GIBSON RESEARCH CORPORATION https://www.GRC.com/

SERIES: Security Now!
EPISODE: #1052
DATE: November 18, 2025
TITLE: Global Cell Phone Tracking
HOSTS: Steve Gibson & Leo Laporte
SOURCE: https://media.grc.com/sn/sn-1052.mp3
ARCHIVE: https://www.grc.com/securitynow.htm

DESCRIPTION: Apple introduces a new Digital ID inside Wallet. Checkout.com refuses to pay a ransom demand. Google announces "Private AI Compute" in the cloud. Google backpedals on their "devs must register" demand. Win11 added a Passkeys API which 1Password and Bitwarden support. Russia tracks SIM card appearances to thwart drone usage. Google sues Chinese Phishing as a Service platform. Lots of interesting listener feedback. Global cell phone tracking is alive, well, malware free, and a distressingly common commercial enterprise.

SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Apple has added a new Digital ID inside its Wallet. You can even put your passport in there. I think we're getting closer and closer to secure age verification via Apple. Steve will talk about that. Google backpedals on their demand that all developers for Android phones must register with Google. Russia is tracking SIM card appearances. Google is suing a Chinese phishing-as-a-service platform. And then we'll talk about how it's almost impossible, if you have a cell phone, not to be tracked. And it doesn't require malware. All that and more coming up next on Security Now!.

LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 1052, recorded Tuesday, November 18th, 2025: Global Cell Phone Tracking. It's time for Security Now!. Ooh, everybody's been waiting all week long to see this cat right here, Mr. Steve "Tiberius" Gibson, host of the show, and our expert on security, privacy, and all good things. Hello, Steve.

STEVE GIBSON: Hey, Leo, great to be with you for Episode 1052. I heard that MacBreak is about to go to the 1000.

LEO: Yes, we're catching up with you.
STEVE: And they weren't worried about stopping at 999. So there was none of that. There was none of that anxiety. So that would say, since we're at 1052, that they started exactly one year after we did.

LEO: Oh, that's right. Yes. Assuming we do 52 shows a year.

STEVE: And I think we were a few months after the main TWiT podcast.

LEO: Right, that's right.

STEVE: And I think I was number two. Security Now! was the second one.

LEO: Right. I can't - I'm not sure where TWiT is these days. It's just a little ahead of you, I guess.

STEVE: And actually the topic of my passport and our meeting in Toronto comes up today, on today's podcast.

LEO: Oh.

STEVE: For reasons that you will soon learn.

LEO: I look forward to that.

STEVE: Along with our listeners.

LEO: Okay.

STEVE: We're going to talk about something that actually began with a pointer from a listener in feedback from our listeners - which, again, is like so valuable to me. And I gave it a scan, and part of what it said just sucked me in because I thought, oh, this is such a perfect topic for us to talk about. Today we're going to talk about Global Cell Phone Tracking, and why it's not about Pegasus or the NSO Group or any of these, you know, high-end malware/spyware people that Apple was trying to get rid of. And there's nothing Apple can do about this, or Google, or Samsung, or anybody. It is far more pervasive than we have previously understood, and it's available commercially as a service.

LEO: What?

STEVE: And it is having the crap abused out of it.

LEO: Oh, dear.

STEVE: Oh, yeah. So a great topic. But we're going to talk about Apple's introduction of their new Digital ID, which is something that just happened on Wednesday. I got a pop-up note on my phone which was when Apple announced it. So we'll cover that. Also, Checkout.com refusing to pay a ransom demand, and what they're going to do instead with the equivalent amount of money. Google's announcement of their Private AI Compute in the cloud.
Should we trust it or what? We'll kind of put that in context. Also they're backpedaling, surprise, on their "all devs must register" demand. It's not dying completely, but they got so much pushback from the world.

LEO: Good. Good.

STEVE: You know, we talked about it and raked them a little bit here.

LEO: Yeah.

STEVE: You know, and there was a whole F-Droid problem. I mean, it was just going to be a problem. So we'll update on where they are. Windows 11 with the November update has added a Passkeys API. And Leo, wouldn't you know, the top two password managers that are both supporters of the podcast are the only two which currently support the API at its release.

LEO: Really. Huh.

STEVE: Right, yeah. So we're choosing well, is all I'm saying.

LEO: Yes.

STEVE: And our listeners are, of course, as well. Russia, turns out, is tracking - this is really kind of clever - SIM card appearances within their borders as a means of thwarting their abuse for drone attacks, which kind of ties back into this global cell phone tracking topic. So we're going to get into that. Also Google is suing a Chinese Phishing-as-a-Service platform. Those are the main highlights, although we're going to then get into some listener feedback which leads me down some interesting trails. So we'll do that and then wrap up by talking about something that I wasn't aware was going on, and it turns out lots of actual cell phone providers were not either. Old technology, the oldest, which is under continuous use and abuse. So I think another great podcast for our listeners for this 1052nd episode.

LEO: Sounds like it. Yay.

STEVE: And we do have a fun Picture of the Week. So I think maybe...

LEO: I've kept my eyes averted when loading the screen, so we shall enjoy it together. That's all coming up as this episode of Security Now!, Episode 1052, gets underway. But before we go too far, perhaps I should say hello to one of our sponsors, if you don't mind, Steve.

STEVE: Hello, sponsors.
LEO: I know, you know, sponsors are like your children. You're not supposed to pick favorites. I happen to like these guys a lot. In fact, we might be going to visit them in Orlando next year. I'll tell you a little more about that.

STEVE: Oh, I know who.

LEO: All right, Steve. I'm ready for the picture.

STEVE: Okay. So this is just a wonderful picture. The picture itself tells a story. So let's show the picture first.

LEO: Okay.

STEVE: And then I will explain the headline, the title that I gave it.

LEO: All right. Let me put the picture up big here so everybody can see it, and I'm going to scroll up, and I'm going to see it with you, everybody at home, for the first time. Okay.

STEVE: Okay.

LEO: You'd better explain this.

STEVE: So, oh, yeah, I have to explain it. So, first of all, a number of our listeners who received the email with this yesterday morning wrote to tell me exactly where it was and what it was. I mean, it's Korean, and it's a subway hall near the Korean or attached to the Korean City Hall of some city in South Korea.

LEO: Oh, okay.

STEVE: And so what this shows is that somebody wanted to bring, apparently needed to bring a drain pipe down from a particular location in the ceiling to where it goes in the floor. But there was a very nice sign in the way.

LEO: An advertisement, I think. I know you don't want to block an ad; right?

STEVE: No, no, no, no.

LEO: Oh, no, no, no.

STEVE: Had the pipe simply come down from the ceiling, straight down to the floor, it would have - it would have, like, bisected this sign. It would have been in front of the sign, which would have been very unsightly. So instead, an industrious South Korean plumber decided to do a left turn above the sign, go over past the sign, then another left turn or downward turn to go down past the sign. Then he still has to get back to where the drain was originally going to go, so back around again, over to the middle of the sign.

LEO: It's a little like Ms. Pac-Man or something.
STEVE: Yeah, or Dig Dug or something.

LEO: There was a game of this, like this, where you would route the pipes around. I remember it.

STEVE: Yeah. Anyway, so I gave this one, in order to put this in the context of our community, how bad must things become before you decide to stop and refactor the code?

LEO: Now I understand. I like it.

STEVE: So refactoring is sort of a term that's come into use a lot more lately. I mean, I grew up coding, and I wasn't, like, I didn't feel like refactoring was a piece of jargon that was commonly used until relatively recently. The idea is, and we have talked about this, code does not evolve well. Normally the way code begins is a coder or a team lay out a specification or have a clear idea of what the code, what the overall project's goals are. And then that gets cast into code. Basically the architecture of the code reflects those original ideas. Then either management gets involved or somebody comes along later and says, hey, what about this green right angle doohickey? You don't have that. And the coders go, oh, crap, we didn't know we were supposed to do that. So something gets hung onto the existing code, an exception, essentially, to what was originally, probably, hopefully, a beautiful architecture, a structure that well represented that original set of goals. Now we have, you know, a barnacle that's sitting there. And then you know, time is also not code's friend. So time goes by, and some new features are made available that the code had no way to anticipate. But oh, we've got to support those. So more barnacles. And before long, you just end up with what can only be described as either a kluge or a mess because - and, I mean, there are consequences to this. Some of those barnacles may have knocked off some other ones, or be, you know, you might have a barnacle that's already in the way of where another barnacle is, so you can't put that barnacle where you want.
I mean, there starts being a tug of war, and you get maintainability problems. You get security problems. You get reliability problems. Bugs start cropping up because of interactions. Oh, and you've got new coders; right? The coders who wrote the original system, they wandered off somewhere, or they got promoted, or, you know, refactored. So anyway, the point is, at some point you recognize, okay, just stop. What we have no longer represents the reality that is present. So it's time to refactor, the idea being basically reconceive the underlying structure so that it now supports everything which has been learned, which has happened, which has been added, which time has done, you know, all these things that are hostile to code. And so anyway, the point here being, rather than moving the sign, which might have been the...

LEO: The obvious solution, yes.

STEVE: Exactly. No, no. The sign, you know what, it's got lag bolts two feet into the wall or something. Or maybe there's some ugly blemish on the wall that the sign is covering up. You don't know what's under the sign. There might be a hole there or something. So rather than move the sign, which would have sort of been obvious, no, we're just going to plumb around it, very much like one of those Three Stooges episodes.

LEO: Or, and Paul reminded me, the game Pipe Dream did this, too, or Pipe Mania.

STEVE: Ah.

LEO: Yeah. You know, it's funny, I actually relish refactoring code. I actually - I love to refactor code. There's something - because it's aesthetic, right, you're...

STEVE: I get it. Yes. In fact, I did it yesterday for the Benchmark. There was a feature in the Benchmark which I originally wrote in 2008 which was slowing down the end of the Benchmark because I switched one of the pages from a bitmap, which I was able to paint quickly, to a rich edit format, which - and this thing ran on Windows 95 originally.

LEO: Wow.
STEVE: And so in order - so I was using my code to populate a rich edit control, which is very much like WordPad. Basically WordPad is just the rich edit control with a bunch of chrome, you know, window dressing, literally.

LEO: So you had to, in effect, manually draw the screen with new code.

STEVE: Yes. And there is an API that Windows provides called - it's Stream In and Stream Out that allows you to feed, basically feed content into this. But it's really slow. Microsoft never bothered to optimize it. I don't think probably I and a couple other people ever used it, but it's there. The problem is it's so slow that I realized when I was looking at the Benchmark again that I was holding down the end, like the announcement of the completion, while I was painting this other tab that the user might not even be looking at right now. But I was, like, holding everything up. So the first thing I did was instead of doing that, I spawned another thread to do this painting in the background. And so I would be able to declare the Benchmark done immediately. But then if the user clicked on that tab while I was busy filling its contents, I needed to have a little signage that said "Please wait one moment while this tab finishes updating at the completion of the Benchmark." So I had that. Then one of our testers said, "You know, Steve, this always sorts in the way that" - we have four different sort orders now for the results. And so someone commented, "The way this tab is, is the way that the bar graph of the results were sorted when it finished. But I changed the sort order, and it'd be nice if the tabular display of all of the details would re-sort." Growl. Okay. So now that means that I need to be able to come in later. But what if the user changes it while the sort is underway, which is a time-consuming process.
That means I need to be able to interrupt the ongoing sort and painting of the control, abort it, and then restart it at any time if the user changes the sort order. And while I was at it, while the Benchmark was underway, and I was displaying a bitmap, pretending to be the rich edit, which I was able to paint quickly, I gave that all the same features. Well, the point is that, as a consequence of all that, I had introduced some sort of a subtle hang in the UI. I mean, because there was a lot of stuff going on. I was setting semaphores and flags and aborting threads and checking to see whether, you know, what was going on on all this. And yesterday I just - I had that experience you have had, Leo, where I just said, okay, you know, I really want this thing to be done. I'm ready to have it be done. It's been a year. It's really good. I mean, it's gotten so good. But I can't live with it the way it is.

