about the irreversibility of cryptocurrency transactions to be clearly posted on the kiosk."

Leo: Good.

Steve: Right. Like don't go into the elevator until you check that there's a floor there. Yeah.

Leo: Yeah.

Steve: So, yeah, make it - put it like, you know, I've always said that enterprises that have problems with employees not understanding that their use of the company computer is not private, just need to post a sign across the top of the monitor. You know, this is our computer, our network, our bandwidth. What you do is ours, too. And, like, who can complain? So yeah, signage on the kiosk that's like, when you put your money in, it's gone. So be careful.

Axios said: "Cities have also homed in on the issue. On June 16th, the City of Spokane, Washington voted to ban" - okay, so they're just going to get rid of them - "ban all crypto kiosks." No crypto for you. "And they've been a topic in Minnesota cities including St. Paul, Stillwater, and Forest Lake." So this is an issue. "Much of this legislation," they wrote, "has been at the urging of the AARP" - of course the well-known American Association of Retired People, who've been after me for quite a while, Leo, they want to get me to join.

Leo: You're not retired. I hate to tell them.

Steve: Yeah, that's right, I'm not done yet - "which has been urging state legislators to pass these bills. The AARP says they've endorsed 12 bills that have passed in different states so far." Because, you know, those old people, we vote. So pay attention to the AARP. What came as a surprise to me, Leo, was that there is a high fee for the use of these services.

Leo: Oh, yeah, of course.

Steve: As I said, there's a reason all these kiosks are popping up all over.

Leo: Somebody's got to pay for all that hardware.

Steve: Exactly. And presumably that's what's going to pay the fines when complaints are filed against these things. So they're going to have to take some responsibility for who is on the other end of these transactions. One Crypto-ATM provider, Bitcoin Depot, reported - that's right, Bitcoin Depot.

Leo: This is right next door to Repo Depot. So that's good.

Steve: Reported an operating profit margin of 20%, so they're making 20% on the money, generating $33 million in profits for the first, just for the first quarter...

Leo: I need to get me a kiosk.

Steve: ...of this year.

Leo: Wow.

Steve: Yeah. Yeah. Just don't cash the money that you make. You may be giving it back, if the state that you're in requires that you license and stand behind your transactions. So I think...

Leo: Do you even get bitcoin? What do they give you, like a little wooden nickel?

Steve: It's a good question. It did say that the receipt you get must indicate the bitcoin address that it was put on.

Leo: Okay. So they give you a wallet, basically.

Steve: Yes. So I think what's happening is it's creating a wallet. You get back the bitcoin address. So when some scammer says you need to pay for this in bitcoin...

Leo: What's your address?

Steve: And you say, well, and you say I don't know what that is, they say, well, go to Bitcoin Depot and put your money in there. That will give you bitcoin. And then you come back and you put that into our web page, and then we're going to send you your auto warming socks, which, you know, are going to solve the problem that you've got with your cold feet. That's right.

Leo: Cold feet. No more cold feet. That's good. Yeah, yeah.

Steve: So anyway, we live in a country where, you know, individuals wish to preserve as much of their freedom and privacy as possible. So this seems like a tough problem. You know, I like more than anything the signage that says "All transactions are final." No money ever comes out of this thing. It only goes in. And so, you know, you're not getting your money back.

Leo: No money ever comes out of this thing. It's a roach motel for money.

Steve: That's right. Wow. Bitcoin Depot. It ought to be Bitcoin Black Hole.

Leo: Yeah, yeah.

Steve: Okay. So one more little bit of news, and we'll take another break. It occurs to me that the way to improve an app's security is to widely and publicly ban its use due to exactly its demonstrated lack of security. So to that end: "The U.S. House's Chief Administrative Officer recently informed congressional staffers that the messaging app [we all know of as] WhatsApp is now banned on all their government devices.

"The ban centers on the vulnerability of staffers' data at rest, and it comes as Congress is also taking steps to limit the use of AI programs which it deems similarly risky. In recent years the Chief Administrative Officer has set at least partial bans on" - I have DeepSeek. Is that what I mean? DeepSeek.

Leo: Yeah, that's the Chinese AI.

Steve: The Chinese much faster - yeah. Also ByteDance's apps, of course, TikTok famously, and Microsoft Copilot. Whoops.

Leo: What? How did that get in there?

Steve: Uh-huh. It has also heavily - someone told them they're going to store everything you ever do. And very much like the Bitcoin Depot, your data goes in, and it never comes out. It has also heavily restricted staffers' use of ChatGPT, instructing offices to only use the paid version, ChatGPT Plus. Which, okay. Anyway...

Leo: I don't know how that's more private. Now they have your name and address and credit card number.

Steve: These people have no clue what they're doing. But anyway, the Congressional Affairs Office wrote in an email: "The Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data..."

Leo: I really wanted to ask you about this.

Steve: Sounds like what's his face pissed somebody off.

Leo: Oh, Mark Zuckerberg.

Steve: Zuckerberg.

Leo: Because I don't think WhatsApp's doing anything different than, for instance, Apple Messages.

Steve: Well, WhatsApp is Signal.

Leo: Right. But so here's the problem with WhatsApp that we know because it happened to Corey Lewandowski is that, if you back up WhatsApp, it backs up the data in the clear.

Steve: Ah.

Leo: So it would go up to iCloud account.

Steve: Yup.

Leo: And then there was a subpoena, and they got it from the iCloud account. But that's true of a lot of messaging apps, including the one they recommended, Apple's Messages.

Steve: We know it's true of iMessage unless you turn on Advanced Data Protection.

Leo: Right. So they're recommending something that does the same thing.

Steve: Yes. So the issue is reportedly WhatsApp's lack of on-device encryption, which is exactly what you're saying, that the data on the device...

Leo: Is in the clear.

Steve: ...is not kept encrypted by the app. It's in the clear, and then subject to backup and subpoena.

Leo: So is that an unusual behavior? I mean, I thought that was the problem is if somebody has access to your phone, they have access to your messaging no matter what you do in transit.

Steve: It's true, but WhatsApp could be...

Leo: Messages stored encrypted?

Steve: Yeah. Oh, yeah. On the phone it is stored encrypted. And so it's not in the clear. I mean, the iPhone is so locked down, you know, it's all - it encrypts it on the fly in the pipe to the drive.

Leo: Right.

Steve: And then decrypts it on the fly on the way out.

Leo: Right.

Steve: So Apple has to, I mean, Apple does have a key that encrypts people's iCloud data. But the point is they have the key. When you turn on the...

Leo: It's the same for WhatsApp.

Steve: Yeah. Although maybe WhatsApp is not encrypting on the device. The reporting said that it does not have on-device encryption, and this CAO, the Congressional Affairs Office, said that Microsoft Teams, Wickr, Signal, iMessage, and FaceTime are acceptable alternatives to WhatsApp.

Leo: But they don't know if they're doing anything differently.

Steve: Yeah, I mean, I don't know. It would have to take - you have to have someone take a look at it forensically and see.

Leo: Right, because Apple's not telling.

Steve: And as I said, if in fact WhatsApp is not doing it, then they should.

Leo: I can tell you for sure that Apple is, I mean, if I can see the messages on the screen, at some point they're unencrypted on the device.

Steve: Yes. Well, but we don't know if they're unencrypted stored on the device, or when displayed. But we know that, like, we know that...

Leo: But I can scroll through old messages, and they're all there. You think it's unencrypting them on the fly?

Steve: Sure. Absolutely could be.

Leo: Okay.

Steve: Yeah. Yeah. And so just to finish this, to share the other side of this, Andy Stone, a spokesperson for Meta, said in a statement to Axios, who covered the story: "We disagree with the House Chief Administrative Officer's characterization in the strongest possible terms. We know members and their staffs regularly use WhatsApp, and we look forward to ensuring members of the House can join their Senate counterparts in doing so officially. Messages on WhatsApp are end-to-end encrypted by default" - we know that because they're using the Signal protocol - "meaning only the recipients and not even WhatsApp can see them." But that doesn't address the issue. He says: "This is a higher level of security than most of the apps on the CAO's approved list that do not offer that protection."

Leo: So Apple says that your messages are encrypted until you enter in your code, until the device is unlocked. Unlocking the device is the process of unencrypting.

Steve: And backing your device up to iCloud.

Leo: Right.

Steve: We know that...

Leo: But then they have the keys.

Steve: Right.

Leo: Right. Okay. So maybe it is - maybe, okay, maybe WhatsApp is less safe.

Steve: You know, early in our password manager days, there were issues with password managers that we were, you know, like I don't even remember them, like ones we never recommended.

Leo: They're long gone now, Steve.

Steve: Yeah, where they, you know, like somebody would discover the file, and there was all your passwords.

Leo: There it is, right.

