Transcript of Episode #1041

Covering All the Bases

Description: A look back at Issue #1 of BYTE magazine exactly 50 years ago. The enforcement of the SHAKEN & STIR Telecom protocols. The inherent danger of consolidating authentication. Can AI be controlled. Vivaldi says a big "no" to AI-enhanced web browsers. How WhatsApp figured into Apple's recent zero-day attacks. Leveraging AI as an attack aid. The latest TransUnion data breach. Two scummy websites sue the UK over age requirements. OpenSSH reminds its users to adopt post-quantum crypto. The DOD uses open source maintained by a Russian national. Much great feedback from our terrific listeners. Sci-fi news from The Frontiers Saga's Ryk Brown.

High quality  (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1041.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-1041-lq.mp3

SHOW TEASE: It's time for Security Now!. I know you look forward to it. It's a listener question episode. Yes, we'll cover some of the news, including breaking news about the Google monopoly lawsuit, and a big birthday celebration, and a very positive review from a few years back. Steve will celebrate next on Security Now!.

Leo Laporte: This is Security Now! with Steve Gibson, Episode 1041, recorded Tuesday, September 2nd, 2025: Covering All the Bases.

It's time for Security Now!, the show where we protect you - well, I don't do anything. I sit here and listen while Steve Gibson protects you and your hardware and your software and your Internet and your privacy and all that stuff, the Man of the Hour, Mr. Steve Gibson. Hi, Steve.

Steve Gibson: Hi, Leo. It's great to be with you. Okay. So, yes. And I don't protect everyone. I do what I can to help everybody protect themselves.

Leo: You give us the information we need to do it for ourselves, which is the best, yes.

Steve: We have a great podcast. I know I've been saying that a lot lately. I think they maybe have been a little better than usual. I think after, you know, the first thousand, as I've said, we kind of have the hang of it. No big news overwhelmed the week. So I wanted to take the opportunity to spend a little more time than I have been recently with our listeners' feedback. So about half of the podcast is that because there was so much interesting good stuff - some corrections of things I had said before, some additional information on topics. So lots of good stuff there. Also some interesting news and one big event that I thought would be fun to spend a little time on, which is the Picture of the Week event. So as a consequence I just called this podcast #1041 "Covering All the Bases," since it's just a potpourri of interesting security and privacy-related stuff. So I thought that...

Leo: You could call it "The World's Greatest Toy," but we'll save that for the Picture of the Week. I thought that was a...

Steve: Well, now, yes, the world's greatest toy. You know, without any context, without any context that could be dangerous.

Leo: We'll see. What is it we're talking about? We'll find out.

Steve: That's right. Digital, the world's greatest digital toy, I would say.

Leo: It's a pretty good toy generally, in every possible respect.

Steve: Yes, indeed it is, yes.

Leo: All right. And some sci-fi and a lot of good stuff coming up. I'm excited.

Steve: Yup, we've got lots of interesting news stuff.

Leo: All right. So we will get to that and the world's greatest toy, our Picture of the Week, in just a bit. Time for a toy.

Steve: And I realize that what I normally do I've skipped over, which is to sort of run through a quick enumeration of coming attractions.

Leo: Well, that's okay. I mean, I was ready. I was ready to jump to the ad. Do you want to do it now?

Steve: Well, I just - I was thinking, okay, our listeners might want to know what we've got. We're going to talk about the enforcement of the Shaken & Stir telecom protocols, the inherent dangers of consolidating authentication, look at the question of whether AI can even be controlled, and that Vivaldi says a big "no" to AI enhanced web browsers. We now know how WhatsApp figured into Apple's recent zero-day attacks that we talked about, you know, we talked about the update, the emergency update last week.

Also we've had an instance now of leveraging AI as an attack aid. And it's creepy. Also news on the latest TransUnion breach, two scummy websites sue the UK - good luck with that - over age requirements that they're enforcing with their Online Safety Act. OpenSSH has decided to remind its users to adopt post-quantum crypto. The DOD, the U.S. Department of Defense, was found to be using open source which is being maintained by a Russian. What could possibly go wrong with that?

Leo: Oh, my god.

Steve: And after, as you mentioned a bunch of great feedback from our listeners, we've got a little bit of sci-fi news from one of our favorite authors, The Frontiers Saga, and how his relationship, Leo, with Amazon has soured, much as yours apparently has.

Leo: Oh.

Steve: So anyway, I think as I said a great podcast for our listeners. Which brings us to...

Leo: Our toy.

Steve: Our first topic, our favorite toy, and it probably is at this point, especially as you get older, our Picture of the Week is - I gave this the topic "50 Years Ago." It was 50 years ago this month, now that we're in September of 2025. "Issue #1 of BYTE magazine declares: 'COMPUTERS, the World's Greatest Toy.'"

Leo: Yes.

Steve: And I got a kick out of the fact that it was $1.50 for, you know...

Leo: That was probably expensive in 1975.

Steve: Probably was, yeah, you were paying your dues.

Leo: Mad Magazine was 35 cents, so I think it was, yeah.

Steve: Although when you consider the quality of information. Anyway, 1975. So I was two years out of high school at that point.

Leo: Wow. I was just going into college myself. I was a junior.

Steve: Yes, right. The cover says: "Which Microprocessor for you?" because back then no one had really, you know, settled on any particular thing. "Cassette Interface - Your key to inexpensive bulk memory. Assembling Your Assembler. Can YOU use SURPLUS KEYBOARDS? (You bet you can!)." And then, finally...

Leo: I have a whole drawer now of surplus keyboards, so that's...

Steve: Well, and by these we mean, like, some weird keyboard from a radar set.

Leo: These are from Wyse terminals and stuff, yeah, yeah, yeah.

Steve: Yeah, exactly, for like the - like, what the hell? This doesn't even have all of the ASCII characters on it. And then it finishes by declaring, "COMPUTERS - the World's Greatest Toy!"

Leo: So you've got to remember, '75, this is before the Apple II. This is before anything. This is when microcomputers are first starting.

Steve: Yes. In fact, it just - it's such an interesting walk for those of us who are around our age, Leo. I think it's really worth taking a look inside the inaugural issue, which we're able to thanks to the Internet's Archive.

Leo: Well, I wanted to show you there's many places you can get BYTE magazines, including the Internet Archive. But my favorite now is - somebody's put these online. Let me go back to the website. This is a visual archive of all the BYTE covers. If you zoom in, you can actually see the covers, the contents resolving themselves. But what I like about it is, as a regular expression, search. So for instance, I can look for Leo Laporte.

Steve: Wow.

Leo: And it says no matches. Well, let me try that again because I know there's a match. Oh, well, maybe not. There was a match the last time I did this.

Steve: What happens if you look for SpinRite?

Leo: Oh, yeah. Let's see. Oh, I wrote my first - the first article I wrote for BYTE was in 1984. There's something wrong with this site because I know SpinRite - let's try it again. SpinRite. Ah, yeah, there's something wrong with this site, unfortunately. But I know SpinRite's in there, and you probably could search through Internet Archive and find it faster, as well. It's pretty cool. This is really - anybody who's interested in the history of technology should absolutely take advantage of these various archives because it's incredible.

Steve: So even in this first issue you'll find, among other tips, tips for desoldering multi-legged integrated circuits from a circuit board because, you know, they were rare back then.

Leo: That happens. That happens, yeah.

Steve: You might need to repurpose that 2102 Intel 1K dynamic RAM chip - 1 kbit, sorry. Not even bytes. They talk about how to decipher the wiring of a random surplus keyboard to use it for the computer that of course you are building around 1975. How to choose the right microprocessor family for that computer. They've got a kit for building a working system, a tutorial on how asynchronous serial data communications is formatted, the fundamentals of assemblers and how to take the first steps toward writing your own assembler for the chip that you chose two pages earlier in the book. We find an article, even back then, on coding strategies for implementing John Horton Conway's famous Game Of Life.

Leo: Oh, the Game Of Life, yeah.

Steve: Yup. There's also some great material titled "What is BYTE?" I mean, this is the inaugural issue. So like they're saying, you know, basically that talks about what is a byte, and why they named themselves BYTE, and how it started, along with a request for contributions to this nascent magazine. I mean, it's just happening.

Leo: This is so long ago, Jerry Pournelle wasn't even writing for it yet.

Steve: Correct. Correct.

Leo: Eventually the Chaos Manor column became a must-read. Steve Ciarcia's Circuit Cellar. And did you write for BYTE, as well?

Steve: Did not write for BYTE, no.

Leo: Yeah, you wrote for InfoWorld.

Steve: But back then, for example, hobbyist mass storage was pure fantasy.

Leo: Yeah.

Steve: So, you know, you've got to love the inaugural issue's description of implementing your own Cassette Interface, where it talks about frequency shift keying in order to store differing tones on an audiocassette tape.

Leo: Yeah, because it was an audio medium. So you had to turn bits into...

Steve: Right. It was - basically you were creating a modem that you would use to dump your program out of your solid-state memory because, you know, I mean, core existed, but hobbyists didn't have core memory.

Leo: No.

Steve: We had only a little bit of random memory.

Leo: Well, there was RAM. I mean, these devices had RAM in them, like the MITS Altair that's...

Steve: Anyway, it says, describing it as "Your key to inexpensive bulk memory." And of course the early kit machines of the time often sported cassette I/O, and that was also built into the Apple II machines.

Leo: And the Atari. I used a cassette interface to load and save programs from my old Atari.

Steve: Now, of course the lack of mass storage did not stay that way for long. Thirteen years later we all owned PCs with hard drives. I know that because, after launching that first issue, BYTE grew into the PC industry's magazine of record.

Leo: Absolutely.

Steve: I mean, it was that one. So when, 13 years later, BYTE's November 1988 issue reviewed SpinRite with, frankly, gushing praise, it ended, the review ended with the sentence: "SpinRite is what the word 'must' was invented for." I mean, and then two months later they awarded, BYTE awarded SpinRite the 1989 Award of Distinction. And of course because of what BYTE magazine was then, it really put SpinRite on the map.

Anyway, BYTE's perfectly timed inception in 1975 - which, again, 50 years ago this month.

Leo: Amazing.

Steve: It was triggered by the realization that individuals, not only huge corporations, could own and use their own stored-program computers. And, you know, I think it's astonishing today, Leo, 50 years later, we're now holding conversational dialogs with these machines that are virtually indistinguishable from living human beings. And it is easy to forget that it is all still just a big pile of transistors.

Leo: You know what's amazing is that the SpinRite interface looks exactly the same.

Steve: Yes, just as GRC's website looks exactly the same.

Leo: I'm just teasing you. But yeah, we've come a long, a long, long way. Rich Grehan's review of SpinRite says: "I ran SpinRite on an Everex 38620's internal 30MB hard disk drive." Wow. He was pretty wealthy to have a 30MB drive back then. That was something. That was a fancy PC system.

Steve: Well, and remember we were taking 20 - there was a 20MB drive.

Leo: I remember.

Steve: Which could actually handle RLL.

Leo: Yeah.

Steve: So you've got 50% more storage, and that was part of Steve's Dream Machine that I had developed over at InfoWorld at the same time.

Leo: Wow.

Steve: Anyway, I created a GRC shortcut for our listeners to that first inaugural issue, which is, again, it is really worth flipping through the pages. If you go to grc.sc/byte, B-Y-T-E, that will bounce your browser to the Internet Archive's page-turning display, where it's easy just to flip through the pages of that first BYTE. You know, the ads are interesting. They've got an open frame power supply on page 4, something for, you know, because you've got to have one of those. I mean, it's just - it's just great. And I thought, wow, 50 years, Leo.

Leo: Amazing.

Steve: You know? The podcast has been here for 20 of those 50.

Leo: Yeah, it kind of, if you put it that way, whoo. It's a good point. Holy cow, yeah.

Steve: Yeah. So, wow. And for you youngsters who weren't born in '75, take a look at what your elders were doing because grc.sc/byte will take you to that first issue.

Leo: Very cool. Very cool.

Steve: It's a kick.

Leo: It is, I think it's good for young people to read these stories. It really is.

Steve: And here's asynchronous serial communications. Nothing has changed. That's the other kind of spooky thing is that it's odd how, like, the assembling your own assembler, you know, you still, sometimes you have to desolder a chip. Well, here's how to do that, back in 1975.

Leo: The fundamentals are still the same.

Steve: That hasn't changed. Yeah. But asynchronous communications has not changed since then. That's the way RS232 still operates. So, and that's one of the points that I wanted to make about the early episodes of this podcast. When we talk about how processors work, how the Internet works, all of those early episodes where we were doing a lot of tutorial stuff, it's 100% relevant today.

So anyway, several years ago we spent some time examining the development and presence of the so-called SHAKEN and STIR protocols. The obvious naming follows from Ian Fleming's James Bond character who preferred to have the preparers of his martinis shake them and not stir them. I'm a neophyte on the martini front, so I can't tell you what the difference might be. But the STIR protocol existed first as a means of authenticating the originators of VoIP - Voice over IP - connections.

STIR stands for Secure Telephone Identity Revisited. Again, they were stretching to get these acronyms to work. So STIR, Secure Telephone Identity Revisited. It's specified in a series of four RFC standards documents by an IETF working group. And it functions by attaching a digital certificate - we all know what those are now - to the SIP, the Session Initiation Protocol. And boy, I wonder if SIP is meant to be like part of this martini.

Leo: Oh, I never thought of that.

Steve: I never did either until I was just looking at that.