LEO: Yeah, yeah.

STEVE: So I just - I scrapped all of that code from the beginning, and I rewrote it. And, oh, it is a thing of beauty now.

LEO: Isn't that nice? It's like cleaning it up. It's just, it feels good. And then it runs faster, and it looks better.

STEVE: And it's understandable. I was having to, like, I was like, I mean, what does this flag do again? You know, because, you know. And I've always said, I code so that I can read it, more than so that the machine can read it. And in fact one of our listeners, I don't think I shared his feedback, but it was really, he was a neat guy, he said, "I started programming shortly before I started listening to the podcast. And at some point in the podcast you made the comment that you named variables for what they did, like, you know, 'Are we done with this yet' is like the name of a variable, of a Boolean." And he said: "When I heard that, my life changed." He said, "I was, you know, I was naming variables 'wdgt2,' you know." And he said, "I couldn't remember what they meant."
He said, "Now I just name them what they are." And he says, "Life is better." So anyway, you and I both love to code. And refactoring is a necessary process.

LEO: I wish you'd do a coding show with me at some point. I would love to.

STEVE: That would be really fun.

LEO: Yeah.

STEVE: I could definitely get into that.

LEO: This reminds me that one of the great books on coding by David Thomas, "The Pragmatic Programmer," it just reissued its 20th anniversary. I don't know if you've ever read this. But this is one of those books that is full of that kind of thing, name your variables meaningfully and so forth. And it's really good. They've just updated it because it was a little out of date, to be honest, with concurrency and some other things.

STEVE: Yeah, cool.

LEO: Coding is an art, and it's a science, and it's just really enjoyable. And there's, you know, I have the luxury as a hobbyist coder - you have a luxury, too, because it's your code. You don't have a company that - you get to do what you want, right. And so I think a lot of people who are working, you know, professionally as programmers don't get to make their code aesthetic. And, you know, they probably have rules about how to name variables, and there's all sorts of stuff that probably gets in the way. But if - we're lucky. We can pursue it as an aesthetic art and science.

STEVE: And for me, I've really learned, I've talked often about what I call "switching cost," the cost to acquire a knowledge of a large code base. I now, after a year, I AM the DNS Benchmark.

LEO: Yes.

STEVE: I mean, and I'll tell you, when I began, I hadn't looked at the code since 2008. I didn't know how it worked.

LEO: Right, right.

STEVE: You know? And many times, I mean, I remember opening it up and going, wait a minute. This supports Windows 95 still? So, you know what I mean, it was jumping through some hoops in order to do that.

LEO: I bet it was, yeah.
STEVE: So for me, and everybody who's been following me knows this, I'm going to get this done. It is really going to be done. And then I am going to never probably touch it again. If there are bugs found, I will of course fix them because it's going to be commercial as opposed to freeware. But even my freeware, it doesn't have any bugs. This thing doesn't have any bugs. So for me, because it is so expensive for me to leave, and then pretty much quickly forget, especially at my age, exactly all of the nuances, I mean, you and I code, Leo, because it is so difficult. I mean, we do stuff which is really hard.

LEO: Yeah. And it makes your brain work, yeah.

STEVE: Because that's what's interesting, exactly. And so that also means that you lose the sharp edge of your knowledge of a particular solution pretty quickly. I mean, it's very complicated. So my whole point is it is so much better for me to fix something now while I am it, than it would be for me to switch over to the next version of ValiDrive and Beyond Recall and then need to come back to the Benchmark and do something. It's just - so, you know, for me switching cost is so high, I want to get it perfected so that I don't need to come back to it.

LEO: For me it's just aesthetic. I mean, nobody's using my code. Nobody's reading my code except me. But it's just an aesthetic thing. It's so much prettier when it...

STEVE: Yeah.

LEO: And it's hard to describe. But you know what I'm talking about.

STEVE: Oh, yeah.

LEO: When it's smooth, the shape is right. You know when it's right, you know, and you know when, uh, that's - there's something wrong with this. There's too many lines. There's something going on. I can make this prettier. And then you've got this great satisfaction of you did it. Anyway, good on you. And I can't wait to see the DNS Benchmark. That's going to be great.

STEVE: There is a beauty to it. You're right.

LEO: There is. There really is. It's an art, yeah.

STEVE: Okay.
So last Wednesday I received a notice on my older iPhone 12 which, as I have mentioned, I had upgraded to iOS 26 because I wanted to see how bad that Liquid Glass thing was before I moved my newer phone, which I purchased out of fear for the upcoming tariffs, like earlier this year. The announcement said that something called Apple's "Digital ID" was now ready for me. The hook was that, while the announcement was focused upon this new Digital ID's use as a replacement for the Real ID which U.S. TSA airport security guys are now requiring, the announcement also noted the app's use for age verification. So it's like, okay, Apple kind of slipped this one in under the radar. So at this time, Apple's new Digital ID, which is now available, anyone can set it up, is tied to a passport. Fortunately, I happened to have one. And Leo, I originally obtained my first passport when I was joining you Leo in Toronto for appearances on Call For Help. That's why I got my first passport. And then I later renewed it for the OWASP SQRL presentations which I gave in Sweden and Ireland. And it was still current as a consequence because passports last 10 years. So the process that I went through to establish the Digital ID was fascinating. The app required me first to aim the iPhone's camera - and this is an iPhone 12. It works, it's all the way back to iPhone 11 and forward, but you do have to have iOS 26, the latest iOS on it. So it first asked me to aim the camera at the photo page of the passport, whose image it acquired and processed. Then - oh, I love this - it had me scan the RFID chip that's embedded in the back cover of the passport. The app showed me in a little onscreen graphic how to position the phone over the back page of my passport, and it locked onto the RFID chip and made some wonderful, you know, data acquisition noises while a little blue bar ran across the bottom of the screen, sucking in the digital equivalent of the photo from the passport.
Presumably that chip contains much the same data as the visual page, but in obviously digitized format. Then the app required me to follow its step-by-step instructions, sort of in selfie mode, with a screen showing my face, to prove to it that I was alive, and that I looked like the picture on my photo in the passport. So I was instructed to position my face in a frame, look at the screen. Then it told me to close my eyes until the phone vibrated. So I did that, and after a few moments it vibrated, and it was satisfied. Then it told me to give it a big smile, which I did, and the phone vibrated again. And then it told me to look to the right, which I did. So it was confirming by - I was able to follow its instructions in real time, and that my face was all doing the right thing. And presumably it was all doing that whole 3D, you know, IR imaging stuff that the iPhone has, as well. So I went through that, a verification was complete, and I poked around in the app, and it noticed that - oh, it notified me that it had finished and then offered to add it to my Wallet. Which I did. So I now have a passport authenticated government-issued identity in this new Digital ID that Apple started offering last Wednesday. Their announcement last Wednesday was headlined: "Apple introduces Digital ID, a new way to create and present an ID in Apple Wallet," and then the tag line was "Digital ID offers a secure and private way for users to create an ID in Apple Wallet using information from their U.S. passport, and present their ID with iPhone or Apple Watch." I'm going to share two things, Apple's little blurb and then a more - less Apple-centric take from Lifehacker. So Apple said: "Apple today announced the launch of Digital ID, a new way for users to create an ID in Apple Wallet using information from their U.S. passport, and present it with the security and privacy of iPhone or Apple Watch.
At launch, Digital ID acceptance will roll out first in beta at TSA checkpoints at more than 250 airports in the U.S." So it's not universal. But at launch time 250 airports do support this in lieu of Real ID. And I've not yet had a need to get a Real ID, but I recognize I probably will at some point. They said: "For in-person identity verification during domestic travel, with additional Digital ID acceptance use cases to come in the future." And again, it already talked about age verification as one of those instances. They said: "Digital ID gives more people a way to create and present an ID in Apple Wallet, even if they do not have a Real ID-compliant driver's license or state ID. Digital ID is not a replacement for a physical passport, and cannot be used for international travel and border crossing in lieu of a U.S. passport." So it's not meant to be a digitalized universally accepted passport. It's just a way of using an authenticatable U.S. government document, meaning your passport, in order to create a working domestic ID that you can use, well, and presumably international identity, not for passport use, but for age verification. We'll see. Then they said: "Jennifer Bailey, Apple's vice president of Apple Pay and Apple Wallet said: 'With the launch of Digital ID, we're excited to expand the ways users can store and present their identity all with the security and privacy built into iPhone and Apple Watch. Since introducing the ability to add a driver's license or state ID to Apple Wallet in 2022, we've seen how much users love having their ID right on their devices. Digital ID brings this secure and convenient option to even more users across the country, as they can now add an ID to Wallet using information from their U.S. passport.'" So that's the right way to think about this. And the announcement finished, saying: "The launch follows the capability for users to add an eligible driver's license and state ID to Apple Wallet. If users do not have a U.S. 
passport to create their Digital ID, they can still add an eligible driver's license to Apple Wallet," for those 13 states that allow that. Okay. So Jake Peterson, Lifehacker's senior technology editor, offered, as I said, you know, a little more balanced, less Apple-centric view of this. He wrote: "Back in 2021, Apple announced a new feature for the Wallet app that allowed users to add their driver's licenses or state IDs to their phones. To me, it sounded like the beginning of the end for physical wallets. In reality, it was anything but. Not only are the applications limited, but even after all this time, only 12 states and Puerto Rico actually support the feature. "While the rest of us wait for our respective states to get onboard, many might have another option for these virtual documents. On Wednesday" - meaning last Wednesday - "Apple announced Digital ID, a new initiative that lets you create an ID in the Wallet app using your passport. This bypasses the waiting period for the 38 states that don't yet support these ID features. If you have a passport, you can try this feature today. Even if your state supports driver's license and state ID uploads to the Wallet app, you'll miss out on features if you don't have a Real ID. If you have a passport, however, you can use it instead, which opens up the wallet ID feature to even more users than before. "Like previous attempts at virtual IDs, however, don't expect to be able to use this Digital ID just anywhere you'd normally show documentation. Right now, the main use for Digital ID is for flying. According to Apple, Digital ID is launching in beta at over 250 airports to be used at TSA checkpoints. Importantly, this feature only supports domestic flights, even though it uses your passport. As such, do not rely on your Digital ID when flying outside the U.S. You'll still need your physical passport in order to validate your identity. 
In the future, however, Apple says you'll be able to use this Digital ID for other purposes, such as booking flights and hotels, as well as opening new accounts." And it also said, all over the screens, "And age verification." Okay. So clearly we still have a ways to go. In California, where Leo and I are, we have digital driver's licenses, as do 11 other states and Puerto Rico. But as we've noted before, support remains spotty. So Jake's point, that a passport can provide Apple's Digital ID with a verified identity source means that those people who live in a state that does not yet support a digital driver's license, but who may have a valid passport, now have an alternative means to robustly identify themselves to their phone. And for what it's worth, to use that, if you don't have a Real ID license, to use that at a TSA checkpoint. Many pieces of any complete solution for online age verification still remain missing. And we've talked about that many times. We need the W3C to get going here. And those pieces are big. But we do need to start somewhere, and I was encouraged by last Wednesday's pleasant surprise of Apple's Digital ID, since this is likely the foundation which will develop into more in the future. This is a logical place for it to be. You know, from a foundation like this, Apple will be able to generate secure privacy-preserving assertions such as "over 18" without revealing a single additional fact about a device's user. And given everything we know about Apple, there is no company whose motivations surrounding the preservation of their users' privacy that I would trust more. I mean, if I were going to trust any entity, it would be Apple. You know, they've made this a feature of, you know, their own identity. So anyway, it exists. Anybody who's got an updated iPhone and who has a passport can give it a try. It's a cool process. Oh, and as I mentioned, I have two phones. 
Because I saw that I was able to virtually turn off all the annoying aspects of Liquid Glass, I did update my more recent iPhone to iOS 26. So I'm running it on both, although I've got the reduce motion and increase contrast features selected. Those two things basically shut down a lot of the annoyance of Liquid Glass. Just this morning I was curious to install the same identity with my passport in my other phone. I went through all the process. Oh, and interestingly, it gave me a different set of proof of life motions to go through. This time I had to open my mouth wide and also look down. So it mixes that up from time to time in order to keep it interesting and to keep people from being able to spoof this presentation in some means, although I'll bet you that they're using their IR technology to see that you're a 3D and not just some sort of a 2D presentation. Anyway, the point was, once it got all done, I hit a roadblock. It says, whoops, this ID is currently installed in another device. You can only have it in one device at a time. So I thought, okay, well, the device I'd installed it in was not the one I carry around with me. So I removed it from the Wallet in my older phone that's sort of my desk phone here, and then I went through all the rigmarole again. And it was different rigmarole a third time. And then it installed this identity into my phone. So you can't stick it in multiple devices. It is very tightly bound to one physical iDevice at a time. Probably an iPhone. So anyway, cool that Apple is doing this. And again, you know, I think we're going to - I know we are going to get to a point where we have robust privacy-preserving age verification as quickly as we can. And it will be, you know, this sort of initiative that, like, has Apple completely ready to engage that as soon as there's an API for them to talk to. 
And for what it's worth, there is that True Age system, and it is in my Apple Wallet as part of my California driver's license, and it does allow me to scan a QR code to do some sort of magic. Nobody's doing anything with it yet. And you need to be in the True Age enclave in order to use that. I expect that that'll be opening up because we did hear that the W3C was adopting some of the True Age technology for their work in progress on online age verification. So anyway...

