Description: Consumer Reports on Windows 10 updates. Waste (not fraud or abuse) within DOD Cyber Operations. China's DeepSeek produces deliberately flawed code. WebAssembly v3.0 officially released. Firefox v143 updates and new features. Firefox for Android now offers DoH. A nearly terminal flaw in Microsoft's Entra ID. Chrome hits its sixth zero-day this year. Emergency update. DRAM (now DDR5) still vulnerable to Rowhammer. Samsung kitchen refrigerators begin showing ads. China says no to NVIDIA. 300 more (new) NPM malicious packages found and removed. The EU is already testing proper online age verification.
High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-1044.mp3
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We're going to take a look at a Spanish proposal for age verification that Steve says is privacy protecting and really might just work. We'll also find out why DDR5 is still vulnerable to cyberattacks, why Consumer Reports says Microsoft, you ought to let us keep Windows 10 for a little bit longer. And DeepSeek: Does it produce deliberately flawed code for groups the Chinese government doesn't like? All that and more, coming up next on Security Now!.
| Leo Laporte: This is Security Now! with Steve Gibson, Episode 1044, recorded Tuesday, September 23rd, 2025: The EU's Online Age Verification. It's time for Security Now!, the show you wait for all week long. I know I do. Every Tuesday we get to hear from this man right here, Steve Gibson, about the latest in privacy, security, how technology works, and we all get the Vulcan salute. Hello, Steve. |
| Steve Gibson: That's right, or the shot to the temple. |
| Leo: No, don't do that. |
| Steve: No, no, no, no. Don't do that, no. |
| Leo: I'm working, by the way, because I practice my piano, and I do the Leschetizky method, which is, seriously, a thing you do with piano, I can now... |
| Steve: Leschetizky? |
| Leo: Yeah. So he invented a method for strengthening the fingers for piano players. I did not used to be able to do this with my left hand. I could do it with my right hand. |
| Steve: Well, Leo, progress takes all different forms. Look at that. You can also do - you can do shadow puppets when you next show... |
| Leo: I can now. |
| Steve: ...a slide presentation for your guests of your most recent trip. |
| Leo: We should mention for those listening only on audio, we are doing the Live Long and Prosper Vulcan salute. |
| Steve: And no one knows why. |
| Leo: Do you think we're supposed to do that with the left hand? I think that was - somebody told me, because you do it with your left, that I should be doing... |
| Steve: I do it, well, because I'm left-handed, and I've got a microphone over here. So, and it gets really confusing if you... |
| Leo: I'm left-handed, and it's easier with my right. I don't understand. |
| Steve: This looks like something else. |
| Leo: That is not the Leschetizky method. |
| Steve: No. |
| Leo: So ladies and gentlemen, Security Now! is on the air. What's coming up, Steve? |
| Steve: So the big news is that, following some stories and some links, I discovered that, I think it was two months ago, that Spain announced that they were going to be bringing an age-verification technology online. And I said, what? |
| Leo: Huh? |
| Steve: Just like that. Just like that. |
| Leo: What? |
| Steve: And, yeah, even though I was alone, which worries my wife, but that's what we're going to talk about. We're going to talk about the EU's online age verification. This was - I got onto it because of a piece of news about Brazil's, the entire country of Brazil's recent legislation, and you can imagine what that looks like. We'll talk about that and then lead into online age verification, which I'm not going to - you asked me before we began recording, is it good or is it bad? And I told you, but I'm not going to tell our listeners because they're going to have to either, like, fast-forward or wait for it. If you're live, tough. So we're also going to - oh, and I couldn't resist, Leo, I'm going to quote Stacey because she's my gal as regards Windows 10 updates. |
| Leo: Yes. She and I corresponded over that great letter that she and [crosstalk]. |
| Steve: Yeah, well, I'm going to share it with our listeners because it makes, actually, it makes a few points that hadn't occurred to me. I get, you know, a little deep in the weeds with technology, which arguably is why people keep coming back to this podcast. But there's a different take that Stacey had on Microsoft's decision to do what they've done with Windows 10 versus 11. I want to share that. Also there was an interesting article about, you know, waste. And I'm not saying fraud or abuse, but waste within DOD's cyber operations. We got some counts from the GAO, the Government Accountability Office, about, okay, like, whenever you do something in government in a hurry, it's generally not a good idea. And we see an example of that. We also have some news that China's DeepSeek is able to deliberately give bad code, depending upon who's asking. Oh. |
| Leo: I thought that was really interesting, yeah. |
| Steve: It's like, wow. WebAssembly reached version, the official v3.0. We've got a new release of Firefox with some interesting updates. And also one for Android that I'm not sure anyone cares about, but we'll cover that. Also what I would consider a nearly fatal flaw was found in Microsoft's main identity system for their cloud system, their whole cloud services Entra ID. And this brings up some interesting questions of its own. Also Chrome has hit its sixth zero-day this year with some interesting events. Turns out that DDR5 is still vulnerable to Rowhammer. Who'd a thunk? Well, we would because, you know, we're not impressed by any of these mitigations. Samsung refrigerators have surprised their owners. China says no to NVIDIA. We've got more NPM malicious packages found. And then we've got some feedback from our listeners that's interesting, and then we're going to wrap up by talking about what Brazil did that led me into discovering what Spain is doing, and a few other countries in the EU, and what we think about the way they're going to be handling online age verification. |
| Leo: Hmmm. Hmmm. |
| Steve: So maybe this podcast is worth listening to this week, Leo. |
| Leo: Maybe? Definitely. Most definitely. |
| Steve: After all, we've only had 1043 before this one, so this is 1044. |
| Leo: We'll get it right eventually. Yeah, yeah. |
| Steve: That's right. We're getting the hang of it. |
| Leo: Yeah. We will get to the Picture of the Week, which I have yet to look at. So I will join you in being shocked, surprised, and amused by it, in that order. |
| Steve: I quoted Wikipedia's definition of the word "irony." |
| Leo: Wow. |
| Steve: As our caption for this picture, yes. |
| Leo: All right. |
| Steve: Says "Irony is the juxtaposition of what, on the surface, appears to be the case with what is actually or expected to be the case." And we have a picture that probably captures the concept of irony better than anything I've ever seen. |
| Leo: Wow. All right. |
| Steve: It's pretty good. |
| Leo: That's coming up. I think I have my - I do. I keep turning these off, the Apple reactions. And for some reason they keep happening. |
| Steve: Yeah. And I was wondering is it listening to you or seeing you doing a thumbs-up? |
| Leo: It's seeing the gestures, yeah. |
| Steve: Oh, okay, yeah. |
| Leo: But the thing is, I turn it off every day, and it comes back on. |
| Steve: Oh, but Leo, they know you actually want it on. |
| Leo: I want the little bubbles and the laser light show, yeah. |
| Steve: So they - yeah. That's right. |
| Leo: Anyway, I apologize for that. All right. I'm ready for the Picture of the Week. |
| Steve: The Picture of the Week, which epitomizes irony more than probably anything I've ever seen. |
| Leo: Okay. I'm scrolling up. I'm going to leave the camera on my face as I do so. Okay. I remember I took my son, after he graduated from college, I took him on a sailing trip around the British Virgin Islands, and it was right after a massive hurricane, and there were a lot of boats in the same predicament. |
| Steve: So what we have here is a picture of a boat which is in trouble. It's a power boat, and the back end is, I mean, it's - basically it's sinking. Its back end is submerged completely, but that has pushed its bow up and out of the water, allowing us to see the boat's name, which is "No Worries." |
| Leo: No worries, man. |
| Steve: And indeed, yes. |
| Leo: Well, maybe one worry. Maybe one. |
| Steve: Yeah, yeah. Maybe one big one. Although they do say that the two best days in a sailor's life are the day he purchases a boat, and then the day he sells that boat. |
| Leo: Oh, boy. Yeah, that's true. |
| Steve: So of course - and here I liked a little bit of a pun here. It says irony - Wikipedia's definition, "Irony is the juxtaposition of what on the surface appears to be" - it's like, well, this boat is no longer on the surface, so... |
| Leo: On the surface, yeah. |
| Steve: That's right. |
| Leo: That's very funny. |
| Steve: Anyway, great, great, great picture. Okay. So exactly one week ago, as we were recording last week's episode, the famous Consumer Reports site publicly posted under the headline "Consumer Reports calls on Microsoft to extend support for Windows 10." I was surprised to recognize the name of the author of the piece, since I didn't know that I knew anyone at Consumer Reports, especially someone whose knowledge and opinions I greatly respect. Consumer Reports' piece was written by TWiT's well-known long-time podcast co-host, Stacey Higginbotham. |
| Leo: She's a policy fellow, yup. |
| Steve: And they're lucky to have her. |
| Leo: Mm-hmm. |
| Steve: In Consumer Reports' name, Stacey wrote the following: September 16, 2025, addressed to Satya Nadella, Microsoft Corporation, One Microsoft Way in Redmond, Washington. "Dear Satya Nadella: Consumer Reports is concerned about Microsoft's decision to end free ongoing support for Windows 10 next month. This decision will strand millions of consumers who have computers that are incompatible with Windows 11, and force them to pay $30 for a one-year extension of support, spend hundreds on a new Windows 11-capable computer, or do nothing and see the security and functionality of their computer degrade over time. This latter option is particularly problematic as it risks harming the consumer, as well as co-opting the machine to perpetrate attacks against other entities, risking national security." Oh, you go, girl. "Four years ago, when Microsoft released Windows 11, it announced that support for Windows 10, which was released in 2015, would end on October 14, 2025. Microsoft also said that because of the hardware requirements of Windows 11 - namely a Trusted Platform Module 2.0 and a 64-bit processor - that some consumers would need to upgrade their computers since their current machines would not be capable of running Windows 11. Despite this announcement in 2021, computers incapable of running Windows 11 were still available for sale in 2022 and 2023." We'll see why that's an important fact in a second. This is one of the things that she highlights that hadn't occurred to me. She said: "Even if Microsoft partners and retailers stopped selling machines that were not able to be updated to Windows 11 at the time of the launch" - meaning Windows 11 launch - "our research shows that many consumers would still be trying to use the incompatible machines today. 
Based on a Consumer Reports member survey of 100,606 laptop and desktop computer owners which was taken between January and March of this year, over 95% of all laptop and desktop computers purchased since the beginning of 2019 and owned for no more than five years were still in use when members were surveyed. Moreover, 20% of our members who owned a Microsoft laptop reported owning them for at least four years, compared to just 13% of our members who owned any other brand of laptop for that length of time. "We see similar trends when looking at all Windows OS-compatible computer brands in our sample (Acer, ASUS, Dell, HP, Lenovo, Samsung, and Intel), as 15% of our members who own a Windows OS-compatible laptop or desktop brand have owned them for at least four years, compared to just 12% of our members who own a laptop or desktop brand that is typically not Windows OS-compatible. Based on these findings, we posit that our members who have purchased Windows OS-compatible computers, on average, tend to keep them for longer lengths of time than owners of other computers. Thus it's clear that consumers purchased machines before Microsoft announced the hardware needs for Windows 11, expecting to be able to operate them through the next Microsoft OS transition. "The decision to make Windows 11 incompatible with existing hardware, and to do so with only four years' notice is incompatible with consumer expectations and Microsoft's own history. Microsoft has long focused on backwards compatibility for Windows, ensuring it can run on older hardware. This means that consumers could expect to be able to run the latest version of Windows for at least a dozen years and maybe more. If you bought a PC with Windows 7 preinstalled in 2010, you were able to upgrade it to Windows 8 in 2012 and then Windows 10 in 2015, and many of those devices can still run Windows 10 in 2025. 
"During the Windows 11 launch, and in subsequent announcements, Microsoft argued that the hardware requirements would boost the cybersecurity of Windows machines. Microsoft claims that 'Windows 11 is the most secure operating system we've ever built,' and noted that a 2024 report commissioned by Microsoft showed that new Windows 11 PCs have seen a 62% drop in security incidents and a three-times reported reduction in firmware attacks. This is laudable, except there are still a large number of Windows 10 users, and a large number of existing machines that are physically unable to be upgraded to Windows 11 because of the hardware-based security features. "As of August, 46.2% of people worldwide are still using Windows 10, which is about 646.8 million people based on Microsoft's own estimates of 1.4 billion people using Windows as an operating system. There are also an estimated 200 million to 400 million PCs worldwide that cannot be upgraded to Windows 11. This is an incredibly high number of stranded Windows 10 machines. Microsoft in its own blog post warns that, 'While these devices will continue to function, they will no longer receive regular security updates, making them more vulnerable to cyber threats, such as malware and viruses.' "Arguing that Windows 11 is an essential upgrade to boost cybersecurity while also leaving hundreds of millions of machines more vulnerable to cyber attacks is hypocritical, especially while charging consumers $30 for a mere one-year extension to preserve their machine's security. Microsoft has touted a free support option for consumers, but to obtain that support consumers must choose to use Microsoft products such as Bing search or Xbox gaming to earn the 1,000 Microsoft Rewards points necessary to access that free support. Tying free support to unrelated Microsoft products forces consumers to jump through unnecessary hoops just so Microsoft can eke out a bit of market share over competitors. 