Leo: Maybe they're trying - wow, that's going back.

Steve: Anyway, so the STIR attaches a digital certificate to the SIP (Session Initiation Protocol) information, which is used to initiate and route calls in VoIP systems. The problem for authentication is that not everything is VoIP. Specifically, the bulk of especially early telephony was all just switched-network, which stayed within the telephone system network, which had nothing to do with IP, at least at the subscriber interface. So if authentication of a caller was desired, it would be necessary to somehow retrofit something like the STIR protocol for VoIP onto non-VoIP connections.

Already having STIR and knowing of James Bond, the designers of this second protocol had little choice other than to somehow arrange to name it "SHAKEN." Unfortunately, not all acronyms go willingly, and this one put up a fight. The designers figured that "SHAKEN" had to stand for something, so what we got was Signature-based Handling of Asserted - we've got the A now. Now we have a problem with the KEN. So we're going to go Signature-based Handling of Asserted Information using toKENs.

Leo: Oh, please.

Steve: Yeah. It's not inspired, but it works.

Leo: Oh, my.

Steve: Okay. So together, SHAKEN & STIR add something our telephony system was never designed to provide, which is a practical mechanism to provide verified information about the calling party as well as the origin of the call. Giving service providers the tools needed to sign and verify calling numbers makes it possible for businesses and consumers to know, before answering, that the calls that they're receiving are coming from legitimate parties.

However, everyone familiar with the subjects of this podcast knows the difficulties that arise when we attempt to retrofit security onto a system that wasn't designed to accommodate it, and which works even if you don't. Creating the specifications and the implementation is only the start of the battle; right? Getting everyone to adopt it generally turns out to be the much heavier lift. And so it has been for the adoption of these caller-identifying standards. There's no benefit to the carrier because the ultimate consequence of strong caller authentication will be the end of call spoofing and robocalling, which are sources of revenue for the carriers.

So they're not in a big hurry to shut all that down, although it's driving their subscribers bonkers. You know, I finally had to suspend my two landlines because no one ever called me that I knew. It was all just garbage calls, which was just infuriating because I knew that didn't have to be that way.

After many years of waiting for the adoption of STIR and SHAKEN, four years ago in June of 2021, the U.S. Federal Communications Commission (our FCC) began requiring large carriers to use the protocols, and Canada's Canadian Radio-television and Telecommunications Commission, kind of their equivalent, which is the CRTC, has required the use of the protocols ever since November 30th of 2021, so a few months later.

What was the result? Not much. No one seemed to care. It's always a pain to make any changes, and no one in the Biden administration's FCC appeared to care enough to force the issue. We're talking about this today because, perhaps not surprisingly, the Trump administration's FCC is taking a somewhat different approach. Last Thursday, the FCC - get this - terminated more than 1,200 voice service providers from the U.S. telephone network for their failure to deploy robocall mitigations. Perhaps, you know, that order from 2021, which is now more than four years old, should have been taken a little more seriously.

The text of the order, which I found and reviewed, is quite clear. At one point it states: "Removal of a Company's certification requires all intermediate providers and voice service providers to cease accepting all calls directly from the Company." No telephone network for you. That 1,200 number is nearly half of the 2,411 voice providers the FCC notified and ordered last year to become compliant. So again, they've, like, had several warnings and, like, this is it, or else, we're serious this time. No, really, we mean it now. No, like, this is it. Please take it seriously. That was in the summer of 2021. Nothing happened back then. And they renewed that last year.

So I imagine that last year's refresh of the requirement was just as ignored as the previous ones and considered to be just more saber rattling. But not today's FCC. There's a new sheriff in town. So, since last Thursday, I would imagine that any companies of those 1,200 that don't just want to give up and go away, maybe like all of their business is about crap that nobody wants to receive. They're scurrying to implement the STIR and SHAKEN protocols, scrambling to add the required support to their networks so that they can get back on, into the rest of the phone network. But in the meantime, since they are unable to provide service into the U.S. telephony networks, any legitimate customers they may have are likely abandoning them in droves and switching to providers that have remained connected, those that responsibly implemented this protocol so that these unwanted calls can be identified and controlled.

The near-term upshot of the fact that Trump's FCC is willing to do what's necessary is that the U.S. telephone network may finally get itself cleaned up. And THAT will be a huge win for all of its users. I think this has been long overdue, so bravo.

Leo: Yeah. It was scheduled as a slow rollout. So they initially did it for the largest companies, and then it was a stepped rollout for the smallest companies. And now we're at that final stage where these were the very smallest of, as you can see, I mean, there's 2,411 voice providers.

Steve: Exactly. It's not like AT&T.

Leo: AT&T went along with it early on. But obviously you have to get all of them because the spammers will just move to whoever still can get away without the verification. So I'm glad this has finally happened. I was wondering how, you know, when this was going to finally take place.

Steve: Yeah.

Leo: I don't want to interrupt, but there is a breaking story that we probably should cover.

Steve: Whoa.

Leo: It's been nearly a year since Judge Mehta ruled that Google was a monopoly. He said at that time that he was going to put out his judgment on the penalties by the end of August. Well, it's a little past the end of August, but today Judge Mehta did rule the penalty phase of the Google versus the U.S. Department of Justice lawsuit that Google lost last year. And the news is, I think, fairly good for Google. The Justice Department was asking for, as you remember, things like Google being forced to sell its browser or even Android. The judge said Google will not be required to divest Chrome, nor will the court include a contingent divestiture of the Android operating system in the final judgment.

Judge Amit Mehta said plaintiffs overreached - that's the Department of Justice - in seeking forced divestiture of these key assets which Google did not use to affect any illegal restraints. Furthermore, they can continue to pay the estimated $20 billion a year they spend to Apple and many millions to Mozilla and to Samsung to preload products or to preload the Google search engine.

Steve: Right.

Leo: But in fact the only thing Google has to stop is the practice of compelled syndication, which is making deals with companies to ensure the search engine is the default choice. I don't - I'm unclear on this.

Steve: Yeah.

Leo: And we'll have to get more details whether that means they stop paying Apple. I don't think it does because I don't think it's compelled.

Steve: Right.

Leo: I think it's just a payment. The real issue was Android handset manufacturers who were using the free operating system, but then Google said, but if you want to have the Google Store on there, you've got to put Chrome on there, and you've got to use our search engine.

Steve: So they were tying search and Chrome.

Leo: There was tying, exactly.

Steve: I see, right.

Leo: I think that that's - I suspect, but I'll have to get more details. This just literally just came in 20 minutes ago, so this is - or not even that long, 15 minutes.

Steve: Breaking news on Security Now!.

Leo: So we've been waiting. We knew that this penalty phase had to end. Now, Google has said that they would appeal. But I think based on their success in this it seems that they may just settle. In fact, the stock market is giving them a big reward, a 4% increase in Alphabet's stock. Google will not - okay. Here's the further information. Google will not be barred from making payments or offering other consideration to distribution partners for preloading or placement of Google Search, Chrome, or its GenAI products.

The judge said cutting off payments from Google would impose substantial, in some cases crippling downstream harms to distribution partners. That's true. Firefox Mozilla says, if we don't get that payment, we've got no company. So he made the right decision. In fact, it sounds like he did the right things. No, Google says, we're going to appeal anyway because as long as it's being appealed, nothing will happen, and that probably is what they want. So I think really a successful...

Steve: Oh, you mean as long as it's in appeal, then no change will have to be made.

Leo: No changes; right. So they figure, well, we might as well continue to appeal this. So in a sense I think a victory for Google. Given it was ruled a monopoly, the limitations that the judge decided to put on Google were as minimal as they could possibly be. Anyway, sorry to interrupt, but I know...

Steve: No, that's good, yeah, that's cool.

Leo: ...that everybody's been watching with interest on this story. And so the other shoe has dropped. On we go.

Steve: So last week we learned that a firm we've not talked about before called Salesloft, which is a sales AI and automation platform, was breached by hackers. Unfortunately, the breach of Salesloft created an opportunity for hackers to pivot to its customers' Salesforce accounts. This enabled the attackers to harvest Salesforce data from those accounts and other credentials and to then pivot to other cloud platforms.

Google says the attackers pivoted to Salesforce using OAuth tokens from the Salesloft AI chat agent, after which Salesloft revoked all Drift Salesforce connections and asked their customers to reauthenticate and reconnect their apps. The industry subsequently learned that the hack was larger than was initially believed, with the attackers who pivoted from Salesloft's network into Salesforce accounts also pivoting to Google Workspace, Slack, and Pardot integrations.

One of the consequences of the convenience of centralized authentication and credential reuse is - and what do we preach here with our browser extensions, our password managers, is do not reuse your credentials. Right? Unique password for every site. That's the whole point. But we're not really following our own advice here because of the way we're using OAuth today. As I said, one of the consequences of the convenience of centralized authentication and credential reuse is all of this so-called "pivoting" that winds up being immediately enabled. When I went over to the Pardot website, for example, I was presented with a "Login with Salesforce" screen. So when attackers obtained Salesloft's customers' Salesforce OAuth tokens, they were immediately able to reuse those stolen tokens to log into many other services that would accept Salesforce's authentication.

Anytime we're being presented with the convenience of login with Google or login with Facebook or any of the other major identity providers, it's worth remembering that a compromise of that single credential potentially compromises our authentication at all of the other sites that know us that way.

Leo: That's a problem.

Steve: Yes. Again, it's a, you know, this is not the first time we've talked about that, but it's worth a refresh, I think. It's nearly always the case that convenience brings some non-obvious risks. And here's another one; you know? Yeah, it's convenient to be able to just reuse my Google authentication or my Facebook identity. But if that's ever compromised, it's not just Facebook that you lose control of. It's everybody who knows you through your Facebook ID. And that's what happened here.

Leo: Wow.

Steve: So after our next break, Leo, we're going to look at the question of can we control AI? And I have an interesting perspective that I think might be useful.

Leo: Good. I look forward to it. On we go, sir.

Steve: Okay. So I first want to share - we're going to talk about the question, can we control AI? I first want to share the opening of a much longer Reuters news agency piece they published last Friday.

Leo: Oh, I [crosstalk] so mad.

Steve: But I want to return - ah, yes. But I want to return to one of my thoughts about AI. So Reuters wrote: "August 29 (Reuters) - Meta has appropriated the names and likenesses of celebrities - including Taylor Swift, Scarlett Johansson, Anne Hathaway, and Selena Gomez - to create dozens of flirty social-media chatbots without their permission, Reuters has found. While many were created by users with a Meta tool for building chatbots, Reuters discovered that a Meta employee had produced at least three, including two Taylor Swift 'parody' bots. Reuters also found that Meta had allowed users to create publicly available chatbots of child celebrities, including Walker Scobell, a 16-year-old film star. Asked for a picture of the teen actor at the beach, the bot produced a lifelike shirtless image, writing beneath the picture: 'Pretty cute, huh?'

"All of the virtual celebrities have been shared on Meta's Facebook, Instagram, and WhatsApp platforms. In several weeks of Reuters testing to observe the bots' behavior, the avatars often insisted they were the real actors and artists. The bots routinely made sexual advances, often inviting a test user for meet-ups. Some of the AI-generated celebrity content was particularly risqué. Asked for intimate pictures of themselves, the adult chatbots produced photorealistic images of their namesakes posing in bathtubs or dressed in lingerie with their legs spread.

"Meta spokesman Andy Stone told Reuters that Meta's AI tools should not have created intimate images of the famous adults or any pictures of child celebrities. He also blamed Meta's production of images of female celebrities wearing lingerie on failures of the company's enforcement of its own policies, which prohibit such content."

Anyway, the article goes on at much greater length, but everyone gets the idea. Over the course of the past year I've invested some time studying the operation of large language model generative conversational AI. And I've been using them continuously while watching and marveling at their output, which to me remains astonishing. That Reuters piece brings me back to a feeling I've expressed here before, which is that the nature of the way AI generates its output to me means that it is inherently uncontrollable - which explains why the AI industry is having so much difficulty controlling it. The information that is acquired, stored, and modeled within a large language model is almost stored holographically, with no single fact residing in any one place, so it's not possible to pluck it out from the whole.

In struggling to find a useful analogy, the classic photographic hologram came to mind. What I recall about a hologram is that it's not possible to readily edit its image contents because every part of the image is stored everywhere else. Each small region of a hologram contains information about the entire scene, though with proportionally less detail. So if, for example, we were to cut a hologram in half, each half would still depict the entire scene, albeit with lower resolution and with a reduced field of view, like looking through only part of a window. This is very much the way LLMs store their information.

The other inherent problem with what we want when we say that we want to control an AI is that the boundaries between what we would consider acceptable and unacceptable are beyond blurry and fuzzy. We may be able to make a go/no-go determination, but how do we describe it? U.S. Supreme Court Justice Potter Stewart was unable to define what was and was not pornographic, and was finally reduced to saying: "I may not be able to define it, but I know it when I see it." So on the one hand, it's unclear how we even describe to an AI what it is and is not allowed to produce; and, even if we could, it's not at all clear to me how we edit a hologram. Which is, I think, a very good analogy for what, you know, the way information is stored inside of a large language model, having taken some time to look at the way they are trained.

I just think, Leo, that it is, you know, I talked about like maybe having another AI look at the output of the main AI before its output is made public? It's like, it just seems so difficult to me. I mean, I get how hard a problem it is to edit it. It's very much like telling the AI, okay, don't say anything that's wrong. Well, it's been trained on a whole bunch of wrong stuff. So it doesn't know what's right or wrong. I mean, it doesn't know anything. It's just producing content based on the way it's been trained. So, I mean, I agree with you. What Reuters uncovered is, frankly, it's not surprising, but it is very disturbing.