LEO: It's kind of interesting that the Apple technique reads the RFID in the passport.

STEVE: Oh, it was so cool, Leo.

LEO: Yeah.

STEVE: Yeah.

LEO: I mean, it's the first time I've seen anything use the RFID.

STEVE: Yeah.

LEO: And it goes [makes sounds], it actually vibrates as you're doing it, which is great.

STEVE: Yeah, it's really cool.

LEO: Yeah. So now I'm going to do my live photo. And then it's going to ask me to open my mouth? Let's see.

STEVE: It does different things. Sometimes close your eyes.

LEO: You will be guided through several movements, and all angles of your face will be scanned and evaluated by Apple. All right. Position your face. Your movements will be recorded.

STEVE: Okay, you have eyes closed now.

LEO: Yeah.

STEVE: And then they'll have you do something else.

LEO: Yeah, I think it's going to have the mouth open thing.

STEVE: Yup, mouth's open now.

LEO: I guess if I were a still picture I couldn't do any of that; right?

STEVE: Well, right. And it's probably watching you all the time, like, you know, I'll bet you they've done a great - did it tell you to look to the right? Or to your left?

LEO: Yeah, left, yeah.

STEVE: Ah. Yep. Because I saw you do that.

LEO: Yeah. When you're doing the Sora thing, you know, to scan your digital thing to make AI videos, it takes a picture of you, but it also has you read three random numbers. And it's the same concept; right? It's just like these are zero-proof identity.
Because if it were a fake, you couldn't read the - because you don't know what those numbers are ahead of time. You couldn't read those numbers. So it's kind of interesting, the techniques people are coming up with to validate this. Yeah, so I just set my passport. I already have my driver's license. As you know, we set those up a while ago. STEVE: Yup. LEO: Now, you'd better get a Real ID. You might be required to board an airplane sometime in the near future. STEVE: Well, this actually is a substitute. LEO: It counts? STEVE: The airport supports it. LEO: Oh, good. STEVE: Two hundred and fifty airports at launch do. LEO: Oh, and you still have your passport is a Real ID. So you don't need a Real ID driver's license. STEVE: And I still have my passport, yes, exactly. Yeah, exactly. Okay. So Checkout.com - we'll do one more before our next break. Checkout.com says No to extortion. Last Wednesday Mariano Albera, the Chief Technology Officer at Checkout.com - who's been around. He was previously the CTO at Expedia, OVO Energy, and Thomas Cook. He posted his company's decision to say no to the - and we know these people well - the ShinyHunters extortion gang. In his posting, headlined "Protecting our Merchants: Standing up to Extortion," Mariano wrote: "Last week, Checkout.com was contacted by a criminal group known as ShinyHunters, who claimed to have obtained data connected to Checkout.com, and demanded a ransom. "Upon investigation, we determined that this data was obtained by gaining unauthorized access to a legacy third-party cloud file storage system, used in 2020 and previous years." So not for the last five. He said: "We estimate that this would affect less than 25% of our current merchant base." This is Checkout.com. The system was used for internal operational documents and merchant onboarding materials at that time. "This incident has not impacted our payment processing platform. 
The threat actors do not have, and never had, access to merchant funds or card numbers. The episode occurred when threat actors gained access to this third-party legacy system which was not decommissioned properly. This was our mistake, and we take full responsibility. We are sorry. We regret that this incident has caused worry for our partners and people. We've begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We're fully committed to maintaining your trust. "We will not be extorted by criminals. We will not pay this ransom. Instead, we're turning this attack into an investment in security for our entire industry. We will be donating the requested ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center..." LEO: Good for them. STEVE: "... to support their research" - yes - "to support their research in the fight against cybercrime. Security, transparency, and trust are the foundation of our industry. We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy. We are here to assist our merchants in whatever way we can. As always, we are available through your regular Checkout point of contact for any further assistance or questions you may have." So this is the way to handle a data breach, you know, if there's any way to do so. Mariano's donation is meant to have the effect of backfiring on the attackers. Not only will they not be paid, but the security researchers who work to track them down and take them down will be strengthened by receiving the money that Checkout.com refused to pay to the criminals. Nice going. Yeah, that makes lots of sense, Leo. LEO: Yeah, that's the way to do it. STEVE: So last year Apple launched their Private Cloud Compute, and Google is now offering a similar solution. 
Under the banner "Private AI Compute: our next step in building private and helpful AI" last Tuesday, Google said: "Today we're introducing Private AI Compute to bring you intelligent AI experiences with the power of Gemini models in the cloud, while keeping your data private to you." Okay. So I took out a bunch of the glad-handing market-speak, and I'm excerpting just the technical bits from their announcement. They said: "Today, we're taking the next step in building helpful experiences that keep users safe with Private AI Compute in the cloud, a new AI processing platform that combines our most capable Gemini models from the cloud" - and they just released three, by the way - "with the same security and privacy assurances you expect from on-device processing. It's part of our ongoing commitment to deliver AI with safety and responsibility at the core." They said: "AI is evolving to become even more helpful, personal, and proactive. It's moving from completing simple requests to AI that can anticipate your needs with tailored suggestions, or handle tasks for you at just the right moment. This progression in capability requires advanced reasoning and computational power that at times goes beyond what's possible with on-device processing." Okay, now, I suspect there's universal agreement about all of that. The thing that appeals to me about this is that AI inherently requires short but massive bursts of computation, often followed by long periods of quiescence, where you're not doing anything with it. Anyone who's been around since the days of the mainframe will recognize that this was the original brilliant concept that became known as "time sharing." Now we all just talk about it like it was nothing. But before time sharing, there wasn't any such idea. Time sharing changed the world. And the idea there was that no one needed the full-time services of a massively expensive and very capable mainframe. And mainframes were all there was back then. 
So instead, hundreds of people could use little time slices of that big machine's power. The result of that was massive efficiency. Later, the minicomputer, it more encouraged a one-on-one usage model, although there were certainly many minicomputers running time-sharing operating systems back then, although those really might have been called mini-mainframes. What really drove the nail in the time-sharing coffin was the microcomputer, where the costs had come down so far that it no longer made any sense to share that machine. So what developed was a truly personal computer. So the Internet, massive connectivity, and massive data storage have begun to shift this model back toward the shared-massive-resources model with cloud computing. It's pretty clear that Microsoft, for their part, would be delighted to be servicing everyone out of their data centers. And of course that would be terrific, right up until everyone suffers a massive service outage, as Microsoft and all their cloud-dependent users recently did. And, by the way, a similar outage took down Cloudflare for many hours this morning, like global outage at Cloudflare. So, yeah, the cloud is great, right up until it's not. So as I first noted, though, everything about the usage model of today's AI suggests that time sharing is back, and for exactly the reasons it was first explored in the early 1960s - massive resources used only briefly and intermittently by a great many people. This leaves us with the question of security. You know, the architecture makes sense, but what about the security? Google wants us to believe that this can be every bit as secure as running on-device - meaning locally - on some poor overworked array that we're probably pouring ice water on and which is converting into steam. Everything we know tells us that it cannot be as secure. Right? I mean, it's not going to be. Nothing in the cloud is going to be as secure as on premise, by definition. The security models are just not identical. 
LEO: Well, and it's in transit. Anytime there's going from one point to another... STEVE: I know. I think that's exactly right. So the question is, if it cannot be identical in security, can it be secure enough? LEO: Right. STEVE: The problem with local compute is that, to be fast enough, it needs to be super powerful. And being cost effective while being super powerful means somehow keeping the darn thing super busy. So the test for Google or Apple or any other cloud-based AI, what amounts to a time-sharing farm is not whether it's as secure as local because it's not. The question is, is it secure enough. So here's what Google says, claims, to convince us that theirs is. They said: "We built Private AI Compute to unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else, not even Google. Private AI Compute allows you to get faster, more helpful responses, making it easier to find what you need, get smart suggestions, and take action. "Private AI Compute is a secure, fortified space for processing your data that keeps your data isolated and private to you. It processes the same type of sensitive information you might expect to be processed on-device," meaning locally. "Within its trusted boundary, your personal information, unique insights, and how you use them are protected by an extra layer of security and privacy in addition to our existing AI safeguards. "Private AI Compute is built on a multi-layered system that is designed from the ground up around core security and privacy principles." And they have two bullet points. First, "One integrated Google tech stack." They said: "Private AI Compute runs on one seamless Google stack powered by our own custom Tensor Processing Units," which they call TPUs. 
"World-class privacy and security is integrated into this architecture with Titanium" - titanium, Leo, not iron, not steel, not diamond gold or anything, titanium - "Intelligence Enclaves." Those are TIEs. "This design enables Google AI features to use our most capable and intelligent Gemini models in the cloud, with our high standards for privacy, and the same in-house computing infrastructure you already rely on for Gmail and Search." Except I don't think it's the same, but okay. Then second they said: "No access: Remote attestation and encryption are used to connect your device to the hardware-secured sealed cloud environment" - oh, it's sealed, okay - "allowing Gemini models to securely process your data within a specialized, protected space. This ensures sensitive data processed by Private AI Compute remains accessible only to you and to no one else, not even Google." Okay, now, I don't know how they do that because the model is being trained on plaintext, which means any prompting you do has to be submitted as plaintext to the model, which means it needs to be decrypted and presented to their GPU farm. So, you know, maybe they've got an electric fence around the data center? I don't know. But does this make sense for whose application? I don't know. It's not for me to judge. What I can judge is that the concept of sharing massive AI Compute in the cloud makes all kinds of sense. The architecture absolutely. That's what rings so true here. And I would also note that doing this in a truly privacy-preserving fashion is not for fly-by-night outfits. I would stick with brand names here. You know, Apple, yes, they clearly have invested heavily in this. Google says they have. I would not do this... LEO: They seem pretty good with security. I can't think of any breach that Google has ever experienced. Can you? STEVE: That's true. It's true. We are unaware of them ever having a big data breach. LEO: Yeah, yeah, yeah. STEVE: Yeah, and so that's significant. 
You're right, Leo. So if you're using Cloud AI to quickly compute gambling odds for near real-time betting, then I would say it probably doesn't matter who you use. But if you're using Cloud AI to form your publicly traded Fortune 500 company's 10-year product development plan... LEO: That's another matter. STEVE: Yeah, frankly I'd have a difficult time letting that anywhere near the public Internet, regardless of what assurances are being made. But if you need to, use a security-first host. And I would agree with you, Leo, Google has a great track record. Whatever tensor processing units wrapped in titanium intelligence enclaves are, it all sounds really good. LEO: Good. STEVE: Yeah. Yeah, okay. Sounds like we're safe there. So anyway, it's there. AI, you know, Apple introduced their concept. We know that Apple is going above and beyond by x-raying the servers that come from offshore to make sure that there's no unknown components that have been added. And, you know, I mean, they are really making sure they don't get caught with their pants down. We can assume that Google has means of doing something similar. Certainly they've got the money to do that. And, you know, there is money pouring in and out of all this. There was a really cool article in Vox that I read this morning about - it's something Weave. A major third-party... LEO: CoreWeave, yeah. STEVE: CoreWeave. LEO: They're a network operations solution. STEVE: Yeah. And, you know, basically, providing this service as a third party to these big guys who have all announced they're building their own data centers to compete with CoreWeave. LEO: Right, right. STEVE: So it's an odd deal. But, you know... LEO: It's a very incestuous deal. STEVE: And nobody's making any money on this, yeah. LEO: Well, the stock market's crashing today because Nvidia was down hugely. STEVE: Yup. Yup, fourth day in a row that - and everyone has... 