"Consumer Reports asks Microsoft to extend security updates for free to all users who are unable to update their machine while also working to entice more people to get off Windows 10. When more consumers upgrade to Windows 11 through software updates or because they have now purchased a new machine capable of running the software, we also ask that Microsoft create a partnership to provide recycling of those machines to consumers abandoning their hardware. "For the last quarter century, Microsoft has been upfront about the 10-year lifecycle of its operating systems, but as it made the move from Windows 10 to Windows 11, it broke the backward compatibility that so many consumers have depended upon as they shopped for their computers. When Microsoft announced in late 2021 that it would require specific hardware components that hundreds of millions of PCs on the market would not have, it left consumers who had recently made a purchase of incompatible hardware behind. Consumer Reports calls on Microsoft to extend support for Windows 10 to allow those consumers to catch up. Sincerely, Stacey Higginbotham, Policy Fellow, Consumer Reports." |
| Leo: Let's also give credit to the second guy because I never do, and poor guy - Justin Brookman, who's Director of Technology Policy at Consumer Reports also signed the letter. |
| Steve: And one would think that maybe Justin hired Stacey, so we certainly... |
| Leo: Yeah. |
| Steve: ...want to give him props for that, too. |
| Leo: Yeah. Give him credit, yeah. And Stacey and I have been corresponding. She's thanked us for our coverage of the letter. I said, well, you know, we talked about it a little bit on Windows Weekly, and Paul was a little defensive of Microsoft, saying, well, you know, nobody bought those computers in the last few years. But I don't know. Stacey says no, there are quite a few that were sold in the last three years that are not compatible. And I think this seems only fair to demand that Microsoft support this. They're doing, as you've pointed out, they're writing these fixes. It's not like they have to do any extra work. |
| Steve: Anyway, right. |
| Leo: They're writing them anyway. |
| Steve: They only have to stop preventing them from flowing. |
| Leo: It's actually easier. |
| Steve: Because they've been flowing all along. |
| Leo: Right. |
| Steve: And so they just - but so, okay. So everyone knows that Microsoft's claims that Windows 11 runs better on existing hardware than Windows 10 implicitly means that Windows 11 does not truly require newer, faster, and better hardware. We all also know that all of that nonsense about TPM 1.2 vs 2.0 is just that - nonsense. Many years ago, when this first arose, we spent a podcast in detail examining the differences between the two. While 2.0 contains the advances we would expect to have made over time, those are evolutionary, not revolutionary, and they are not needed for the delivery of the security guarantees provided by TPM 1.2. And Microsoft knows that. I thought that one point Stacey made was particularly important. Microsoft is once again claiming that Windows 10 is their most secure operating system ever. Well, as we learned from Windows XP, of which they made the same claim, later proven to be laughable, only time can judge the security of any system. But if Windows 10 is more secure, and if Microsoft cares about the security of their users, then user security will be severely compromised by Microsoft's plan to allow Windows 10 security updates to lapse, thus leaving those many hundreds of millions of Win10 machines unprotected, versus either continuing to offer those machines security updates, or allowing those older machines to update to Windows 11, which they can do, if it weren't for Microsoft's artificial limitations. In any event, Stacey, bravo. Thank you for using Consumer Reports' well-deserved reputation for this good cause. You know, we've watched as Microsoft's previous decisions on this matter have shifted over time. So I'd say it's reasonable to hope they might simply allow all Windows 10 machines to continue receiving security updates for the next three years. All they need to do is not flip that cutoff switch in Redmond. |
| Leo: Right. |
| Steve: And that'll keep happening. |
| Leo: I suspect they're going to cave, and they are going to do that. It seems like the writing's on the wall. They've made it bit by bit easier and easier to get it for free, as Stacey points out. I think it's just a matter of time. |
| Steve: And I did see in this coverage reference to, although I didn't pursue them, many other publications saying, you know, echoing what Stacey here in Consumer Reports has said. |
| Leo: Right. |
| Steve: So there seems to be a groundswell as this date approaches. It's like, why? What? |
| Leo: Well, it sells more computers, don't you know. But I think now in this day and age we should really be thinking about waste. And perfectly good hardware should not be cast on the landfill just because Microsoft wants to sell more products. That's just not, I mean, Apple does the same thing. Everybody does the same thing. And we need to rethink that whole strategy, I think. |
| Steve: Well, you know, and it's easy, too, because you talk about, oh, just go get a new computer. Well, all my stuff is on my old computer. |
| Leo: Right. |
| Steve: And it's not like Microsoft ever figured out how to allow us to seamlessly and smoothly move to a new machine. You have to start over. |
| Leo: Well, you and I buy lots of hardware. So, you know, we're - but it's not reasonable to ask people to buy, to replace perfectly good hardware. Right? Just because we've decided we want to make sure that everybody's on Windows 11 now. That's just not reasonable. Why throw out hardware that works perfectly well for Microsoft's economic benefit? |
| Steve: And again, if they say Windows 11 is faster than 10, well, then, it's going to be faster on the old hardware. |
| Leo: Right. Paul's point, and I'll defend it in his absence, is that newer versions of Windows 11 have started to take advantage of features in TPM 2.0 and in the subsequent processors from Intel so that they wanted people to move to this new hardware so they could start to take advantage of this new hardware to make a better version of Windows. And, you know, okay, fine. |
| Steve: Okay. And the response is, if it's there, use it. If it's not there, don't. |
| Leo: Yeah. |
| Steve: In which case you are - the operating system you're using is taking advantage of whatever hardware you have. If you've got 2.0, use it. If you don't, don't use it, if the hardware doesn't support it. |
| Leo: The other argument is it's better if everybody's on the same version of the operating system. Right? It's easier for developers. It's easier for Microsoft. It's easier for hardware manufacturers. Of course... |
| Steve: Leo, it is... |
| Leo: ...one solution to that is not to put out Windows 11, but just to stick with Windows 10. But - all right. |
| Steve: And it is the same operating system. |
| Leo: It's the same. |
| Steve: They put a different candy coating on the... |
| Leo: It is Windows 10. |
| Steve: ...the chewy inside, you know. And you run across it. You drill in past a couple of the new Windows 11-looking screens, and you're looking at a Windows 7 dialog box that hasn't changed. |
| Leo: But why would you want the Start Menu in the left corner when you can have it in the middle, Steve? |
| Steve: And lose the choice, yes, exactly. Why [crosstalk]. |
| Leo: Yeah, I'm with you. And I do hope and I suspect this will happen. Microsoft will just relent and say, okay, okay, three more years. Or at least one more year. |
| Steve: And they could also content themselves in the knowledge that they no doubt did push many people... |
| Leo: Right. |
| Steve: ...into Windows 11 and into buying new hardware. So they came right up to the limit. Everybody who was going to do it, did. |
| Leo: Right. Good point. |
| Steve: And then they said, okay, just fooling. |
| Leo: All right. Just kidding, yeah. And I also really - often overlooked part of that letter is Microsoft should start supporting some recycling efforts, to start supporting a way to make these... |
| Steve: I like that, yeah. |
| Leo: ...obsolete computers either useful or recycled or somehow responsibly disposed of. That I agree is also part of their responsibility. |
| Steve: Yeah. |
| Leo: Anyway, thank you for giving the - highlighting that. I agree with you 100%, and I agree with Stacey. |
| Steve: Great piece. |
| Leo: I thanked her personally for writing it, yeah. |
| Steve: So the favorite targeting phrase of those who wish to trim the operating costs of the United States government is the well-known "Waste, fraud, and abuse." Last Wednesday, the U.S. GAO, the Government Accountability Office, published a report detailing the size and scope of the U.S. Department of Defense Cyberspace Operations, and it's breathtaking. While the report does not address fraud or abuse, and there's no allegation from them or from me, it's about as diplomatic as it could be on the waste front because there sure does appear to be a ton of cyber-waste. The summary in the report's subheading reads: "About 500 Organizations Have Roles, with Some Potential Overlap." Now, saying "some potential overlap" is like when our OS vendors say, well, this vulnerability could have been exploited, you know, while people are bleeding from the exploitation of the vulnerability. So 500 cyber-related organizations have sprung up within the DOD. And that doesn't count the 9,500 outside contractors who are also employed. The report said that: "According to data provided by Department of Defense (DOD) components, DOD has established organizations that contain about 61,000 military and civilian personnel, and over 9,500 contractors, to conduct cyberspace operations." So there are 61,000 people doing something about cyberspace at the DOD. You know, we've been wondering, Leo, like are we actually doing anything, or are we just getting lots of attacks aimed at us and not giving back? Maybe this is cyberdefense and not cyberwar. We don't know. And with all of those people, I have no idea how anyone would even begin to unwind that, if you wanted to. But of course before anything could happen, the will to do so needs to be present. So far, the U.S. Department of Defense has remained pretty much unscathed and untouched by the broad and sweeping cost- and personnel-cutting measures that marked the beginning of our current administration. 
However, the DOD's reaction to this report's recommendations was positive, even though those recommendations were quite modest. In this report, the GAO's report, under "Recommendation" the report concluded: "GAO is recommending that DOD assess whether, one, similar cyberspace training courses provided by the services could be consolidated; and, two, there are opportunities to increase mission effectiveness and cost savings by consolidating DOD cybersecurity service providers. DOD concurred with both recommendations and identified actions it will take to implement them." So mostly, I think, it's just redundancy, that is, you know, and there's always the problem that having a budget is a mark of having power. And so everyone wants their own training group. They don't want to borrow somebody else's. And so one of the things that the GAO identified was that there's just crazy redundancy of training, where training arguably is something where you could say, well, let's get, you know, four or five of these different divisions together and train them all at once, instead of having five separate training sub-organizations within each organization. And I did elsewhere see that - I didn't put it in the show notes. But there were some efforts being made to streamline DOD's cyber hiring practices saying that they were - get this - currently 22,000 people short of the number of cyber war, cyberspace-related jobs that they were trying to fill. So they currently have 61,000. They're not reducing size, they're looking for 22,000 more people. So anyway, this would be, I mean, I know that the Department of Defense and the Pentagon has a special place in this country's budgeting. But at some point someone needs to take a look at this and say, wow. There seems to be a lot of overlap of responsibility and job within this cyberspace aspect of what the Pentagon is doing. Consolidating that training and the service providers would save the country presumably a lot. 