And speaking of AI, last Thursday the Vivaldi browser folks took an interesting stand on the issue of AI permeating the web browsing space and their feelings about that. Their post was titled "Vivaldi takes a stand: Keep browsing human." And that was followed by their teaser intro, which read: "Browsing should push you to explore, chase ideas, and make your own decisions. It should light up your brain. Vivaldi is taking a stand. We choose humans over hype, and we will not turn the joy of exploring into inactive spectatorship." Whoa. No AI for you.

So here's what they wrote. They said: "Just like society, the web moves forward when people think, compare, and discover for themselves. Vivaldi believes the act of browsing is an active one. It is about seeking, questioning, and making up your own mind. Across the industry, artificial assistants are being embedded directly into browsers, and pitched as a quicker path to answers. Google is bringing Gemini into Chrome to summarize pages and, in future, work across tabs and navigate sites on a user's behalf. Microsoft is promoting Edge as an AI browser, including new modes that scan what's onscreen and anticipate user actions. These moves are reshaping the address bar into an assistant prompt, turning the joy of exploring into inactive spectatorship.

"This shift has major consequences for the web as we know it. Independent research shows users are less likely to click through to original sources when an AI summary is present, which means fewer visits for publishers, creators, and communities that keep the web vibrant. A recent study by Pew Research found users clicked traditional results roughly half as often when AI summaries appeared. Publishers warn of dramatic traffic losses when AI overviews sit above links." And I'll just interrupt to say as far as we know, that's all true, and we've been exploring the various consequences of that for the past several weeks.

Vivaldi continues: "The stakes are high. New AI-native browsers and agent platforms are arriving, while regulators debate remedies that could reshape how people reach information online. The next phase of the browser wars is not about tab speed, it's about who intermediates knowledge, who benefits from attention, who controls the pathway to information, and who gets to monetize you.

"Today, as other browsers race to build AI that controls how you experience the web, we are making a clear promise: We're taking a stand, choosing humans over hype, and we will not turn the joy of exploring into inactive spectatorship. Without exploration, the web becomes far less interesting. Our curiosity loses oxygen, and the diversity of the web dies. The field of machine learning in general remains an exciting one, and may lead to features that are actually useful. But right now there is enough misinformation going around to risk adding more to the pile. We will not use an LLM to add a chatbot, a summarization solution, or a suggestion engine to fill up forms for you until more rigorous ways to do those things are available.

"Vivaldi is the haven for people who still want to explore. We will continue building a browser for curious minds, power users, researchers, and anyone who values autonomy. If AI contributes to that goal without stealing intellectual property, compromising privacy or the open web, we will use it. If it turns people into passive consumers, we will not. We will stay true to our identity, giving users control and enabling people to use the browser in combination with whatever tools they wish to use. Our focus is on building a powerful personal and private browser for you to explore the web on your own terms. We will not turn exploration into passive consumption. We're fighting for a better web."

Okay. So I guess there will be a web browser for anyone who hates AI. I certainly am not an AI hater. I think it's a marvelous and amazing emergent phenomenon. And I make great use of it as a quick reference source while I'm coding. I actually feel a bit guilty now asking it dumb things that I could easily go look up for myself, and would have had to a couple of years ago. But if OpenAI wants to lose money allowing me to ask it why the sky is blue, I'll happily pay them 20 bucks a month for the privilege.

Today, I'm still using Google. And I check out its AI Overview to see whether that's all I need while never forgetting that it can be wrong. The other day, ChatGPT produced a snippet of Windows code for me, and it just made up a Windows message that never existed. I immediately knew it was wrong. But the way it was wrong was interesting, and it made sense to me since there's nothing in there that actually understands what it's spewing out. It's just language. And that's what makes what it's able to do so miraculous. So my feeling is it's certainly way more useful than not. And that's why I tend to think that Vivaldi's anti-AI stance is probably a mistake.

Leo: I think it's just marketing.

Steve: You think so?

Leo: I mean, notice they have a lot of things like "until it's good." "When it's good, we're going to use it." "As soon as it's okay, we'll start" - they left a lot of space for them to change their mind.

Steve: True. And do you think that, like, there will be people attracted to the lack of...

Leo: Oh, we know there are.

Steve: Really.

Leo: Yeah. Oh, yeah.

Steve: To the lack of AI overview.

Leo: Absolutely. You know, last poll I saw said 71% of people don't trust AI. I think that there is - look, Vivaldi's got a tough row to hoe. They're, like, fourth or fifth. No, they're not even that. Opera is fourth. They're way down the list of popular browsers. Chrome is like 80%. Then Edge. Then it's, you know, Safari, Firefox, Opera. I don't even see Vivaldi on that list. So having something that differentiates them is a good thing.

Steve: So like saying we are the anti-AI browser.

Leo: If you don't want AI, we've got something for you. But notice they didn't rule it out forever. They just said until it's good, until it's safe, until it's okay. Then we might use it. You know, good on them. And there are definitely people who don't want it, you know. I don't blame them. I'm with you, though. I'm in your camp. You know, there's also - I saw somebody said this is like the invention of electricity. This is, you know, you've got to - there are people who overhype it, as well. So you've got to kind of walk down the middle, I think.

Steve: I wonder if I can find really quickly this - I sent this to two friends of mine this morning. I was just astonished by this. Again, I just - so here's the kind of way I use ChatGPT. I was puzzled by something. So here was my prompt. "I have the vscroll style specified on a window's static control. The scroll bar displays, and its scroll thumb scales and works. I have sub-classed the control in order to manage its messages, but I'm not receiving any of the wm_vscroll messaging for mouse or keyboard actions on the static windows control. I dislike asking leading questions of LLM AI since it tends to bias your reply."

Leo: Right.

Steve: "But the only thing I can think is that perhaps the 'static-ness,'" - and I put that in quotes - "the static-ness of the control prevents its responding to the system's mouse and keyboard. What do you think?" So...

Leo: That's a great prompt.

Steve: That's the way I write these things because, I mean, I...

Leo: You're having a conversation.

Steve: Yes. Yeah.

Leo: What's interesting is you would have done this as a search in many, many steps.

Steve: Yes.

Leo: You know, you would have narrowed it down, narrowed it down, and you would have done the same basic kind of thing as a search.

Steve: Yes. So that's why I say, if they want to let me, you know, ask why is the sky blue? You know?

Leo: Yeah. Did you get a good answer?

Steve: Oh, my god. Now, just listen to the nuance, Leo. It thought for 52 seconds.

Leo: Wow.

Steve: Then it said: "You've got it: The static-ness is the issue. Static," which it highlighted because that's a token...

Leo: It's immutable.

Steve: "Static doesn't implement scrolling." Just listen to the words, though. "You can stick ws_vscroll on it, and user/gdi will happily" - it used the word "happily" - "paint and track a scrollbar in the non-client area (hence the thumb moves and sizes correctly when you call set scroll info). But the static class never routes the user's interactions to your window proc as wm_vscroll. In other words, the visual is there; the messages aren't. Subclassing the static won't help because the window class proc simply doesn't generate those scroll notifications." I mean, it is, like, how can this exist?

Leo: That's what an expert will tell you. That's like if you had a professor in a coding class or something. That's exactly the answer you want, and it was very nicely explained. It was very good.

Steve: Yes. It's astonishing.

Leo: Yeah, yeah.

Steve: And it's just language. It doesn't know what it's saying.

Leo: It has no idea what it's saying.

Steve: No. But it's like, and that's why, like last week it made up a wm_ncscroll, which is non-client, non-client scroll. The moment I saw that I thought, there's no wm_non-client scroll message. That doesn't exist. But because it's language, and it doesn't understand what it's doing...

Leo: It has no idea.

Steve: It doesn't, no. So yes, it can make mistakes. But listen to that. I mean, just the language. You know, oh my god, it will happily paint and track a scroll bar. Windows is happily doing that.

Leo: Yeah.

Steve: And I've noticed that, you know, it also remembers who I am. It's maintaining long-term awareness. So like it asks me, if you would like some MASM/Win32 code...

Leo: It knows.

Steve: It knows that's what I want.

Leo: Yeah, yeah. Wow.

Steve: Oh.

Leo: I know. It's pretty cool.

Steve: It is just...

Leo: I'm realizing I think part of the problem is that it's trained on so much stuff, it's trained on as much incorrect stuff as correct stuff because that's the nature of humans.

Steve: Right. Which is to say the web.

Leo: Yeah. So when I do see errors like that, I can almost always attribute it to either misunder...

Steve: It appeared somewhere.

Leo: Yeah. It appeared somewhere. And either the AI misinterpreted it or misapplied it. Or the guy who was answering the question just made the same mistake, was dumb, and the AI doesn't know any better, repeats it. So it's actually not surprising that it's making mistakes. Think about how much the Internet, how much crap there is on the Internet?

Steve: Well, Reddit is now charging people, charging AI to train. Well, I've read Reddit. And, boy.

Leo: We just interviewed yesterday for Intelligent Machines, it's going to appear on tomorrow's show, Karen Hao wrote an incredible book about the history of OpenAI called "Empire of AI." And she points out in the early days they were training almost entirely on Reddit. Reddit was a very valuable resource for them. Well, yeah. So guess what? There's going to be a lot of crap in that training data. That's part of the problem that they faced is trying to find quality information, and you can't.

Steve: Leo, imagine when we're looking back on this as, like, the old days. Imagine when this is working right. Like when it's factually correct.

Leo: You know, a lot of people think it never will get there. I'm kind of with you. I feel like we've seen so much progress, and such kind of surprising progress.

Steve: In a year.

Leo: And it's unexpected. It's like, there's almost something magical about it that I would not be the first person to say, oh, you'll never make it. I think it's a good chance that it's going to be pretty amazing in a few years. I don't know.

Steve: Already, again, already I ask it these sorts of questions because it saves me 15 minutes of digging around, looking for the source material.

Leo: If nothing else. If nothing else.

Steve: Yeah.

Leo: That's hugely valuable. That's been my point all along. But Ms. Hao had some very interesting things to say. I encourage you to, if you get a chance, read the book. Otherwise listen to the interview tomorrow on Intelligent Machines.

Steve: I'll read the book. I'm a big reader.

Leo: Yeah. Oh, and you will like it because there's a lot of detail.

Steve: Cool.

Leo: Lot of interesting - she has a Bachelor of Science in Mechanical Engineering from MIT and worked as a coder for Google. So she has an engineering background.

Steve: Oh, yay.

Leo: Yeah. So she knows what she's talking about. Then wrote at MIT Technology Review, wrote for The Wall Street Journal. She's both a journalist and an engineer.

Steve: What is the book?

Leo: It's called "Empire of AI," by Karen Hao, H-A-O. And it's really the - it's interesting because she started writing this book to kind of critique the colonialism of OpenAI. "Halfway through my writing of it, they fired Sam Altman." And suddenly, you know, her whole focus in it had to change. She said, "The good news is all the people, hundreds of people that I had made connections with in the research for the book were very willing to tell me what really happened behind the scenes." They were, like, anxious to get the story out. So she's got the story. It's quite good. It's really interesting. Anyway, sorry, didn't mean to interrupt. But I agree.

Steve: Well, we are, you know, sometimes when I look at BYTE magazine, I think how much I enjoy working within constrained environments. I mean, I write in assembler. I like having, you know, a limit in which to craft my solution. So I've sometimes wondered if I wouldn't have really loved, like when computers were relays, and it was, you know...

Leo: Chunk, chunk, chunk.

Steve: Like there was even less, you know, even more constraint.

Leo: Right.

Steve: But then that would have meant I was older than I am, and I might be missing now.

Leo: I agree.

Steve: And now is an amazing time.

Leo: I agree.

Steve: I mean, we get to finish off our lives, Leo, watching this emergence of maybe consciousness from this technology.

Leo: Yeah.

Steve: You know, where we used to be, like, desoldering chips from it because we were needing to reuse them.

Leo: That's something you said very early on. I asked you, well, do you think there's something special humans do and that consciousness reflects that is different? And you said no. We're just machines like anything else. And I think that that's the thing that really means maybe it is possible. You throw enough compute at it, enough memory at it.

Steve: I think it's an emergent property of consciousness.

Leo: You get consciousness, maybe an emergent property of complexity, exactly. Yeah. We'll see. I think we're going to be here to see.

Steve: We will. I think so because it's certainly not waiting for us. It's happening.

Leo: It's moving.

Steve: Wow. Okay. So we got some more detail about the exploit chain that wound up leveraging that recently patched Apple zero-day. Remember that was CVE-2025-43300. We talked about this last week. Clever bad guys had discovered that Apple's implementation of the JPEG lossless decompression and interpreter that would be called upon to display an image in Adobe's DNG file format contained a critical flaw. If the provided image file's data did not match what was described in the file's metadata header, an out-of-bounds write could be triggered, which could lead to a compromise of the user's device. But how do you get the image to the user?

What we now know is that an unrelated flaw in Meta's WhatsApp was also implicated as the carrier of the image. Last week Meta updated their WhatsApp messenger to cure their number CVE-2025-55177. And about this, they wrote: "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS, WhatsApp Business for iOS, and WhatsApp for Mac could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms" - and that's the 43300 CVE - "may have been exploited in a sophisticated attack against specific targeted users." And, as always, we know to immediately replace the phrase "may have been exploited" with "was definitely found to be exploited."