Steve: That's like, wait a minute, you're telling me you're not keeping this encrypted on - no. We decrypt it on your system when you log in.

Leo: For speed.

Steve: Exactly. And then we reencrypt it when it's like, wait a minute, that's not safe. Somebody can come along and...

Leo: But nowadays machines are so fast that you can decrypt and encrypt on the fly.

Steve: Right. Or incrementally decrypt individual entries; right.

Leo: Right, yeah.

Steve: Okay. Break time, then we've got an interesting story about the collision of commercial use of open source software. And remembering xkcd's famous cartoon of the lonely guy in Nebraska.

Leo: Right, right. Incidentally, you are not freezing. I don't know if anybody's seen a freeze, but I haven't seen a freeze.

Steve: Yay.

Leo: So that's good news.

Steve: Yes, that means a restart of the cable modem did the trick.

Leo: Yeah. That or maybe it just was freezing at the beginning, and then once it got settled in - I don't know. We don't know. We don't know.

Steve: Okay.

Leo: But knock on wood.

Steve: Yay.

Leo: We don't have any.

Steve: I have Formica.

Leo: All I have is Formica, as well. What's wood? What's wood, Daddy? Well, there used to be this thing called trees.

Steve: It had a grain.

Leo: They were green. Steve, did you ever think about where does Shadow IT, where does that name come from? I mean, I know what it is. I mean, it's unmanaged apps. But I just don't...

Steve: Yeah.

Leo: Like what is it?

Steve: I think it's just a made-up name.

Leo: Just, well, obviously. Somebody made it up. All right. I'm just curious. Somebody will write you and explain the origin.

Steve: Okay. Yes. Yes, you're right, they will. We will have a listener who will go, Steve...

Leo: Well, as a matter of fact, I was there.

Steve: So I was somewhat distressed to hear what was on the mind of a German developer and the maintainer of the open source Lib, or Lib, but I like saying Lib.

Leo: You say Lib, man, it's okay. Nobody's ever told us how to pronounce it.

Steve: As in library, not library. LibXML2. Okay. So LibXML2. And I guess what put a point on it for me was learning that this library is being used by macOS, Windows, and Linux.

Leo: Uh-oh.

Steve: And of course when we hear about a lone maintainer of a library that's being used by all top three of the industry's operating systems, and thus indirectly by anyone using those features of those top operating systems, we're put in mind of the classic xkcd cartoon. So here's what Nick Wellnhofer recently posted under the topic "Triaging security issues reported by third parties." So this is the guy who's maintaining this library that Mac, Windows, and Linux are all using.

He wrote: "I have to spend several hours each week dealing with security issues reported by third parties. Most of these issues are not critical, but it's still a lot of work. In the long term, this is unsustainable for an unpaid volunteer like me. I'm thinking about making some changes to allow me to continue working on LibXML2. The basic idea is to treat security issues like any other bug. They will be made public immediately and fixed whenever maintainers have the time." Meaning whenever he has the time. "There will be no deadlines. This policy will probably make some downstream users nervous, but maybe it encourages them to contribute a little more. The more I think about it, the more I realize that this is the only way forward. I've been doing this long enough to know that most of the secrecy surrounding security issues is just theater.

"All the 'best practices' like OpenSSF Scorecards are just an attempt by big tech companies to guilt-trip OSS maintainers and make them work for free. My one-man company recently tried to become an OpenSSF member. You have to become a Linux Foundation member first, which costs at least $10,000 per year. These organizations are very exclusive clubs and anything but open. It's about time to call them and their backers out. In the long run, putting such demands on open source software maintainers without compensating them is detrimental. I just stepped down as LibXSLT maintainer, and it's unlikely that this project will ever be maintained again. It's even more unlikely with Google Project Zero, the best white-hat security researchers money can buy, breathing down the necks of volunteers."

So he posted that over on GitHub. And that was his issue-opening posting, which evoked a thoughtful reply from Red Hat's Michael Catanzaro, who is on the GNOME Release Team, the Fedora Workstation Working Group, and the desktop team at Red Hat. So somebody to listen to.

Michael's reply was: "Problem is, many of these bugs will actually be exploited in the wild if we do this, both in targeted attacks against specific disfavored individuals, and mass attacks against vulnerable populations like Uighurs." So he had three points. He said: "I agree that reducing the disclosure deadline for LibXML2 vulnerabilities might be strategic, at least for the time being, but there is a cost. Downstream vendors might stop reporting bugs here, which is probably worse than the status quo. If you want to do this, then I suggest applying a short disclosure deadline of 14 days rather than zero days. It might not even be necessary to make any changes to the disclosure deadlines at all. Please take a few days to think about what you prefer. Since you are the only active maintainer, I will follow whatever you decide.

"Second," he wrote, "if you're burning out, then one option worth considering is to reduce your focus, for example, you might consider focusing on triaging issue reports, reviewing merge requests, and optimistically mentoring new maintainers, rather than trying to fix security issues yourself. It's unreasonable to expect you to handle every problem alone, and it's time for downstream vendors to step up if desired. Many extremely wealthy corporations have a stake in fixing LibXML2 security issues, and they should help out by becoming upstream maintainers. If nobody else wants to help maintain LibXML2, then the consequence is security issues will surely reach the disclosure deadline, whatever it is set to, and become public before they are fixed. This is not your fault."

And finally he said: "I'm very grateful to Project Zero" - defending Google - "and other vulnerability research groups for reporting issues. Their reports are invariably excellent, and we should encourage them to continue reporting vulnerabilities as quickly as they can find them. Warning us that problems exist is not a problem. That said, Project Zero has notably reported zero security vulnerabilities in LibXML2 since the start of the year. They have reported three vulnerabilities in LibXSLT."

And Nick, the original poster and maintainer of this, answered Michael's reply, writing: "The point is that LibXML2 never had the quality to be used in mainstream browsers or operating systems to begin with. It all started when Apple made LibXML2 a core component of all their OSes. Then Google followed suit, and now even Microsoft is using LibXML2 in their OS outside of Edge. This should have never happened. Originally, it was kind of a growth hack, but now these companies make billions of profits and refuse to pay back their technical debt, either by switching to better solutions, developing their own, or by trying to improve LibXML2.

"The behavior of these companies is irresponsible. Even if they claim otherwise, they don't care about the security and privacy of their users. They only try to fix symptoms. I'm not playing a part in this game anymore," he writes, "It would be better for the health of this project if these companies stopped using it. I'm thinking about adding the following disclaimer." And he writes: "This is open-source software written by hobbyists, maintained by a single volunteer, badly tested, written in a memory-unsafe language, and full of security bugs. It is foolish to use this software to process untrusted data. As such, we treat security issues like any other bug. Each security report we receive will be made public immediately and won't be prioritized."

And then he finishes: "Most core parts of LibXML2," he writes, "should be covered by Google's or other bug bounty programs already. The rest of the code isn't as security-critical. I don't care if I don't receive security reports as early as possible. Most issues should be easily fixable by anyone. As soon as a patch is available, my job is done. I won't embargo security issues until a release is made. The only time you really want an embargo are on non-trivial issues that take longer to fix. I can live with that risk. Regarding Michael's bullet points," he says, "I'd love to mentor new maintainers, but there simply aren't any candidates. I'm not burning out. Thanks for asking."

So earlier, I was admiring with some awe the graceful way our industry has been managing the growing threat of quantum computing, which has the potential to overturn our well-established public key crypto systems. That's in the sharpest possible contrast to the sad and arguably pathetic mess the same industry has made of the open source model. Xkcd's famous teetering tower is so poignant exactly because it's so true. The idea that Apple, Microsoft, and Google are all using this code for free, then Google's Project Zero is finding and reporting flaws, while starting a disclosure deadline countdown clock as a means of forcing the software's developers to fix the discovered mistakes is so deeply wrong on so many levels.

Leo: Yes, yes.

Steve: So I can see the logic behind Nick's solution. If all flaws, whether or not they are also security vulnerabilities, are immediately made public, then Project Zero is defanged, and deadlines cease to exist. Nick's follow-up posting made it clear that he's well over the glory and flattery of having all of the big OSes incorporating his code into their commercial offerings. Thanks very much. How about paying for the privilege of having me maintaining this code base for you to use year after year after year?

And that's the problem, of course. The open source software concept has always been that it's there to be freely used by anyone, for free. And that's what happened. When another hobbyist uses it for their own little project, that's different from when a massive multibillion dollar corporation does so. In the latter case, the value proposition there seems unbalanced. Those multibillion dollar corporations are paying their own code maintainers to keep their code working. But then they also take whatever they want from the open source community without ever returning anything other than complaints when there's a problem.