Leo, we're half an hour in. Let's take a break, and then we're going to look at what's been found about DeepSeek and why, depending upon who you are, the quality of your answers varies. |
| Leo: I thought this was a fascinating story. Yes, sir. Let us pause. This is the pause that refreshes for Steve, but the pause that informs for you. Let's talk DeepSeek. |
| Steve: So in a report that's both sad and predictable, the Washington Post's story headline was "AI firm DeepSeek writes less-secure code for groups China disfavors." And they had the subhead "Research by a U.S. security firm points to the country's leading player in AI providing higher quality results for some purposes than others." A summary of the Washington Post's story says: "The Chinese artificial intelligence engine DeepSeek often refuses to help programmers or gives them code with major security flaws when they say they're working for the banned spiritual movement Falun Gong or others considered sensitive by the Chinese government, new research shows." And some commentary about the coverage wrote: "The DeepSeek AI engine returns code with security flaws if it determines that the coder is associated with a specific minority group. According to the Washington Post, programmers from Tibet and Taiwan received code of lower quality. DeepSeek also flatly refused requests if queries hinted that the code could be used by the Islamic State or the Falun Gong movement." |
| Leo: I'm not surprised, actually. |
| Steve: I mean, no. As I said, like in a report that's both sad and predictable, it's like, sad. But, you know, yes, not surprising. So, wow. I guess, you know, I guess a lot of people are running the DeepSeek models locally, where they have control over what's going on. But you have to be careful how it's trained. Wow. |
| Leo: Yeah, yeah. |
| Steve: Version 3 of the WebAssembly specification is now officially live. Although our two favorite browsers, Chromium-based Chrome and other Chromium browsers, and Firefox have already been incrementally incorporating its new features as they have become formalized, that is, the various components of the WebAssembly 3.0 have been formalized. What's interesting is that the lone browser out there is Apple's Safari. It's the laggard. And I have no idea why. But it has become a trend for Safari because it's been consistently lagging behind most of the new standards as they've been evolving for years. |
| Leo: I've always wondered what you thought about WebAssembly. You're an assembly language programmer. It's not assembly language, though; right? |
| Steve: No, no, no, no, no. I took a look at it, actually. It's a stack-based architecture. So, you know, reminiscent of Forth. So it's very efficient from that standpoint. It has a procedural structure where procedures can pass arguments and also return results. It's also got traditional high-level control flow primitives. So, you know, if then else, and case statements and so forth. And I would love to have some reason to need it. But I can't think of one. Its only real performance advantage comes from processor-intensive things, you know, such as mining cryptocurrency in a browser. If I were ever to use a web browser as a front-end for some headless code, I'm certain that the heavy computational lifting would be done by me in native Intel assembly language, and the browser would just be for, like, pure user-interface. And if you were just using the browser as a UI, then regular JavaScript would be just as fast and, boy, far more maintainable. Unfortunately, although they're very cool, stack-oriented languages, and as I said, Forth being the most famous, they make for very efficient intermediate languages. Java's VM is an example. And Microsoft's .NET CLR, their common language runtime, they're all good examples of stack-based intermediate languages. So they're great for a compiler to compile to, and then they run very well. But they are not fun to write in, like, natively. And as you know, Leo, they are nearly impossible to read. |
| Leo: Yeah. |
| Steve: I've looked at some Forth code that I've written, and I was so... |
| Leo: I love Forth, but it's not - yeah. |
| Steve: No. I was so happy with it when I wrote it, it's like, ooh, this is so clever. And I looked at it a month later, and I thought, what the heck is this? I mean, you can't - it's like, it's impossible to read stack-oriented code that anyone has written. And the good news is you normally don't have to because a compiler wrote it for you when you gave the compiler something really nice-looking and very legible. |
| Leo: That's my sense of most - WebAssembly is almost like a P-machine. It's an intermediate, and usually people are using some other language to write to it. |
| Steve: And I made the comment a couple weeks ago on the podcast that this notion of WebAssem being useful for compute-intense jobs, you know, it's an interesting idea for users' browsers to be mining cryptocurrency on behalf of the sites they're visiting as a means of paying the site for their visit. Instead of being assaulted by ads, which the sites are getting payment for, how about let a browser that is on a site be mining currency on behalf of that site? That's, I mean, I hate it from a global warming... |
| Leo: That's kind of what Brave, I think, does; right? Brave has a... |
| Steve: There actually is a proof-of-work technology... |
| Leo: Right. |
| Steve: ...that, yes, that Brave has been exploring. So are some. |
| Leo: There are 40, according to Wikipedia, 40 different high-level languages that support WebAssembly as a target. So you can write in C or Rust or Python or Haskell or Julia or whatever. |
| Steve: And that's cool because then you get platform independence, and you get - you have code running very efficiently on our web browsers. And, you know, we've talked about it. Web browsers are becoming our operating system. I mean, you know, they're important. |
| Leo: Right. It's also a great way to obfuscate malicious code. But, eh, you know, what isn't these days? |
| Steve: Yeah. And speaking of web browsers, one week ago Firefox moved from v142 to 143. Remember, Leo, when we were on v11? |
| Leo: We've come a long way, baby. |
| Steve: We all just - and everyone decided just to stop doing these, like, okay, we're going to upgrade our browser as infrequently as possible and make each version as perfect as we can. And so we're going to go from, like, v4 to, well, IE6, of course, was famous back in the day. And it wasn't that many days ago, actually. Anyway, Firefox is now at 143. What's interesting is I have launched Firefox every single day since then. It was early last week. But it wasn't until I explicitly went over to Firefox's Help About that I was offered v143.0.1. So if you're interested, you may want to go do that because for whatever reason Mozilla doesn't seem to be in any hurry to push this update out to its, even its most loyal fans. This v143 repaired a pair of sandbox escapes that had been found and reported in Firefox's 2D Canvas rendering component. And there was one memory safety bug. Those were the only three high-priority security improvements. The rest were moderate or low. And I don't believe that those were found exploited in the wild. They were just some guy. One guy found both of the 2D Canvas rendering problems and said, hey, by the way, I found these. And they said, ooh, that's not good. Thank you very much. But they were, you know, they were not found by seeing them being exploited in order to hurt people. Probably also because Firefox isn't that big a deal anymore compared to Chrome. Chrome is the big target because that's what everyone's using. On Windows, among the other features new in 143, Firefox now supports running websites as web apps pinned directly to the taskbar. So these are sites that you can pin and run sort of as simplified windows, just like we were talking about, like writing an app in a higher level language that compiles into WebAssem and runs very nicely like an app for your operating system. And in this case now Firefox 143 and later you can stick it on your taskbar and just launch it. 
So, oh, I should mention, though, that this does not work if you download Firefox through the Microsoft Store. This is only if you just get it yourself from Mozilla. I don't know why. Tabs, Firefox tabs can now be pinned by dragging them to the start of the tab strip, which makes it easier to keep important sites within reach. And I did that immediately since I am generally holding a conversation with ChatGPT as my code development buddy. I put the ChatGPT tab up at the top of my tabs. It locked in right there, and now it's there. So I'm happy to have that. Copilot from Microsoft, of course, can now be chosen as a chatbot to use in the sidebar for quick access without needing to leave the main menu. Now, it's unclear to me how many people who have deliberately chosen to use Firefox as their web browser, rather than succumbing to Edge, over and above all of Microsoft's clearly and repeatedly stated objections to use anything other than Edge, yes, you have to work at using Firefox. Why they would choose to chat with Copilot over any of the other many alternatives is beyond me. But for what it's worth, you can now choose to use Copilot from the URL search bar if you want to. Also, when a site asks for camera access, the chosen camera can now be previewed sort of "in vitro" inside the permission dialog, which allows you, if you've got multiple cameras, to choose the one that you're about to give the site permission to use. So that can come in handy, if you've got multiple cameras. The Firefox address bar can now display important dates and events. Okay. Mozilla elaborated that this gripping new feature supports displaying events like Mother's Day. Now, if it gave you adequate warning that Mother's Day was approaching, that might be useful. |
| Leo: Yeah. Just don't tell me tomorrow. Tell me next week. Tell me next month. Yeah, yeah. |
| Steve: Yeah. So anyway, okay, I guess that's good. But I would rather have them spending time on privacy-enforcing age verification. Wouldn't that be nice to have. Think about that, Mozilla. I'd rather have that than, you know, be told of important dates on the calendar. |
| Leo: Yes. I agree. |
| Steve: They also support Windows UI Automation, so that improves the support for accessibility tools such as Windows Voice Access, Text Cursor Indicator, and Narrator, so that's good. And I said that I was going to save the best two for last, and here they are. Firefox has expanded its Fingerprinting Protection by reporting constant values for several more attributes of its users' computers. That's nice. Our listeners know that I left Firefox for Brave when it turned out that Firefox really had done nothing there. And also, when downloading a file in the Private Browsing mode of Firefox, you know, its incognito mode, Firefox now asks whether to keep or delete anything you download while in that mode as the session is ending. And you can adjust that behavior, whether you want it or not, in Settings. I think that's a nice feature. You know, the presumption being that, if you're in that mode, then just as you do not wish to have your browser permanently recording where you go and what you do and the cookies that you receive, you know, you'll definitely be receiving cookies, you may also not want anything you might download to persist. But you might forget that. So this is a nice little feature of that. And I suppose it's not bad that Firefox expanded its fingerprinting protection by reporting constant values for several more attributes. But I checked. It still did not prevent the EFF's new "Cover Your Tracks" site that we've talked about before from locking onto my updated browser, now running v143, and reporting that its fingerprint was unique. It had never seen anybody else with that fingerprint. So okay, Microsoft, or... |
| Leo: I use a Firefox spinoff called Zen that does have unique fingerprint protection. |
| Steve: Nice. Nice, nice, nice. Wait, no, unique fingerprint means you're... |
| Leo: Our test indicates you have strong protection against web tracking, but it has a unique fingerprint. Ah. That's not good; right? |
| Steve: That's not good. And if you use Brave, you don't get a unique fingerprint. You look like a whole bunch of... |
| Leo: Safari doesn't either, yeah. |
| Steve: Yeah. |
| Leo: Oddly enough, given how out of touch Safari seems to be in other ways. |
| Steve: Well, but, you know, Apple focuses on, you know, some things. I have a bit of feedback from one of our listeners we'll be getting to where I spend a little more time than I did last week addressing Apple's insistence on not having their iOS compromised. Because, I mean, I have a deeper appreciation for just how much this appears to matter to somebody there. Anyway, we'll get to that. One last piece of news on the Firefox front is that last week's Firefox for Android, which is now available, offers its own native DoH, you know, DNS over HTTPS, for resolving domain names into IP addresses, which of course uses the HTTP protocol over an authenticated and encrypted TLS connection. And, okay, that's good. I installed Firefox on my Samsung phone, my Android phone, just because I wanted to see what it looked like. And sure, you can do that. It's there now. But it's not such a huge deal because native DoT DNS resolution, so that's DNS over TLS, that was added to Android natively seven years ago, in 2018. So Android's had that for seven years. And that was with the release of Android 9. Remember the Pie edition, P-I-E. And then native DoH resolution was added two years later to Android in 2020 with Android 11. So even without Firefox, or any other browser running on Android, adding its own native DoH or, for that matter, DoT support, all of the browsers' lookups would have already been securely encrypted using Android's native DNS for the past seven years, since 2018. Yes, it's nice to have it as an alternative. Maybe something prevents you from turning on Android's native, I don't know what that would be, but if that was the case, then Firefox is bringing DoH encryption for DNS lookups natively itself. So I guess that's good, too. But, you know, again, not that big a deal. The Register's headline last Friday, they couldn't resist: "One token to pwn them all," was the headline. 
And they said: "Entra ID bug could have granted access to every tenant." Okay. That means any SharePoint Online or Exchange Online account was vulnerable to this, until Microsoft fixed it. That includes access to other resources hosted in Azure. In other words, this bug would pretty much be as bad as it could get. Okay. Before I go any further, I'm just going to share what The Register reported. They said: "A security researcher claims" - and it's confirmed - "to have found a flaw that could have handed him the keys to almost every Entra ID tenant worldwide. Dirk-jan Mollema reported the finding to the Microsoft Security Research Center in July. The issue was fixed and confirmed as mitigated, and a CVE was raised on September 4th. It was an alarming vulnerability involving flawed token validation that can result in cross-tenant access. Mollema wrote: 'If you are an Entra ID admin, that means complete access to your tenant.'" That is, by anybody else while this bug was in place. They wrote: "There are two main elements to the vulnerability. The first, according to Mollema, is undocumented impersonation tokens called 'Actor tokens' that Microsoft uses for service-to-service communication. There was a flaw in the legacy Azure Active Directory Graph API that did not properly validate the originating tenant, allowing the tokens to be used for cross-tenant access. Mollema wrote: 'Effectively, this means that, with a token I requested in my lab tenant, I could authenticate as any user, including Global Admins, in any other tenant.'" |
| Leo: That's not good. |
| Steve: Oh, Leo. I mean, it's no authentication. It is a complete authentication bypass. |
| Leo: Not where do you want to go today, who do you want to be today? |
| Steve: For Entra ID, yes. I mean, it is horrific. They wrote: "The tokens allowed full access to the Azure AD (Active Directory) Graph API in any tenant. Any hope that a log might save the day was also dashed because requesting an Actor token does not generate a log. And even if it did, they would be generated in the attacker's tenant instead of in the victim's tenant, which means that no record of the existence of these tokens is made or retained. "And the upshot of the flaw was a compromise of any service that uses Entra ID for authentication, such as SharePoint Online or Exchange Online. Mollema noted that access to resources hosted in Azure was also possible. Microsoft's swiftness in resolving the issue is to be commended, even if it's unfortunate that it was present in the first place, they wrote. Mollema also noted that Microsoft had not detected any abuse of the vulnerability with its internal telemetry. But then we don't know whether it would have in any event. "Mollema said this is 'the most impactful vulnerability I will probably ever find.'" Yeah, you or anybody else. I mean, this is unbelievable. They said: "And it's difficult to dispute the claim. The CVE for the issue rates it as 'Critical' [uh-huh] with a 'Low' Attack Complexity metric and a CVSS score, you guessed it, of 10.0. To reiterate, according to Microsoft, the vulnerability has been fully mitigated, and users do not need to take any further action. Still, before the vulnerability was found," they wrote, "there existed, in Mollema's words, 'one token to rule them all.'" Now, what I question every time we encounter something like this, that could have truly wreaked havoc upon the world, I mean, this absolutely, this would have been unbelievably destructive, is whether those who would do us harm already knew about it and were thus quite upset by its chance discovery by a moral security researcher, and then by its unilateral removal from their secret arsenal? 
Did somebody know, and they were just waiting? The other question that naturally occurs is, if this was just found, what else is still lurking out there that bad guys may have found and are hoping the good guys don't stumble upon? I would feel much more comfortable knowing that there was some chance that all of the big bad problems were being found and might eventually all be discovered. That's what we'd want; right? I mean, if we accept the fact that, yes, all software that's of sufficient complexity is going to have problems, then, okay, but we have a process with all of these security researchers and all of these different groups pounding on our software. They're finding problems. But the reason that's unlikely that they're going to eventually find them all is that Microsoft refuses to ever leave anything alone. And they apparently introduce new problems at the same rate as they and others are finding and removing them. Right? We don't see it, like, drying up over in Windows land. You know, we've got Apple exploiters who have thrown in the towel and given up because they're just too hard to find now. They don't try anymore. But wow, you know, how many hundred flaws will Microsoft patch next month, is the question? So, you know, what we don't know and we never will know is whether this particular flaw, as just an example, existed from the start? Was it always in there? Or did it get introduced sometime later when someone came along and changed some things around without having a full understanding of the consequences? Where the original developer is off on some other project, or maybe is just on an island somewhere because he's got stock options, and they knew what not to do, but this other guy came along and said, oh, let's glue these things together. And, like, what could possibly go wrong? And a new flaw was born. And in this case, something that was devastating. We'll never know. But we do know Microsoft just can't stop messing with this stuff. 