Leo: Certainly without any doubt.

Steve: Because I presume that every corporate attorney has made abundantly clear that vulnerability advisories are not the place to admit responsibility for anything.

Leo: Yeah.

Steve: So what we know is that representatives of Amnesty International tweeted last Friday morning that both of those two zero-days, Apple's and Meta's, had been employed in "an advanced spyware campaign" over the last 90 days. So that also suggests, tells us something we didn't know before. And that is the consequence of the exploitation of those two critical vulnerabilities was the installation of spyware into targeted phones. So again, I mean, that's the holy grail; right? All of these companies are selling their technology to governments that are wanting to install spyware into journalists' and political activists' and so forth phones.

I also saw one interesting story, I didn't put it in the show notes, Leo, but I thought you'd get a kick out of it. Turns out that Israel has been very effective in locating Iranian officials because their bodyguards...

Leo: Oh, I saw this.

Steve: ...are not exercising good cell phone, good smartphone hygiene.

Leo: Not enough tech, no. Yeah.

Steve: And of course the bodyguards are always going to be physically in proximity to the people whose bodies they're guarding. And unfortunately, that doesn't help them if the bodyguard can be targeted.

Leo: Well, I'll give you one more story related that broke this morning. Apparently, we didn't know this, but the Biden administration had ordered the U.S. law enforcement to not use Paragon's spyware. But apparently the Trump administration has reversed that, and ICE will now have access to Paragon's zero-click exploits in the United States.

Steve: Yup.

Leo: And that's somewhat concerning. Although, frankly, I didn't realize that they were not allowed to use it. I just assumed they were.

Steve: Yeah.

Leo: Yeah.

Steve: Yeah. Wow.

Leo: So now we know they are, or will. Yeah.

Steve: We're at an hour. Let's take another break, and then we're going to look at this next piece, which I said at the top of the show is very spooky. This is our first example, as far as I know, of AI having been actively leveraged in an attack, in a way that will give you some chills.

Leo: Oh. Okay. Back to you, Steve.

Steve: It's interesting, I heard you use the phrase "Get it at the GitHub." You know, it's like...

Leo: Maybe that's just me.

Steve: I kind of liked it. I never thought of it that way.

Leo: It's a GitHub.

Steve: I mean, it's a hub of gits.

Leo: A hub of gits.

Steve: Yeah. It's sort of like the Ukraine versus Ukraine.

Leo: Yeah. Well, you're not supposed to say "the" Ukraine.

Steve: No, I know.

Leo: Apparently that's kind of a colonialist way of talking about, like it's a province of the Soviet Union, which it's not.

Steve: Right. Yeah.

Leo: But the GitHub is, yeah, we've...

Steve: That kind of works. It's a hub of gits. I like that. So we all knew, we talked about this at like day one, that AI would almost naturally somehow wind up being used by bad guys to further their evil ends. So get a load of this one, which just happened last week. It took the form of a supply chain attack against the users of the popular NX tool which is used to automate CI/CD development flow. CI/CD, for those who don't know, stands for Continuous Integration, Continuous Delivery and Deployment. So it's about software deployment automation.

Last Tuesday, an unknown threat actor compromised the NPM identity authentication token of one of the NX developers and used their then-authenticated access to release malicious updates for several of the NX tools to the npm package repository. Now, that alone is horrifying. The NX tools are very popular, seeing around 4.6 million weekly downloads. So that was a serious breach of a trusted NPM developer which allowed malicious code to flow out of the trusted repository.

But listen to what the malware did. The altered NPM packages contained a malicious script that attempted to run a prompt on a local AI command-line tool like Claude, Gemini, or Q. And the prompt instructed the local AI agents on that machine to search the local filesystem, which it had access to, for text-based files that might contain GitHub tokens, npm tokens, SSH keys, .env secrets, and wallet files. And all the data discovered locally was then encrypted and written to a file. The subsequent command then used the GitHub API to create a new public repository on the infected user's GitHub account and upload the file with all the stolen data.

So, you know, you get your local trusted AI agent to scan your own machine for its secrets, then encrypt them before posting them publicly. And since they're encrypted, no one else is able to decrypt them and get a hold of the secrets. So talk about diabolical.

All of the public GitHub repos which were created containing stolen data used the same prefix - which was "s1ngularity" with a numeral 1 for the "I" in singular - "s1ngularity-repository-" was the prefix. That made them easy to find on GitHub, which is probably how the attacker collected the stolen data. According to a GitHub search, there were around 1,400 GitHub repositories with that prefix, which was roughly the same number of users the attacker had infected before the malicious NX libraries were taken off npm. So around 1,400 developers had their local machines scoured by their own local AI agents for any juicy tidbit secrets, with everything found posted back to their GitHub accounts, where they were collected and then decrypted by the bad guys. Wow.

Leo: That is a very clever hack. That's really interesting. Wow.

Steve: Yeah, yeah. Not that it really matters anymore, since all of everyone's data has probably long ago leaked onto the Internet and been vacuumed up into a growing dark web database. But for the record, TransUnion had all of the data of their 4.4 million customers stolen by the prolific ShinyHunters hacking group which, as we know, they've recently been succeeding so well using phishing attacks. So we can now add TransUnion to the likes of Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas.

Leo: Of course TransUnion has everything; right? Because it's a credit reporting bureau.

Steve: Yeah, exactly.

Leo: They have it all.

Steve: They're like the Galactic - exactly. The vault of all of our secrets. Great. All those companies have reported breaches linked to Salesforce-connected applications.

Leo: Oh, this is another Salesforce breach?

Steve: Yeah. Yeah.

Leo: Ay ay ay.

Steve: Okay. Now, here's a weird one. Two rather disreputable websites, 4Chan and Kiwi Farms, have brought a lawsuit against the United Kingdom's Office of Communications, often abbreviated "Ofcom." I had heard of 4Chan. I had never heard of Kiwi Farms. So I asked the Internet, and now I wish I hadn't.

Leo: Yeah.

Steve: The little blurb summary that I received read: "Kiwi Farms, established in 2013 by Joshua Conner Moon, functions as an online forum for discussion and harassment. Initially targeting webcomic artist Christine Weston Chandler, the site is known for organized group trolling, stalking, doxing, and real-life harassment, often directed at transgender individuals, those with disabilities, and neurodivergent people. The platform has been connected to several suicides and has received criticism and service terminations due to its controversial content and association with harassment." Yuck.

So these two disreputable websites, 4Chan and this Kiwi Farms, are suing the UK's Ofcom (good luck) over their Online Safety Act, which requires websites and social media platforms to perform age verification checks on their users. As we've been discussing, because the web industry has not yet solved this problem in a way that would be possible and practical, users are currently being required to upload an ID, have their face scanned, or otherwise give away their personal information in order to access large portions of the Internet. Any sites that do not comply are subject to significant fines under the UK's law now, regardless of where they're based - including in the United States where we enjoy strong First Amendment speech protections.

However, as we also know, our own Supreme Court recently decided that asking for the same sort of proof of age would not unduly encumber our First Amendment protections. Many people disagree. Opponents of the UK's Online Safety Act note that this is resulting in an Internet where users must provide scans of their faces to access, for example, certain music videos on Spotify.

The lawsuit brought by 4Chan and Kiwi Farms calls Ofcom an "industry-funded global censorship bureau," saying: "Ofcom's ambitions are to regulate Internet communications for the entire world, regardless of where these websites are based or whether they have any connection to the UK." On its website, Ofcom states that over - so they're saying that Ofcom's website states that "over 100,000 online services are likely to be in scope of the Online Safety Act, from the largest social media platforms to the smallest community forum" from Ofcom.

So I doubt that the Electronic Frontier Foundation would choose to have anything to do with helping these two sites in their lawsuit, but the EFF has said that the Online Safety Act "is a threat to the privacy of users, restricts free expression by arbitrating speech online, exposes users to algorithmic discrimination through face checks, and leaves millions of people without a personal device or form of ID excluded from accessing the Internet."

In my research for today's podcast I also ran across some other news, which was that, not surprisingly, those websites that were obeying these new laws, by replacing their "You Betcha I'm 18!" buttons with full, strict, unspoofable age verification technology had seen, are seeing, an astounding drop-off in their site traffic. Not surprisingly, nearly everyone who is being hit with that is simply going elsewhere. And there's "an elsewhere" to go to. The same reporting noted that other famous porn sites are experiencing a doubling or tripling in their traffic.

So as I've been noting, we're very nearly having all of the pieces that we need in place. We just need to get our act together as an industry. I assume that the folks who are working on this for the World Wide Web Consortium, the W3C, which is where the standard needs to emerge from, I hope they are staying up late at night and working through the weekends. You know, that TruAge system that we looked at is very close to what we need, but it needs to have all of its trackability removed. And we heard that TruAge had contributed its technology to the W3C. Okay. That's good, I guess, even though this is not a difficult problem to solve. It just needs someone in the right place to do it.

So quite suddenly, nearly overnight, thanks to this legislation, which has been, you know, it's been pending, and it's been percolating, the world has suddenly become in very desperate need of privacy-preserving solutions for online age verification. And, you know, we need it yesterday. So I really hope that this is getting the attention that it needs. It must be because there's just, Leo, there's so much of this in the news now. With like, you know, Bluesky dark in Mississippi.

Leo: Well, I think there's some real question of if it's even possible to do that. I mean, I guess...

Steve: Well, somebody needs to know who you are. For example, in my case, California, I have a driver's license. California knows who I am. But it is possible to blind anybody else to an assertion of my age. So with this California digital ID, it would be entirely possible to design a system where my phone scans a QR code, and California then asserts to that site that I am of a certain age. And so, I mean, utterly possible. It is absolutely...

Leo: But then you have to require everybody to have a California ID.

Steve: I mean, I'm not saying it's simple. I'm just saying...

Leo: It's not even okay. I mean, there are plenty of people who will not have a California ID, especially if they're people between 16 and 18 who will not have a California ID.

Steve: Right. Then they're not able to assert that they are over 18.

Leo: Well, see, different jurisdictions have different age limits. They're not all 18.

Steve: Right. Right.

Leo: Yeah. Okay. So we're going to set up a state system that will know everybody's identity and age. I don't think that's going to happen. I certainly wouldn't advocate for it.

Steve: In that case, well, I mean, I guess what I'm saying is that the way to solve this is for someone to know your age, and then for that someone to anonymously assert that [crosstalk].

Leo: I understand the technical solution. I'm saying politically, who would that someone be? I mean, okay, I guess you could say you have to have a driver's license in order to go to a porn site, but that...

Steve: Does everyone have a Social Security card?

Leo: Yeah. Presumably everybody has...

Steve: I got mine when I was...

Leo: Almost everybody does, yeah.

Steve: I got mine when I was pretty young.

Leo: There are laws against using - there's good reason for there's laws against using that for identification.

Steve: But this is not for identification. The idea would be that that would allow the government to make an assertion on your behalf of your age, and to do so anonymously. I mean, again, Leo, what is the choice? I mean...

Leo: The choice is not to do this. Period. It's like saying, oh, there's got to be a backdoor to crypto somehow because what's - the choice is not to have age verification.

Steve: Okay. I mean, I hear you. I would wish that these laws were not happening. But we know what our Supreme Court just did. So I don't know where we go.

Leo: Although, interestingly, we talked about this on Sunday, of course Cory Doctorow was on and is a very strong advocate on this. He pointed out the Supreme Court did not in fact say the Mississippi law was okay with the First Amendment. They just said NetChoice's opposition was improperly formed, and they threw it out on that basis. They said in fact...

Steve: Oh.

Leo: They said in fact it's very likely if this were brought to us properly we would have to uphold the plaintiffs because it is a violation of the First Amendment.

Steve: Yay.

Leo: Yeah.

Steve: Good.

Leo: I don't know if there's a good way out of it. And you're right, governments are going to want to do this. But, you know, historically in the United States we've resisted these kinds of national attempts at identification.

Steve: Yeah. And, you know, like why all of a sudden? It's not like anything got worse; right? I mean, this is...

Leo: Yeah, no.

Steve: We've had this around for decades now.

Leo: Well, what did get worse is the Internet's put it in everybody's home; right? It used to be if you went into the drugstore and you tried to read the Playboy, the guy would say, get out of here, you kid. You're too young. Now it's everywhere. It's in everybody's house.

Steve: Yeah.

Leo: And I think that's what's really irritating parents.

Steve: Yeah.

Leo: And I don't blame them, yeah.

Steve: Okay. So an announcement on the OpenSSH site was refreshing. It said: "OpenSSH supports a number of cryptographic key agreement algorithms considered to be safe against attacks from quantum computers. We recommend that all SSH connections use these algorithms. OpenSSH has offered post-quantum key agreement (KexAlgorithms) by default since release 9.0." That was in April of 2022. "More recently, in OpenSSH 9.9, we added a second post-quantum key agreement, and it was made the new default scheme in OpenSSH 10.0 (April 2025).

"To encourage migration to these stronger algorithms" - remember that both ends of the connection, the OpenSSH client and the server, need to support these; they negotiate the strongest algorithm that they can. So, you know, if you upgrade one, it doesn't do any good if you don't upgrade the other end.