Now, we know that there are more socially responsible large corporations that do employ developers to work on improving open source software. Certainly Google does a great deal of that, as well. But not everybody. You know, this open source movement, while it certainly has its heart in the right place, hasn't yet, I think, managed to figure out how to manage a fair exchange of value.

Leo: Right on, Steve. Right on. Yup. Agree 100%.

Steve: Okay. I have to report the second remote code execution vulnerability that we've talked about on this podcast in a utility, an app for Windows that a great many of us use. And that's WinRAR. I'm a registered and paid RAR and WinRAR user. So when I hear of an exploitable remote code execution vulnerability in WinRAR, I'm quick to download an update. WinRAR just moved to version 7.12, and everyone using it should update. You just go to win-rar.com/download.html.

Their notes, WinRAR's notes, said: "Directory Traversal Remote Code Execution Vulnerability." And this was - it's got a ZDI, so it came from the Zero-Day Initiative. It's their number 27198. They wrote: "In previous versions of WinRAR" - meaning before 7.12. So "In previous versions of WinRAR, as well as RAR, UnRAR, and UnRAR.dll, and the portable UnRAR source code for Windows, a specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction. User interaction is required to exploit this vulnerability" - that is, you have to extract things - "which could cause files to be written outside the intended directory." Whoops.

"This flaw could be exploited," they wrote, "to place files in sensitive locations such as the Windows Startup folder, potentially leading to unintended code execution on the next system login. This issue affects only Windows-based builds. Versions of RAR and UnRAR for Unix, the portable source code on Unix, and RAR for Android are not affected. We thank whs3-detonator, working with Trend Micro's Zero Day Initiative, for responsibly reporting this vulnerability."

So the danger would be that miscreants would arrange to induce Windows users to download, open, and extract the contents of what would essentially be booby-trapped RAR files. When doing so, even though a user responsibly set the extraction-to directory, for some special malicious files that can be overridden, causing them to be written anywhere the miscreants choose. We covered a similar problem with RAR and WinRAR many years ago, and I recall that, by the time we reported it, that problem was under active exploitation, so fixing it was extra imperative. This time, RAR users had the opportunity to get ahead of the day. I've not heard yet of this being exploited in the wild. But it's just going to be a matter of time.

My Windows 10 machine had v5.18. And the installer simply overwrote that with the newer version. Registration remained intact, and I now have a much more current release of RAR and WinRAR on my machine. So just wanted to make sure everybody knew about this.

We have a very cool new site for everyone to check out, haveibeenpwned.watch. You're probably going to want to bring this up, Leo, haveibeenpwned.watch. A security engineer named George-Andrei Iosif, who's with Snap, created haveibeenpwned.watch. It is a portal to display the data, live data from the haveibeenpwned.com website in very easy-to-use graphs and infographics.

The headline of his page reads: "Open-source, no-fluff charts showcasing haveibeenpwned.com's pwned account data." And his charts support mouse hovers, so you can float your mouse around to explore the charts. Anyway, I just wanted to give everybody a heads-up about it. It's just a very cool facility.

Leo: I'm trying to pull it up, but I think I'm being - it's probably newly registered domain, and I'm being blocked.

Steve: It worked for me. Do you have maybe something...

Leo: Oh, no, I have all that weird security stuff on there.

Steve: Of course you do. Yeah. Sometimes when your guys are sending me a link to, like, a different Zoom session or something, it's like, oh, crap, that's on a different computer which is well firewalled, even for me.

Leo: Right, exactly.

Steve: And so I'm like, how do I get over to it?

Leo: Yeah. Let me see. I just added it to my Allow list. It takes a little while to...

Steve: But you're right, I'd never seen a .watch top-level domain.

Leo: Yeah. Yeah. I don't know. Yeah, I'm able to connect. It's blocked somehow. I'm sorry. Leave this as an exercise for our listeners at home.

Steve: Let me see if I can bring it up.

Leo: I'm sure you can.

Steve: Yes, it came up for me.

Leo: It's NextDNS.

Steve: Ah, right, right, right. And actually I think I told you that I stopped using NextDNS because I'm developing the DNS Benchmark.

Leo: Right. It gets in the way.

Steve: One of the things it does is, well, yes. And it produces a burst - actually, it no longer does. But I was experimenting with removing the throttling so that it was just unthrottled. And it looked like a DDoS attack on NextDNS. I said, "Whoops, sorry."

Leo: Sorry, guys.

Steve: I put the throttle back in, yeah. Never had a problem again. Okay. So Sophos tells us how the bad guys are getting in. They produced a very nice infographic in bar chart form. Among each of the six possible technical root causes, as they called it, that will lead to eventual ransomware attack, it breaks down the percentage of each of those six possible causes for the most recent three years, and in this case 2025 year-to-date. So 2023, 2024, and so far like the first half of 2025. I wish they had shown this as three pie charts, one for each year. Then we could more easily see the relative percentages for the year overall, among the six different ways of getting in. And then by looking across the pies, we can see how those vary from year to year.

But I just think they didn't give it that much thought. Not as much as I did, putting this into the show notes, thinking, wow, this is not done right. And I guess I could have done it myself, but no. Anyway, the six categories, in order of clearly increasing incidence, so from least likely to most often occurring, regardless of the year, so there's no change from year to year, the least often is just a download of a file. Doesn't happen very often, like 1 or 2%. Brute force attacks around 3 to 6%. Phishing, between 11 and 18%. And that's across the three years. Malicious email, from 18 to 23%. Compromised credentials, now we're getting there, that's between 23 and 29%. And finally the biggie is exploited vulnerabilities. And that's at 32 to 36%.

Regardless of the year, one category, that biggest one, "exploited vulnerabilities," was responsible for a little over one third of all ransomware attacks. And, you know, can you say "Cisco"? Compromised credentials, as we saw, took a strong second place. And in fact, for every year, the sum of exploited vulnerabilities and compromised credential percentages accounted for over half across all six causes. So compromised credentials, exploited vulnerabilities, and not surprisingly that's why that's what we end up talking about so much and seeing so much in the news. That's the way the guys are getting in. You know, there were slight differences in the percentages from year to year, but no real huge pattern. It's not like anything got better over time.

So we don't appear to be doing any better from 2023 than we are through the first half of 2025. And in fact the reverse is clearly the case. Since these bars represent percentages, we don't see actual numbers. But down in the fine print of Sophos's caption we see, you know, the statistical "n" values for the number of ransomware attacks tracked from which those percentages were taken. For 2023, all of that year, that number is 1,974. For all of 2024, it was 2,974.

Leo: Oh, big jump.

Steve: Exactly a thousand more during 2024 than 2023. But for 2025 year-to-date we're already at 3,400.

Leo: Wow.

Steve: So we're already at 3,400. So...

Leo: Be twice that probably; right?

Steve: Yes, twice what we had last year.

Leo: Wow.

Steve: And hello, Cisco. Anyway, so I don't mean...

Leo: You've said that like 12 times in the show today.

Steve: Oh, I know.

Leo: I get a little salty about Cisco.

Steve: Am I a little annoyed? Yeah. Because...

Leo: This is actually very interesting from Sophos. It's not so much downloaded or even brute force, it's vulnerabilities. It's a big problem.

Steve: Yeah, yeah. And we're going to see that acquiring those is the way you win this game, Leo.

Leo: Yeah. Not a surprise. By the way, it was NextDNS. I have been able to go to the haveibeenpwned.watch site.

Steve: Yes, nice site. Lots of cool...

Leo: Yeah, really cool, very interesting. I love it that HaveIBeenPwned has an API.

Steve: Yes, isn't that cool? And are you able to hover your mouse and pick up stats?

Leo: Yeah.

Steve: Oh, yeah, there, yeah, yeah, cool.

Leo: Breaches per year, yeah. Wow. Pwned accounts per year. Why was 2019 so bad, I wonder? Maybe one or two really big ones; right?

Steve: You know, we got hit with those credential attack surprises. And, you know, we were talking about that a lot back then.

Leo: Look at this. Whew.

Steve: Yeah, those little stacked bars are very cool because you're able to explore them.

Leo: Yeah. Yeah, very nice. Anyway, thank you for blocking it, NextDNS. I will turn you back on now.

Steve: Probably, that is probably just a block unless we know otherwise; right?

Leo: Right.

Steve: So the bad guys are not cooking up new random TLDs and using that in order to get through until NextDNS is able to add a block on it. So, like, if we don't know it's okay, we're just saying no.

Leo: Yeah, yeah.

Steve: That's very cool. What is also cool, Leo, we're at an hour and a half, is we're going to talk about what Microsoft hopes they have done to fix the CrowdStrike flaw which brought down all those 8.5 million machines last summer.

Leo: Ai ai ai.

Steve: But first let's take a break. I'm going to take a sip of coffee, and then we're going to look at that.