LEO: I keep waiting for the bubble to pop, and I don't want it to because my entire retirement's based on the stock market. STEVE: Everybody is speculating, exactly, that we are in an AI bubble which is responsible for all the growth that we've seen recently. So... LEO: You know, I feel like - I understand why everybody says that. I really do. But I also, and you agree with me, I think, think there's real value in the stuff that AI is doing. It's amazing what it can do. STEVE: I am constantly stunned by it now. LEO: Yes. STEVE: I mean, as a research assistant it is invaluable. One thing in this article that caught me off guard a little bit was that this CoreWeave group, they own 250,000 Nvidia GPUs. They are an Nvidia-only company. They own... LEO: Wow. That must be more than anybody. That's amazing. STEVE: They own a quarter million Nvidia GPUs. And get this, Leo, they used it as collateral to collateralize a massive multibillion dollar loan. LEO: That's like gold bars. STEVE: Okay. Now, what I remember about Mark Thompson, when Mark was - because he was an early cryptocurrency miner. LEO: Oh, yeah. STEVE: He would fill his garage with racks of mining rigs. And he would mine for, like, I think it was like a year or a year and a half, until those rigs became obsolete. LEO: Right. STEVE: Because there was constant evolution in the chips. He would then resell these, you know, hundreds of GPUs on the secondary market, make back the money that he had spent, and then reinvest in the next generation of mining rigs and mine for another year and a half, and then again sell it all off on the secondary market, recapture his capital investment, and then do it again. LEO: That's a lot of work. STEVE: It's a lot of work. But what worried me about CoreWeave is they now have a quarter million aging and soon to be less valuable than state-of-the-art Nvidia GPUs. LEO: Right. STEVE: So unfortunately, you know, the world is moving forward. 
Microsoft is apparently building their own chips. You know, engineering and having their own chips in the works somewhere. I don't know who's going to do their fab. But anyway, I thought it was interesting that here they're saying, oh, yeah, we have 250,000 Nvidia GPUs, woohoo, and we use it to collateralize our debt. But they're getting old. LEO: Right. STEVE: And they're not going to be worth - they're not going to be what you want in five years. LEO: Right. It's an interesting... STEVE: Yeah, conundrum. Situation. LEO: Just, you know, just don't hit my IRA too hard; okay? Just... STEVE: Well, my problem, and I've said this over and over, is that - and I talked about it last week. None of this is making money yet. LEO: Right. STEVE: I think it will. LEO: That's the question. Is there value being created? And I think there is. STEVE: Yes. I think we are, we're in for a reckoning because, you know, there's just too much cash has poured into this speculatively. LEO: Right. STEVE: But long term, as I said back when I purchased my 10MB hard drive, we did not know that we would ever have a 64GB dongle on our keychain. We didn't know how to get there from here. Yet we got there anyway. And similarly, we don't know what is going to come next. Everything, every instinct we have tells us that we are going to get there, that there will - the AI will become so cost-effective that it is going to change everything. LEO: I think a lot of - and of course we talk about this on Intelligent Machines every Wednesday. It's a great subject because it's just... STEVE: Yeah. LEO: It's happening so fast that it's unknown. But I think that we had a great conversation with Kelly, Kevin Kelly last week. And his opinion is that AI will be embedded in everything. Just as computing has gone niche, the next step is for AI to go on the edge. And it will be embedded in almost everything we use. And I think that's going to be a very interesting world. STEVE: Right. 
LEO: That's all I have to say about it. I don't know if it's good or bad. It's interesting. I used Claude Code the other day to completely refactor my Emacs, very complicated Emacs setup, and it did a great job. It, like, understood Emacs deeply and was able to write all this code and do such a great job of it. I was very impressed. STEVE: And remember that, as I said very early on, to me code was the obvious target. LEO: Yes. STEVE: Because it is rigorous. It obeys rules. It's got syntax and semantics, and you can understand, it can be understood. LEO: Right. STEVE: And so I'm glad, I mean, I know lots of coders are threatened by AI. I'm not. It's not going to bother me. LEO: No. No, no. Yeah. Well, but it's also mindboggling that you can take something that is basically just trained on a massive text and is a sophisticated prediction model, and it can understand code and write code. I don't under - that's mind-bending. It's amazing. Anyway. STEVE: Yeah. LEO: We live in interesting times, Steve. STEVE: And I know that our listeners are following along with us and are interested, too. LEO: Yeah, yeah. STEVE: Last Wednesday, Google tacitly acknowledged that they had been wildly overzealous with their pronouncement that all Android developers would henceforth be required to register using their real-world identities, and pay for the privilege, before they would be able to publish their apps on the Google Play Store for Android devices. Their first update reiterated the crucial importance of tightening down the security of Android's apps. But then, on the subject of students and hobbyists, they began the backpedaling, writing: "We heard from developers who were concerned about the barrier to entry when building apps intended only for a small group, like their families or friends. We are using your input to shape a dedicated account type for students and hobbyists. 
This will allow you to distribute your creations to a limited number of devices without going through the full verification requirements." Okay. So that sounds like a terrific option to address the needs of those who are not looking or needing to reach a mass of users. Certainly there is that community. Okay. But what about users of, for example, F-Droid, who are advanced and security-aware? Google has made a carve-out for them, too, explaining: "While security is crucial, we've also heard from developers and power users who have a higher risk tolerance and want the ability to download unverified apps. "Based on this feedback and our ongoing conversations with the community, we're building a new advanced flow that allows experienced users to accept the risks of installing software that is not verified. We're designing this flow specifically to resist coercion, ensuring that users are not tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved. But ultimately, it puts the choice in their hands. We are gathering early feedback on the design of this feature now and will share more details in the coming months." So again, this sounds like the right approach, and it solves the F-Droid dilemma that we talked about previously. But so far, Google's primary goal of knowing and holding accountable the developers of apps for Android, that's not disappearing. You know, it's onerous, I get it, but I don't see any other way to deal with this problem which has admittedly grown out of control. Something needs to change. Any developer who wishes to offer apps to the wider Android user base, and who doesn't want to subject their potential users to Google's deliberately terrifying advanced installation flow will need to register. That's the way to avoid that. 
Otherwise, for any app published by an unregistered developer, which Google is now calling them, Google will probably be saying something like: "Please acknowledge that you understand that by downloading this Tiddlywinks-In-Space game, you may be placing your life, and the lives of everyone you hold near and dear, at significant risk." Now, of course, developer registration will prevent those notices, which would probably dramatically increase download counts. At some point it's also conceivable that the Google Play Store may even offer a filter to only show apps from "known," which is to say, registered developers. So anyway, clearly they faced a bunch of blowback from that, you know, blanket pronouncement that, you know, you've got to be registered to play in our sandbox in the future. And they said, okay, we're going to make that optional. But, you know, if you're not registered, then your user is really going to have to recognize, you know, risk and accept risk and push past a bunch of notifications. And if you only want to publish this thing for a few people, just as a hobbyist or student, then you don't have to do anything. So that was a good change. And Leo, we're a little bit past an hour in. We're going to talk about Windows 11 adding a Passkeys API, which two of our sponsors, 1Password and Bitwarden, just happen to both be the only supporters of at large. LEO: Oh. As opposed to supporting Passkeys, it's supporting the API. I'd be interested in what you do with that. STEVE: Basically, yes, it allows those two to deeply integrate with Windows 11 as the Passkey supplier for the OS. LEO: By the way, my passport was initially rejected for some reason. The verification didn't happen. But I did it again, and now I do have my U.S. passport in my Wallet. I don't know what I can do with it, but I've got it. So that's good. STEVE: That's exactly what mine looks like, too. LEO: Yeah. It's just a blue card. STEVE: Yeah. 
I think what will happen, what I'm guessing is that Apple now absolutely positively knows your age. So when there is an API that allows your phone to scan a QR code on a site that says you need to prove that you are an adult... LEO: They do say that online. But you have to use Safari, their browser. So there's an API. There's some sort of interaction they've built in. STEVE: Right, right. LEO: Yeah, interesting. STEVE: So at that point there will be a privacy-preserving - again, I trust Apple to do this. That's all they would allow, yes. LEO: This is what we need. STEVE: We're getting there. LEO: Yeah. Back to the show at hand, Mr. Gibson, about Passkeys. STEVE: Yeah. This month's November update to Windows 11, which Windows 11 users will probably have, added an API that allows third-party password managers near and dear to our heart to deeply integrate with Windows 11. Under the heading "Windows 11 expands Passkey manager support," here's what Microsoft explained last week. They said: "Windows is committed to making sign-in simpler, quicker, and more secure for every user. Today, we're excited to announce a major step forward in passwordless authentication: native support for Passkey managers in Windows 11. This new capability empowers users to choose their favorite Passkey manager whether it's Microsoft Password Manager" [buzzer sound] - "or trusted third-party" - wait, where did that come from? LEO: How do you feel about that, Steve? STEVE: "Or whether it's Microsoft's limited password manager or trusted third-party providers." They said: "It's generally available with the Windows November 2025 security update. By partnering closely with third-party managers, we're delivering a more flexible, secure, and intuitive experience for Windows users everywhere, starting with 1Password and Bitwarden today and other Passkey managers coming soon." But who cares about them? Okay. 
So I had to smile when I saw that the two top password managers we're affiliated with are the two that are enough on the ball to be participating with Microsoft on this out of the gate. Microsoft's announcement then quoted Travis Hogan, End User Product Manager for 1Password, saying: "Working alongside the Windows Security team on the development of the Passkey plugin API for Windows 11 has been a rewarding partnership. As the first password manager to offer native Passkey support in Windows 11" - and actually he's tied for first - "we're proud to give customers a seamless passwordless experience inside and outside the browser. Together, we've ensured that 1Password and other third-party Passkey providers can deliver a secure, standards-based experience natively on Windows, marking another major step towards a passwordless future." Okay, now, however, as I said, it appears that 1Password is actually tied for first with Bitwarden, since we also have in Microsoft's announcement Bitwarden quoted, saying: "Bitwarden is delighted to collaborate with Microsoft on bringing native Passkeys to Windows 11. This partnership enables more organizations and users to embrace Passkeys confidently, knowing they can manage their credentials securely on Windows and across all their devices and platforms." Microsoft then asks themselves the rhetorical question: "Why plugin Passkey managers?" which they answer: "Passkeys are phish-resistant, less vulnerable to data breaches, and easier and faster to use than passwords. With plugin Passkey manager support, you get choice and flexibility. Use your preferred Passkey manager natively on Windows. Easy authentication: Create and sign in with Passkeys using Windows Hello. Passkeys everywhere: Your Passkeys are synced between your Windows PCs and mobile devices. They go where you go." They finished: "With plugin Passkey manager support, packaged credential managers can integrate directly into Windows. 
Users can save, manage, and use Passkeys across browsers and native apps, thanks to the new plugin provider capability. Setting up your credential manager is part of the Passkey creation flow. Authentication uses Windows Hello whether that is a PIN, face, or fingerprint so only you can access your credentials." And then, of course, not to be left out, talking about their own Microsoft Password Manager, they remind us of its benefits, writing: "We've integrated Microsoft Password Manager [buzzer sound] from Microsoft Edge natively into..." LEO: Are you going to do that every time you say it? STEVE: It just comes out. It just comes out, "...into Windows as a plugin." So they've made their own, like a peer plugin. So they said: "That means you can use it in Microsoft Edge, other browsers, or any app that supports Passkeys. This integration of Microsoft Password Manager from Microsoft Edge comes with added security benefits: Passkey operations (creation, authentication, and management) are protected by Windows Hello. Passkeys stored in Microsoft Password Manager [buzzer sound] will be synced and available on other Windows devices where the user is logged into Microsoft Edge with the same Microsoft account." LEO: So arguably this would be better than a JavaScript password plugin; right? This would probably be more secure. STEVE: Oh, yeah. And, I mean, and if you were - if you didn't have already 1Password or Bitwarden, and you were happy to be contained within the ecosystem of Microsoft Password Manager, which again you can't use it on an iPhone or Android or elsewhere, you know, you don't get all of that cross-platform support, then that would be great. Essentially what Microsoft did was they took the password manager that is in Edge, and they wanted to - the Passkeys Manager that's integrated into Edge, and they wanted to make it available to Windows natively. But the way they did this was to create an API for Windows which Edge's Password Manager can now talk to. 