So they said: "To encourage migration to these stronger algorithms, OpenSSH 10.1 will warn the user when a non-post-quantum key agreement scheme has been selected with the following message: WARNING: Connection is not using a post-quantum key exchange algorithm. This session may be vulnerable to 'store now, decrypt later' attacks. The server may need to be upgraded. See" - and then they give a URL for openssh.com/pq.html. And they finish, saying: "This warning is displayed by default, but may be disabled via the WarnWeakCrypto option in ssh_config."

So it occurs to me that as an industry we're beginning to learn how to do this. After Peter Gutmann's recent revelations regarding the truth of how far away we still are from anything even approaching practical quantum factorization, we almost certainly have plenty of time. But now that we've developed practical post-quantum solutions, there's no reason not to get them deployed. You know? Why not? We know that this will never happen without a bit of deliberate urging, so adding a little reminder notice when connecting with old-style pre-quantum crypto will serve to provide the nudge that's needed. So I thought that was a neat thing that they were doing. Just a little reminder. And it's not like your current session is going to be decrypted. No. It's the store now, decrypt later. And that's something that should give people, you know, second thoughts and some chill.

So for this week's What Could Possibly Go Wrong segment, we have Nextgov reporting under their headline: "Russia-based Yandex employee oversees open-source software approved" - and not just approved, but widely in use, but they didn't say that - "software approved for DOD use." Here's what Nextgov shared. "A Russia-based Yandex employee is the sole maintainer of a widely used open-source tool embedded in at least 30 pre-built software packages in the Department of Defense, raising potential risks of covert data exfiltration through sensitive digital tools used by the U.S. military, according to research first seen by Nextgov.

"The tool, dubbed 'fast-glob,' helps software developers operate on groups of files [globs] without having to write extra code, making it the preferred method for quickly searching and organizing project files. It's used in over 5,000 projects worldwide and is downloaded some 70 [seven zero] million times per week, according to findings published Wednesday by software supply chain security firm Hunted Labs.

"The maintainer is listed as Denis Malinochkin. As of publishing time, there's no known malicious code inside fast-glob, according to Hayden Smith, Hunted Labs co-founder, who added that Malinochkin appears innocuous, though his standing as the only maintainer of the popular software package raises red flags." And they're red.

"Hayden said: 'A project that is popular should not be maintained by just one person. Even if you remove all of the geolocation and geopolitical atmospherics, having a solo maintainer for any project you critically depend upon is extremely risky.'

"The DOD's Office of the Chief Information Officer, which advises the defense secretary on information technology, was alerted to the matter about three weeks ago, Smith added. Nextgov has reached out to the DOD, the Defense Information Systems Agency and Defense Counterintelligence and Security Agency for comment.

"The fast-glob package is listed inside Platform One's Iron Bank, the Pentagon's vetted repository of" - I know, Leo, that's exactly my reaction when I read "The Pentagon's vetted repository of software building blocks used by the U.S. military's software publishers and contractors to craft digital tools and applications, according to multiple people familiar with the matter. The people were granted anonymity to be candid about its use inside DOD software systems."

Okay, now, wait. What's wrong with the phrase "Pentagon's vetted repository of software building blocks used by the U.S. military's software developers," then follow that up by explaining that some of this Pentagon-vetted software also happens to be open source and being updated at will by some random Yandex employee in Russia? Do we see any problem here?

Leo: Sheesh.

Steve: Then we see what Nextgov reminds us of next as we continue with their reporting, writing: "Yandex is a major Russian technology company that has been found to have extensive ties to the Kremlin and has promoted misinformation about Russia's war in Ukraine. The set-up, as is, could allow the Kremlin to carry out a state-sponsored intrusion into multiple projects that rely on fast-glob and force Malinochkin to make malicious, surreptitious changes without oversight from other users. The report says that Malinochkin is 'more likely to encounter Russia's Federal Security Service or state security individuals in their day-to-day duties and could be susceptible to coercion.'

"In an email sent to Nextgov, Malinochkin said that he has been developing and maintaining fast-glob for over seven years, which began prior to his employment at Yandex. He said the tool's source code is fully open and auditable by potential users, and that its development or support has never been a part of his professional duties at his current job. He wrote: 'Nobody has ever asked me to manipulate fast-glob, introduce hidden changes to the project, or collect and share system data. I believe that open source is built on trust and diversity.'"

Now, I have zero doubt that all of that's true, and I don't imagine that anyone doubts Denis's sincerity and integrity. But fast-glob's future may not be entirely in his hands. What is he going to do if scary Russian state security knocks on his door? I'm sure that's not a position he would want to be in. But the fault here does not lie one bit with Denis. The fault is entirely ours. The Pentagon and the U.S. Department of Defense is using open source code libraries - presumably in mission-critical applications - over which it does not have absolute control. The fact that in this case one of those libraries is being maintained by a developer located in a country with which the U.S. currently has strained political relations is beside the point, but it does help to capture everyone's attention.

Nextgov's story provides some additional intriguing reporting. They wrote: "In July, Secretary of Defense Pete Hegseth signed a memorandum directing the Defense Department to 'not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishments and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the department.' That memo came after ProPublica reported Microsoft had relied on China-based engineers to support its cloud services for the DOD. Microsoft has since severed those arrangements." And of course we covered that Microsoft-China connection thoroughly at the time.

Nextgov writes: "Open-source projects rely on contributions from community members to keep them updated with patches. The updates are often discussed on forums with volunteer software maintainers. Historically, community practices have operated under the premise that all contributors are benevolent. That notion was challenged last February when a user dubbed 'Jia Tan' tried to quietly plant a backdoor into XZ Utils, a file transfer tool used in several Linux builds that power software in leading global companies.

"George Barnes, the former deputy director of the National Security Agency said: 'If you're a nation state, you have a bunch of stuff that you're doing fast, but you have other stuff that you're doing very methodically, slowly, or positioning strategically.'" So I think his intention was to creep us out about the potential for, you know, sleeper installation of software.

"Russia's state-centered economy," writes Nextgov, "also allows the Kremlin to compel firms to act on behalf of the nation's interest, including the use of hacking and disinformation campaigns. Yandex is one of several major domestic tech companies that the Russian government can rely heavily on. Barnes said: 'This piece of code has no known vulnerabilities. It's ubiquitously leveraged and used globally, and it happens to have one maintainer sitting in Russia. And the [maintainer] might be totally fine, but that situation subordinates him to a legal framework that's not under his control.'

"Chinese, Russian, and North Korean-affiliated hackers are covertly working to insert backdoor hijacks and exploits into major publicly available software used by countless organizations, developers, and governments around the world, according to findings from Strider Technologies released earlier this month. Russia has continued broader cyber activities despite recent U.S. efforts to bring the Kremlin to the negotiating table with Ukraine. An FSB-linked group has attempted to spy on foreign embassies in Moscow by targeting local Internet and telecom infrastructure used by diplomatic personnel, Microsoft said in late July."

And, of course, we covered that at the time, too. That was tricking embassy staff to install malicious root certificates into their machines through a web-portal attack. So I hope this news gets the attention of the right cyber people in the U.S. government. As we know, supply chain attacks present a very serious attack vector, and it sure appears as though this is a vector that's been grossly overlooked, Leo, because we're all relying on open source libraries. And they're in U.S. DOD software.

Leo: I have to, I mean, first of all, you'd think that this Iron Bank would only include software written by the Defense Department. But since it doesn't, it is open source, and I would think fast-glob isn't so complicated that somebody can't keep an eye on it and make sure that Mr. Malinochkin, which I don't think is how he says his name, but I like it, I like it. I think it's probably Malinochkin. But anyway...

Steve: Thank you. You're much better with the Russian accent than I am.

Leo: Malinochkin. But I liked the Malochicken. I mean, that's a guy you really don't want working on your Defense Department software. That's what I have to say about that. Would you like me to take a break?

Steve: Yes. We're going to take a break. Then it's time for Listener Feedback.

Leo: I like Mr. Malochicken. Watch out, Malochicken, I've got my eye on you. Now, back to Steve.

Steve: An anonymous listener - I don't know why he wanted to be anonymous; but okay, I always honor those requests, of course. He said: "Hey, Steve. Thought you and your listeners would appreciate this. There is a new Apple device backup solution called Parachute Backup Mobile. Simply put, it's a fantastic tool if you're one that has gigs of photos or files that you'd rather back up locally vs. iCloud. I have it backing up to my NAS on a schedule. You should check it out on the App Store. It's for macOS, iOS, and iPadOS. Oh, and the best part," he writes, "$3.99 for life. This app developer gets it." He says: "P.S. If you read this, I'd like to stay anonymous."

So I checked it out. As an iPhone user myself, I love the idea of being able to clone my massive and growing iCloud library, mostly photos, to another storage location under my own control, just because, you know, we all have lots of storage these days, so why not? Apple provides an export option from iCloud. So if someone had an iPhone for years, collected a library of photos, and wished to switch over to Android, for example, and Google Photos, it is possible to schedule their transfer from Apple to Google. But I'm remaining with Apple, and I still like the idea of having another copy under my own control.

So as I said, I checked out Parachute Backup, and I like it. I maintain a very low volume transaction Amazon S3 account where, for example, all of this podcast's audio is archived, just to have one, you know, master offsite source. It turns out that Amazon mostly charges for transfer bandwidth, and nearly nothing for storage. So it's perfect for external hands-off redundant archival storage. And this Parachute Backup supports Amazon's S3 backup. It can also back up to the user's own local NAS or external storage. In the case of NAS backup, I never realized that it's possible to use the iPhone's built-in "Files" app to connect to network storage. So you do that first, to create a folder on your iPhone that's connected to a shared folder on your NAS. Then you instruct Parachute to maintain a synchronized backup of your iCloud and other iPhone, iPad, or macOS goodies with that folder.

It looks like a terrific - it's a terrific little 6MB app. It was released at v1.0 just two and a half weeks ago on August 14th, and it's been evolving rapidly ever since, adding features and fixing bugs. So you might want to wait, let it mature for another couple months. Microsoft OneDrive support was added the day after its release. Amazon S3 support was added on August 23rd and then further refined. At the time of this writing it's at v1.3.3. And our listener is correct about the price. It's $3.99, one time, and you own it for as long as it's around. So anyway, just wanted to make a pointer to that app because it looks like it's a great solution for iPhone, you know, iOS devices. And for macOS, too.

Stephen Adams wrote: "Steve, you mentioned in your section about data brokers that nobody authorized the credit bureaus to collect our information. That's incorrect. You expressly gave your permission when you applied for or continued to use credit or receive service from a utility (electric, phone, mobile, gas, et cetera)."

Leo: Or a credit card, for that matter.

Steve: Yes. "Each and every application or terms of service document states this will be done; and when you sign the application, you agree to sharing your information with the credit bureaus." He said: "Here is the language from my latest JP Morgan Chase credit agreement." And it reads: "'We may obtain and review your credit history from credit reporting agencies and others. We may, from time to time, obtain employment and income data from third parties to assist us in the ongoing administration of your account. We may also provide information about you and your account to credit reporting agencies and others. We may provide information to credit reporting agencies about this account in the name of an authorized user. If you think we provided incorrect information, write to us, and we will investigate.'"

So he finishes, saying: "There is no opt-out for reporting your information to the credit bureau. The only way to clear your credit report is to have no credit and wait seven-plus years for everything to age off. As long as you have credit, you've authorized collection of that data. Signed, Stephen."

So Stephen, I stand corrected, and I am glad to be. So thank you very much for that. This is certainly an important part of the whole credit bureau story. You know, in the fine print of the credit agreements we voluntarily signed with all of the many various sources of credit we use and take for granted in our modern lives. And as you said, Leo, who doesn't have at least a credit card these days? We gave these credit grantors our permission to disclose and share what they learned of us. So, you know, they need to learn about us by asking these aggregators what's known. And in return they report about us under our contractually granted consent. So unfortunately, as we know, they're not good at keeping it to themselves.

Leo: Yeah.

Steve: Which is another problem. Vladimir, I don't know how to pronounce his last name, Leo, E-L-I-S-E-E-V, Eliseev?

Leo: Am I going to be the Russian guy?

Steve: You're my Russian interpreter.

Leo: I'm going to say it's Vladimir Eliseev.

Steve: Nice. I like that. I'll just do Vladimir from now on.

Leo: Vlad, just call him Vlad.

Steve: Vlad, I like that. "Hi, Steve. My name is Vladimir. I live in Russia." And here we were just talking about last week how we have listeners in Russia and China; right?

Leo: Oh, yeah.

Steve: He says: "I live in Russia, and I really enjoy listening to Security Now!. I'd like to add to your comment in Episode 1040 about the problems with Google Meet. The reason for the blocking of Google Meet is the launch of the Max messenger, which is under state control. In this way, Russia continues down the path of Internet isolation, a process that Russians themselves call 'creating the Cheburnet,'" he said, "(a blend of Cheburashka and Internet)."

Leo: Huh. I don't know what Cheburashka is. But I'll look it up.

Steve: Yeah, you should look it up. I did. It's a little furry bear creature. So Vladimir, thank you so much for your note. Just as I feel self-conscious talking negatively about China while we have so many Chinese listeners, I feel equally awkward talking about Russia in derogatory terms, and for the same reasons. But my own U.S. government's hands are also certainly not clean. So I think we can all assume that whenever we're talking about the actions of Russia, China, or the U.S., we're never talking about the actions of a country's people. Whether or not we may have voted for our various governments' representatives, and regardless of how we may feel about their actions, they are not us.