Leo: Back to you, Steve.

Steve: Okay. So we were recently remembering last July's Windows mess which was triggered by a flaw in CrowdStrike's endpoint security system.

Leo: Yes. Oh, what a mess that was.

Steve: It resulted in more than 8.5 million Windows systems crashing hard and staying crashed hard. Although, Leo, we should be sensitive to the fact that this is no longer the official term for such events. I'm pretty sure that Microsoft would prefer that we refer to those 8.5 million systems as taking an unplanned group vacation.

Leo: Oh, lord.

Steve: In any event, once those 8.5 million machines returned from vacation and went back to work, Microsoft hosted in September the Windows Endpoint Security Ecosystem Summit, which if you turned it into initials would be WESES. That summit assembled a diverse group of endpoint security vendors and global government officials to discuss strategies for improving resiliency and protecting their mutual customers. In other words, how the eff do we prevent THAT from ever happening again? Because, boy, was that a - that was a mess.

So that brings us to today's news. Microsoft is close to launching a new security platform. Next month they've said that they will begin privately previewing their new technology that will allow antivirus and security tools to run without kernel access. And as we know, this has been the great challenge for Windows. To provide truly strong endpoint security, third-party vendors have needed to dig deeply into the OS to get their hooks into all of the various APIs that malware might attempt to abuse. Basically, being able to watch what Windows is encountering and preventing malware from taking advantage of that, if there's a weakness that lies behind.

And this is not something that any operating system wants to permit, that is, allowing anything else to hook deeply into it, for precisely the reasons that befell all of Microsoft's and CrowdStrike's customers last summer. When something goes wrong, it's bad. So Microsoft has been caught between a rock and a hard place because they have also been unwilling, apparently until now, to provide any workable alternative solution to the need for deep API kernel hooking. We are now being told that this will finally be changing. So I'm just reporting that. It'll be interesting to see whether the vendors themselves who have been actively participating in this process end up being satisfied with what Microsoft ends up doing.

One of the issues is performance. You know, coming in and out of the kernel is expensive. This is the reason that the graphics device interface, the GDI component of Windows, which was deliberately kept outside the kernel because can you say "interpreter"? It's so much potential for problem. Unfortunately, this GDI, the Graphics Device Interface portion, needed to be talking to the kernel all the time. So Microsoft analyzed the overhead of that dialogue and decided we can't afford not to move GDI into the kernel. What happened was, Windows got faster. And its security collapsed. We'll see.

Leo: Got worse.

Steve: Yes.

Leo: Yes.

Steve: Much worse. So, you know, they've been recovering from that decision for a long time. And what's really annoying is it was transient because now systems are so fast and GPUs are ubiquitous that you no longer have this problem with having a slow graphic device interface portion of Windows. But, you know, we have history. Anyway, I think we're going to have to wait and see. It's only being released for preview on a selected basis, not even broadly, as I understand it. So they're going to, you know, creep this out, and we'll see how that goes. It would be good if we could move endpoint security out of the kernel without incurring a performance problem. You know, no one's done it yet, so let's hope. And they, you know, they've been working on it for a year, basically, since this disaster last July.

Leo: Nothing should run in the kernel. I mean, ring zero should be sacred; right?

Steve: And you want a - the concept is a microkernel.

Leo: Right.

Steve: You know, you want a little small bunch of code whose integrity you can be absolutely sure of. It manages processes. It manages threads. It manages memory. And that's pretty much all it does. Then everything else around it are clients of this microkernel. That's, you know, everyone starts out that way. And then, just like anything else, it's like our U.S. tax code. Starts out looking great. But, well, but, you know, those farmers, they need some extra help. So let's cut out a little change in the tax code. Similarly, it's like, oh, well, yeah, but this networking API, turns out that this is a little slow to do outside the kernel, so let's just put a little, move a little bit of that code into the kernel. And before you know it, you end up with a big bloated operating system, and you no longer have any control over it.

Leo: It's even happened on the Mac. The Mach kernel they used was a microkernel.

Steve: Yup.

Leo: But at this point you'd be hard pressed to call it that, yeah.

Steve: It's just, you know, it's one of the unsolved problems of computer science. We have not yet figured out how to evolve software in a way that doesn't cause it to just get really ugly over time.

Okay. The U.S. Supreme Court just upheld a contentious Texas law. You know where I'm going with this, Leo.

Leo: I do. We talked about it extensively on Sunday, yeah.

Steve: It requires proactive age verification before accessing pornographic content on the Internet. And as I've noted before, this is fundamentally different from Mom and Dad setting the dates of birth into Jonny's and Sally's phones so that they'll be able to use Facebook. This is Mommy and Daddy needing to prove their own ages to some of the websites they have every legal right to visit. This is made tricky by the fact that at the moment we have no technology for providing anonymous age verification, and the challenge of providing unspoofable anonymous age verification remains an unsolved problem.

WIRED's coverage of this had the headline "U.S. Supreme Court Upholds Texas Porn ID Law," and the subhead "In a 6-3 decision, the Supreme Court held that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned it burdens adults and ignores First Amendment precedent." The first four paragraphs of WIRED's extensive coverage I want to share because you get the gist of everything.

They said: "If you try to access Pornhub, one of the world's biggest websites, from any of 17 U.S. states, you'll be blocked. Pornhub's parent company, Aylo Holdings, has restricted access in response to a slew of laws that says Pornhub itself should be responsible for checking that every visitor is over 18. Now, the United States Supreme Court has made a decision on a key age verification law, which could have ramifications for the entire country and the wider Internet as a whole.

"On Friday, in a 6-3 decision that could reshape the landscape of online privacy and free speech, the Supreme Court upheld in full the Texas age verification law - one of the first passed in the country - requiring many websites publishing pornographic content to check that all visitors are over 18. The law, Texas HB 1181, says sites that are 'more than one-third sexual material' can face fines of up to $10,000 per day if they don't put in place age verification systems, plus extra penalties of up to $250,000. It also states websites should display health warnings about the potential health risks of pornography.

"Writing for the majority, Justice Clarence Thomas said that because the law 'simply requires proof of age to access content that is obscene to minors, it does not directly regulate adults' protected speech,' adding, 'adults have no First Amendment right to avoid age verification.'

"In her dissent, Justice Elena Kagan argued that the Texas law imposes a direct and unconstitutional burden on adults' access to protected speech. 'A State may not care much about safeguarding adults' access to sexually explicit speech; a State may even prefer to curtail those materials for everyone,' she wrote, 'but the First Amendment protects those sexually explicit materials for every adult.'"

So I had no idea that Pornhub could be described as one of the world's biggest websites.

Leo: Oh, yeah.

Steve: But I did a bit of checking; and, sure enough, it is. It's unbelievable. So from a technology standpoint, it seems clear to me that this creates a market in the short term for VPN services which provide for virtual Internet relocation. But I suppose that anyone living in any of those 17 blacked-out U.S. states who wishes to obtain access to this proscribed content will have already found a way to appear to be connecting from a non-blacked-out location.

But I said "in the short term" because VPN services operating within the United States are also subject to the law. And the law doesn't say "no one connecting from within Texas," it says "no one residing within Texas." So once the use of VPNs for geo-relocation becomes commonplace, we can expect our duly elected representatives to close that loophole, too. So this is going to be interesting to watch. And it's another intractable mess we've gotten ourselves into where the cyberworld collides with the physical world.

Leo: Yeah, I mean, no one would contest that a grocery store owner should be able to age check kids buying adult material on the newsstand. That's not a problem.

Steve: Yup.

Leo: This, though, has a much larger impact because age verification is inherently a privacy violation. And furthermore, the definition of what is adult material is very flexible, and it's not hard to imagine at some point Texas or some other state's legislature saying LGBTQ content is adult, or content about contraception, or even, you know, content that is unfriendly to the administration.

Steve: Increasing the breadth of the ban.

Leo: Yeah.

Steve: Well, and I've made the point that in the physical world, you know, a 14 year old trying to sneak into a strip club is going to be stopped at the door by the bouncer.

Leo: Right.

Steve: Because, you know...

Leo: You're obviously 14.

Steve: Exactly.

Leo: Right. They don't check your ID at every person.

Steve: Right. But on the Internet, no one knows how old you are.

Leo: Exactly. Exactly. It's a very, very bad precedent. It really undermines the First Amendment, I think.

Steve: Well, it is an intractable mess. And, I mean, coming from a technology standpoint, I can solve the problem of Mom and Dad wanting Jonny and Sally...

Leo: I love your solution.

Steve: ...to have their phones identify their age.

Leo: Yeah.

Steve: That's not a problem. But Dad or Mom needs to prove that they are of age if they want to access this now proscribed content. And we've also made the point, too, that if a 14 year old...

Leo: They can get around it.