But, being fair, so can 1Password and Bitwarden. So any of those three - Microsoft's Password Manager supports the API, as does 1Password and Bitwarden. So users get to choose. And they talk about how their solution is able to use Azure's Managed Hardware Security Modules for synchronization and tamper-proof recovery with Azure's Confidential Ledger. So, you know, there are, you know, Microsoft of course is always looking at the enterprise. So there are enterprise use cases where that may be the best solution for that application environment. But for all of our users who are not in the enterprise world, now, for the first time, after this November, after getting this November Windows 11 update, they're now able to link 1Password or Bitwarden directly into Windows 11. So I think that they probably recognized that this was going to happen one way or the other; right? I don't think they created the API out of the goodness of their heart. They must have realized that there was no way they could force everyone to use their Windows-centric solution because a lot of us are using Bitwarden and 1Password. LEO: Instead of, what was that other one that Microsoft's suggesting people use? STEVE: That would be Microsoft Password Manager [buzzer sound]. Nice. Yes. So last week Microsoft, 1Password, and Bitwarden published synchronized news releases about this appearance. Here's what Bitwarden themselves said about this. They said: "Now available in beta, the Bitwarden desktop application integrates with Windows 11 for an OS-native Passkey experience." That's what this means is that Bitwarden will be able to provide Passkeys natively to Windows 11, which, you know, itself has Passkeys as part of its structure, natively. "Any Passkey created," they wrote, "and securely stored in the vault, is synced to all your devices, providing you access from anywhere." And that's the big advantage over - get ready for it - the Microsoft Password Manager. Right. [Buzzer sound]. 
LEO: Sorry, a little late on the button. STEVE: This works both ways. They said: "This works both ways, allowing for Passkeys already saved in Bitwarden vault to be used in Windows 11, for applications outside the browser, and for the use of Passkey website logins inside the browser, even" - and here it is, Leo - "without needing to have the Bitwarden extension installed." LEO: Ah, yeah. I think that's probably better; right? STEVE: Better, yes. "Simply select the Bitwarden desktop application when Windows prompts you to choose a Passkey provider." So now in Windows 11 there is this new Passkey provider interface choice, and Bitwarden, with it installed, will be listed there. And they finished, saying: "Bitwarden worked closely with Microsoft to develop the Windows component required for this functionality. In this beta release, the feature requires installing the desktop application from the GitHub repository. It will later be widely available through the standard desktop application install." And Travis with 1Password wrote: "After six months in beta and working hard to address all your feedback, today's the day we finally bring desktop-level support for Passkeys on Windows 11. No browser, no problem. You'll be able to seamlessly sync and manage Passkeys on Windows, with 1Password as your credential manager. We're also introducing an improved onboarding flow to enable 1Password Passkeys on Windows 11 to better meet you where you are. "However, this integration requires the MSIX version of 1Password for Windows. It uses the MSIX" - that's their latest installer, essentially. It replaces EXEs and ZIPs and MSIs, so it's MSIX. They said, or Travis said: "It uses the MSIX technology to better support all the functionality Windows 11 offers, including system-level Passkeys. We've already begun the process of migrating nightly and beta users to the MSIX build, and we're starting to migrate those on stable today. 
If you'd like to get a jump start, you can download the latest version of 1Password for Windows." He said: "To try out the new Passkeys features on Windows, ensure you are on the most up-to-date version of Windows 11," meaning you have to have November's, this month's, update. "Download the latest version of 1Password for Windows here." And I've got the link in the show notes. "Enable the Passkey feature in your desktop app through the new onboarding prompt, or with Settings > Autofill and enabling the Show Passkey suggestions setting." And he says: "You should be redirected to enable 1Password as the system authenticator. If not, enable System Settings > Account > Passkeys > Advanced options. Then, enable 1Password using the toggle. As of today, the ability to use Passkeys is available to all Windows 11 users. We'd again like to thank the Windows Security team for partnering with us so closely in order to get this out the door. Try it out and let us know what you think." So I've got three links in the show notes, one to Microsoft announcement that has links to everything else, then also the 1Password announcement with their links, and the Bitwarden announcement with theirs. So anyway, I know that a lot of people have moved to Windows 11. Lots of our listeners are there. Their community is there. And now you can turn this stuff on to get, you know, really, really nice deep integration with Windows. That's very cool. LEO: Yeah. Yeah, yeah. STEVE: Okay. I ran across an interesting piece of news which was weirdly tied in with today's topic about cellular technology. Here's what the news that was published reported. This is from an organization that got kicked out of Russia, and then all of their staff moved to Europe, where they could continue reporting in an unbiased fashion as they had been. But of course you can't report in an unbiased fashion if you're in Russia. So really good reporting. 
They said: "The Russian Ministry of Digital Development, Communications, and Mass Media announced on Monday" - that's a week ago - "that Russian authorities have begun blocking mobile phones being brought back into the country from abroad for 24 hours in an attempt to undermine Ukrainian drone strikes. The Ministry said that the measure had been applied in test mode on Monday, with mobile Internet and SMS messages being blocked for 24 hours for anyone returning to Russia from abroad or for those who had not used their SIM card for three days, 72 hours." They wrote: "While users should receive a notification informing them of the block via SMS, the ministry did say that Internet access could be restored before the end of the 24-hour cooling-off period" - is what they're calling it - "by completing a CAPTCHA sent by individual telecom operators. Investigative news outlet Verstka said that two of Russia's largest telecom operators, MegaFon and Beeline, were already warning their customers about the temporary suspension of their mobile data, but said that the Beeline link to restore access to data services did not appear to work." So still getting the bugs out of this. "The Ministry said the measure had been introduced to avoid SIM cards being used to navigate Ukrainian drones. The cooling-off period was first reported by Russian business daily Kommersant on Friday, with some experts warning that technical glitches could mean that SMS notifications warning clients about the measure would not arrive," leaving people who had just reentered the country confused about why their phone wasn't working. "Last month, the Russian authorities began blocking foreign SIM cards from accessing data networks and texting services for 24 hours after entering the country to enable them to distinguish genuine foreign SIM cards from those being used to navigate Ukrainian attack drones, according to tech-specialist media outlet Rozetked." I thought that was a pretty clever idea. 
It's likely to have the tendency, not surprisingly, to false-positive somewhat, but Russian citizens will just need to put up with that inconvenience. You know, it's probably better than getting blown up. And since most in-country SIM cards will be persistently connected to Russia's internal network, the idea would appear to be broadly workable. So the idea of not giving any newly appearing SIM card Internet or SMS messaging access for a period of time after it first appears, I would call that pretty clever. What's not clear, though, is how this would prevent an enemy drone from using cell towers for navigation. Navigation and communication would appear to be separate, and it was my impression from the reporting that I've seen that Ukrainian drones were using Russia's cell towers to determine their location, just by knowing where the towers were and what the relative signal strengths were from the towers. But perhaps there's also command and control happening, as well, which is required. You could begin to think of ways to get around this; right? Like how long must you be out of country and out of cell service before the boom drops, so that maybe you could take SIM cards which had been active in-country, quickly send them to Ukraine, install them in drones, and have them come back. I don't know. LEO: You can see how it would be a big problem in Russia. They are fighting this drone battle, and people are controlling these drones using SIMs. STEVE: Yeah. LEO: So I can see why they want to do it. STEVE: And the question, you know, it's like, okay, apparently voice service is not disconnected, only Internet and SMS. Which makes me wonder why you couldn't switch to voice channel control. It would take a little cleverness, but, you know... LEO: Could you do data over the voice channel? STEVE: Yeah, exactly. Like modems used to. Right? LEO: Yeah. In fact, SMS uses data over the voice channel. So, yeah, yeah. STEVE: Right. So maybe you can codify it differently. 
LEO: Like modems. STEVE: Why is that drone's lagging so slow? Well, 300 baud, you know, doesn't give us much control. Right. Google has filed a lawsuit against a Chinese Phishing-as-a-Service platform called "The Lighthouse." The numbers are what caught me up here. The Lighthouse is believed to be behind that recent waves, well, recent waves, many recent waves of SMS spam that targeted users across the world, posing as Google, the United States Postal Service, and other services. The service has compromised - get this, Leo - over one million victims across 120 countries. Google is seeking a court order to shut down Lighthouse's infrastructure and is seeking injunctions against 25 identified individuals with the organization. And I know this thing is out there. Every week or so, as I've mentioned before on the podcast, Lorrie will show me an SMS message and ask me whether it's legitimate. You know, and it's like, no, they never are. But, you know, more than a million victims. LEO: Oh, I see them every day. Every day. STEVE: Yes. It's just it is a flow, yup. Not good. Okay. A listener who asked for anonymity, he identified himself as Anon the Moose. He said: "To Mr. Steve Gibson," he said, "I needed to stop the most recent podcast and pen a reply because I must respond. I also must disclose that I am unable to speak for my employer, or anyone else including myself." Okay. LEO: You can speak for yourself. Speak for yourself. STEVE: "So please refrain from using my name." LEO: Oh, okay. STEVE: So I hope that Anon the Moose is not his name. But okay. He said: "I won't say I'm old, but I have been messing with computers for only five decades or so. I don't remember when I first started listening. I know I can't claim number one, but it was definitely in the low one or two hundreds. I'm also a fan of the TWiT network and several of the past and present podcasts." LEO: Thank you, Mr. Moose. STEVE: Yes, Mr. Moose. 
"But your rant today about the demise of XSLT technology is what made me respond. This is not the first time you talk about some format or another, about how bad it is, how great it is to have it finally going away. If I had a bingo card with the stuff I work on, it would mostly be filled in by now." LEO: Oh, dear. STEVE: Yeah. He says: "Yes, I understand that interpreters are gaping security holes. I would also like to point out that the metrics from the various companies are not accurate when you talk about things in closed environments. With respect to XSLT, I work on an international standards group that has tens of thousands of XSLT code that converts files of many different formats into an HTML deliverable that describes the exchange model that is a fairly complex graph. As a side note, there is a significant amount of Leo's favorite language LISP in play, too." LEO: I bet there is, also an ancient code. STEVE: Yup. He says: "Ironically, tomorrow morning I will be in a meeting where my proposal for a new technology stack will be questioned by folks that started working on this project before XSLT was invented. The refrain I always get is, if it works, why change because it will cost millions of dollars and several years to change. In the past you spent several episodes dancing on the grave of Flash. It turns out it can create a very good UI in a PDF file. And when Adobe finally pulled the plug, it killed a set of PDF applications that were used to maintain some expensive hardware. "Even further back you had a minor go at CGM where people were hiding malware in graphic files. I work in an industry that uses those files for illustrations and know that they are only uncommon on the web. Internally, I need nine-plus digits to count them, especially when data retention and archiving is needed. I once wrote a tic-tac-toe game to demonstrate the things you could do with a graphics file. 
"If you want a crystal ball of what will be the next thing to be disallowed, I could look at the other things I have in my development directories to give you an idea of what the world will probably deprecate next. Keep the content coming, it might be what is keeping me sane. Signed, Anon the Moose." LEO: Nice. Well, I guess if you've been working in this business long enough, you're probably going to work on a few deprecated technologies. STEVE: Yup. I think that our anonymous moose intends to make the point, by way of grumbling about past work that occasionally needs to be tossed into the dust bin of history, that the world is changing, and that development is a moving target. That's probably never been more clear than with the relatively sudden rise of AI coding agents. It seems that production coding tomorrow is not going to look anything like production coding today. Matt said: "Steve, as you have stated, many listeners likely run their own mail server as you do, and have ventured into the world of SPF, DKIM, and extra hoops Google and Microsoft require and all of that work." LEO: Yikes. STEVE: "As you know, having an email domain can have lots that needs done, and a great tool I found in keeping mine running is sending an email from the domain you care about to this email address: check@dmarcly.com." He said: "Even just a blank email to that domain will result in an email that will return to where you emailed from containing all of this information: The header from the Domain using RFC 5322; DMARC's Pass or Fail; DKIM's Pass or Fail, alignment, domain and your selector record; SPF's Pass or Fail, the alignment and the domain; BIMI, you know, the logo that we talked about." He says: "I don't do this one, so mine just says No Record Found. Unsure what it would show if you had it installed." I do have it installed, and it showed me my BIMI record. "MTA-STS and TLS/RPT." He said: "Again I don't do these, so mine just says record/policy not found. 