So I also very much appreciate hearing from our listeners in other countries to obtain their perspectives. I poked around a bit looking for "Cheburashka," which appears to be a fictional character from Russian literature.

Leo: Yeah, there's a picture of it with the big ears.

Steve: Yes, next to an alligator or a crocodile.

Leo: And that's actually an official Russian 20 ruble coin. So he is - Cheburashka is beloved in Russia.

Steve: Okay, comrade.

Leo: It comes from the word for "tumble off the table." And it's a roly-poly toy. There it is.

Steve: So the Cheburnet is not regarded seriously.

Leo: Even if it tumbles off the table.

Steve: That's right.

Leo: Oh, I see. Soviet censors tried to stifle the Cheburashka films because they made fun of nitpicking bureaucrats, factory directors, and the Young Pioneers. Ahhh. So it was kind of a subversive piece.

Steve: So Vladimir, thank you for bringing that little bit of Russian history and background to the podcast. We appreciate it.

Hans Bornich said: "Hi, Steve. Regular listener and Club TWiT member here. Thank you for all your hard work on the show and everything else you do. I especially look forward to an UEFI native version of SpinRite" - that'll be coming for Windows - "which I will be purchasing on day one. Anyway, I stumbled upon a link I thought you might find interesting. I thought I knew what a valid email" - oh, Leo, you're going to have fun with this - "what a valid email address was, but boy was I wrong, if this site is right." And I can say now that it is. He said: "I wonder what your score will be. No cheating!" He said: "I scored a measly 12."

Leo: Yeah. I took this a couple of weeks ago when I first saw it, and I didn't do well at all. I'm amazed at some of the things the RFC allows [crosstalk] address.

Steve: I am, too.

Leo: Yeah.

Steve: So, Hans is correct. It is a difficult test, and I did not do much better than his 12. I scored 15 out of a total possible of 21, and I've written more than my share of email address parsers in my time.

Leo: So you should know.

Steve: There are some very worthwhile and tricky examples on the test. So for anyone who's listening, it's e-mail.wtf. And it's a great site.

Leo: You can't have spaces in the first part of an email address, but you can have spaces before and after.

Steve: Who woulda thunk?

Leo: The spaces get ignored.

Steve: Yup.

Leo: But I think email clients may not behave properly.

Steve: We know about dots, but it turns out there's a subtlety there, also.

Leo: You can't have a dot at the end.

Steve: It's one that I missed.

Leo: Yup, yup.

Steve: Nor successive dots.

Leo: This is hard.

Steve: But we're also giving it away, Leo. So we have to be...

Leo: Oh, yes. Okay, I'll stop now at question 9 and let everybody fail on the rest of them, yeah.

Steve: E-mail.wtf.

Leo: It's very good. Yeah, really...

Steve: Anyway, and they've got another one. When you're done with that, there's the link to something else. They have another test. I didn't - I don't remember now what it was.

Leo: Oh, okay. But you have to get to the end, huh?

Steve: I think so, unless you scroll - is there something at the bottom of the page?

Leo: No. You have to get - you have to finish it to see it.

Steve: Okay, yeah. I did see a link to yet another test you can take. Matthew Turner shared the thinking that I'm sure we've all had. He wrote: "So would recording a TV program and fast-forwarding the ads be illegal? What about stepping out of the room during an ad? Or what about watching live TV and muting the ads because they are so much louder than the program? Although charging AI for content would likely make the AI much more accurate."

So I wish charging AI for content would make it more accurate. But as we noted, Reddit has been licensing its content now for AI modeling, and it's not as if AI is only being trained on the Encyclopedia Britannica. Which is, you know, a highly credible source of actual information.

And as for the whole question of any implied obligation to be exposed to a show's advertising, I think Matthew's examples help to highlight the dilemma. You know, we may have signed a contract with a lender to allow them to obtain our credit data and return anything more they learn about us to the credit bureau. But no one watching live TV ever agreed not to get up and pee during commercials.

Leo: That's what they're for; isn't it?

Steve: That's - exactly. Not only do we have no obligation to sit still during commercials, but they're widely regarded as conveniently placed opportunities to transfer the clothes from the washer to the dryer, to feed the dog, to make sure the front door is locked, you know, and to take care of numerous other things that make up our evenings. You know, when I use a web browser, I'm rarely confronted with a site that notices my browser is not displaying all of its advertising and asks me to please disable my ad blocker. But it has happened. When it does happen, I am more than likely to just leave and go somewhere else.

So I suspect that most sites that may have tried that for a while noticed that the practice resulted in a drop in their revenue, rather than the reverse, so they decided to take the high road and accept what revenue they can get without attempting to force the issue. Anyway, yes, Matthew, it is a mess. And again, it's unresolved at this point.

Tom Apalenek said: "Hi, Steve. Great show as always. A couple of observations on copyright and ad blockers or AIs." He said: "The ad blocker's 'modified' code and display of a web page is only being displayed to the person who bought or is using the ad blocker. It is not being re-published to anyone else. Books are also protected by copyright law. By the German court's logic, highlighting or underlining passages in a book that you own, and the purchase of pens or highlighters for that purpose, should also be illegal."

Okay. So I had to reread that and think about that a bit to obtain all of Tom's logic. But I can see his point. It would be illegal to make a few changes to a copyrighted novel, for example, and to then resell it as one's own work. But it's certainly not against the law to rewrite a novel, tear out pages, or do whatever you wish to a copyrighted work that you own. So Tom is suggesting that having a web page displayed is the delivery of a copyrighted work that its recipient has every right then to change however they may wish. What they cannot do is capture and republish that modified work for their own benefit. And of course no one's doing that. We're just choosing to modify that web page which we received for our own consumption. That feels like a pretty sound argument to me.

Leo: Yeah, it does.

Steve: Yeah.

Leo: Well, somebody should write to the German court.

Steve: Yeah. His email continues: "Also, you described AIs as the ultimate super ad blockers. Given their need to eventually show a profit" - ooh - "I fear this is probably short lived. I suspect that AI dialogs will start changing in the near future to something like this. The prompt says: 'How can I get my WiFi to reach to the end of my backyard?' The answer from the AI: 'There are several options, including WiFi extenders, long-range routers,' blah blah blah. 'By the way, did you know that Best Buy has the model XYZ router on sale this week for $69? Would you like me to provide you a link to the ad on their website?'"

He says: "Or maybe it will just show you the ad directly at the end of the answer. In any case it will be interesting, if not disappointing, to see how this all shakes out. Thanks to you and Leo for a great show and for keeping us all up to date on the latest security news. Tom." And he signs off, Leo, with wa2ivd, his call sign.

Leo: 73w2ivd3a2. Very nice.

Steve: And so that made me remember. Remember how super clean and simple and straightforward and frankly beautiful Google's original search results were in the beginning?

Leo: Mm-hmm.

Steve: Just a white page with wonderful links to exactly what we were looking for. But those days are long gone. Now the page is encrusted with sponsorship barnacles. And the link you'd love to have, instead of being right there at the top of the page, is buried beneath AI overview, a bunch of sponsored and not always on-point tangential references that are trying to take you somewhere else, and eventually you may find the link you're seeking.

Sadly, I would bet some money on Tom's vision of the future of AI chatbots turning into a massive advertising revenue generator. Or maybe the free version will be that, and we're going to have to pay probably more than we are right now in order to get one that isn't, you know, advertising barnacle encumbered. I probably would do that, I think, because I'm finding this so useful. But, yeah, I do imagine, I mean, Leo, can you imagine a better, more potent vehicle for ad delivery than an AI chatbot?

Leo: I'm convinced that this is just around the corner.

Steve: Yeah.

Leo: I think Perplexity will do it. I'm surprised they haven't done it yet, to be honest.

Steve: Yeah, yeah, yeah.

Leo: Because it's exactly what advertisers would love.

Steve: Yes, because you get all the context of the user.

Leo: Right.

Steve: You know what the person is asking about. I mean, it's made, nothing has ever been more made for delivering, you know...

Leo: Right.

Steve: ...context-aware advertising.

Leo: Yeah.

Steve: Yeah, I do think it's inescapably our future. Someone calling himself Zaphod Beeblebrox...

Leo: Zaphod Beeblebrox.

Steve: Zaphod Beeblebrox, yes. Oh, but...

Leo: This is from "Hitchhiker's Guide to the Galaxy."

Steve: Yes. He's Zaphod Beeblebrox I.

Leo: Yes.

Steve: So just to be clear. Not a descendent.

Leo: He made an amazing Pan Galactic Gargle Blaster and was the coolest frood in the Universe, just so you...

Steve: It's not fair, Leo, because you listen to audiobooks so you know how these things are pronounced.

Leo: Oh, you knew it was Zaphod Beeblebrox. You just didn't know how to pronounce it. I get it. Oh, yeah, yeah.

Steve: Correct. Oh, I knew exactly who it was. You betcha, baby.

Leo: President of the Universe.

Steve: So he says: "Hey, Steve. Re: Ads on websites. As you switched to Brave, their 'BAT' (B-A-T) idea may interest you. It stands for Basic Attention Token. Basically, a crypto mined with attention. Something like this could make sense. It was also used years ago, but called 'cryptojacking,' and now most browsers block it. ASIC-resistant coins like Monero, which you may like for its privacy features, can be CPU mined and therefore paid directly to the websites with no tracking. AI companies could also do something similar and pay every time their AI uses data scraped from that site.

"The economics could be tricky, and beanie babies aren't the best example, but if people really want BAT, the price will go up. Same way if people want USD, the value goes up. It could be a good way to pay without paying. I don't think they could require a specific amount to go to a site, though, because phones would generate minimal amounts."

Okay. So to take his concept, we've touched on this before. It's truly, if nothing else, academically interesting. Cryptocurrency is here, and it's not going away anytime soon, if ever. Any cryptocurrency that can now be mined can be exchanged for actual government-backed non-crypto currency, you know, fiat currency. So imagine that while visiting a website, the visiting user's PC is tasked with performing mining work that directly yields value to the site. Viewed from the perspective of a website, all of the potentially tens of thousands of visitors who are currently there looking at a site's content are also collectively mining crypto for the site. No single browser mines much; but collectively and continuously, it adds up.

From the standpoint of the user, what's going on is that some of their electricity is being inefficiently converted through the process of micro-mining into currency that serves to reimburse the site for the cost of the visitor's presence and for the information they obtain.

So this forms an interesting channel for moving some money web surfers pay for electricity, by using that electricity to spin up more cores inside their CPUs, which is used to perform work on behalf of the site, which that site is then able to liquidate back into fungible cash. I haven't examined the economics of the idea to see whether it actually might make sense, but Zaphod tells us that the Brave browser folks have done the math. So if nothing else, it's kind of interesting.

Leo, we're at two hours. Let's take our last break, and then we will continue with feedback from our listeners.

Leo: Yes, indeed. Gladly. All right, Steve. Your turn.

Steve: Ian in Ottawa, Canada, says: "Hi, Steve." He's referring to a feedback from last week. He said: "Just like Joshua, I, too, have had some AI realizations; but I reached two opposite conclusions from what I've heard. We have a few low-traffic WordPress sites hosted with a correspondingly small hosting plan, but recently many AI crawlers have been ingesting 20-plus years of blog posts, with many dozens of page loads per second. Of course this periodically maxes out our CPU quota, as the pages are dynamically assembled by the WordPress site, and also consumes our bandwidth quota. If it were just one crawler, fine. But there now seems to be a continual parade of crawlers sucking up everything they can find.

"So opposite conclusion #1: AI is not good for small sites." He said: "(I'd be more inclined to move to a simple static site on AWS with their CloudFront CDN for publishing contact info and self-aggrandizement.)"

He said: "On the topic of AI summaries taking over, I see a silver lining: If I have a product or service that I want people to be able to understand, perhaps now I can just write one big pure-text authoritative document, hopefully with a way to draw attention of the AI crawlers. No need for hi-res images of happy people, or acres of whitespace, or a designer to tell me to use all lowercase headings with an exotic downloaded font displaying in medium grey on a light grey background, or any of the other fluff that a 'good' page needs nowadays. Which leads us to opposite conclusion #2: AI summaries can free many of us from the burden of visual site design."

At this point I imagine that some of our listeners are thinking that GRC's site was never very much burdened by the exigencies of visual site design. And they would be correct. I very much like solid red and blue on white with lots of rule lines and boxes.

Leo: And you use Google fonts, right, for all your fonts.

Steve: And I just use, like...

Leo: You won't even say.

Steve: I think it is, yeah.

Leo: Just whatever font they've got is fine.

Steve: Whatever it is, yeah. Ian finishes: "Am I just being provocative, or could that be in our future? I'm not sure. Thanks for all the work you and Leo do. Best regards, Ian in Ottawa, Canada." So Leo, you guys had a guy from "Common Crawl" on your...

Leo: Oh, yes, Rich Skrenta, yeah.

Steve: On your Thinking Machines podcast. Their mission is to deal with exactly the problem that Ian is having. While the web is operating as "Every Bot for Themselves," our websites are being redundantly visited by every bot of every company in single file. The idea of Common Crawl is to "crawl" all that data into a series of online Internet web snapshots that anyone is able to obtain.

Leo: It's kind of like the Internet Archive, but it's for AI.

Steve: Right.

Leo: Or for researchers, certainly, yeah.