Steve: ...wants to get around - yeah. I mean, that's just not going to block anybody who's determined.

Leo: No.

Steve: I mean, were I 14 years old, I'd be having a lot of fun selling access to my peers.

Leo: Look, I think it's probably a laudable goal to try to restrict access to that kind of content...

Steve: Yes. I mean...

Leo: ...to kids. I don't think that's a bad thing.

Steve: Having a "Yes I'm 18" button, that does nothing.

Leo: Right.

Steve: I mean, we know that does nothing. It's like, you know, look, the handle on the door is unlocked.

Leo: Every website that sells liquor, every whiskey site we go to on Wednesdays, has that age verification thing on there. That's nonsense. But I wouldn't want to have to present ID before I could go to a liquor site. That's a very different thing.

Steve: And that is the problem is that, you know, I'm sure that a lot of people who do want to visit Pornhub do not want to identify themselves.

Leo: No, I wonder why?

Steve: Because of this interest that they have.

Leo: You don't want to give your government-issued ID to Pornhub or Jack Daniels. Either way, it's a bad idea.

Steve: Yeah.

Leo: All right. I'll shut up.

Steve: Okay. A few other bits. Hikvision is another controversial Chinese company. We've talked about them in the past. I remember at one point, Leo, years ago, when they were like in the doghouse, you brought up a picture of their website that had, like, cameras up in the sky, and it was like, it was quite spooky. So they manufacture security cameras, and the Canadian government has just ordered them to close their Canadian operations.

Leo: Wow.

Steve: Basically kicking Hikvision out of Canada.

Leo: Interesting, wow.

Steve: The Canadian officials said that the company's business is an active threat to Canada's national security and banned government agencies from purchasing new Hikvision products, even using stores outside of Canada. And as we know, when we covered this previously, the U.S. sanctioned Hikvision for aiding the Chinese government's surveillance of the Uyghur minority in Western China. So, you know, there again, another instance of this growing divide that unfortunately we are seeing.

Meanwhile, Berlin, Germany's data protection agency is seeking to ban DeepSeek throughout Germany over what they're claiming is DeepSeek's illegal transfer of user data to China. Germany's data protection agency has reported both apps to the Apple and Google app stores for GDPR violations. In other words, get them out of the store. According to CNBC, this initial action in Germany may lead to a European Union-wide ban on DeepSeek. So Germany first, maybe all of the EU.

And I do regard all this as unfortunate, but I guess inevitable. Early last month Russian ISPs - I love the word "throttling" in this reporting. ISPs began throttling traffic from Cloudflare to their customers. Okay? And as we've talked about recently, what a massive percentage of the Internet is now being hosted by Cloudflare. So if Russian ISPs are throttling Cloudflare's traffic, then that means that all of the customers of those ISPs are going to have a problem. Well, they're going to have a bigger problem than throttling would suggest. You would think that that meant forcing pages to load more slowly. No. Russian ISPs are - get this - only allowing 16KB of data to load from a page before completely blocking anything more. Now, you can actually surf GRC with 16K pages, but probably nothing else on the Internet.

Leo: Yeah, that's pretty remarkable.

Steve: You know, because I'm still hand-coding all of the HTML.

Leo: There's a lot of [crosstalk], yeah.

Steve: And there's no libraries or scripts or anything. So, okay. The only rationale that I could imagine would be that it would be possible to have a Cloudflare site return an HTTP redirect in fewer than 16K, I mean, it only takes a few hundred bytes. Which would redirect to a Russian-located site. So I don't know, maybe that was the idea? I mean, 16K, you can't even get off the ground on a web page with 16K these days. Any Russian sites hosted by Cloudflare could rehost themselves in Russia and redirect any previous Cloudflare visitors to their Russian-hosted site. But on the other hand, why not just repoint the domain to a Russian-hosted IP, and that would be easier. So I don't understand it. I mean, why, if you want to block Cloudflare, just shut it off. I don't get what 16KB does. It seems crazy to me. But okay.

Just a brief update, Leo. Having caught up with Ryk Brown's Frontiers Saga series over the weekend, I started into my re-read of "Project Hail Mary."

Leo: Oh, good.

Steve: I had forgotten how much I must have enjoyed it the first time, since I am astonished by how much fun I'm having with this book.

Leo: And even though you know what's going to happen, you're still loving it.

Steve: Oh, well, that's me. Yes. There are some things that my wife Lorrie will do more than once. We really like, well, there are a number of movies that we've seen several times. But generally, if she knows what's going to happen, she has no interest. Now, she loved "The Martian." And I don't think she really paid attention when I was reading "Project Hail Mary" the first time. She may have been in the middle of another book. But when I came home last week with the news of this trailer that we talked about last week, and we started watching it, she immediately stopped me before, like, we only got, like, I don't know, a third of the way in because she didn't want any spoilers. She wanted to read the book because she liked "The Martian" so much. She finished that book, she finished "Project Hail Mary" this weekend and really enjoyed it. Although she thought the ending was sappy, I thought it was wonderful. So, and it was sappy. But okay.

Leo: Yeah, well, we're old softies, I guess; right? She's a hard woman. A hard woman.

Steve: Anyway, so for what it's worth, for anyone listening to as geeky a podcast as this, who obtains pleasure from reading or listening to books, you will likely love Andy Weir's writing, you know, his science and his humor.

Leo: He's great, yeah.

Steve: I missed reading Andy's second book, "Artemis," when it was released eight years ago in 2017. I must have been deep into some other series at the time. But I'm not now. So once I finish my reread of "Project Hail Mary" I plan to follow that with "Artemis."

Leo: It's not as good.

Steve: And that's okay. I don't need it to be as good.

Leo: I've interviewed him, as you know, every time, I think three times now, because I did it again for Artemis, as well.

Steve: Oh, no kidding. Oh, okay.

Leo: And "Artemis" was his plan, he had some really interesting ideas. It was his plan to create a new series. And it has a very - it has a great protagonist. It's a moon colony. It's kind of interesting. I'll be very curious what you think of it. The problem was he started with "The Martian." And everybody was expecting another Martian.

Steve: It's like a high bar; right.

Leo: Yeah. And it wasn't another Martian. And "Project Hail Mary" is much more in the Martian vein of, you know, "sciencing the crap out of it."

Steve: Oh, my god. And it's funny, too, because, I mean, I'm, you know, I love physics, and I love the science, and there have been several points, because I use continuous scroll on my Kindle.

Leo: Right.

Steve: And so there have been points where I've, like, gone and [gulps]. And like Lorrie's sitting next to me, she says, "What?" And I said, "Oh, I know what the next page is going to have on it." I mean, like, because I, you know, I'm following all of the science. And I'm surprised, I said to Lorrie, I said, "I'm very surprised that he is this good with the science."

Leo: He really is; isn't he.

Steve: But I think he has lots of advisors.

Leo: Oh, maybe.

Steve: He gets it really right. I mean, it's astonishing. Well, anyway, I don't want to give any of it away. But I just wanted to say again to our listeners, what's wrong with you?

Leo: What's wrong with you?

Steve: The only thing that I can see that's wrong is that it's not free. Free is a lot easier than asking anyone to pay, you know, 7.50 or whatever it is, on Kindle. Apparently it's free on...

Leo: I can't wait till the...

Steve: The movie?

Leo: The movie. You know, but...

Steve: I wonder, I'm dying to know how they're going to do this because all of this is in his head. We're listening to his thoughts. So the only way I can think they're going to do this is that we're just going to hear his inner dialogue throughout the entire movie. Because I'm a quarter of the way in, I think, now. And it's mostly inner dialogue. We have to be hearing his voice telling us what he's thinking.

Leo: Andy Weir was on Triangulation 428 talking about "Project Hail Mary." That was in 2021. We had him on after "The Martian" in 2014, which is pretty wild. I didn't realize it had been such a big spread. And I feel like we also interviewed him on The New Screen Savers. And there's another one, oh, for "Artemis," yeah, Triangulation 322, which is in 2017. So, yes, I've spent a lot of time with Andy Weir. Love the guy. And he's a great author.

Steve: Well, and apparently there were plans for an "Artemis" movie which fell through.

Leo: Yeah.

Steve: Maybe because it just didn't, you know, do as well as it was expected to. I mean, after you do "The Martian," you probably get...

Leo: It's pretty hard.

Steve: You get the rights grabbed before you even go to print on [crosstalk].

Leo: Well, and that's what happened, I remember him telling us, with "Project Hail Mary." He knew that Lord and Miller were going to direct it, and that Ryan Gosling was going to star in it, even before it was published.

Steve: Yeah.

Leo: I mean, he already knew all of that. So, yeah. I don't know what happened to "Artemis." I think it's actually quite a good book. If it hadn't come on the heels of "The Martian."