Blacklists: Checks your IP and mail server to see if it has hit any Blacklists. A spam score tells you what SpamAssassin sees as the score of your email." And he says: "Mine is a pleasant -0.1." And he said: "DMARCLY themselves, of course, offers paid tiers of email support, but this email check service is completely free, and I have a weekly tasker set for myself to send it an email to just see how my email server is doing in the real world. I probably should automate that to a script. That way the email just shows up once a week to me." He said: "I also think this tool could be helpful for those who DON'T run their own server, just to see how the provider they are using is keeping their email deliverability something of a priority. As we all know, setting up an email server is dead simple. Getting emails to deliver from it is a whole 'nother matter. Matt." So following Matt's suggestion I went over to DMARCLY.com - be sure to spell it DMARC, not DMARK, since that's a different email service. Don't ask me how I know that. It appears that they're wanting to collect business email accounts. I took Matt's suggestion and sent email to check@dmarcly.com, but I didn't receive a reply. LEO: Yeah, neither have I. Yeah, I'm wondering why, yeah. STEVE: Yeah. I figured that I might need to create an account, which Matt might not have known since he may have already had a free account. So I did that, created an alias email for myself, my address, you know, at GRC.com. And then I went to DMARCLY, created a free account under that alias. And then I received the expected email confirmation, you know, "Click here to confirm your email and your free account." Then I sent another "check@dmarcly.com" email from that alias, and that did the trick. I received a very nice and thorough analysis of GRC's SPF, DKIM, and DMARC status, as well as GRC's BIMI email logo. And for what it's worth, I mean, I spent a lot of time looking around DMARC-y stuff. But I didn't run across DMARCLY. 
It has, that site, regardless, has a bunch of very nice tests, and some advice and educational resources. So to me it looks like a very reasonable place to learn about DMARC and to test out one's email setup. So thank you for the pointer, Matt. Oh, and what matters most to me, as I've said, is that Google, now and still, blames GRC for ZERO - absolutely ZERO - of the spoofed email that is apparently continually flowing into them from people pretending to send it from GRC. Since I showed that flat-line, which was flat at zero in the chart last week, you know, I keep looking at it every couple days. That line is continuing to extend at zero. Not a single additional instance of spam. Yet I'm sure that the cessation of spam pretending to be from GRC didn't stop just because I updated my DMARC stuff to - I set it for strict alignment rather than the default, which was relaxed. And it made a lot of difference. So that's mostly what I care about because Google, you know, they own email, for all intents and purposes. I guess them and Microsoft. Scott Ulrich, his subject was "Still getting Windows 10 Updates." He said: "Hey, Steve, I made a point (on principle) of not doing anything Microsoft required to obtain Windows 10 updates past October: no storing settings in the Cloud, no payments, and I don't have enough Microsoft brownie points to get the extra year. I'm not in Europe, and I still seem to be getting Windows 10 updates; see attached. Curious if others are seeing the same. Cheers, Scott." So Scott attached a screenshot of his Windows update showing two seemingly contradictory things. His Windows 10 machine - I've got that, I duplicated his screenshot in the show notes for anyone who's interested. His Windows 10 machine is reporting that it's receiving a November 2025 Cumulative Update for Windows 10 Version 22H2 for x64-based systems. And it notes that it's KB5071959. 
So this is clearly what Scott was referring to when he noted that his machine was still receiving updates. But then below that, in the screenshot Scott thoughtfully provided, we see the familiar notice "Enroll in Extended Security Update" with the explanation "Your device is no longer receiving security updates. Enroll now to stay protected and productive for another year." Because of course, you know, you can't be productive unless you have the latest update. LEO: You've got to be productive, yeah. STEVE: That's right. Okay. So what's going on here? The key is that specific Knowledge Base number KB5071959. It turns out that's not what it might appear to be at first glance. Despite its November 2025 date, it is not providing November's security fixes for that machine. Instead, it's repairing a known set of ESU bugs that have been collectively preventing machines from successfully being able to enroll in Microsoft's ESU program, even if users want to. Some of the reports of ESU failure are somewhat comical, since Microsoft will simply report: "Something went wrong." Yeah, Microsoft. Something's wrong in Redmond. Which is not very satisfying for someone who's panicked about keeping their Windows system up to date. And who, Leo, is desperate to stay productive. LEO: It's very important. STEVE: Oh, my god. I found some terrific reporting on this over on "The Guru of 3D" site, where its author wrote: "Windows 10 users sticking with the older operating system have one remaining lifetime for security updates: ESU, Microsoft's Extended Security Updates program." I'm sorry, one remaining lifeline, not lifetime. I thought, what is that? Lifeline for security updates: "ESU, Microsoft's Extended Security Updates program. It's designed for systems that cannot move to Windows 11 or for users who simply prefer to stay on Windows 10 a little longer. ESU provides up to three years of critical security patches, but you need to be enrolled to receive them. 
Depending on the device, enrollment can be either paid or linked to Windows Backup, and it also requires a Microsoft account." The problem is that not everyone could enroll. Over the last few months, a mix of bugs made ESU activation unnecessarily difficult. Some users in the EU saw messages claiming the service was temporarily unavailable, even though the program was active. Others, trying to use the free activation method through Windows Backup, ran into a generic "Something went wrong" message that stopped the process entirely. These issues appeared right as Windows 10 transitioned out of standard support, which created more confusion during a time when many users were already dealing with upgrade decisions. "There were also earlier cases where Windows 10 insisted the system had reached end-of-life even when ESU was active." Wow. "The odd part was that this affected not only standard Windows 10 installations, but also Enterprise LTSC 2021 and LTSC IoT 2021 editions, you know, that's the long-term servicing channel editions that still have years of official support ahead of them, yet they stopped getting support." Microsoft really screwed things up here. He didn't say that. That's me. He said: "Microsoft patched those cloud-based configuration errors earlier, but the enrollment bugs continued to cause trouble. "Microsoft has now addressed the remaining issues with an out-of-band update KB5071959. This patch fixes the EU enrollment failures and the sign-up errors tied to Windows Backup activation. If your device could not enroll in ESU before, this update to Windows 10 is required to restore the system's ability to join the program. On the other hand, if ESU already works on your machine, the patch is not mandatory. It mainly targets systems which were blocked by the earlier bugs. "With KB5071959 now available, all known ESU enrollment problems should be resolved. 
Windows 10 users who rely on extended support can finally complete the process without running into misleading warnings, regional availability errors, or dead-end messages. Nothing about ESU's requirements has changed, however; but at least the sign-up path is no longer impeded by those software faults. "If you're still running Windows 10 for the long haul, installing this update is worth doing before attempting ESU enrollment again. It ensures the last security-update window Microsoft offers for Windows 10 actually works as intended, especially important for anyone keeping older hardware in service." So that's what's going on. Microsoft's page for this explained that this out-of-band, somewhat emergency update not only fixed these well-known persistent ESU problems, but it also included all the security updates up through October 14th, when all non-ESU security updating ended. So I wanted to take the occasion of Scott's note to let everyone know what was going on. This fix, which became available last week, will be automatically installed into all Windows 10 machines and should then resolve any remaining ESU enrollment problems. So if that happened to you, make sure, you know, go to Windows Update, make sure that you are as current as you can be. If not, you'll get that last 5071959 knowledge base update, and then you should be able to enroll in ESU and be updated through October something or other, middle of October of 2026. And same guy, Scott, added: "P.S.: There's been talk in recent weeks about going back and listening to previous episodes. I have some experience with this. I found your podcast in 2019 while I was studying for my CISSP during a career change toward a focus on security. I started listening weekly to all fresh episodes, then went back to start listening from Episode 1 while exercising and working on projects around the house. It took several of the early episodes before I realized Leo was the same guy I used to watch in high school on Tech TV." 
LEO: Yes. Only much better-looking now. STEVE: All been at this for a while. He said: "The episode I started with was Episode 723 from July 16th, 2019; and I finally caught up with all prior episodes on October 28, 2023." So four years, three months, and 12 days... LEO: Wow. Wow. That's dedication. STEVE: ...it took him to get caught up. He said: "While I cannot credit you with achieving my CISSP at the time, I do thank you for keeping me interested in InfoSec and on top of the current topics ever since. Listening to all those old episodes was a great refresher on various IT topics and the evolution of security over the past 20 years. You helped to reinvigorate my career in technology, and I've been happy to support you and TWiT as a Club TWiT member since 2021." LEO: Yay. STEVE: "Keep up the great work." LEO: Yay. STEVE: So thank you, Scott, for the great backstory, and thanks for sharing it. Larry Wilson said - actually he quoted me. This is my voice: "Indeed, only about 0.02% of web page loads today actually use XSLT at all, with less than 0.001% using XSLT processing instructions." Actually, that was me quoting Google. And so that's Larry quoting me quoting Google. Larry said: "While I agree that those percentages indicate that XSLT is a small minority of web page loads, I have to imagine that the raw number of loads per day, say, is actually tremendously large. Not to say that this changes the security concerns, but I don't interpret these numbers as saying that it sees little use. It seems to me that it says that it's being used, what, hundreds of thousands of times a day? Millions?" So Larry's point is that even 0.02% of all web page loads, while representing a small fraction of the total, still represents a large actual value. And of course he's right. And Lisa Lombardo wrote: "I hate to admit it, but I'm aware of enterprise product use of XSLT. Thanks for sharing this, so I can forward this news. Thank you. Lisa." 
So as I noted last week, I suspected that within the reach of our listeners would be people who were actually using and still depending upon XSLT, or knew of others who were. And when I say "still depending upon," that's kind of unfair, right, because it has been a universally supported standard from the day of its original release, so there's no reason for anyone to not "still" be depending upon it - except, of course, that everyone listening is now aware that some reengineering of those existing aging solutions is going to be required. What's going to happen for those who are not listening to this podcast or who are not tapped into some similar source of information is that, come March next year, there will be a rude awakening to the coming demise of XSLT when Google flips the "default ON" switch to "OFF." Suddenly, all those facilities serving pages that are being displayed only thanks to the XML-to-HTML translation provided by those built-in browser features will fail. Those sites will fail. After some panicked scurrying around, everyone will figure out that the switch needs to be flipped back "ON," at which point those still using XSLT will have at most eight months to redesign their perfectly working system - for the last couple decades - around more modern solutions. So hearing firsthand from some of our listeners who will be directly touched by this, Google's quite apologetic announcement is a bit more understandable. I mean, they get it that 0.02% is still a lot more than zero. John G. Ata said: "Looks like Apple Podcast subscription has doubled." He said: "I'm in the business of supporting GRC, not Apple, so I cancelled. Suggest you talk about this on your next episode." I wanted to do that. I don't know anything about Apple's podcast subscriptions, Leo; but I don't know if that's anything that TWiT has anything... LEO: No, I don't think this has anything to do with us. I don't know what he's looking at. STEVE: And I haven't heard it from anybody else. 