Steve: Yeah, CommonCrawl.org. So their home page explains. They said: "Common Crawl maintains a free, open repository of web crawl data that can be used by anyone. Common Crawl is a 501(c)(3) non-profit founded in 2007. We make wholesale extraction, transformation, and analysis of open web data accessible to researchers. Over 300 billion pages spanning 18 years, free and open corpus since 2007, cited in over 10,000 research papers, and 3-5 billion new pages added each month."

They said: "The corpus contains raw web page data, metadata extracts, and text extracts. Common Crawl data is stored on Amazon Web Services' Public Data Sets and on multiple academic cloud platforms across the world. Access to the corpus hosted by Amazon is free. You may use Amazon's cloud platform to run analysis jobs directly against it, or you can download it, whole or in part. You can search for pages in our corpus using the Common Crawl URL Index."

So in this era of Big Data, data storage is so plentiful and vast that there's no longer any need for individual companies to redundantly crawl the web. Doing so oneself is not simple, and it requires the assembly and maintenance of a sophisticated web crawling infrastructure to pull all of that widely distributed data from across the globe. And as we've noted, having everyone rolling their own separately is expensive, it's time consuming, and it's redundant. It makes so much sense to have a single centralized non-profit that everyone can easily reference as a single stored database. I think it's kind of brilliant. So I wanted to...

Leo: Yes, I agree, yeah.

Steve: ...to note Ian's observation and also to note that the guy you had on last week was, you know...

Leo: Rich is really cool. Yeah, yeah.

Steve: ...a neat solution for this.

Leo: Yeah, yeah.

Steve: Ed Hands said: "Hello, Steve. As an IT Manager, security is always our top priority. I recently listened to Security Now! podcast 1040" - last week - "and found the discussion about Germany possibly banning ad blockers particularly compelling. I share your concerns regarding privacy and third-party cookies. However, my primary concern extends beyond those issues. In managing approximately 2,000 endpoints and users, our network has been hit by ransomware twice. Thanks to comprehensive policies, procedures, and security software, we were able to prevent significant damage. What concerns me most" - get this - "is that the ransomware was introduced through advertising delivery networks."

Leo: Malvertising. We were just talking about that.

Steve: Yup. He said: "You may have heard me yelling at the radio in the car about this." That was probably while he was listening to last week's episode.

Leo: Yeah.

Steve: He said: "Given this context, if Germany passes legislation banning ad blockers, it seems to me the case could be made that the advertising networks could (or should) be held financially liable for any malware distributed through their platforms. It seems that such accountability would be appropriate. Thank you, Steve and Leo, for all you do with Security Now!. Here's to the next 20 years of Security Now!." Oh, boy. "Best regards, Ed H."

So, yes, malvertising. We've talked about it, its possibilities and dangers. But it's still sobering to hear from a listener who has actually had firsthand field experience (and now more than just once) with advertising being used as the entry vector for a ransomware-scale compromise. It doesn't seem as though that's something that receives sufficient attention. Accountability, however, you know, the accountability chains, essentially, are difficult to manage, and they become near to impossible to litigate when it's possible for multiple parties to point fingers at each other.

I've served as an expert witness in a few technical jury trials, and it's been quite disheartening to see clever opposing counsel spin a jury and leave them unsure of their own names. In these he said/she said cases, juries often choose not to award damages since they're unable to determine fault. So I don't have much faith in the practical ability to hold an advertiser accountable, though I love the idea. You know, they'll just say, well, we're just the conduit. We're not responsible for the ads we show. You know, we get those from someone else. It's like, okay, yeah. Great.

Tom Herrmann said: "Hello, Steve. As probably others already said: Syncthing supports encryption of the data on 'untrusted' peers already." He said: "I've been using this for many years for syncing to my own NAS (and other peers), as I'm a bit paranoid and want to prevent any unencrypted data at rest. You can see it in the settings of every folder when selecting the sync peers. Peers can be marked as untrusted, and then a strong password needs to be set. Untrusted peers can even sync encrypted data among them, if the same password is used with all untrusted peers. Also, peers themselves can be marked untrusted in the settings, and then the UI forces a password to be set when you want to share any folder with those peers. Regards, Tom, listener since day one."

And Tom is absolutely correct. I went and looked. The option to set a password is right there, staring us in the face, at any Syncthing user. At the same time, our previous listener may have been referring to the fact that at the top of the Syncthing documentation page it states: "Warning: This feature should still be considered beta/testing only." And what that untrusted peers documentation page says is exactly what Tom just explained, and it's what the UI shows.

So, okay. So first of all, the operation is quite cool. And in fact I sat down, first thing I did this morning, I looked at my Windows 7 Syncthing whose version I froze because it's Windows 7 back in July of 2021. So it is more than four years old. It is at version 1.18.1. And it has this. So this ability to encrypt the peer has been around for more than four years. I suspect they just - nobody's taken that warning message down from the documentation page because it got old, and it didn't expire. So anyway, this is very cool. What happens is the Syncthing always uses a folder ID, which is a little - it's a short little random token. It's not cryptographically strong, but it does provide uniqueness for every folder name.

Instead of human folder names, it's the way Syncthing knows the folder. Your password and that little blurch of pseudorandom stuff are combined and hashed into a symmetric key which is used by your client to pre-encrypt the data that goes to the peer that it's syncing with. In this case, probably a NAS or, in Joshua's use case from last week, his friend's storage where he wants to back up all of his data at home, but not worry about it getting out of control over there. So that store never has the key. All it's storing is complete pseudorandom noise. And it's his syncing peer that knows, that holds the access password and the Syncthing name of the folder which it's syncing with, which then allows it to always recreate the static symmetric key, which is used to encrypt and decrypt the data.

And multiple clients can all peer to that common store as long as they have the same password. And you're even allowed to have, for example, in my use case, two NASes synchronizing this pseudorandom data without ever knowing what it is, and peering to those two NASes. So this is completely supported. It has been for more than four years, and it works wonderfully. So just another reason that Syncthing is, as they used to say, and I'm sure they don't anymore, Leo, the cat's meow.

Leo: Really? That was their slogan?

Steve: No.

Leo: Oh.

Steve: But, you know, like, I don't know, Beach Baby Barbara or Bingo or whatever that was.

Leo: I didn't know that was - I just thought maybe you say that was their slogan. I believe everything you say, Steve. I just, you know. The cat's meow.

Steve: I try for accuracy where I can. And clarity. Dave in Seattle said: "Hi, Steve. Thanks for the tip and the free gig upgrade on Sync.com. I've been looking for just such a solution, wanting to avoid the big cloud and cloud services. Plus Canada, what's not to love? I thought you'd like to know that opt-out of email-based forgotten password recovery resets is the default, and a visible choice on the account creation section of their top landing page. That's so cool, so smart, and something I've not seen anywhere else." And Dave attached a screenshot to his note showing that the option to enable email-based password recovery is set to "off" by default. I didn't recall that. I just knew that they offered it as an option.

And I agree that, you know, having that off is just the way to do it. You know, you're going to - if you're syncing to the cloud, you take your security seriously, you can set up multifactor authentication as I have on my Sync.com account. You know, on my device which is not sharing its data anywhere else, so it's a fully separate device. And you've got the best security you can, along with a super strong password, of course.

Finally, Dan Dapkus wants to defend Microsoft, and I'm all for hearing his defense. He said: "Hi, Steve and Leo. I've been a software engineer/database administrator/dev team manager/director of app dev for over 30 years, and a fan of your show for about 10. I hadn't heard of it before then. I think yours is the only podcast to which I've consistently listened for such a long period of time. I'm not sure where I'd begin if I were to go on complimenting both of you. Steve, your deep technical/mathematical knowledge is remarkable; and, Leo, your broad industry knowledge and experience are a perfect complement. I look forward to the show every week, including the commercials because they are too often interesting and informative.

"I've been thinking about writing this email," you know, this criticism, "for years, and Episode #1038 finally knocked me over the edge, and so I'm writing. Cutting to the chase, you both qualify as 'Microsoft Bashers.' Throughout my career, I've observed this phenomenon of IT pros who take various opportunities to rant and rave about all the deficiencies of Microsoft without acknowledging the (blatantly obvious) essential exculpatory context. The following is the exculpatory context to which I refer." He has in all caps for the first one: "MICROSOFT CREATES AND SUPPORTS MULTIPLE BUSINESS AND PERSONAL OPERATING SYSTEMS AND SOFTWARE FOR MUCH OF THE WORLD, AND HAS DONE SO SUCCESSFULLY FOR DECADES." Okay. That was all caps.

Then he turned his caps lock off for the following points. And first of all, of course, he's right about that. "Monthly, Microsoft rolls out cumulative updates to over 1.5 billion Windows 10 and 11 endpoints worldwide. There are roughly 1.65 billion Windows Servers installed around the world, and Microsoft also patches those every month. Over 3 million websites use Microsoft IIS - mine included - as their web server. Hundreds of thousands or millions more host their websites on Azure. Microsoft .NET, which is now cross-platform, is used by millions of developers worldwide - 34% of all websites run on .NET technologies - and Microsoft patches it monthly.

"Microsoft secures one of the world's premier database systems, SQL Server and its PaaS version Azure SQL Database. There are an estimated 8 to 10 million instances worldwide. Microsoft secures one of the world's dominant office productivity suites, Microsoft 365. There are 345 million paid subscribers. Microsoft has a uniquely large attack surface, and they diligently patch it. It's inconvenient for everyone involved. No one forces anyone to use Microsoft products. If some perfectly secure, inexpensive, wonderful alternatives exist, companies and individuals are free to adopt them (and then shall be liberated of the need to complain about Microsoft)."

Leo: Well, I will say that not everyone who uses Microsoft products has a choice because they work for companies that mandate what they use.

Steve: True.

Leo: The vast majority of people who use Microsoft Windows and Microsoft products are not given the choice.

Steve: Right, it's just there.

Leo: Yeah.

Steve: And then he said: "Steve, one tangential tidbit. You mentioned SonicWall's Geo-IP Filtering. From the transcript, you said, 'So, I mean, it is the way to do this. But no one's doing it yet.'" And he said: "Microsoft, however, has been doing 'it' and more for years in Azure with its Web App Firewall which supports, not only geo-filtering, but also OWASP threat detection and blocking at the network perimeter. Read about it here." And just for the record, what I was referring to was requiring it, not having it available somewhere in the background, like putting it on the UI and asking, you know, making developers do something about it.

So he finishes, saying: "Microsoft's task is herculean, and I think they generally do a good job. Can you think of another company that you'd trust and would expect to behave more responsibly and competently (and less greedily) with Microsoft's responsibilities? Thanks again for your hard work and for many more episodes of Security Now!. Best, Dan Dapkus."

So Dan, I think, makes some valid points, which I wanted to share with everyone on the podcast.

Leo: You are a very fair man.

Steve: I know I am hard on Microsoft. And I do acknowledge that GRC runs on Microsoft servers with one FreeBSD Unix exception, and we all know that I'm exclusively a Microsoft software developer. So I'm very aware that I beat up on them weekly - and that's W-E-E-K-L-Y - while at the same time choosing to use their solutions for my company and for myself.

That said, there are decisions (not mistakes, which anyone can make) that I have great difficulty swallowing, which are their choice. We're told that Windows 11 will run faster than Windows 10 on the same hardware because it's more efficient, but that Windows 11 won't run on all of the same machines that are handily running Windows 10 today. And that TPM 1.2 versus 2.0 requirement is pure nonsense. TPM 1.2 has always been just fine, and it still is. And we all know that Windows 11 can be tricked into running on older "incompatible" hardware. This promises to create a huge problem for the next few years for many people who would just like to keep using Windows 10, but Microsoft says no. That's by design.

And the idea of charging some users to receive patches for flaws for which perfectly well-working patches have been created is just wrong. If a patch exists to repair a product defect, Microsoft's product defect that they created, it should be provided to that product's users. Period. Full stop. Charging anyone extra to fix product defects is never going to sit well with me.

So I suppose my overall complaint is that while Microsoft has every right to be self interested, they are so ridiculously massive that for most companies there really is not any effective alternative. And I'm certain that's something that our listener appreciates. Given that, and the nature of capitalism, Microsoft will - not may, will - abuse the power they have for their own self interest, they're going to do it just because they can.

I'm not leaving Microsoft and Windows. I can't, and I don't want to. But I'm VERY glad to see that large European countries are becoming fed up with Microsoft's shenanigans - I mean, just as Dan said, people can leave - and are beginning to pull away. Perhaps if enough of that happens, Microsoft will have a bit of the wind taken out of its sails and might consider perhaps not pissing off so much of the rest of the world that has no effective alternative. Microsoft is in an enviable position. They've earned it. But it takes a great deal of institutional ethics to resist abusing it. They're walking a fine line.

Leo: And I would defend the fact that it's our job to talk about the issues that occur. And everybody recognizes that Microsoft does a massive job. But are you saying we should just give them a pass because of that and not mention anything that they do wrong or we think they could do better? I think that's part of our job is to say what they could do better. And unlike you, Steve, I refuse to use Microsoft products. So I do not. And I think I've found better alternatives. But I'm not required to by my company. I used to be. I also used to have to use Lotus 1-2-3, or no, Lotus Notes when I worked at Ziff Davis. That was a nightmare. I think this is our job is to say when something's good and to say when something's bad. The fact that billions of people use it is not persuasive. Billions of people eat McDonald's hamburgers. Doesn't mean it's the best beef out there.

Steve: Or Starbucks is the best coffee.

Leo: Well, you think it is. I may disagree.

Steve: No, no. It's what I drink.

Leo: It's convenient.