Steve: To be compared by...

Leo: Yes. Because it's such a different kind of book. But I love his protagonist. I think it's a great story. It's about the moon colony. And I think you'll like the science in it. There's some good science in it.

Steve: Cool.

Leo: Yeah.

Steve: Well, I will let everybody know what I think. Let's let everybody know what we think about this final sponsor.

Leo: Oh, our last ad for the show today.

Steve: And then we're going to look at "Going on the Offensive," what it's going to take for the U.S. to get nasty.

Leo: All right, Steverino. On we go.

Steve: Okay. So this podcast has often wondered what's going on with the United States' cyberwar posture. We're endlessly covering China's intrusions into U.S. networks and all the trouble that causes for us here in the states. We recently looked at the concerns over the discovery of undocumented radios turning up in Chinese-made power inverters used in wind and solar energy production. Chinese-made security cameras are being increasingly banned from sensitive locations. We talked about Hikvision just now. And we've worried about the ubiquitous presence of DJI drones being used on military bases and other sensitive areas.

What I wonder is whether similarly cyber-aware Chinese citizens located in China - essentially our counterparts - are covering the same sorts of stories about intrusions, plotting, and planning being made by the U.S. Because we're here in the U.S., we don't have the same visibility into U.S. operations in China as we do into China's operations in the U.S. So I've often wondered whether the U.S. is giving as well as it's getting. Are things balanced? Is China worrying about us as much as we're worrying about them?

And I just want to say, before we go any further, I always want to be very clear that this entire subject area, and I've alluded to this from time to time, always makes me feel a bit queasy. I know we have Chinese listeners, and there are very few things in this life that feel more unjust to me than racism. So I want to be crystal clear here that in every instance we're talking about the actions of our respective governments and their militaries - not their people.

Leo: No, I love the Chinese people, I love the Chinese country. But the CCP, not so nice.

Steve: Right. So this has nothing to do with ethnicity. Although democracies elect their leaders, those leaders don't always do what many of those they lead wish they would. So we fill out our ballots and hope for the best.

So I ran across a fascinating document which was prepared by Winnona DeSombre Bernsen, a former security engineer at Google's - oh, and that's the name, Leo, TAG, the Threat Analysis Group.

Leo: Ah, TAG, okay.

Steve: Google's TAG group. You know, TAG, you're it. She's the founder of the offensive security conference DistrictCon, held in Washington, D.C.; and she has organized policy content at DEF CON and authored multiple pieces on offensive cyber capability proliferation. She's a fellow at the Atlantic Council, a Washington, D.C.-based policy think tank, and in that capacity she interviewed a sobering list of people whom she lists at the end of her piece. In many cases she's only able to use their approximate titles because of the sensitive nature of their positions within the U.S. government or military.

She titled her piece "Crash" - well, it would be Crash and Burn, but she put after Crash, she had in parens "(exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace." So she's taking, you know, a clearly U.S.-centric, how do we give as well as we get stance. And note that her use of the term "offensive cyber supply chain" - in other words, how can the United States reliably obtain the tools, meaning the exploits, we need to attack others?

The PDF of this report is 44 pages, and I've placed a link to that PDF in the show notes for anyone who wishes to dig deeper. I'm certainly not going to go through all of that. But it's beautifully organized for the harried policy pusher. It makes all of its points quickly, then backs them up with data and specifics. So I only need to share the beginning of this well-organized, lengthy, in-depth, and detailed report since it contains a ton of very interesting insights and specifics that we've never covered on this podcast before because we didn't have the results of these interviews which she has made.

So the report begins by posing a question as its thesis. She writes: "If the United States wants to increasingly use offensive cyber operations internationally, does it have the supply chain and acquisition capabilities to back it up, especially if its adversary is the People's Republic of China?"

She writes: "Strategic competition between the United States and China has long played out in cyberspace, where offensive cyber capabilities, like zero-day vulnerabilities, are a strategic resource. Since 2016, China has been turning the zero-day marketplace in East Asia into a funnel of offensive cyber capabilities for its military and intelligence services, both to ensure it can break into the most secure Western technologies, and to deny the United States from obtaining similar capabilities from the region. If the United States wishes to compete in cyberspace, it must compete against China to secure its offensive cyber supply chain. This report is the first to conduct a comparative study within the international offensive cyber supply chain, comparing the United States' fragmented, risk-averse acquisition model with China's outsourced and funnel-like approach.

"Our key findings are" - we have some bullet points. "First, zero-day exploitation is becoming more difficult, opaque, and expensive, leading to feast-or-famine contract cycles." And I'll get to explaining that in a minute. "Middlemen with prior government connections further drive up costs and create inefficiency in the U.S. and Five Eyes market, while eroding trust between buyers and sellers. China's domestic cyber pipeline dwarfs that of the United States. China is also increasingly moving to recruit from the Middle East and East Asia. The United States relies on international talent for its zero-day capabilities, and its domestic talent investment is sparse - focused on defense rather than offense.

"The U.S. acquisition processes favor large prime contractors, and prioritize extremely high levels of accuracy, trust, and stealth, which can create market inefficiencies and overly index on high-cost, exquisite zero-day exploit procurements. China's acquisition processes use decentralized contracting methods. The Chinese Communist Party outsources operations, shortens contract cycles, and prolongs the life of an exploit through additional resourcing and 'n-day' usage." Meaning not just zero-day. "U.S. cybersecurity goals, coupled with 'Big Tech' market dominance, are strategic counterweights to the U.S. offensive cyber capability program, demonstrating a strategic trade-off between economic prosperity and national security.

"China's offensive cyber industry is already heavily integrated with artificial intelligence institutions, and China's private sector has been proactively using AI for cyber operations. And finally, given the opaque international market for zero-day exploits, preference among government customers for full exploit chains leveraging multiple exploit primitives, and the increase in bug collisions, governments can almost never be sure they truly have a 'unique capability.'"

Okay. So it feels as though there may be an inherent conflict between the traditional way the U.S. military has conducted its business and the faster, more furious, and significantly less certain way the zero-day cyber-marketplace functions. It also sounds as though the U.S. may still be stuck in a "but we're the good guys" mindset, whereas China's management may evidence more of a "just get it done" style, which more closely aligns with the realities of cyber.

Winnona next lists three recommendations, writing: "First, strengthen the supply chain by creating Department of Defense vulnerability research accelerators, funding domestic hacking clubs and competitions, expanding the NSA's Centers of Academic Excellence in Cyber Operations, and providing legal protections to security researchers.

"Second, improve acquisition processes by establishing a government-sponsored vulnerability broker in a federally funded research and development center to decentralize and simplify exploit purchases while increasing cyber capability budgets and expanding research on automated exploit chain generation.

"And third, adjust policy frameworks to consider counterintelligence strategies in the zero-day marketplace (burning capabilities of malicious actors while recruiting willing 'responsible' actors into a more formal pipeline), funding n-day research through U.S. Cyber Command (USCYBERCOM) where appropriate, and leveraging alliances to counter China's growing cyber dominance."

That all appears to amount to: "We need to be getting serious right now about zero-day exploit acquisition. That's where all the action is and where it's going to be in the future. And we're going to be in trouble if we don't rearrange our operations and priorities right away." She concludes: "Without meaningful reforms, the United States risks ceding to China whatever strategic advantage it has left in cyberspace. By fostering a more deliberate offensive cyber supply chain and adjusting acquisition strategies, the U.S. can retain a steady supply of offensive cyber capabilities to maintain its edge in the digital battlefield."

Okay. It's unclear to me where the assumption comes from that the U.S. currently has any "edge" at all in the digital battlefield. We don't know what we don't know. But I wonder if this isn't just a bit of soft pedaling so as not to ruffle too many higher-up feathers who are reading this policy piece.

Her report then provides a pair of pull-quotes to set the stage for a bit more background. The first quote is from Alexei Bulazel, incumbent Special Assistant to the President and National Security Council Senior Director for Cyber. Alexei says: "America has incredible offensive cyber power. We need to stop being afraid to use it." I dearly hope that America has incredible offensive cyber power and that the only reason we haven't seen more evidence of it is that we've been afraid to use it. That suggests that it might be available if and when needed.

Jeremy Fleming, former GCHQ director is quoted saying: "Geopolitical conflicts are increasingly shifting to cyberspace, including tensions between the U.S. and China. Technology is therefore no longer just an area for opportunity, but also a battleground for control, values, and influence."

Okay. So here's the background Winnona provides to preface her more detailed analysis that follows, which I'm not going to share. But the background has got some good stuff in it. She says: "China and the United States are engaged in strategic competition in cyberspace. While cyber operations are often an overlooked area of geopolitical power, both countries' militaries, intelligence communities, and law enforcement agencies conduct cyber operations. They do so to obtain intelligence crucial to national security, assist conventional military operations, and even create kinetic effects to achieve strategic goals. To make a cyber operation possible, one must have the capacity to break into a particular system."