Maybe something in John's world. LEO: So John, and anybody who wants to subscribe, you can just go to the TWiT.tv/clubtwit page, and there should be links there to Apple. So let me just check. But I'm - maybe Patrick is listening, too. Yeah, I think it's four bucks for an individual show, or 4.99 for an individual show. Let me see if we have it here. Yeah, single show plans. So if you scroll down at TWiT.tv/clubtwit, go to the single show plans, click on Security Now!, it's $5.00. And it should be right there, everything you need. So just do that. You'll get a special URL to add to your podcast client, which works with Apple Podcasts, and that'll be that. That's a direct way to support us, as opposed to I don't know what Apple is doing. I think he's mistaken. STEVE: Okay. LEO: Yes, I think we would hear about it if Apple doubled the cost. STEVE: Yeah, yeah. David Lemire said: "Hi, Steve. Your recent coverage of AI-related topics caused me to realize I have zero clue how an AI shopping agent works (full disclosure: I've yet to deliberately try out any AI tools). I found this brief article about a Columbia Business School study that offered some interesting insights. A paragraph that stood out," and he quotes it: "One of the study's most striking conclusions is how different AI models behave. Claude Sonnet 4, GPT-4.1, and Gemini 2.5 Flash frequently made divergent choices when asked to choose among identical assortments. For example, Claude favored one brand in the fitness watch category nearly twice as often as the other models. These preferences were consistent and measurable, suggesting that each AI model effectively creates its own miniature market with its own demand patterns. Always love your work. David." Thanks, David. His quote from Columbia and the surprise that might first be felt causes me to note that with AI we're no longer working with the sorts of "computers" that we always have before. With a computer, we assume that there's one right answer. 
So we might at first be inclined to imagine that asking three different AI models to select, for example, the treadmill that offers the most value for the price, they ought to all converge to the same conclusion. But of course we know better. If we ask three different people the same question, we'll likely get three different answers. Today's AI models are individually hand-crafted by their designers. And the modeling data they train on, and the details of the way they train and are reinforced may be similar, but in detail they're all different. And we know that even if they were all given the same identical training data, the differences in their internal design and operation would likely still cause them to reach different conclusions, just like those three different people we might have asked. So, yeah, you're going to, you know, the AI models are going to be different and are going to have divergent results. And finally, Simon Zerafa, a frequent contributor to the podcast's feedback, says: "Hi, Steve. For podcast listeners who are tech support for their non-techie friends and family, it is possible to disable the Windows Run dialog through Group Policy or the Registry." Okay, now, he's talking about that very high-profile, very active new phishing attack where people are being asked to hit Copy in a CAPTCHA, which puts a malicious string on their clipboard, then being told to paste it into the Run dialog and hit Enter. Which then moves them, you know, breaks out of the browser's confinement and containment. And it's like, there's like a huge, it's called the Click Fix Campaign, and it's going crazy. So Simon says: "Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. If you don't have the Explorer key under 'Policies,' right-click on Policies and create New > Key and name that key Policies. Right-click on it on the right side and click New > DWORD (32-bit Value), and name it NoRun (N-o-R-u-n). 
Double-click NoRun and change the Value Data to 1." And he says: "Or you can change the Value Data to 2 to reenable the Run dialog or delete the NoRun registry key if you no longer need it." Anyway, he says: "Users who don't need access to the Run dialog (many don't), for them this might be an effective solution to the problem of pasting CAPTCHA commands and unwittingly compromising their systems. Of course, this will disable the Run dialog for maintenance purposes to ensure you have access to the tools you might need via some other route." You know, like launch a command prompt. But it's unlikely that the CAPTCHA instructions would do that. So anyway, I thought that was a cool tip. If you know people who might get themselves in trouble, or you can certainly do this through Group Policy, as Simon also noted, so it could - the Run dialog could be disabled enterprise-wide to keep people from getting in trouble by using it for things they shouldn't. I thought that was a great tip. So thank you, Simon. And Leo, it's time for our main topic. Let's do our last commercial break, and then we're going to talk about Global Cell Phone Tracking. LEO: And I have checked on Apple Podcasts, and the good news is it is still $5 a month. So I'm not sure what he was seeing. But maybe you should be careful, if you saw a doubled price. That might not be the place to go. Do it through our web page would be my recommendation: twit.tv/clubtwit. All right. Now, back to Steve. STEVE: Okay. So I need to credit today's topic to a listener of ours named Amir Katz, who wrote the following. He said: "Hello, Steve and Leo. Longtime subscriber and SpinRite owner, et cetera. This is about a different type of phone hacking, so you may find this story very interesting." And he sent me a link, it's in the show notes, to lighthousereports.com, blah blah blah. He says: "It was pointed out in Bruce Schneier's monthly newsletter, to which I'm sure you subscribe as well. Thank you." So I do subscribe. 
But I subscribe to more than I can consume. And when I'm intensely focused on coding I fall much further behind. So I didn't see Bruce's pointer to this, but I did see Amir's pointer to where Bruce was pointing. So as usual, I'm primarily driven by technology. That's what I find most interesting. And that appears to be the main reason our listeners keep listening and find this podcast worth their precious time. So when I understood the enabling technology underlying this global cell phone tracking, I just closed my eyes and shook my head. It was so insidious and obvious in retrospect. And I knew that everyone would feel the same way and would "get it," as I did. So I've trimmed the original report where I could to keep its length under control, but it does contain a bunch of interesting detail that I'm sure everyone will find as fascinating as I did. The piece's title is "How First Wap" - First Wap is the name of this bad company - "First Wap Tracks Phones Around the World." It's a private company. And the article's teaser reads: "From telecom providers to a" - get this - "a 1.5 million row dataset" - that is, of tracking results - "here's how we uncovered the reach and tactics of a mercenary phone-tracking company." Okay. So before I share the edited-down version of their reporting, stop for a moment to ask yourself exactly how something that we all take entirely for granted works. How does the global telephone network "know" where everyone is all the time? Sure, we know that as we roam around, our handsets are pinging and logging into various nearby cell towers, and that relative signal strengths are compared to determine which cell tower base station should handle our connection. But what underlying protocol is used; and who, exactly, has access to it? And more importantly, can anyone, anywhere, query the instantaneous location of anyone else? And by now you know where this is going. 
We talked about that instance last June where, as a security precaution, senior Iranian officials were deliberately not carrying mobile phones because they were acutely aware of their trackability. But they failed to insist upon the same level of care from their bodyguards, who were carrying cell phones and who were, being bodyguards, in close proximity to their bodies. We assumed at the time that the bodyguards must have been practicing poor personal phone security hygiene and had their phones infected with some form of tracking spyware. But what if the reality is far worse? What if the underlying global cell phone network itself is so poorly designed and so insecure that anyone's location can be known at any time by anyone else, without the aid of any spyware of any kind, just by virtue of it being a cellular phone? So here's what the team at Lighthouse Reports wrote. They said: "In the spring of 2024, Lighthouse found a vast archive of data on the deep web. It contained thousands of phone numbers and hundreds of thousands of locations from nearly every country in the world." What was it? "The data came from a little-known surveillance company called First Wap (W-A-P). Headquartered in Jakarta but run by a group of European executives, First Wap has quietly built a phone tracking empire spanning the globe. There have been leaks of telecom network targeting data in the past, but none of them has included this amount of successful targeting of individual phone numbers. "The team found material inside the archive for dozens of stories, including how the company's tracking tech was used against Rwandan dissidents targeted in an assassination campaign, a journalist investigating corruption in the Vatican, and a businessman being investigated for compromising material. Unlike top-tier spyware firms, such as the notorious NSO Group, phone-tracking firms like First Wap have flown under the radar. "It's possible to view the surveillance industry as a pyramid. 
At the top are the elite spyware companies selling expensive, highly targeted and invasive tools like NSO Group's Pegasus or Intellexa's Predator. At the bottom sit the preliminary tools that help enable surveillance operations: OSINT (Open Source Intelligence) and social media scraping tools to develop profiles of targets, Internet infrastructure to spin out lists of honeypot domains, and vulnerability vendors trading identified weaknesses in operating systems and other software. Sandwiched in between these is the middle layer: firms that track locations or intercept communications at scale, like First Wap. "With the top of the pyramid grabbing the most attention, the middle tier has managed to operate with less scrutiny, despite enabling surveillance on a far broader scale. A key player in this middle tier is First Wap, a little-known phone-tracking firm headquartered in Jakarta. "First Wap's primary product is a surveillance tool called Altamides, an acronym for 'Advanced Location Tracking and Deception System.' While Altamides boasts a number of capabilities, its flagship feature is the ability to track a phone number anywhere in the world without leaving a trace on the device. Besides location tracking, Altamides also has the ability to intercept text messages and phone calls, spoof messages, and even breach encrypted messaging apps like WhatsApp." Okay, now, they rattled off all of that, but the key quote here: "Its flagship feature is the ability to track a phone number anywhere in the world without leaving a trace on the device." In fact, without anything installed in a device whatsoever. It leaves no trace because it's leveraging the fabric of the global telecom system itself to do all the work. As I noted earlier, though it's obvious once you stop to think about it, the global cell phone network somehow always knows where every cell phone in the world is located. It has to in order to work. 
Their report included a snippet from the First Wap brochure describing Altamides. It says, for example, under "Location Tracking," I've got it at the bottom of page 18 of the show notes: "Monitoring and Profiling multiple suspects and groups of suspects is a time-consuming and arduous undertaking. Altamides facilitates location profiling of suspects and groups of suspects to detect and analyze movement patterns, potential meeting locations, and times and the like." And then they have this thing called RapidTrax: "An organized crime investigation requires the immediate localization of several suspects in order to coordinate a concerted action of law enforcement personnel. Monitoring Center staff utilize the Altamides module RapidTrax for ad-hoc location interrogations and forward the results directly from RapidTrax to individual law enforcement officers in the field." And under Selected Key Features: "Quick and simple single Mobile Number Location Interrogation. Detailed Location Information on Maps and in Textual Format. Retrieving of" - it's blurry, so I'm having a little trouble reading. LEO: I can read it for you. "Retrieving of call forwarding number, mobile phone status, IMSI, IMEI with phone model and brand" - oh my god - "et cetera." STEVE: I know. LEO: "Location Result Forwarding by SMS. Scheduling of interrogations." Of the phone. STEVE: Interrogations of the location. LEO: The location, yeah. "Display and download of Historical Reports. Fixed Line Number Location Lookup Capability." Yikes. STEVE: Yeah. Yeah. So they said: "The investigation started with a 1.5 million row archive" - basically their log - "of all previous surveillance operations carried out via First Wap's systems. 
Within the dozens of columns we found a relatively straightforward taxonomy of data - times and dates, latitude and longitude, phone numbers, country and phone operator names, map URLs - alongside fields that were at first glance less obvious, such as query methods, cell identifiers, and other technical details. Numerous internal references in the dataset demonstrated its ties to First Wap and the Altamides tool. What was clear was that this was a record of years of location tracking, targeting thousands of phone numbers in a vast range of countries. What was less clear at first was how to make sense of this mass of data. "On any given day the dataset might exhibit activity in dozens of places. On initial analysis, we saw that the majority of targets were tracked a small number of times, while a minority were tracked heavily or regularly. Similarly, while nearly every country in the world featured in the dataset, certain regions emerged as clear hotspots, either in terms of total volume of tracking, or in terms of number of devices being tracked. "We wanted to understand who was being targeted. So we ran all of the more than 14,000 phone numbers through a combination of Open Source Intelligence tools which link phone numbers to Internet accounts. We mapped the links between numbers and people using Maltego, and then connected this to the diachronic tracking data with an interactive user interface developed by team member Christo Buschek." Now, okay. This "Maltego" they mention is a potent Open Source Intelligence and link-analysis tool which is used to discover interrelationships among people, organizations, websites, domains, social media accounts, IP addresses, breaches, and many other entities. It's able to integrate with Shodan, VirusTotal, HaveIBeenPwned, Whois, social media lookups, public breach databases, and many cybersecurity tools. In other words, it automates all of this legwork now. 