It's like, oh, new feature, new feature, new feature. Meanwhile, wow, the consequences of a breach really, you know, escalate. Last Wednesday, Chrome was quickly updated - and, boy, I'm impressed with this. When I say "quickly," you'll see what I mean - to end the abuse of a critical type confusion bug in the V8 JavaScript and WebAssembly engine. Chrome in the Stable channel was updated to 140.0.7339.185 for Windows and Linux, and .186 for Mac. Now, this update seems worthwhile to obtain since it fixed four different vulnerabilities, every one of them designated as high. There was the CVE-2025-10585. That's the one. That's this type confusion in V8. It was discovered and reported by Google's TAG team, that's their Threat Analysis Group, get this, on the day before, on the 16th. And this patch, this zero-day was fixed, and Chrome was updated and made available the next day, on the 17th. So Google wasted no time getting Chrome updated to fix that one. Also, CVE-2025-10500 is a use-after-free flaw which earned its reporter, the researcher who reported it, $15,000 in bug bounty. CVE-2025-10501 was a use-after-free in the WebRTC system. Its discoverer took $10,000 home. And then the fourth one is CVE-2025-10502. That's a heap buffer overflow in ANGLE, and the bounty for that was TBD, you know, to be determined. So that reward had not yet been set. It's interesting that the other bugs had been known by Google for as many as six or seven weeks. I checked the original reporting date, and six or seven weeks before this. 
But despite all of them having similar ratings, high severity, it wasn't until the reporting of that type confusion in V8 and WebAssem, which their own TAG team reported discovering due to its active exploitation, that Google essentially instantaneously fixed it and pushed out the Chrome update, which also incidentally fixed those three others that Google already knew about, apparently had already fixed, but just didn't feel were worth bothering to push out to the world because nobody was known to be exploiting them. I would imagine they may have even been watching them to see if they were going to be exploited, but figuring, eh, you know, we'll wait till something more worthwhile comes along. And, boy, did it. The moment it did they fixed it and pushed out an update to Chrome. So, you know, that's the way you want a company like Google to operate. And Leo, the way we want our DRAM to operate is not the way it is. |
| Leo: Yes. Oh. |
| Steve: We're going to take a break, and we're going to look at the still-vulnerable DDR5. |
| Leo: Bad DRAM. Bad. |
| Steve: Bad DRAM. Bad. |
| Leo: Bad DRAM. |
| Steve: And unfortunately, inherently bad. This is a child that cannot be fixed. |
| Leo: But we're all using it. Oh. |
| Steve: Yeah. Okay. So Leo, while you were telling our listeners about that, I just happened to see my email pop up. |
| Leo: Yeah? |
| Steve: And this was from our listener, one of our listeners, Walt Lemberg. He wrote, he said: "Steve, never received your current email. I checked the trash and other mailboxes. Am I still on your list?" And I floated my, you know, I'm using eM client, which I still love. I floated my cursor over his name, and it showed his email address at, which came as no surprise to me, gmail.com. |
| Leo: Oh. |
| Steve: I wrote back, "Hey, Walt. You'll find it in your spam folder. For some reason Gmail decided that this email was spam, and all of our mail to Gmail last night went into everyone's spam bucket. I sent myself one, and it went to spam. So please mark it 'not spam' to train Google. Thanks." |
| Leo: Do you think it's because it had a YouTube link in it? |
| Steve: That's the only - but it wasn't in the mail. It was in the PDF that was attached. But, you know, Google opens PDFs, I imagine, and scans through them. That was the only thing that I could think was that it had a link to YouTube. But why would they care if you had a link to YouTube? I mean, it's a public YouTube. It's not like anything weird. And the only thing that I could think is that I did send it at 8:30 in the evening. Normally I'm sending in the afternoon. But I was just - this podcast took - I don't know. I mean, so I've noted that, if I put too many question marks or exclamation points in the email, that's bad. |
| Leo: Oh, yes. That's a sign. |
| Steve: So I don't do that ever anymore now. I learned that. But that wasn't Gmail that punished me, it was some other random spam, you know, thing that some people use. Anyway... |
| Leo: Too enthusiastic. We're going to block you, yeah. |
| Steve: I wanted to tell our listeners, if you have a Gmail account, if you normally get email, and you're thinking, hey, what happened to Steve's show notes, look in your spam folder. And if you would, just take the moment to say this is not spam, bad Gmail, and give it a little bit of discipline. |
| Leo: Train it. |
| Steve: Train it. |
| Leo: If enough people do that, yes. Spank it, yeah. |
| Steve: It must, you know, maybe some people said that it was spam, and Google got annoyed. But, you know, 18,865 pieces of email went out last night, and a surprising percentage of our listeners have Gmail accounts. |
| Leo: Oh, yeah. It's number one. |
| Steve: Yeah, yeah. |
| Leo: Do you attach the PDF, or send people a link to a PDF? |
| Steve: Just a link to it. |
| Leo: Yeah. |
| Steve: You're right. So it's not embedded in the email. |
| Leo: So it's not looking at that, either. |
| Steve: No. |
| Leo: It may be that a link to a PDF nowadays is considered spammy. It kind of - who knows? |
| Steve: Every piece of email, though, has had a link to the PDF. |
| Leo: Right, all along. |
| Steve: This is the only - and many of the people who have written to me, I've heard since last night many of our listeners said, hey, just thought you'd know your email went to spam for the first time ever. And it's like, okay. I don't know why, but it's not good because that's a - but I congratulate them on even - do people, like, look in their spam folder all the time? |
| Leo: Oh, yeah. |
| Steve: Oh. |
| Leo: Constantly. |
| Steve: Because of false positive spam. |
| Leo: False positives. I review my spam folder every few days. And there's often something I want in there. It's, you know... |
| Steve: Yeah. |
| Leo: Sigh. |
| Steve: Oh, what a mess. |
| Leo: It is a mess, yeah. |
| Steve: Okay. Speaking of messes, we have a mess. Last week Google Security posted the news - which should not surprise us all that much, unfortunately - the latest DRAM remains vulnerable to Rowhammer attacks. From the start, the first time we heard about this, it was clear that Rowhammer attack susceptibility represented a fundamental and intrinsic vulnerability because it was inherent in the fact that the push for insane levels of performance and memory density had forced the reduction of dynamic RAM noise margins and cell charge capacity down to the level that, while, yes, it generally works, it can now be made to fail if you're clever about how you go about doing that. So here's what we learned from Google last week. They said: "Rowhammer is a complex class of vulnerabilities across the industry. It's a hardware vulnerability in DRAM where repeatedly accessing a row of memory can cause bit flips in adjacent rows, leading to data corruption. This can be exploited by attackers to gain unauthorized access to data, escalate privileges, or cause denial of service. Hardware vendors have deployed various mitigations, such as ECC (Error Correction Code) and TRR (Target Row Refresh) for DDR5 memory, to mitigate Rowhammer and enhance DRAM reliability. However, the resilience of those mitigations against sophisticated attackers remains an open question. "To address this gap and help the ecosystem with deploying robust defenses, Google has supported academic research and developed test platforms to analyze DDR5 memory. Our effort has led to the discovery of new attacks and a deeper understanding of Rowhammer on the current DRAM modules, helping to forge the way for further, stronger mitigations." Okay, now, I'm not going to spend a lot more time on this since we have deeply and thoroughly covered the multiple Rowhammer discoveries and, sadly, the futile attempts to solve the problems. 
I have a link in the show notes to Google's full posting for anyone who might want, you know, a full update on the status of this. But I'm going to skip all that and get down to Google's "Lessons Learned" at the end of this posting, where they write: "We showed that current mitigations for Rowhammer attacks are not sufficient, and the issue remains a widespread problem across the industry." Okay. That's today. They said: "Those mitigations do make it more difficult, but not impossible, to carry out attacks, since an attacker needs an in-depth understanding of the specific memory subsystem architecture they wish to target. "Current mitigations based on TRR and ECC rely on probabilistic countermeasures that have insufficient entropy. Once an analyst understands how TRR operates, they can craft specific memory access patterns to bypass it. Furthermore, current ECC schemes were not designed as a security measure and are therefore incapable of reliably detecting errors." Right? ECC is meant for catching memory failure, not deliberate malice. They said: "Memory encryption is an alternative countermeasure for Rowhammer. However, our current assessment is that without cryptographic integrity, it offers no valuable defense against Rowhammer. More research is needed to develop viable, practical encryption and integrity solutions. Google has been a leader in JEDEC standardization efforts, for instance with PRAC (P-R-A-C), a fully approved standard to be supported in upcoming versions of DDR5 and Low Power DDR6. It works by accurately counting the number of times a DRAM wordline is activated and alerts the system if an excessive number of activations is detected. This close coordination between the DRAM and the system gives PRAC a reliable way to address Rowhammer." Which is how they end. Okay. Now, PRAC, P-R-A-C, stands for Per Row Activation Counting. And if you're ever in need of a quick example for which the word "kludge" was coined, you need look no further. 
It's too bad that the word "DESPERATION" has too many letters to serve as the abbreviation for some means of solving this problem, since "desperation" is what it's come down to if your solution is to add hardware counters into your DRAM memory's wordline activations as a means of detecting when someone may be "yanking your line" with malicious intent. What a mess. But for what it's worth, props go to the original researchers at Carnegie Mellon University who, 11 years ago, and we covered it at the time, back in 2014, discovered the presence of this nightmare lurking in the design, the inherent fundamental operation of DRAM, and brought it to the world's attention. You know, that's the kind of research we need. Unfortunately, there seems to be no way to back out of DRAM's density. I mean, everybody now needs, you know, 128GB of DRAM and more. And the reason Google is funding the research is they've got big data centers, and they've got lots of this DRAM, and they're running other people's code on their servers, and they don't want to have people busting out of their virtualization boxes and roaming around within Google. So, I mean, this is a serious problem, and we don't have a solution for it yet. You know, and what's DRAM going to do if it signals that somebody is making excessive accesses? First of all, that will tend to false positive; right? There could be use cases where it's going to raise an alarm where there's no malicious activity. What's it going to do? Abort the process. What else can it do? Or maybe start refreshing all the adjacent rows around that area? Anyway, it's, as I said, "kludge" is what this is, and what a mess. Because of a fundamental problem that we don't have a solution for. DRAM's noise immunity is too low, and it's been forced down by this craven quest for ever more dense memory in order to satisfy the, oh, look, we're able to do it capabilities. Wow. 