I want to repeat that because this is where the whole thing turns. "To make a cyber operation possible, one must have the capacity to break into a particular system. Offensive cyber capabilities, and particularly zero-day vulnerabilities, are the necessary strategic resources required to conduct such operations." In other words, that's it. That's what we need. That's the future. Zero-days. We need them.

She writes: "The United States clearly wishes to further leverage its cyber prowess in the international arena, particularly against the People's Republic of China. Doing so would help the United States protect its vital national security and economic interests, international partnerships, and norms. However, to operationalize a 'cyber power' strategy, the United States must acquire enough high-end capabilities to ensure it can achieve such strategic goals. Moreover, the timeline for implementing these policies is urgent, given the increasing potential for conflict with China in the coming years. Thus, given the international privatized offensive cyber capability marketplace" - let me say that again.

"Given the international privatized offensive cyber capability marketplace, how can the United States and its allies continue to ensure the availability of offensive cyber capabilities," she says, "focusing on zero-day vulnerabilities, while limiting China's access to those same capabilities?" In other words, we want to buy them. We don't want them to be able to buy them.

"Cyber operations consist," she writes, "of a variety of offensive cyber capabilities. Many of the most crucial cyber capabilities involve the exploitation of 'zero-day' vulnerabilities, also known as zero-days or 0-days. Zero-day vulnerabilities" - and I'm repeating. We all know this, but I'll just set the context. "Zero-day vulnerabilities are issues or weaknesses ('bugs') in software or hardware, typically unknown to the vendor and for which no fix is available. In other words, the vendor has had 'zero days' to fix the issue. Some of these vulnerabilities are exploitable. An actor with knowledge of the vulnerability could write code that takes advantage of said vulnerability.

"This results in a 'zero-day exploit' - code enabling a range of behaviors that could include establishing access into the computer system the software is installed on, escalating privileges on those systems, or remotely issuing commands." You could tell this woman knows of what she speaks, and she was, after all, in Google's exploit world.

"The work of finding vulnerabilities and writing exploits, thanks to its strategic necessity to governments worldwide, has become" - get this. "The work of finding vulnerabilities and writing exploits, thanks to its strategic necessity to governments worldwide, has become a billion-dollar international services industry in the last 20 years." During this podcast, a billion-dollar international services industry has appeared, selling exploits to governments.

She writes: "Private firms now often create cutting-edge offensive cyber capabilities for governments. Given the sensitivity around supporting government cyber operations, many of these firms do not openly advertise their services, shrouding the industry in secrecy. Between this secrecy and the variation in products offered, for example, governments target different technology systems, and no two zero-days are identical, the supply chain for such capabilities is not only opaque to outsiders, but also to governments, and even among players in the industry.

"Within this highly fragmented and opaque market, large firms, like the United States' L3Harris or ManTech, frequently hold multimillion dollar valuations. Notably, Israel's NSO Group's worth reached $1 billion at its peak. Meanwhile, individual U.S. government agencies receive millions of dollars to procure offensive tools. Such companies' tools have clearly been purchased by such government agencies and put to use in modern-day cyber operations. Notably, of all the zero-day vulnerabilities found exploited 'in the wild' in 2023 and 2024 by Google, around 50% of them were attributed to commercial vendors that sell capabilities to government customers."

Again, half of the zero-days that Google found through 2023 and 2024 are directly attributable to commercial vendors selling them to government customers. She says: "While this statistic only encompasses detected zero-day exploits, this is still a significant set of capabilities being provided by private sector actors." Private companies selling to government customers.

She says: "The offensive cyber capability industry itself is international and ranges in professionalization depending on the region; companies in Russia, Israel, Spain, Singapore, and the United States all have varying relationships with their home governments, other firms (including middlemen and brokers), international government customers, and even cyber-criminal groups. However, the study of offensive cyber capabilities has largely over-indexed on firms based in Israel and Europe rather than the United States' greatest geopolitical rival, China. This is surprising, as the Chinese hacking and cybersecurity ecosystem is robust. Chinese companies have, on multiple occasions, been directly linked to Chinese government-sponsored cyber operations against the United States.

"Moreover, the development of offensive cyber capabilities in the United States remains largely unstudied or examined in a way that does a disservice to the domestic hacker community." In other words, she just said what I keep talking about on this podcast is that what's going on here? We don't ever see anything. Right.

She asks: "Why is this question important? At first glance, it can be difficult to see why the private sector zero-day exploit market - a series of obscure companies selling code that can enable governments to break into widely-used software - would be important in preserving national interests in cyberspace, particularly against China. A simple explanation of this relationship is as follows. The United States and its allies rely on an increasingly digital world, and China is both a savvy adversary and a hardened target in cyberspace. When any country's intelligence community wishes to infiltrate high-value, hard-to-access digital targets, it likely must use zero-day exploits or other bespoke (in other words, custom-made or tailored) offensive cyber capabilities.

"Intelligence organizations from both the United States and China, due to decreasing internal supply and rising demand for such capabilities, have increasingly relied on acquiring such exploits from the private sector zero-day exploit market. However, the private sector zero-day market is murky and more international than policymakers expect. Even if the United States and China are truly entering a 'New Cold War,' both countries still source these capabilities from an overwhelmingly opaque international market of offensive cyber capability firms, and do not know if they are being supplied with potentially overlapping capabilities.

"In short, any cyber operation that relies on an acquired capability, conducted by the United States, China, or anyone else, carries a counterintelligence and operational security risk, with no guarantee that they can source a similar capability in the future. Thus, securing the cyber supply chain - which means understanding the industry, constraining malicious actors, and ensuring availability from trusted parties - is important to address such risks.

"While former President Joe Biden's administration sought to constrain private sector actors with additional regulation and placing bad actors on the entities list, these policies were framed around human rights concerns largely out of Europe and Israel. President Donald Trump's administration is moving away from this approach, focusing on China as a geostrategic threat over transnational digital repression framings, as well as signaling willingness to engage with private sector actors in the space.

"The Trump administration, as of 2025, has accelerated plans for a U.S. Cyber Command 2.0, focusing on working better with private industry partners. This is a continuation of the first Trump administration's policies. Trump was the first president to delegate the authority for offensive cyber operations down to the Secretary of Defense, allowing USCYBERCOM more leeway to conduct operations without presidential approval, albeit still with a robust interagency review process.

"And finally, if the United States wishes to further leverage its cyber prowess in the international arena by leveraging private sector partners, does it have the supply chain and acquisition capabilities to back it up, especially if its adversary is the People's Republic of China? Although the author does not condone general analogies between cyber and other domains, supply chain and acquisition analysis in the cyber domain can be similar to nuclear or other arms proliferation. For example, to answer whether a country has the capability to construct a nuclear weapon, one must understand how much enriched uranium the country can easily acquire. Similarly," she writes, "to answer whether a country can become a cyber power that can access the hardest of digital targets, one must ask how easily it can source and acquire zero-days and other offensive cyber capabilities."

So Winnona made assertions, a lot of assertions, in what I just read. In nearly every case those assertions were followed by a reference in her text to their source. So none of this was just her opinion, regardless of how well informed it may be.

So we have a somewhat bizarre new world where governments need to purchase newly discovered zero-day vulnerabilities from anywhere they can be purchased, and where the "anywhere they can be purchased" is an entirely ad hoc mishmash of entities, from someone in their mother's basement to an international weapons dealer or a public government contractor. If we were to extend Winnona's uranium acquisition analogy a bit, this would be analogous to tens of thousands of individuals, each with their own little backyard uranium enrichment operation, who then sell what they've created to the highest bidder, or to someone they trust.

She offered some interesting numbers to give us a sense of scale of what's going on today. She wrote: "Live hacking competitions (where hackers hack into systems live onstage), and bug bounty programs (usually company-run reward programs that encourage hackers to find and report system vulnerabilities), enable hackers to develop similar skill sets as those required for government-sponsored hacking. These programs and competitions are both common recruiting pipelines for defensive cybersecurity companies and offensive vendors alike." Common recruiting pipelines.

She said: "The number of individuals that participate in such programs globally is staggering. In 2020, HackerOne, a well-respected bug bounty platform, reported around 600,000 contributors spanning 170 countries. A 2024 survey of Bugcrowd, one of the largest bug bounty and vulnerability disclosure companies on the Internet, revealed most of Bugcrowd's over 200,000 hackers hailed from India, Egypt, Nigeria, Pakistan, Nepal, Vietnam, Australia, and the United States; 78% of them are self-taught" - 78% are self-taught - "and 58% of them were under 25 years old. While not all of these individuals possess the skills to find zero-day vulnerabilities and write code to exploit them, multiple security experts interviewed estimated that there are likely thousands of international individuals able to do so, with numbers in the low hundreds that can be trained to do so well."