I wanted to point out, this is the kind of tool that now exists which is available to law enforcement and anyone wanting to do intelligence gathering. It is somewhat stupefying to appreciate all the little bits of leakage that we have, and the idea that there's something out there able to vacuum it all up and then pull it all together and make sense of it. It is a commercial tool used by professionals, but there is also a free rate-limited Community Edition that is available. Maltego, M-A-L-T-E-G-O. They said: "Although this automated process surfaced thousands of potential matches between phone numbers and names, we only considered identifications to be valid if more than one data point connected the number to a person beyond simply a matching name. A team of more than 10 reporters at Lighthouse and Paper Trail Media spent months building up a high-confidence list of targeted individuals, which at time of publication included over 1,500 phone numbers." So they had, out of that 1.5 million record database, they positively and confirmed the phone numbers of 1,500 individuals that that database represented. "Looking for outliers in the dataset led us to cases of harm and obvious misuse. Among the most heavily featured numbers we came across Anne Wojcicki, co-founder of 23andMe, and at the time married to Google's Sergey Brin, who was tracked more than 1,000 times as she moved across the San Francisco Bay Area. We also detected cases where tracking was automated, with timestamps at the same time of each hour, as was the case for Gianluigi, a well-known Italian journalist who had uncovered a corruption scandal inside the Vatican. While we could see who was being tracked, we could not determine which Altamides user was carrying out the tracking." So no way to know on whose behalf these individuals were being spied on, essentially, and tracked just by their phone, the fact that they were carrying the phone with them. No spyware installed. 
"Understanding the broader patterns of surveillance, and ultimately their motivation, required searching for 'clusters' of targets: networks of people whose tracking was connected in time or space. A series of Nigerian election officials, for example, were all tracked in the city of Bauchi ahead of Nigeria's 2011 election. In 2012, meanwhile, the wife of General Faustin Kayumba and the bodyguard of Patrick Karegeya, two founders of the Rwanda National Congress, an opposition movement operating in exile in South Africa, were tracked within minutes of one another. Both men had been targeted for assassination, with Karegeya found strangled in a Johannesburg hotel room 18 months after his bodyguard was targeted by Altamides. "As we continued to identify phone numbers, we homed in on a portion of the dataset that indicated use in customer demonstrations. This data showed how First Wap's executives, or middlemen they had contracted to market their technology, tracked themselves and their associates so that potential clients could experience Altamides in action. In turn, these records allowed us to see the movements of First Wap's salesmen as they hopscotched the globe, interacting with potential customers - who themselves were sometimes exposed in the data, either by identity or location." Okay. And now we come to the technology, answering the question, what made all of this not only possible, but feasible and functional. They said: "So how did First Wap connect the numbers in the dataset to locations? And why did some of the data contain blank locations or unsuccessful location attempts? In contrast to top-tier software like Pegasus, First Wap's Altamides does not infect a phone. It operates entirely at the level of the telecom network. First Wap's late founder, Josef Fuchs, realized before almost anyone that by exploiting an antiquated communication system, he could trick phone networks into revealing the locations of their users." And here it comes. 
"Signaling System 7, SS7..." LEO: Of course. Of course. STEVE: Of course, "...is a decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders." And here comes the phrase we have so often mentioned on this podcast: "It was never designed with security in mind." LEO: Right. STEVE: Right. Just like the Internet that came later, in the early days it was a miracle that it worked at all. LEO: Yes. STEVE: Right? It was like, wow, this stuff works. LEO: It works. STEVE: It's amazing. The fact that it doesn't work securely, you know, there were only four people using it at the time, so who needed it? Wikipedia tells us, they said: "Signaling System No. 7 is a set of telephony signaling protocols developed in the 1970s that is used to set up and tear down telephone calls on most parts of the global public switched network (PSTN). The protocol also performs number translation, local number portability, prepaid billing, Short Messaging Service (SMS), and other services. "The protocol was introduced in the Bell System in the United States by the name Common Channel Interoffice Signaling in the 1970s for signaling between No. 4ESS switch and No. 4A crossbar toll offices. The SS7 protocol is defined for international use by the Q.700-series recommendations of 1988 by the ITU-T. Of the many national variants of the SS7 protocols, most are based on variants standardized by ANSI and the European Telecommunications Standards Institute (ETSI)." Then Wikipedia adds, right on cue: "SS7 has been shown to have several security vulnerabilities, allowing location tracking of callers, interception of voice data, intercept two-factor authentication keys, and possibly the delivery of spyware to phones." 
In other words, First Wap, the company First Wap, has weaponized and commercialized the world's dependence upon the original insecure telephony system, which is still in use and will always probably be because it's the lowest common denominator. And one of our lessons of this podcast is these things never die. So what about improvements to the security since then? The report says, starting with "It was never designed with security in mind," they said: "And while operators have moved to more secure evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years, if not decades to come. "Phone networks need to know where users are in order to route text messages and phone calls. Operators exchange signaling messages to request and respond with user location information. The existence of these signaling messages is not in itself a vulnerability. The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose." LEO: Now, the requests you would get would be merely - the information you get would be merely which cell tower is this phone on right now. Right? STEVE: The request would be where is this phone number located. And the response is... LEO: Right. It would be by cell tower; right? STEVE: Yes. The response is by cell tower, exactly. LEO: Not triangulation, which is important. STEVE: No. LEO: Yeah, okay. STEVE: Right. So "These signaling messages," they said, "are never seen on a user's phone. They are sent and received by what's known as GTs, Global Titles, which are phone numbers that represent" - they're like pseudo phones - "phone numbers that represent nodes in a network, but are not assigned to subscribers. Surveillance companies have often leased GTs from phone operators..." LEO: Ah. 
STEVE: Yup, "...and used them to send unauthorized signaling messages into other networks, benefitting from the fact that the signaling messages appear to be coming from the legitimate operator which owns the GT." LEO: Ah. So you don't even need a Stingray. You just lease a legit GT. STEVE: Yup. "First Wap primarily works via in-country installations of Altamides. In this setup, a government client uses Altamides via an SS7 link belonging to a local phone operator. The local phone operator provides the GTs, and Altamides uses these GTs to conduct location tracking domestically and internationally. "But the company also offered customers SS7 connectivity through Liechtenstein's national operator, Telecom Liechtenstein, formerly Mobilkom. The First Wap archive shows Altamides using GTs from Mobilkom to carry out hundreds of thousands of location tracking queries," meaning from Liechtenstein Telecom. Their report then digs into the details of the data they obtained, explaining the operation of the various commands that were issued to the global network. They address the question of abuse of the system by writing: "Over time, more phone operators have started to install firewalls to counter this type of threat. But maintaining them is complicated, and spotting this type of location tracking request within the millions of legitimate queries sent to an operator's subscribers on a daily basis is challenging. The more legitimate the source, the more likely it is that the operator on the receiving end of the query will let it through. Examination of the dataset shows that a considerable proportion of the activity in it was sent via Mobilkom Liechtenstein, which has excellent worldwide links to other networks and, operating in the heart of Europe, also appears to be a trustworthy traffic source. "In response to this investigation, Telecom Liechtenstein (formerly Mobilkom Liechtenstein) said it was unaware of any misuse of its network by" - what? Who? 
LEO: I don't know, what are you talking about? STEVE: How much money are we making from them? "The phone operator said it had immediately 'suspended its business relationship with First Wap' and that, 'If the allegations are substantiated, the collaboration will be terminated without notice'" - wait, I thought they already did - "'and the company reserves the right to take legal action.'" Oh. We have no idea. First Wap stated in response to this investigation that it has - "First Wap said it has 'fully complied with the statutory and legal requirements and have also imposed this on our business partners.'" Of course we hear that every time, and you ask anybody about malware. "The company stated that it has 'never attempted to hack an SS7 stack or similar' and has 'not offered or sold our products and solutions to repressive systems or sanctioned countries or individuals.'" 1.5 million data records to the contrary. As for the determination of location, they wrote: "The SS7 commands used do not themselves return longitude and latitude coordinates. Instead, they return a Cell ID, which is a unique number assigned to a cell in a mobile network and physically designating a tower or base station. A complete ID is made up of four parts: the country, the network, the area, and finally the cell. "Cell IDs can be mapped to a longitude and latitude using proprietary or public databases. Governments and operators will maintain their own lists, while there are also publicly available crowd-sourced databases such as OpenCelliD. When First Wap installed a system in a country, it requested the client to provide an up-to-date mapping of its domestic cell towers so that Altamides could convert Cell IDs into locations. But as a brochure we obtained demonstrates, the company also offered to facilitate foreign Cell ID mapping for its customers, thus allowing them to carry out tracking operations abroad. 
"In the case of the First Wap sales representative cited in the data, the Cell ID was successfully mapped, and the phone was tracked right next to the headquarters of Nigeria's State Security Services. The accuracy of such mapping depends on the density of cell towers in an area. In urban areas, such as Union Square in San Francisco, the high density of towers means that individual Cell IDs can be quite precisely located. In rural areas, there might be only one tower servicing a much larger area. So the accuracy of the map data depends on real-world physical context as well as technical issues of signaling queries. "Across the span of this archive, it is clear that First Wap's database of Cell IDs was still evolving. This meant that in many cases Altamides successfully obtained a Cell ID but was unable to map it into longitude and latitude. In these instances, the tool would either provide no coordinates, or would provide an estimated center of a much larger area." And they conclude their investigative report, writing: "Most countries have a legal mandate to carry out domestic phone network surveillance. The First Wap archive demonstrates, however, how phone network connections can be leveraged to allow tracking all over the world, without authorization from the targeted networks. "In recent years, a number of investigations have explored the ways in which surveillance companies gain access to phone networks to enable this type of tracking. Lighthouse and its partners have previously written about how SS7 abuses were linked to the murder of a reporter in Mexico and a crackdown on an activist in Congo, and how they were enabled via leasing of Global Titles." 
So anyway, today we've learned that without ever having to have any prior access to someone's cellular phone, and without any necessity of installing any sort of spyware or malware, once someone's cell phone number is known, which can often be accomplished through some digging or a bit of skullduggery, it is then possible to track their global movements with the granularity of cell phone towers. So, wow. In past podcasts we've seen how much damage this form of metadata can do, even lacking any communication content. For example, by simultaneously tracking multiple individuals who may be affiliated, it would be possible to determine when and where they meet by monitoring the convergence of their locations. And as individuals, there's likely, well, there's very little that we can do, though I doubt that there's little we really should do; right? It's only very high-profile people who probably have anything to worry about, though the wake-up call here is that no amount of cell phone hygiene will prevent this tracking. Nothing can prevent it. It's part of the fabric of the cellular radio-based system we all use today. And I suppose this really does argue for the use of cheap burner phones by anyone who wishes to have a phone with them while preventing any subsequent forensic analysis of their movements. We don't know how much logging of our locations is being done by the providers in our area for after-the-fact forensic data mining. In any event, I wanted to make sure that everyone listening was at least aware that a malware infection is not a prerequisite to being tracked on the Internet, and that there's nothing Apple or Google or Samsung or anyone else can do to prevent it. Rotating WiFi MAC addresses or using ephemeral MAC addresses, you know, associated with a WiFi access point will not help. Switching a phone to Airplane mode, or completely switching a phone's cellular radio off, so that it drops from the global cellular network, is the only way to disappear. 
LEO: Wow. STEVE: And tracking really is happening. LEO: Again. You've done it again, Steve. I'm going to let you know because I know you've got an appointment. STEVE: Thank you, yeah. LEO: You've got to get out of here. I will take care of the final duties. STEVE: Sign off for me, and then we will be back next week. LEO: Thanks, Steve. Take care. STEVE: Bye, everybody. LEO: Bye-bye. STEVE: Thanks, buddy. Copyright (c) 2025 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: https://creativecommons.org/licenses/by-nc-sa/2.5/.