I've always found it interesting - and certainly depressing - that science fiction, when depicting a futuristic dystopia, invariably shows it filled beyond brimming with monstrous bright and flashing animated holographic 3D advertisements. Right? |
| Leo: Blame Philip K. Dick. I think he was the first to describe that world; wasn't he. |
| Steve: And every - yes, you're right. Like "Blade Runner"... |
| Leo: "Blade Runner," yup. |
| Steve: ...was just crazy with that. And then "The Fifth Element" we saw the same thing. |
| Leo: Yeah, yeah, same things, yeah. |
| Steve: Basically, that's like become a meme. You know, it's always way beyond garish. And those scenes show us the presumed consequences of commercial consumerism without any boundaries where he who shouts the loudest attracts the most customers. Anyone who had seen some of that sci-fi might have wondered whether the manufacturer of a residential kitchen refrigerator which touted its overly large touchscreen as a feature, might ever succumb to their baser instincts, finding themselves, the manufacturer, unable to resist the temptation to make just a few more after-sale dollars by assaulting the owners of those refrigerators, many of whom had purchased those connected cold storage boxes for as much as $2,000, with a series of unsolicited product advertisements on their devices' screens. If you answered "Yes, of course they would," sadly, you would be correct. Samsung has begun displaying unsolicited advertisements on the screens of its large-format display refrigerators. They do not give users the option of declining, so I suppose you could remove the device from the Internet. But then you wouldn't get the weather forecasts and the recipe of the day and all the other random crap that apparently purchasers of these Samsung connected refrigerators think is a good thing to have on the screen of the door of the refrigerator. Now you're also going to get ads. So that's the way it is in 2025. |
| Leo: I think Philip K. Dick also described a time in the future where every appliance you have, you have to watch an ad before you can use it, including your door. We're headed that way. We are. |
| Steve: We are, Leo. We are. There's no question. |
| Leo: I have a friend who has an older Samsung with a built-in browser, and she can't use the browser anymore because it's out of date, and Samsung doesn't update it, so it's insecure. So not only is it showing ads, the browser is useless, too. The whole thing is terrible. |
| Steve: Yeah, I ran across that a couple weeks ago, and I forgot to mention it on the show. That's right. It's like the browser is behind the times. |
| Leo: Right. It's like they put IE6 in it. Oh, my god. Late-stage capitalism, welcome. |
| Steve: Yup. China is now banning NVIDIA chips. It's somewhat difficult to keep up with the daily back and forth of current import and export policy. Right? Because, I mean, it literally changes by the minute. |
| Leo: Yes. |
| Steve: The last I heard was that NVIDIA had scored a huge win with China after NVIDIA's CEO, Jensen Huang, reported a very productive Oval Office meeting with Donald Trump. But, as I said, it's been difficult to stay current. The latest news is that China's government has now told their companies to stop purchasing NVIDIA chips. According to the Financial Times, companies were told to stop testing and to cancel any orders that they may have, now and for the future. The move is reportedly part of Beijing's efforts to boost the local semiconductor sector and cut its dependence upon U.S. suppliers such as NVIDIA. |
| Leo: You can't blame them, yeah. |
| Steve: No. And Chinese officials again accused the U.S. of attempting to sneak backdoors into NVIDIA chips. Of course we previously covered and shared Jensen's very clear and adamant statement that NVIDIA would never under any circumstances compromise the integrity of its chips with secret backdoors. And remember that in that statement he reminded the world what a disaster the Clipper Chip had been. |
| Leo: Yeah. |
| Steve: Where basically exactly that was done. And said, "We're never going to do that." But again, we're seeing the rise of nationalism in general. Certainly we're doing it. So they're doing it, too. I'm sure that I hardly need to caution any of our listeners about the dangers inherent in the use of packaged libraries found on open and open source software repositories such as NPM. We've been talking about these supply chain attacks constantly. But I just wanted to say that last week 300 more malicious NPM packages were found and taken down. So please be careful. Please. |
| Leo: Yeah, you know, it's funny because I was talking about the story on TWiT on Sunday, and I mentioned the earlier NPM hack, which we had talked about a couple of weeks ago. I didn't realize this is a whole new one. Same problem; right? That these node packages are automatically downloaded all the time, billions of downloads a week. |
| Steve: Yes. And so they're being sucked up and incorporated into other systems. |
| Leo: Without your knowledge, without the developers' knowledge, it's terrible. It's a mess. Just a mess. |
| Steve: Yeah. It is, I mean, it's a system that we evolved. If everybody was operating good - even if everybody was operating in good faith, well, you would tend to be pulling in bugs that were not yours. |
| Leo: Right. |
| Steve: And then you would need to find them. But here it's way worse than that. You know, it's deliberate malice. And all these packages are being pumped onto NPM with the hope that they're going to get incorporated and end up propagating out into the world. |
| Leo: So the first one we talked about was relatively benign and just put some bitcoin mining software on machines. This one's a worm, Shai-Hulud, which is of course the Dune sandworm. And I think it spreads itself, you know, this thing is much more malicious. |
| Steve: Yeah. |
| Leo: I don't know what the solution is. This is just... |
| Steve: No. I mean, we have built a dependency on dependencies; right? |
| Leo: Yeah. |
| Steve: I mean, these are inter-package dependencies. |
| Leo: Right. |
| Steve: And we're now dependent upon the system that uses dependencies in order to pull everything together. You know, I don't know how we unwind this. |
| Leo: Yeah. Well, I'm sure people are working on it. I hope they are. |
| Steve: Greg James wrote, saying: "Steve, I was reviewing your observations regarding post-support Windows 10 updates and 0patch. Reading the fine print of their FAQs they state: 'In case the subscription is terminated without renewal, or the trial expires without purchase, all micropatches on computers associated with the subscription get unapplied until a new subscription is established for these computers.'" |
| Leo: Oh. |
| Steve: Yes. And he gave me a link to that. And he said: "From my perspective, this is a fine example of holding us hostage. Also, their annual subscription for the 'Pro' version, required to get Microsoft's security patches beyond the zero-day that 0patch provides for free, amounts to the same $30/year that Microsoft charges, albeit 0patch is willing to hold us hostage for at least five more years for the privilege of staying with Windows 10. Just thought you'd like to know if you didn't already." Okay. So, Greg, thank you. I was not aware of the fact. And Leo, obviously you weren't either, from your reaction, which echoed mine, that the patches applied by 0patch are only in place as long as the 0patch subscription remains valid. So I'm glad to know of that. And my feeling is that fact ought to not be buried in a FAQ. It ought to be made very clear, though I don't know either way whether or not they make it clear. That would be nice to know, that is, if you do sign up, are you told upfront that your systems will only be patched as long as your subscription remains current? Now, the way that I can see it sort of making sense, at least from their perspective, is that none of the 0patches ever modify any of Microsoft's files on disk. As we know, 0patch only applies patches in RAM, and it's a clever solution. It means that they're never modifying Microsoft's files, so the digital signatures on Microsoft's own original Windows files are never broken. And it means that flaws are patched on the fly without any need to even reboot your machine. When the machine in question is a busy server on which others are depending in real-time, that can be a real win. You're able to fix problems on the fly without a reboot. So that's a nice feature of it. But it does sort of say that whatever it is that they're providing you from 0patch that enables this on-the-fly post-booting in RAM patching is transient. And if your subscription expires, so do the patches. 
So given that - first of all, we may well see that Microsoft is going to change their policy by this time, it will have been done by this time next month. Wait. Is next month the last? |
| Leo: October 15th is the last. |
| Steve: Is the last update. So we would have one more month until November to see whether we get past this for free in November. |
| Leo: Patch Tuesday is before the 15th, obviously. So I guess you'll get that Patch Tuesday next month. |
| Steve: Ah, of course, right. And then the 15th, whatever that date is. |
| Leo: Yeah, it's end of life then, yeah. |
| Steve: And then we're going to see. So of course, as we know, it's not that difficult to get one month for free. It turns out I'd used Bing while I was using Edge for a while, and I had, like... |
| Leo: Right, you had points, yeah. |
| Steve: ...several thousand points of Microsoft brownie points. So I'm able to get it. But I'm also an MSDN developer. So I get this stuff regardless. I'm not your normal consumer profile. But so Microsoft may... |
| Leo: Oh, Patch Tuesday is the 14th. So it's the day after the Patch Tuesday. |
| Steve: Oh, okay. Well, that was clever. |
| Leo: Yeah. |
| Steve: So they said the 15th. So that made it clear. You would get the patches on the 14th... |
| Leo: The last one, and then that's it. |
| Steve: But then, yeah, that's it. Or maybe not. We'll see. |
| Leo: Yeah. They've backed down in the past. We'll see. |
| Steve: Yeah. And there's a lot of pressure on them. And, I mean, again, they're in the wrong here. I mean, it's their OS. They can do what they want. But, you know, when people like Stacey are writing for Consumer Reports saying, you know, we're calling on you to do the right thing, Microsoft. Anyway, so the optimal... |
| Leo: The other issue with the 0patch expiration is that means the 0patch agent is phoning home periodically to check your license. Right? They'd have to do that to make sure that you still are subscribing. |
| Steve: That you have some kind of, yeah, real-time connection. On the other hand... |
| Leo: They have free patches. So you don't - those aren't, you know... |
| Steve: Yes. They're free until Microsoft offers it. So they're free - while it's a zero-day that Microsoft has not patched, you get it for free. When Windows takes over, then, well, actually then you no longer need it. |
| Leo: Right, right. |
| Steve: Yeah. It'll be interesting to see how this all pans out. You know, and everyone knows my position. I'm sitting in front of Windows 7, and it hasn't been patched in a long time, and it's working just fine. |
| Leo: Yeah. |
| Steve: So, you know. The other - there is, I mean, I understand that everybody wants to be patched against the latest vulnerabilities. But, you know, I'll be talking about Apple here in a minute. And, you know, nobody was being hacked by these targeted attacks except, you know, some targeted... |
| Leo: Dissidents, journalists. |
| Steve: Yeah. |
| Leo: Targets. |
| Steve: Yeah. I mean, so I salute Apple. But really we're not at risk, largely. So some perspective there, I think. I wouldn't get too worked up over loss of patches for Windows 10. Okay. Nic Neidenbach wrote: "Heya, Steve and Leo. While listening to Security Now! 1043 [last week]," he said, "I was compelled to send some feedback about user training in regards to phishing scams." Oh, this is a good point he makes. He says: "It doesn't surprise me that the training was proving ineffective as I regularly see employers send emails with links that the employee often has to click on. Things like alert notifications, announcements, meeting requests, and even choosing yearly benefits. Then there are emails from vendors which can have all kinds of actionable tasks that require clicking on a link. GoDaddy, for instance, sends an email about domain renewals with links for the details. Sadly, the training can't just be simple like 'don't click on links in emails.' Instead, it's more complicated. The challenge is teaching them how to recognize a safe link. Or even better, that instead of clicking on a link, go to the site and navigate to where you need to go manually." And it's like, yeah, good luck with that. And he says: "Thanks, Nic (SpinRite Owner and Listener since Episode 1)." So, as I said, I think Nic's point is a very good one. I'm glad he made it. I think he's completely correct. When I consider all the links I receive, you know, for good purposes through email, it's clear that "Don't click on anything you receive in email" is an impossible nonsense recommendation. So what we really mean is "Only click on the good links" and "Never click on any bad links." But since phishing attacks are deliberately designed to make the bad links look good, that's no help either. 