Steve: But everyone tells me how bad it is. It's like, okay.

Leo: It's perfectly fine, Steve. As is Windows.

Steve: And I often compliment Microsoft when they do the right thing.

Leo: For instance, you're much nicer than - well, maybe you're not. I have to say our Windows Weekly team...

Steve: Oh.

Leo: But again, I think that that's appropriate.

Steve: Yes. And frankly, Leo, sometimes I listen to Paul, and I think, okay, I'm not so far out [crosstalk] because...

Leo: He's saying stuff.

Steve: Yeah.

Leo: But we're not - this is not a - I think maybe sometimes people, certainly on the Mac side, wish this was a fanzine, a fan operation. We're not fanboys. That's not our job here. We're users, and we represent users, not these companies. And so when a company could do better, we say "You could do better." I don't think that's unfair. I think that's our job.

Steve: Well, I really took them to task when XP was going to be shipped with raw sockets. I mean, I went nuts trying to prevent that disaster, and it wasn't until Service Pack 3 that they finally turned it off, after they got attacked by their own raw sockets.

Leo: And you got roasted for that.

Steve: I got raked by The Register and Microsoft themselves.

Leo: And you were right. You were absolutely right, as Microsoft ultimately had to admit.

Steve: Yeah.

Leo: So, look, you don't want us to sit here constantly praising everything. Certainly not on Security Now!. This is a show about things that aren't going well.

Steve: We talk about mistakes here.

Leo: Yes.

Steve: Yeah. And Microsoft makes their fair share because they're, like, the platform to make them.

Leo: [Crosstalk] Tell them what to do.

Steve: They're what everybody uses.

Leo: It's nontrivial to make a perfect platform for such a heterogeneous bunch of hardware. I completely acknowledge that. It's a very hard thing to do.

Steve: Yeah. I don't want that job. I couldn't do it, no.

Leo: No.

Steve: Okay. And our last piece, an update. And I'll be interested to hear about you and Amazon here in a second, Leo. But first, on Sunday, while I was assembling today's podcast, two days ago, the iPhone that I have resting on a stand next to me alerted me to a Facebook posting by Ryk Brown. And by the way, Leo, we need to get Jeff some meds, I think.

Leo: Why?

Steve: Because his postings, I mean, I'm afraid he's going to give himself an aneurysm. Or, I mean...

Leo: He has heart - he has a bad ticker. He has a bad ticker. And yet he...

Steve: Tell him just turn off the TV. Stop watching "Morning Joe."

Leo: I know. I know. I know.

Steve: Oh, my god. Because I see, I get little notices of his Facebook postings, and I think, oh, Jeff, you're going to hurt yourself. Stop this.

Leo: I'll tell him. I will tell him. Be nice to yourself, Jeff.

Steve: Oh, god.

Leo: I don't - look, I gave up on watching the news. Unfortunately, it's kind of part of my job. And it bleeds over into the news, the tech news that I have to research and cover. But, yeah, it's hard.

Steve: Anyway, my phone lit up with a Facebook posting by Ryk Brown.

Leo: Yes.

Steve: I've spoken of Ryk - and remember his spelling is R-Y-K - many times before since he's the prolific author of one of my most favorite long-running science fiction series, known as the Frontiers Saga. That's plural, Frontiers Saga. When he embarked upon his writing, he conceived of five long story arcs, where each one would receive a 15-novel treatment. He's currently one novel away from finishing the third story arc, which would make that next novel his 45th. And he's near to finishing Novel 45. I have read them all, waiting for the 45th one. And because I've had to wait through some periods, I've read much of them three or four times. I mean, they're just great stories. And it's the characters that he's created that makes this so fun. They are absolutely character-driven sci-fi.

So once that last book of his third series is finished, he will have two story arcs remaining, and there have been strong hints that our intrepid group of explorers may be encountering their first non-human aliens. So far, each arc's nemeses have been various groups of power-hungry humans. But I have the feeling that may be changing next, and I cannot wait to see Ryk throw our group of now very well known, well developed, and wonderful characters into confrontations with non-humans. That's going to be something.

So I know that Ryk has many fans among our listeners because I often hear from many of you who are enjoying the many characters he's created every bit as much as I am. So I wanted to share Ryk's Facebook posting from two days ago since he's soured on Amazon's Kindle Unlimited service, and things will be changing for the two final story arcs. Ryk wrote: "When Amazon first started Kindle Unlimited, I was still being compensated for reads through Kindle Unlimited at a rate of about 70% of what I would make on a purchase. The entire system is rather arbitrary and has become so polluted and gamed over the years as to be laughable. The amount of compensation for reads through Kindle Unlimited is now down to a mere 30%, which means that every time someone reads one of my books through Kindle Unlimited instead of buying it" - and they're not expensive - "I am losing on average about 60-70% in sales revenue.

"While I do not begrudge anyone for using the least expensive way to satiate their need to read, in the end I'm running a business, and my family depends on me to pay the bills. Therefore, starting with Part 4 of the Saga, my books will no longer be available in Kindle Unlimited. I'm hoping that if you've read this far in my series, you won't mind spending a few bucks" - and that's all they are - "every three to four months for a new episode. If you have been reading Part 3 through Kindle Unlimited and are not up to date, I would suggest you download them as soon as possible, as they will begin dropping out of Kindle Unlimited as soon as September 2nd." That's today, by the way.

"I will put the final episode of Part 3 in Kindle Unlimited for three months after publishing so that those of you who must use Kindle Unlimited in order to afford reading my stories will at least be able to finish through Part 3. But by the end of 2025, all Parts 2 and 3 will no longer be available through Unlimited. Although I will be leaving all of Part 1 in Unlimited for now in order to attract new readers, eventually most, if not all of those titles will also be taken out.

"This is not without risk, as Amazon unfairly weights Unlimited reads toward sales rankings, even though a Kindle Unlimited read is NOT a sale, and it could cause my rankings to tank and for me to lose revenue, but it has to be done. Amazon is ripping us off, and the only other way I can combat this is to write faster (which means poorer quality) and/or to raise prices. Now is the best time for me. With my new Astra Nullus project, and a small inheritance from my late mother, I have the best chance of weathering the storm that will without doubt be created by removing my books from Unlimited. However, if I can successfully reach calmer waters, I can then publish my works on other platforms, as many of you have asked me to do. To those of you who purchase my books even though you could read them through Kindle Unlimited, I thank you. Without you, I would not have made it this far. Ryk."

Leo: Yeah.

Steve: So Leo, I know that you've soured on Amazon and you're no longer wanting to support them.

Leo: We knew this would happen. We knew that the - and this is what Cory Doctorow talks about in his book "Enshittification." We knew that Amazon, which, you know, in the early days said "Our entire focus is on customer happiness." And they really did seem to act that way. But as soon as they lock in customers, then they turn the screws, and it's all about milking the customers. And they've become such a monopoly. They're an absolute monopoly in audiobooks. And, you know, so it's funny because one of the people we love, Dennis E. Taylor, the Bobiverse guy, is an Amazon exclusive. And he says, you know, that's one of the problems with Kindle Unlimited is you have to agree you won't be anywhere else. A Kindle is your exclusive.

Steve: Ah. That's not okay.

Leo: Well, but interestingly, he said: "So I tried." He said: "When I self-published 'Outland,' I went wide - Kobo, EPUB, Google Play." He said: "But I didn't make any money. I made money with Amazon exclusivity and Kindle Unlimited." And this is the issue is it's a monopoly. And it's not good for us as users. I would like - I prefer to use Kobo. I buy my audiobooks from Libro.fm instead of Audible, even though the Bobiverse is not available anywhere but Audible. Same thing. It's an Audible exclusive. I wanted to read "Dungeon Crawler Carl," which is a very popular sci-fi series right now. And it's only on Audible because Amazon insists on these exclusives. And I think those authors maybe, you know, are well compensated.

But in the long run it's bad for users because we can't - I like to buy them on Libro.fm because it supports our local bookstore. And, you know, it's the same price as Audible. The problem is the monopoly. And Amazon is squeezing really hard to make sure that they're the only place you can buy these books or listen to these books. And I don't think in the long run that's good. And as soon as they do have that monopoly, of course, the price goes up and the author payments go down. The other problem a lot of people reported with Kindle Unlimited is the amount of AI stuff that's on there. And even non-Kindle, and Ryk's going to experience this, even if you're not a Kindle Unlimited author, your royalties are tied to the royalties paid on Kindle Unlimited to other authors. And when there's a lot of AI slop on there, it hurts you even as a non-Kindle Unlimited author.

Steve: By "AI slop" you mean AI writing garbage books?

Leo: Yeah. If you look at Kindle Unlimited, I don't know what the percentage is, many of the books are not written by humans.

Steve: No kidding.

Leo: Oh, yeah. And Amazon does nothing to, you know, to stop that.

Steve: Huh.

Leo: I mean, there's a human behind it. It's not - the AI's not doing it on its own.

Steve: Go baby, go. Write a good book.

Leo: But they [crosstalk] writing it. It's not good. It's not good. They're not good books. That's going to become more and more of a problem, too, as we search for books to read about topics. I've run into this. I've been looking for stuff to read about the Mississippi River. There's a lot of nonsense. It's not real history.

Steve: Wow.

Leo: But it's hard to distinguish it.

Steve: Wow.

Leo: So, and this is, I think, this is my biggest problem is that it's just the sheer power, the sheer market power that Amazon wields.

Steve: Well, I'm, as we know, I believe in capitalism, but I also maturely understand that our system is not stable.

Leo: Right.

Steve: Because big companies tend to get bigger. And as I finished, when I was just there talking about Microsoft, I said, you know, Microsoft is in an enviable position. They've earned it. But it takes a great deal of institutional ethics to resist abusing it.

Leo: Right.

Steve: And that's what ends up not happening. And when you've got a board of directors and C-level officers and a hierarchy...

Leo: And stakeholders.

Steve: It's no one's fault.

Leo: Shareholders are pushing you, yeah.

Steve: Right, exactly.

Leo: They want their profits, their quarterly payouts. They want their dividends. They want the stock buybacks. But in the long run all of this is bad. And this is, I mean, we've known this for a hundred years, since the Sherman Antitrust Act, that...

Steve: Yes.

Leo: ...capitalism is good until it becomes a monopoly. And then it needs to be regulated.

Steve: Right.

Leo: And unfortunately...

Steve: It's competition. It's competition that makes capitalism good.

Leo: Exactly.

Steve: And a monopoly kills competition.

Leo: Yes. It's the one bad side of capitalism, unfortunately. Anyway, yeah, I've - you can't wean yourself off of Amazon, despite, you know, as much as I can. But there's stuff I can't - for instance...

Steve: Because the things you need are only there.

Leo: Yeah. Or it's very convenient. So you mentioned I should be taking this lithium orotate, and it would have been very easy to get it on Amazon and have it arrive the next day. But I decided, no, I'm going to go to someone else. I'm going to go to a vitamin shop and order my vitamins from them. Moved everything off Subscribe & Save, as best I can. But I acknowledge it's very difficult because they're so dominant. It's very hard. Now they're offering same-day grocery deliveries in 2,300 markets in the United States. What do you think that's going to do to grocery stores?

Steve: Wow.

Leo: And how are you going to feel if you can't go to a grocery store?

Steve: And it's astonishing. Sometimes we'll need something, Lorrie or I, and we joke now, saying that you look it up on Amazon, and then you just go to the front door.

Leo: Exactly.

Steve: I don't know how they do it. It is amazing. And so it spoils you.

Leo: It spoils you.

Steve: It's like, you know, I need a left-handed...

Leo: I don't want to get in the car, drive to Target.

Steve: I need a left-handed, you know, slime widget, and there it is in a bag, you know. Would you like it in an hour? Or two hours? Like, what? What?

Leo: The slime widget's two hours. It's a little - takes them longer. Has to come from China. Yeah, I feel for Ryk. I wish him well. I hope so. I hope everybody who is like Ryk Brown, these great authors like Dennis Taylor and Ryk Brown, are able to create and get paid properly for the stuff they create. We work really hard to make sure that, you know, our hosts get compensated and our employees get compensated. We pay a living wage. We try very hard to do it. It's not easy.

Steve: For what it's worth, Ryk Brown's Frontiers Saga, it's one of my favorite, favorite series. I mean, we've done...

Leo: Buy the books.

Steve: ...Honor Harrington and the Lost Fleet series. We've done a bunch of, you know, fleets. And if you like to consume a lot of sci-fi, there's 45 books now. I always tell myself I'm not going to start until one of his arcs is finished because I always outpace him, of course. So...

Leo: We're still waiting for Peter Hamilton's second volume.

Steve: Yes. And I don't really care. That was so complicated with all those weird...

Leo: Kind of a slog.

Steve: ...creatures and far future. And I have a problem when it's like so far in the future that, like, they're not even human. They're like trans-humans. And they're still using contemporary idioms. It's like, come on. Like it throws me out of the...

Leo: It's hard to identify with, yeah. It's so different. Well, that's all right. You know, some people like it. We get to choose.

Steve: We do indeed. And we will recommend what we love and warn people away from what we don't.

Leo: It's just our opinion. We're just some guys with a microphone.

Steve: Yup.


Copyright (c) 2014 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED

This work is licensed for the good of the Internet Community under the
Creative Commons License v2.5. See the following Web page for details:
http://creativecommons.org/licenses/by-nc-sa/2.5/



Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2026 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Sep 09, 2025 at 09:29