Okay. So we have an informal community of hackers who are potentially able to make a bunch of money. But as the saying goes, "Don't quit your day job." Winnona provides some interesting background to that, writing: "While selling offensive cyber capabilities (and particularly zero-day vulnerabilities) to governments is a lucrative profession, it's a risky industry. Creating a zero-day exploit to leverage against a widely used technology product may require between six and 18 months of full-time engineering and research work. Unless an offensive cyber capability firm has multiple engineers working on different products or uses different payment schemes (meaning salaries), this timeline can lead to long downtimes between exploit sales." And this is what she means when she says: "This 'feast-or-famine' payout schedule carries risks for companies that rely on one or two windfalls a year to pay their overhead and engineering costs.

"In addition, finding a customer to sell exploits to is more difficult than it first seems. In general, potential sellers must find an existing government contract through which to sell their exploits or know the right government individual to speak with. Unless an offensive cyber capability firm has hired employees who have recently left a government interested in such capabilities, actual buyers may be extremely hard to find. Thus, international hackers without former government connections normally sell their products to middlemen, many of whom operate internationally." Like Zerodium; right? We've talked about Zerodium a lot in the past. You know, this is exactly that.

"Even then, the exploit may go through multiple levels of middlemen to get to a government customer. This frustrates both buyers and sellers. Buyers know that exploits sold to them have extremely high mark-ups, given the number of middlemen involved, and often will not know who the original bug producers are. Meanwhile, the sellers are likely aware of the extreme markups, but they don't know whether their bugs were sold to multiple governments."

So she quotes a former official with the Office of the National Cyber Director, saying: "An individual researcher who is not informed on what bugs are selling for may sell a good bug for $100,000. By the time it makes it to a customer, an individual bug could go for $750,000 to $1 million." This is the National Cyber Director saying this. And a senior DOD official working on offensive cybersecurity research programs, who thus knows exactly what he's talking about, says: "The system by which zero-day vulnerabilities are acquired is horrendously inefficient and broken." Okay. So we learn that there's a system of middlemen who are not contributing anything meaningful beyond their connections and contacts within government. And they almost certainly owe their loyalty only to the dollar, not to any nation. Nothing prevents them from double-dipping.

We know that money motivates. So if a program existed to cut out the middlemen, to protect hackers legally, and to allow governments to purchase those vulnerabilities directly, hackers could be making 10 times the money and have 10 times the motivation. They would also have the assurance that their work would only go to help the country they wish to help, and not their country's enemies.

The problem is that there's a well-deserved prevalent mistrust of government within the hacking community. Winnona reminds us of a bit of this past, writing: "Undermining all these efforts is the anti-government sentiment that remains strong within the U.S. cybersecurity and hacking community, which likely contributes to difficulty in maintaining an offensive talent pipeline. Much of the original U.S. hacking community emerged from counter-cultural activities like phone phreaking," she says in parens, "(i.e., bypassing Pacific Bell telephone lines to make long-distance phone calls without paying)."

She said: "Law enforcement responses from the 1960s to the early 2000s treated many hackers as criminals rather than as innovators. In 1990, the Secret Service's Operation Sundevil seized more than 40 computers and 23,000 data disks from teenagers in 14 American cities and charged individuals who managed the hacker magazine Phrack with interstate transport of stolen property. The charge was based on information published by Phrack that later proved to have already been widely publicly available. The arrests and subsequent court cases resulted in the creation of the Electronic Frontier Foundation. While the U.S. government has made significant strides toward repairing the relationship with domestic hackers in recent years, anti-government sentiment still persists."

And of course, Leo, we all remember our friend being arrested and handcuffed at McCarran in Las Vegas as he was leaving, you know, trying to go back to England.

Leo: We also remember the wonderful scene in "Good Will Hunting," where Matt Damon is - they attempt to recruit Matt Damon to the NSA. And he has a fairly good, cogent reason why he would never work for the NSA.

Steve: Yup.

Leo: So I recommend that, if people haven't watched the movie. I wish I could play the sound, but I don't want to get taken down, so...

Steve: Yeah, it's a great scene.

Leo: Yeah.

Steve: So, yeah. Uncle Sam, you've been a big bad bully in the past, and now you want and need the brains of those people whose rights and freedoms you blithely ignored out of your own fear of the unknown. Not cool.

There is so much content in this fantastic 44-page paper that I've had to skip over. So all I can do is commend this to any of our listeners who are interested in knowing more. The paper goes into much more depth about the many significant challenges presented by the way the U.S. is organized versus the comparative ease that China's processes face. So anyway...

Leo: Well, also they have a kind of compelling regime where you don't think you have a lot of choice; right?

Steve: Yeah. Yeah.

Leo: By the way, I don't know if you saw it last night, one of the Chinese nationals associated with Salt Typhoon was arrested in Italy.

Steve: Ah, no.

Leo: And the U.S. is seeking extradition. So that will be interesting to follow.

Steve: So we come away with a much better appreciation for what's going on out in the world of offensive warfare. Offensive cyberwarfare is 100% about penetrating into one's perceived adversaries' networks. That's it. And in turn, that's all about leveraging exploitable zero-day, which is to say currently unknown vulnerabilities that exist in the devices attached to that network. What's really interesting is that there's an inherently level playing field when it comes to discovering these potentially ultra valuable zero-day exploits. I would like to be seeing hackers getting paid much more and not having this, you know, lining the pockets by huge factors, huge multiples of the middlemen. Anyone anywhere can make a discovery of a flaw in software, then work to engineer that into a working exploit.

And we heard more than half of the - or, what, is it almost three quarters are self-taught, and more than half of these hackers are less than 25 years old. At that point, when you've created a working exploit, the holder of that intellectual property has an asset worth potentially a million dollars. But only if that intellectual property can be conveyed to a deep-pocketed government that in turn has the means to exploit it for its own ends.

Today, opportunists - who may provide some value such as mutual anonymity for both the buyer and the seller - are taking the lion's share of the value for a hacker's work because only they are able to turn that highly valuable and volatile intellectual property into cash. Hackers who receive only 10 cents on the dollar are much less incentivized to hunt down tomorrow's exploit, yet what we have learned is that offensive cyber warfare is all about having that next exploit. It's called a "supply chain" because it creates a supply, and that's what it needs to do.

It's clear that the U.S. government itself needs to emerge from the shadows. It needs to become a well-advertised, high-value, explicit buyer of zero-day exploits. It has to stop being ashamed or embarrassed by that. It needs to put the middlemen out of business. It needs to provide irrevocable protection to any hackers against any form of blowback for their work in discovering valuable cyber attack tooling. It needs to be widely known that it's possible to become wealthy from selling zero-day exploits to Uncle Sam. This is not the world I wish we had, but it's today's reality. If having a strong deterrent helps to keep the peace, then let's get one.

Leo: Yeah. Yeah, I mean, I think there's also been some reluctance on our part to escalate cyberwarfare because what happens when you escalate is you escalate.

Steve: Yeah. You get a reaction.

Leo: But it's being escalated with or without us, so...

Steve: Yes. It's happening either way.

Leo: Yeah, yeah.

Steve: And there is this notion, too, if we can maintain an inventory. The problem with zero-days is that they're volatile.

Leo: Right.

Steve: We have seen many instances, in fact we just covered them on that most recent Pwn2Own, where the hackers believed they had zero-days, but those just had not yet been updated from the vendors.

Leo: Right, right. Well, there's also the problem of, once you use them, you've burned them.

Steve: Yes.

Leo: So you need many.

Steve: Yes, exactly. They are consumables.

Leo: The good news is there seems to be an unlimited supply.

Steve: Isn't that bizarre? It's just amazing. Even Apple, with all the work that Apple has done.

Leo: Yeah, yeah. You'd think we'd have fixed it by now. But, you know, perfect software and all of that. But I guess not. That's Steve Gibson, ladies and gentlemen. He writes perfect software, the world's best mass storage maintenance, performance enhancing and recovery utility. It's known as SpinRite. He writes it in assembly language so it's fast, it's small, and you can get it from him directly at GRC.com. Just finished v6.1. Given that it took a little while for 6.1, I'm going to bet that we shouldn't worry too much about 7.0 yet.

Steve: I have some other things to do first.

Leo: Yeah, I think it might be a little while. So get it. Get it right now.


Copyright (c) 2014 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED

This work is licensed for the good of the Internet Community under the
Creative Commons License v2.5. See the following Web page for details:
http://creativecommons.org/licenses/by-nc-sa/2.5/



Last Edit: Jul 14, 2025