So this brings us back to my most recent thought, which is that networks of enterprises great and small need to be designed to be strongly resistant to these sorts of mistakes which will be made by insiders, regardless of how they're trained. Because as Nic says, and he's 100% correct, people have to click on links. Email link clicking is the way business operates now. So I think this means that the principles of "least privilege" need to be designed into the way any company's networks operate moving forward. |
| Leo: I agree 100%, yup. |
| Steve: Glenn Hochberg wrote: "Hi, Steve. I was listening to Episode 1043 today, and when you were discussing how it's impossible to train users enough not to click on potentially malicious links, I recalled that when I worked for a large corporation," he says, "I retired earlier this year, they had at least a partial solution to this problem. They employed a third-party product that would filter all the incoming email and replace all links with encoded links back to the third-party vendor's website. When a user would click a link in their email, the vendor site would look up the forwarded URL in their constantly updated database of malicious websites, and either reply with a security warning page with a link to apply to get the referenced URL added to the white list if necessary, or else they would forward the user on to the validated URL. "No doubt this is not a completely foolproof system, but it certainly helps. Thought I'd bring this to your attention if you were not already aware of this. Thanks for all you and Leo do. I'm a long-time listener, since sometime in your first year I think, and a TWIT subscriber, and look forward to listening to Security Now! each week. I've spent the last 20 years of my career in cybersecurity at a large corporation, and there were many listeners there. Signed, Glenn." |
| Leo: Nice. Thank you, Glenn. |
| Steve: So Glenn, 100%. I think the solution provided by that vendor makes a lot of sense. One thing we've seen is that something as simple as the registration age of the domain referenced by a link's URL can provide a highly reliable signal to any threat detector. And notice that the early knowledge of any new threats is provided by the links that are filtered on their customer's behalf. So if such a third-party vendor has many customers, all of the links being filtered on behalf of all of their customers will allow them to compile and maintain a central "bad links" database. It's very much the way Gmail has a huge advantage by having visibility into so many of its users. So in the show notes I wrote, "Any new spammer will be seen very quickly." And sometimes even a non-spammer will be given a false positive. |
| Leo: Mr. Steve Gibson, in other words. |
| Steve: Be given a false positive. |
| Leo: It's probably better to get a false positive than a false negative, I guess; right? |
| Steve: Yeah. Fabio in Switzerland wrote: "Dear Steve, I'm a long-term listener since Episode 1, and SpinRite owner. My 10-year-old iMac 27-inch 5K finally gave up, and I bought a new Mac Studio. I'm using one external 2TB SSD where I have all my photos stored (1.38TB used) and one new external 12TB WD My Book with my videos (5.6TB used)." He says: "I'm doing Time Machine backups and use three different drives, two offline and in two different locations. I bought the drives in different years, hoping to get different production batches, and these are all WD My Books with 14TB. I don't remember, but these drives are for sure six to eight years old, and I'm thinking of adding another drive to my backup set. "I'm thinking of buying an external WD My Book 18TB, and I wonder how you judge the different technologies used in the different drive sizes 8, 10, 12, 14, 16, 18, 20, 22, 24 and 26TB for usage as a backup drive." He said: "ChatGPT tells me that WD 8-12TB seem to be the most reliable as it is most of the time a white-labeled Ultrastar drive." He finishes: "Any comments are highly welcome and might be also interesting to your podcast listeners. Best from Switzerland, Fabio." Okay. So I don't have any strong opinion about optimal drive size based upon experience. All of those are going to be shingled drives, which I'm very uncomfortable about, just because shingling technology is what we've driven the drive manufacturers to in order to get drives that have 26 trillion bytes within their enclosure. It's just, I don't know. The only thought I really have here is about redundancy, in which I believe strongly. After all, you know, that's the entire reason for backing up our data, right, is so that we have redundant copies elsewhere. I run double-redundant RAID 6 arrays on all of my NAS systems and on all of GRC's servers. |
| Leo: Two drives would have to fail to lose the array. |
| Steve: Actually, no. Two drives can fail, and you still have all your data. |
| Leo: So three would have to fail. |
| Steve: Yes. Yeah. |
| Leo: I do the same. |
| Steve: Yeah. It sounds like Fabio has the redundant side handled with all those WD My Book external drives. But Fabio, my only thought is that it sounds as though your system of backing up has grown and evolved gradually over time, and that as a consequence it's remained somewhat manual, you know, needing to plug drives in and out, I assume, and manually run Time Machine and so on. The advantage to the way Leo and I have set up our environments is that everything is always being backed up all the time, with versions of everything, without us ever needing to do or to remember to do anything. It's all... |
| Leo: Does RAID 6 do versioning? |
| Steve: No, but RAID 6 gives you redundancy, and then you use some other software... |
| Leo: Ah, Syncthing gives you versioning, yeah. |
| Steve: Yes, exactly. So the advantage of what we've done is that it's all established once, and then it just goes. So it's a different way of operating, but it makes sense. Or, Fabio, it might make sense for you to sort of stop and take stock in the entire approach you have and see whether moving some drives into a RAID array of some sort, putting it on the network, and setting it up for continuous background backups might be an entirely different way for you to think about solving the backup problem instead of getting yet another big external WD My Book and plugging it in somewhere and using it some of the time. Just a thought. Farnsworth sent me email saying: "Hi, Steve. You mentioned getting a Samsung Galaxy A15 for $39 a couple months ago. I have one of those, and I would like to get another, but I can't find it or anything similar at anything close to that price point. Can you tell me where you got yours?" Okay. So when I saw Farnsworth's email, I went over to Amazon, which is generally my go-to retailer, and I found what he found, which was nothing at a price like that. Then I remembered that I had purchased that phone from Best Buy. So I went over there and found it for $49.99. So no longer $39, which it was when I bought it a few months ago, but still close. However, the phone I purchased was by Total Wireless. Best Buy carries Total Wireless, Boost Mobile and AT&T Prepaid, each of them for that same $50 price, and AT&T has a rating of 4.8 out of 5. So anyway, for what it's worth. And Leo, you would know. I don't know, like, are those sponsored phones? |
| Leo: Yeah. They're what we call "subsidized phones." |
| Steve: Okay. So you've got to use those providers? |
| Leo: Usually you're under contract to them for a period of time. Lately it's been two and three years. In fact, with the new iPhones, a lot of people were getting excited because they got free iPhones that they have to pay for over three years. And if they cancel the account, they have to pay in full, you know, catch the cost of the iPhone up. So it's something to be aware of when you get a subsidized phone. On the other hand, if you're going to be at Boost Mobile for the next two years, then you get a deal; right? |
| Steve: Right. Or if you are an AT&T customer, then that, I mean, it's a lovely phone. I'm very impressed. For me it was 39 bucks. |
| Leo: That's not your main - that's not your daily [crosstalk]. |
| Steve: Oh, no, no. That's my Android, like, try stuff on it. |
| Leo: Yeah, yeah. |
| Steve: I got it because I wanted to experiment with authentication. |
| Leo: Right. |
| Steve: I was assuming that strong biometrics would be required. Turns out, as we're going to find out, not so much. Let's take a break. |
| Leo: Okay. |
| Steve: And then I want to talk about our last piece of feedback, which brought me back to looking at what Apple has done. |
| Leo: Oh, good. And we talked about the, was it MIE that we had talked about last week? |
| Steve: Yes. |
| Leo: What a big improvement that is. We talked about it earlier. |
| Steve: Memory Integrity Enforcement. And, boy, did they go over the top. |
| Leo: Yeah, yeah. I mentioned that on MacBreak Weekly. I wanted to echo your - and I told everybody to listen to last week's episode because I wanted to echo your praise for Apple. Now back to Steve. |
| Steve: Okay. So Ryan Stoops wrote: "Hi, Steve. I've been a podcast listener for about 10 years, and I am immensely grateful for all the work you put in to keep your audience informed about the latest security topics. Like other listeners, I have also used Security Now! for CPEs on my CISSP." He said: "I was very interested in the segment you did on Memory Integrity Enforcement. But I have been an Android," he said, "(currently Samsung Galaxy) user since the last days of webOS and the Palm Pre. Can the advances Apple has made be replicated or adapted to secure Android devices? Are the references to 'the unique strengths of Apple silicon hardware' just marketing fluff, or do I have to acknowledge their security prowess and grudgingly switch ecosystems? Thanks, Ryan." Okay. Nothing that Apple has done would be impossible to replace or duplicate. But Apple has a huge advantage over Google and Samsung with Android because they control all of their systems' hardware, its OS, and much of their devices' supporting applications such as Photos and Messenger and Safari. We've seen that these other apps form the attack surfaces which attackers leverage for access to deeper underlying flaws. Also, expanding upon a hint of what I said last week, because I kind of mentioned this, an argument could be made that Apple has become somewhat like Ahab with the White Whale in its obsession over these flaws. On the one hand, yes, I salute them for taking this stand and for really, really saying "NO!" to any intrusion into their system, whether it be great or small. But my lord, has this been done at great expense. It's a testament to - I'm not sure what. Stubbornness? Maybe some form of insanity? Ahab famously said, "I'd strike the sun if it insulted me." Somewhere inside Apple are people who apparently feel similarly about having their device's security breached. 
But I wonder whether, when they began, they appreciated what it was going to take to fully pull it off, as they now have pulled it off. And that work, I should mention, is still not finished. It never will be. This insanely high level of security requires maintenance now. It still needs to be watched, maintained, and properly extended and evolved over time. Bugs creep in, even into security systems. So my point, I think, is that in today's world, with the hardware we have, and software being created as it is, the actual cost of absolutely and utterly hardening a powerful and deeply connected consumer computing product - the way Apple has just done for us with iOS 26 and their A19 chips - and then maintaining that level of security, is astonishingly high. This goes way past the point of diminishing returns. It's a price so high that it almost doesn't make sense for Apple to pay it, and I cannot imagine that either Google or Samsung are capable of caring enough to make that same sort of investment. And it's not clear to me that they should. The payback for them would be quite difficult to justify because a strong argument could be made that their Android devices are very nice, and that their security is already good enough, and they ought to be content to keep them patched, yes, forever playing catch-up with patches, but also operating far more economically than Apple has chosen to. And I have to take my own observation also here, which is it's impossible to judge the security of a system based on its architecture or just the statements of those making those claims. Only time will tell whether this massive investment, this five-year investment that Apple has made will pay off, and that pay off will be over time with, like, no other events of this kind occurring. So we're going to see. But I wouldn't say that it's necessary to jump from Android to Apple just for this. 
Leo, as you and I have been saying, only really targeted individuals were being vulnerable to these Apple flaws. I mean, the bar is set so high, these flaws are now already previously so difficult to engineer that they're being sold for millions of dollars, and they're being used very judiciously. |
| Leo: Well, and you also mentioned, we talked about this last week, that these are enhancement on Arm's existing memory tagging feature. |
| Steve: Correct. |
| Leo: So it's not clear, I guess it depends on your manufacturer. But some Android manufacturers have at least enabled the MTE protections in Arm's offers. |
| Steve: Yes. And so, and Apple did have that for a while. What they found was that it was insufficient. |
| Leo: Right. This is an improvement on that, right. |
| Steve: It's a big, well, so first there was EMTE, Enhanced MTE, which Apple engineered with ARM after the release of 8.5. 8.5 is the Android version that incorporated MTE for the first time. But the question is, when is it on? And what Apple has succeeded in doing is moving enough of the technology into hardware that for the first time it can be kept on all the time. |
| Leo: Here's what Privacy Guides say, even about MTE, that Android, as Google has applied it, really only turns on MTE at an app level. So app developers can use it, but they're not required to. |
| Steve: And it slows their apps down, which is the reason why a lot of them don't do it. |
| Leo: Privacy Guides say that GrapheneOS, which is a third-party Android, uses MTE to a far greater extent than stock Android, or even iOS. Yeah, this is a good - from Privacy Guides, this is a very good description. I mean, obviously I've pointed people to the show last week because that's the best. But Google doesn't even implement this often unless you've turned on their advanced protection feature. So... |
| Steve: Right. |
| Leo: You know what, I think, you know, the answer is Apple's done it right. And Android is behind on this. |
| Steve: So I would say Apple has done it right at great cost to them. |
| Leo: Right. |
| Steve: And for, I mean, it's the definition of diminishing returns. Somebody just decided, you know, we're not going to have any more problems found. We're not going to have any more vulnerabilities that are being leveraged against any of our users. That's, you know, we want to plant our flag in that. And unfortunately, using today's architectures and today's software development techniques, and lord knows what happens when AI starts writing more of our code, we're going to have bugs. So Apple went, like, above and beyond to create an architecture that would fight against these mistakes. You know, proactively foreclose on these errors that are being made. |
| Leo: As you said, most casual users are not - don't need to worry about this. They're not [indiscernible] use a Pegasus exploit against you. But Privacy Guides do point out that the tools used by law enforcement and others like Cellebrite and GrayKey, which are tools that they can plug into your phone and extract the data from... |
| Steve: That is a... |
| Leo: They say they're often in the hands of low-level law enforcement employees or even outside of government and are regularly abused. So maybe we are more vulnerable to this than just the high-value targets; right? |
| Steve: That is a very good point. |
| Leo: Yeah. I'm glad that Apple did it. I'm really... |
| Steve: Oh, I am, too. I'll be proud to own that hardware knowing what's inside. It's just it's - somebody really, I mean, they just really said we're going to do this. We're going to keep our systems from being exploited. |
| Leo: Yeah. |
| Steve: Wow. Okay. We have one more sponsor to get to. But let's do that in a bit. I'll get into this EU Online Age Verification, and we'll take a break when there's a good point to do it. |
| Leo: Good, good. |
| Steve: Okay. So I'm sure that everyone who's been listening to the podcast for the past few years, and especially the past few months, will be well aware of my extreme interest in and perhaps even a preoccupation with solving the problem of online Internet age verification. As we know, I was interested enough in the somewhat related problem of online Internet identity authentication to have spent seven valuable years of my life developing a solution and solving the problem. While online age verification and identity authentication are somewhat related, the problem of age verification also brings along some trickier bits. In the case of identity authentication, it's not one's actual identity that's being authenticated. What it actually is, is the ability to later prove that you have returned, that you are the same anonymous identity that you previously established with a remote website. You know, to accomplish that there's no need to ever rely upon what I would call an "identity anchor." If we use the original username and password authentication, we're simply saying somebody has returned who knows the username and password secrets that were previously established; thus you should assume that it's the same individual. And when we used either SQRL, the system I designed, or Passkeys, the system that the industry has adopted, we're simply saying here's a public key for which I have the private key. Now and at any point in the future I will sign any unique random challenge you might send me to prove to you that I continue to hold that public key's matching private key. In other words, at no point are we asserting anything beyond the fact that we have returned. So even just the term "age verification" indicates that it's something more. The user of a - too much coffee - the user of a properly operating age verification system need not ever have visited a site before. So it's not about having returned to the site. 
The first time such a user visits any site that wishes to verify that they are of at least a certain age, such a system should be able to challenge them to prove they are above a certain age, at or above a certain age. The user should see, you know, some sort of challenge pop up on their client, and then elect to permit their Internet client to assert the truth of that minimum age assertion on their behalf - but only if that assertion is actually true for them. And that's the tricky bit. Any age verification system must be very tightly bound to them, to their real world physical identity. This is another way in which it differs from any fully anonymous Internet authentication system. If we chose to, we could give a friend our username and password, our one-time password token, or even our passkey. In other words, traditional Internet identity associations are transferable because they are not intrinsically about us; they are only about the reassertion of the possession of some secret - a secret that could be shared with anyone else, as Netflix has found out. So, to my mind, the biggest challenge to solving this problem will not be technology. As I've noted, all the technological pieces for solving this problem already exist and have for quite some time. And they can be deployed without much trouble. The challenge will be the establishment of a true identity anchor, the linking between the age verifying technology and the user's true real-world age. Okay. So let's take a look at some news to see what's been going on and where the world stands because I found out something I didn't know. So the first thing was a piece of news about Brazil. Under their headline "Brazil Enacts Sweeping Bill Requiring Online Age Verification, Safeguards for Children's Data," The Record informs us that Brazil has joined the UK because of course the UK has also just done this. 
The Record writes: "Brazilian President Luiz Inácio Lula da Silva on Wednesday signed a law requiring digital service providers to verify the ages of users and adhere to strict new data protection and privacy requirements for children and adolescents. Brazil's Digital ECA mandates that tech companies take 'reasonable measures'" - is the term in the legislation - "to block young users from accessing content which features violence, pornography, sexual exploitation, drugs or gambling, as well as content that encourages self harm. "The law requires that 'reliable' age verification mechanisms be used to ensure users of digital services containing inappropriate content are over age 18. Self-declaration" - and this is another key term now - "self-declaration is no longer adequate as part of the law. It also orders that tech companies set up a 'parental supervision mechanism' to ensure parents can 'limit and manage the use of the service, the content accessed, and the processing of personal data carried out.' "Platforms also cannot process children's personal data in a way that violates their privacy, or use their data for targeted advertising. The measure, which overhauls a 1990 law, will take effect in March." Okay, so we have six months before this goes into effect. "Human Rights Watch organization wrote in a prepared statement: 'Brazil has stepped forward as the first country in Latin America to pass a dedicated law to protect children's online privacy and safety.' In June of 2024, Human Rights Watch reported that personal photos belonging to Brazilian children were used to create artificial intelligence systems which were turned into deepfakes of other children being abused." Yuck. Okay. So this news that Brazil had joined the UK in legislating that self-declaration of one's age would no longer be sufficient, one has to wonder what the legislators who passed this new law imagined would happen? 
Six months from now, websites peddling violence, pornography, sexual exploitation, drugs or gambling will face fines of up to $9.44 million USD - it's some crazy number of Brazilian currency - or up to 10% of their annual Brazilian revenue, if they do not prevent underage children from accessing their adult content. So in other words, what we're seeing now increasingly is that the laws that have long applied only in the physical world, not in cyberspace, are finally starting to be applied to both commercial and free online services within the cyber realm. And, when these laws are tested with appeals to courts having final-say jurisdiction, they're being upheld under the theory that the greater good will be served by them. And, at least in the U.S., we have also seen that requiring mature citizens to prove their physical age by divulging their real-world identity is regarded as not unduly burdensome. Brazil's passing of this legislation last week while bragging that it was the first Latin American country to protect the children got me wondering what the W3C might be doing to get an acceptable solution into the hands of the world's web browsers and websites, since we need standards more than anything else. I mean, there are lots of random ad hoc solutions. If you go over to the App Store on an iPhone and put in age verification, you get a bunch of apps. But we need a standard, one single standard. We can't have any kind of a fragmented solution. So as it happens, I found a page at the W3C with the headline: "Upcoming: IAB/W3C Workshop on Age-Based Restrictions on Content Access." The page, which was posted in the middle of July, says: "W3C announced today the IAB/W3C Workshop on Age-Based Restrictions on Content Access, 7-9 October 2025, in London, UK." Which is exactly two weeks from today there will be a workshop with that title held. The announcement says the following. 
They wrote: "The Internet Architecture Board (IAB) and World Wide Web Consortium (W3C) are convening a workshop to examine the technical and architectural implications of different approaches to implementing age-based restrictions on access to online content. "The young are often unprepared for the sorts of things they might find online. Maturity, education, and the guidance of responsible adults can help children navigate online interactions, but age is often regarded as the best indicator of how able a person is to cope with exposure to content. "Increasing interest is being shown" - I'll say - "in the implementation of regulation that restricts what content young people can access online. A recurring theme in these efforts is that it is no longer considered sufficient to rely on self-assertions of age. A number of jurisdictions have enacted, or are in the process of enacting, laws that take steps to provide stronger guarantees that children are not exposed to certain content. "This workshop seeks to perform a thorough examination of the technical and architectural choices that are involved in solutions for age-based restrictions on access to content. We do not expect to identify a single candidate solution, even if that might be an ideal outcome. The goal is to build a shared understanding of the properties of various proposed approaches." In other words, bureaucracy. Great. They said: "In general, access restrictions are achieved by selectively blocking or filtering. RFC 7754 (Technical Considerations for Internet Service Blocking and Filtering) provides a more general framework for how to think about restrictions on communications. This workshop will build on that work. In particular, it will seek to examine the specific technical considerations that apply when content is legally accessed by some people and restricted for others, based primarily on their age. 
Individuals interested in participating in this activity can indicate their interest by submitting a short position paper. Position papers do not represent either the IETF or the W3C. In some cases, an expression of interest is sufficient. "Topics of interest, as identified by the program committee, include: Surveys of the common features of regulation on age restrictions. Analysis of the technical requirements that might apply. Identification of other key factors to consider in the design of a technical architecture, including, but not limited to, privacy, equity of access, market dynamics such as centralization, vulnerability to circumvention, cost, accuracy, jurisdiction/geolocation, and censorship. "Details of possible architectures, whether in whole or part: for determining the age of people; for identifying content that might need to be restricted; for controlling access to identified content. Comparisons of different technical architectures; examination of how technical architectures might interface with or rely upon regulation or other governance structures; feasibility of different approaches; and exploration of the ramifications of choosing different technical architectures." Okay, now, reading through that, on one hand I become somewhat disheartened, since it is a W3C group that will be the group that needs to produce the standards that we are, right now this very moment, in desperate need of having today, yet they still appear to be quite a long ways away from even having a rough working specification of anything. On the other hand, it looks like there may be a more farsighted approach here, like maybe a user proves to their browser that they are of a certain age, and then the browser in a secure means has a way of transmitting that at the initial communication with a website stage so that the Internet itself is filtered by their browser that now knows how old they are. So that's a horse of a different color, as we might say. 
It's not a matter of replacing the "Yes, I'm 18" button with some sort of interaction. It's literally a way of profiling the Internet based on the proven age of a browser's user, which is way more farsighted than the solutions that anyone is talking about today. So on that hand I'm liking this approach. On the other hand, we still need something now. So maybe that's Round 2. I don't know. Anyway, their announcement of this meeting ended by adding: "Input on other relevant subjects is welcome. Papers that are submitted will be used in developing a workshop program. Position papers from those not able to attend the workshop are also encouraged. Submissions can be made by emailing papers to age-workshop-pc@iab.org. Participants can choose their preferred format," blah blah blah. So anyway, so position papers are being submitted. They did say that they would be publishing the papers, which is good because this is in-person attendance in London, not over the Internet. It will not be broadcast or recorded. So it will only be by looking at the position papers afterwards and presumably some sort of summary of the meeting's results will be published that will get some after-the-fact sense for what happened. So anyway, we're not going to get any code out of this. This is, you know, way, like, if we had our, you know, the wishes of any kind of system we could ever design or dream of, what would it look like? So the better news came from this, which is that the EU itself appears to be somewhat ahead in this regard. They don't have this broad sweeping wonderful future vision approach that we may get someday from the W3C. They have something that they're deploying, like, now. Early last month, Spain announced that it would be using the W3C's existing system known as "Verifiable Credentials." And Leo, let's take our final break, and we're going to talk about what is going on in Spain in the EU with the W3C's existing verifiable credentials technology. |
| Leo: And then it'll be movie time because Steve brought a little film strip. |
| Steve: Yes, I did. And the good news is you can even - those not looking at the video, I made it a - it is this week's shortcut. So grc.sc/1044. But also the audio of it tells you enough of what's going on. |
| Leo: Oh, good. All right. |
| Steve: Yes. Okay. So Spain. Early last month Spain announced that it would be using the W3C's existing verifiable credentials solution. So just to be clear, this is not what the W3C appears to be talking about. I mean, I love the idea of a user establishing an age relationship with their browser, and then the browser and websites negotiating whether, you know, what the Internet looks like based on somebody of that age. That's maybe someday. What we're talking about is what we need today, and we do need something today. So they wrote in their announcement: "W3C Verifiable Credentials" - and I'll be explaining what that is in detail here in a second - "are the future of verification, with Member States continuing to embrace this powerful and versatile technology. Spain has recently released technical specifications for their new online age verification system, aimed at controlling the age of users seeking to access online adult content. "In the last few years, different specialists have come to the conclusion that the easy and free access to online adult sexual content is harming kids and teenagers' mental health and their social and relational skills. Therefore, Spain is planning to limit minors' access to this type of content by implementing an online age verification procedure. This system will use W3C Verifiable Credentials and focus on a protocol for verifying the age of majority without disclosing personal information that could identify or track the user. By applying this data model, the content providers can verify the age of the user without accessing any other personal data, thus minimizing the data disclosure and adhering to General Data Protection Regulation" - you know, the famous GDPR - "principles." Okay. So that all sounds like exactly what we want. Spain's announcement explains the basis for their decision under the subhead: "Why are W3C Verifiable Credentials the right choice for online age verification?" 
They write: "W3C Verifiable Credentials are a digital document format that can represent a wide range of information or claims about an entity (such as a person, organization, or device) that can be cryptographically verified. These credentials are designed to be secure, tamper-evident, and privacy-preserving, allowing the holder to present them to verifiers with a high level of trust. "W3C Verifiable Credentials are the future of verification because they offer" - and they give us three points. "First: Unmatched Security: Advanced cryptographic methods make W3C VCs tamper-proof and trustworthy. They could also comply with signature schemes of the eIDAS regulation for secure digital transactions and ensure the provenance of information. Second, Enhanced Privacy: When sharing a VC, users can choose to share only the necessary information, embedded in credentials, without revealing more than required, for example, proving the user is above a certain age without sharing the full date of birth. This safeguards the privacy of users' personal information and empowers citizens' sovereignty over their information by allowing them to govern the access to their personal data, something that until recently was not conceivable for many due to the nature of information sharing processes. "And finally, third, Portability: VCs can be seamlessly stored and linked to digital wallets and be presented when needed." They said: "The key requirement of Spain's online age verification system is the privacy and untraceability of users' activity, when presenting their age for verification online. This makes W3C Verifiable Credentials data model the perfect choice for such use-case. Their technical solution follows the OpenID For Verifiable Presentations (OpenID4VP) specification, ensuring secure and private verification of age credentials. Additionally, the framework includes trust management via whitelists, which ensures only trusted entities can issue or verify these credentials." Okay. 
So I have a video which was part of the announcement. It is a production of Spain's showing how this works. I've got the link to the YouTube video in the show notes. And as I mentioned before, it is also, so everyone can access it easily, because this is really cool to see, it is today's shortcut, grc.sc/ and then today's episode, 1044. And Leo, if we can run it, let's show it to our listeners. |
| Leo: Let's roll the tape. |
| Steve: Or our viewers. |
| Leo: Yeah. Well, listeners can listen to it. |
| Steve: Yeah. |
| Leo: Here we go. VIDEO: To help protect minors online, the European Commission has made available a prototype for a privacy preserving, secure, and open source age verification solution based on EU digital identity wallet technology. The solution can be deployed by a member state or another entity. They can customize the open source solution to their needs. The prototype of an age verification app will provide trustworthy evidence that the user is over a certain age. Deployers of the app can also set the proof of age to a different level, depending on national law and use cases. So how does it work? First the user downloads the age verification app from the App Store. After a short introduction, the user has to accept the terms and conditions of the app and the data protection information. Afterwards, the setting of the PIN to access the app is needed. If the user wants, the activation of the biometric access on the smartphone is possible. Now the user has to select which kind of methodology for the age verification is preferred. It can be chosen between national identity documents, bank identities, and in the future also passport reading. In the example here, the user will be guided for the national identity document into the EU DI portal and can pick there a credential for the age verification. Only the information confirming that the user is over a certain age will be saved in the age verification app. No name, no birthday or other information of the user is stored. The data privacy of the user is fully respected. The citizens can be sure that there is no traceability of their activities. No user profile can be generated. To access age restricted content, citizens simply need to share their age credentials by scanning the QR code displayed on the website. If the user... |
| Leo: I don't understand what happened. Oh, I got confused. I thought that was my screen. Okay. I thought my menu popped up. VIDEO: ...access to the online service on the smartphone [crosstalk]. No QR code needs to be [crosstalk]. |
| Leo: Apparently they use Macintoshes in Europe. |
| Steve: Yeah. VIDEO: ...will submit the proof of age to the website. Only if the user is of age, access to the website is granted. No other personal information is shared, and nobody can steal your ID to log on. If the user is a minor, they cannot access age restricted content. This open source blueprint is now available at ageverification.dev. |
| Leo: So obviously no kid is going to have this verification. Right? I mean, this is something, I mean, kids don't have national IDs. Or do they? |
| Steve: Correct. So, yes. So remember that this whole - the whole concept here is that it fails closed. That is, if you are unable to prove that you are old enough, the assumption is you are not. And so you don't get to see that content. So the idea being that people who are old enough to be able to prove their age are able to do so. |
| Leo: Okay. |
| Steve: So before I go any further, I got a kick out of the comments that were left on this video. One said: "Orwellian government, here we go..." The next was "Due to local laws, we are temporarily restricting access to this comment while the EU estimates your age." Someone said: "Whoa, amazing. I love censorship in the Western world, so progressive." Or how about "Didn't realize I was living in North Korea all along." "I love having to deal with this garbage because parents can't just be good at being a parent." Another one was: "Please, no. Stop with this nonsense. 1984 should be a warning, not a blueprint." Someone said: "Does anyone have a link or petition to vote against this?" Someone else: "Hell, no! I hate this! Any petition to sign against this?" And then "Age of no privacy. The cyberpunk timeline might be real." And finally: "Perfect. Restrict most of the Internet and create a surveillance state because some parents are too dumb to watch their own children." Okay. So at some point I would imagine that some of these outraged comment-leaving people are going to wish to go somewhere on the Internet containing content that cannot be legally viewed by minors within their country, province, or state. Without something like what this video shows us, the laws have changed and are changing to now require all such websites to proactively verify every single visitor's age. As we've seen, so-called "self-declaration" no longer cuts it. The "Yes, I'm 18" button, ridiculous as it always was, is now being tossed into the wastebin of Internet history. So this change in the law will require these commenters, who are all upset over what they don't understand here, to produce some form of proof of age. That's tomorrow's reality. I mean, that's what we're seeing happening all around us. UK's done it. Brazil's done it. Our own Supreme Court just said yeah, no problem. 
So the problem with that is that anything we have today requires the disclosure of a true real-world identity. You know, that is, except for this. You know, within the EU, the UK, and the U.S., one must be at least 18 years old to obtain a credit card. So it might be that until we have something better, providing proof of age with a valid credit card would work. But that's certainly not anonymous, and I would never want some sleazy website to have my credit card information. So my point is, while I completely understand and sympathize with the sentiments of these people - yes, sometimes change is hard - the truth is that the Internet has been a cyber-world exception from the laws and responsibilities of the real world, and cyber is finally catching up. This is changing. So these people are likely living within democracies in which their elected government legislators have recently decided that if they want to continue to have access to adult material online, they're going to have to prove that they're old enough to do so. |
| Leo: Yeah. And by the way, somebody in our chat, who I guess is Spanish, says you get a National ID in Spain at birth. And everyone in Spain has a National ID. You don't have to legally carry the card until you're 12. So everybody, even kids, have National ID in Spain. So this makes sense. |
| Steve: So it's very practical for them, yeah. |
| Leo: Yeah, yeah. |
| Steve: Yeah. Now, you have to have a device, on the other hand. You know, you can't be on the Internet without some sort of device. |
| Leo: Right. |
| Steve: It's not like it directly beams into your brain. So... |
| Leo: So the only thing that sees the ID and verifies it is the app. It doesn't connect to a server at all? |
| Steve: No. So I'm just about to explain exactly that. |
| Leo: Okay. Go ahead. I'm sorry. |
| Steve: So I am, for what the video showed, I am very impressed. To the EU's credit, they got it all exactly right. What we saw was a system where a website shows a QR code, which your smartphone scans. A process occurs, which I'll explain, and you are then verified of being of sufficient age to view that site's content. So, you know, they got that right. And apps for Android and iOS are available at that dev site for download and testing by people who want to start deploying this technology. So, okay. So the way this thing works is that it's all based on this verifiable credential. The verifiable credential is just a JSON object. You know, a JavaScript Object Notation object. I've got a sample of one in the show notes here on page 21. It's just a, you know, a text file with a bunch of stuff in it. It identifies the data as being a verified credential and an overage token credential, that is, an overage token credential information. It indicates the issuer of the credential, the issuance date, and the expiration date. And the credential's subject is listed as overage, and it's 21 or 18 or whatever. Now, at first I was annoyed at the syntactical term "overAge." My first thought was that it should be "AtOrOverAge," if they're going to say, like, over age 18. It's actually at or over age 18. But then I realized that technically it's correct. Birthdays are anniversaries. So when someone reaches their 18th birthday, they're not 18. Each birthday marks the END of that year of their life. So anyone who is 18 is over 18 since they're now into their 19th year. So technically that's correct, even though you kind of stumble on it if you're someone who's used to coding. So after specifying the context, the issuer, the issuance date, the credential's expiration date and the credential's subject being an assertion of age, the remaining information contained is just the proof of validity. 
Significantly, nowhere, anywhere, in the credential is there anything that identifies the individual. There are some serial numbers. And as we know, anytime we have a serial number and a digital signature, we need to have some sort of unique entropy data. So basically, Leo, this is a certificate. This is, in every way, it's like a certificate that we've been talking about for years. Web servers have certificates which have been signed by a certificate authority which they maintain to assert their identity. This is a certificate which individuals can obtain, which is - and that process of establishing your age with the portal, the portal in Spain that this works with is the process of this individual presenting their ID. It is signed by that authority, and then it is held by the app. So that's all there is. There is no name. There is no other identifying information in that certificate. So when the app is used, the website presents some entropy. You saw how crazy big that QR code was. There's a lot of data in there, in their sample. So there's some entropy there that's combined with their certificate, which contains the verification of its validity. The app then signs it, and the site is able to verify that they are holding a valid certificate because it's able to check against the public key of the entity which signed the certificate. Basically it's exactly the way web certificates have functioned where there is some limited number of trusted certificate authorities in a root. There will be a similar root of trust for these, and the issuer of the age assertion certificate's public key will be available to verify the signature of the certificate. And it means that people are then able to go to sites, scan the QR code that is presented, and without revealing anything other than the assertion of their age, prove that to the site and then be permitted in. So I'm very impressed. They got it right. 
Now, what did surprise me, as I mentioned at the top of the show, is that the use of the smartphone's biometric was a convenience rather than a necessity. So all you're doing to reassert your use of that is using a six-digit PIN which isn't biometrically locked to you. So it seems to me that that's a little weaker than we might be able to have, but it also, you know, I guess not everyone wants to be tied to a biometric. Some may consider that more of a privacy concern. So you establish your identity with a phone. You set a six-digit PIN. And you're then able to assert your identity as a Spanish citizen, as Spain begins implementing this. And so now the question will be, what do websites do? Websites that want to have availability of their content to Spanish citizens because presumably sites that don't do this are subject to fine of $9.44 million or 10% of a site's annual revenue. So still a lot to be done, but I'm hoping that people are now going to be pointing at Spain and saying, hey, let's do what they did because it works. |
| Leo: Interesting. All right. And are they implementing this? Or is this just a proposal at this point? They are actually implementing it. |
| Steve: Yeah. It is being used in - there was a bunch of countries beyond Spain, I think I had it somewhere. I don't see it. But so yeah, I mean, it is - I would say it's on the way. At this point it's ageverification.dev. If you go there, you are able to get the code for this for iOS and Android on GitHub. So it is available. |
| Leo: But you would have to have the app be signed in order for it to be trusted; right? |
| Steve: No. And that's the beauty is that the JSON certificate is signed. The app itself doesn't have to be. And in fact the app cannot spoof your identity. So it's that JSON object which you have is what's signed. Now, if it turns out that it's possible to export that JSON object to somebody else, then that would be a problem. |
| Leo: Right. |
| Steve: Because then that, you know, because that's making the assertion. So the presumption is that that object is locked to the phone in some fashion. |
| Leo: Hmm. It's very interesting. |
| Steve: Anyway, so the W3C has been doing some work. This whole verifiable credentials thing is basically a very - is a flexible textual format that's able to be used for all kinds of assertions. It's just that Spain is only using this thing they refer to as an "over age token credential" as one flavor of this. |
| Leo: Yeah. Now, I don't see this being adopted in the U.S. at all because, A, we don't have a national identity card. |
| Steve: Well, no. But we do have drivers licenses. And for example, in California we have a digital ID. I've got it installed on both of my phones. |
| Leo: Right. |
| Steve: And that did have the true age facility in it already. |
| Leo: Ah, interesting. |
| Steve: So Californians, I think there are about, what, it looked like - I remember running through the list of states. It was about maybe 10, or 10 to 15 U.S. states do have digital IDs. And, you know, states are going to have to provide some means for allowing their citizens to assert their age online. |
| Leo: Of course, not everybody has a driver's license or an ID. |
| Steve: So we're getting there. No. |
| Leo: That means they would have to... |
| Steve: I mean, apparently... |
| Leo: You can't acquire it, but I guess you could say if you want to look at adult content - the secondary issue in the U.S. is what is adult content, and who decides? |
| Steve: Right. |
| Leo: And that's another matter entirely. |
| Steve: Yeah, yeah. And unfortunately, yeah. |
| Leo: Yeah. Okay. |
| Steve: We're getting there. |
| Leo: If that's where we need to be, I guess. |
| Steve: Well, Leo, it's happening. I mean, unless we get a different Supreme Court, and right now they're there for life. |
| Leo: Well, they didn't rule it was legal. They ruled - they put it off, basically, so... |
| Steve: They said that it was not a First Amendment burden to ask somebody to identify themselves to a website to prove their age. |
| Leo: Yeah. |
| Steve: And a lot of people feel, whoa, that's a breach of our privacy rights. |
| Leo: Yeah. |
| Steve: I mean, the battles are not over. |
| Leo: Yeah. Yeah. Okay. Okay. We shall see. |
| Steve: Yeah. Just reporting the facts. |
| Leo: The court said that the Mississippi law is likely unconstitutional. So by the way, this is the court's decision. |
| Steve: Which court? |
| Leo: U.S. Supreme Court. |
| Steve: Okay. I was talking about Texas, but okay. |
| Leo: Well, okay. But this is the Mississippi law, which this is the Supreme Court decision that let it go forward. But they said it's unconstitutional. The problem was that NetChoice, which was the plaintiff in this, has not sufficiently demonstrated that the balance of harms and equities favors it at this time. So they didn't block it. It's a temporary approval. I suspect NetChoice will go back to the Supreme Court because in the decision they said it's clearly unconstitutional. It violates the First Amendment. But it was more of a standing issue or something. It was a technical issue, and it's temporary. The proceedings will continue in the lower courts. |
| Steve: When was this ruled? Because I missed... |
| Leo: This is the Mississippi decision, August 14th. This is the one you were talking about. |
| Steve: Okay. I thought that Bluesky was blanked out in Mississippi because the Supreme Court ruled on Texas, that was HB 1181, the Texas House rule. |
| Leo: Oh, yeah, yeah, there was, you're right, no, this is an earlier decision from June. They upheld the Texas law. |
| Steve: Right. |
| Leo: Okay, yeah. So it's weird that the Mississippi law was unconstitutional, but a Texas law was not. |
| Steve: Right. And it was, I can't remember which justice it was. |
| Leo: Yeah, they said it only incidentally burdens the protected speech of adults. |
| Steve: Right. Incidentally meaning showing your driver's license is not a burden. |
| Leo: Right. |
| Steve: It's like, well, okay. |
| Leo: Right. I feel like it's still a little bit up in the air. The Supreme - the Mississippi law's... |
| Steve: Oh, I agree that all of this is up in the air legislatively. Everybody is fighting this. But, you know, the UK has passed the law, and now Brazil has passed the law. |
| Leo: Ah. Here's the difference. In Texas, adults are required to verify their age. In Mississippi, all users must verify their age... |
| Steve: Correct. |
| Leo: ...before using social media sites. That's why Bluesky withdrew. |
| Steve: Actually, the difference is that in Mississippi, all social media. And in Texas it's only the adult content. |
| Leo: Adult sites. I guess that's the difference. |
| Steve: Yes. Yes. |
| Leo: Okay, interesting. |
| Steve: And so elsewhere, Bluesky, I think it was - was it Montana? I talked about it last week. Somewhere else Bluesky was doing the same thing they're doing in the UK, where they only require proof of age for Bluesky's adult content because that state had a reasonable law. Mississippi's is nuts. Mississippi is anti social media, regardless of age. |
| Leo: Right, entirely, right. |
| Steve: It's not about porn. It's about, you know... |
| Leo: Social media, yeah, yeah. |
| Steve: So, yeah, broadly. Because it was Instagram that caused the suicide back in 2023. |
| Leo: Right. |
| Steve: Yeah. |
| Leo: Well, we'll watch with interest. I don't know where I stand on this. I mean, you're right, it sounds like there's a technical solution, a privacy-protecting technical solution. |
| Steve: I guess I feel like this is another instance where we've had it easy in cyberspace because nobody understood it, and nobody was worrying about it. And so things that would not have been okay in the real world were being allowed to happen. You can't have children walking into a strip club. |
| Leo: Right. |
| Steve: I mean, that does not happen, it's not allowed to happen in the real world. |
| Leo: Right, it's not allowed, that's right. |
| Steve: Yet children are allowed to walk into the equivalent of strip clubs times a thousand, you know, online. So what was not allowed in the real world was being allowed by, you know, just de facto in cyberspace, and we're beginning to catch up. |
| Leo: Right. |
| Steve: You know, legislation is going to say that's not okay anymore. |
| Leo: Right. Steve Gibson, always fascinating. That's why we love this show. |
| Steve: Bye. |
|
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2026 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy. |
| Last Edit: Sep 29, 2025 at 16:25 |