Gibson accurately frames AI as the necessary liquidator for decades of accumulated security negligence. This shift toward automated remediation marks the end of an era where software debt could be ignored without consequence.
Vulnerability Debt Repayment - Will Mythos Change Cybersecurity Forever?
It's time for Security Now. Steve Gibson is here with lots to talk about: Cisco freaking out over Mythos, the amazing results Firefox is getting, finding vulnerabilities with AI, Microsoft's mitigation for the yellow key BitLocker bypass, and a serious vulnerability in Ubiquiti routers. That and a whole lot more coming up next on Security Now.
Podcasts you love >> from people you trust.
>> This is Twit.
>> This is Security Now with Steve Gibson.
Episode 1080. Recorded Tuesday, May 26th, 2026. Vulnerability debt repayment.
It's time for Security Now. On the show, we cover the latest in security, privacy, computer use, science fiction, vitamin D, and more. And the reason it's so eclectic is because of this guy. He is a man, a renaissance man for our time, Mr. Steve Gibson. Hello, sir.
>> Ah, yes. Add much. Well, I don't know.
We pretty much stick to security for like 90% of the show. Don't worry. Well, and there overwhelmingly we're getting feedback from people who are engaged in the security implications of AI. I heard from one grumpy listener who said, "I'm tired of hearing it; every podcast you do now is about AI." It's like, hey, you know, if it weren't all about changing the entire complexion of software and security and privacy, then yeah, I would carve out a little piece to just talk about my own interest, because I've become a user of it. And in fact, something occurred to me that I'm going to share mid-podcast that caused me to realize why the line I almost used last week was that the only way I could imagine somebody doesn't understand is if they're not using it. That is to say, if you use it, then I don't know how you could not. And then I realized, oh, I do know how you could not. I understand what people might not have done that makes all the difference in their experience, that converts it from just a search engine into something more. So we'll be talking about that. Yes, I know, more AI, but actually we have another major AI episode because stuff is happening, and I actually think that that's going to change in the long term, which is why today's title is Vulnerability Debt Repayment.
And if you can imagine, that's about the vulnerability debt that all of our software currently has; there's going to be some pain while we repay that debt. But contrary to what some people think, and I'll talk about that, one guy from Cisco thinks that the whole CVE system is just going to be buried forever and unrecoverable. I don't think that's the case, which is not to say that it doesn't need to get fixed. We're going to talk about some of the changes that need to happen. But anyway, we've got a bunch of fun stuff to talk about.
Cisco meets Mythos.
Can the aging CVE system survive AI?
Patch deployment latency and what that means in the AI age. Microsoft responds officially to last week's discussion, well, not our discussion, but the fact of yellow key, which is the BitLocker bypass, with a mitigation which is very clean, and we learn a little bit more about the nature of it from them. Ubiquiti has patched five serious vulnerabilities. All Ubiquiti users need to make sure that they're current.
>> I'm going to do that right now. I'll see you later, Steve.
>> Three are critical. Two are serious, but they're bad. Drupal's being attacked by a PostgreSQL infection which is causing havoc. Microsoft is the first major company to terminate SMS as a second factor authentication mechanism. So, props to them. GitHub, speaking of Microsoft, GitHub got hacked, lost all of their source code. So, whoops. Also, it turns out that >> not our source code, their source code.
That's >> right. Right. Right. Right. GitHub's own internal, like, 4,000-some repositories of internal stuff. Yikes.
>> Um and we'll look at how that happened.
>> Guess it's open source now.
>> Also, after Russia's attack of Ukraine, their access to Western software was cut off largely. Turns out that's having some interesting consequences. We'll talk about that. Also, as I mentioned, I am going to dip into a little bit of my own revelation about AI and why people may not have understood what you and I understand, Leo. I'm going to touch on briefly a new sci-fi show that dropped on Thursday on Netflix. And then the biggie is what we have learned from Mozilla's use >> of Mythos.
>> Mhm.
Very good.
>> And of course we have a great picture of the week.
>> And of course I'm not going to look at it.
>> Try not to because this one's got a nice punch on it.
>> It's part of the fun for me is to scroll up. I could see, and I'll show everybody what I can see right now, because I can see the caption that you write. Yes, >> but I can't see anything below it. So, be >> because the previous do not trespass sign was often ignored and ineffective.
>> I love it. You know, so I can look at that and I go, okay, I see where we're going here. This is going to be another weird fence or another... Yeah, I mean, this has been a specialty of yours, the oddball real world security.
>> Entirely thanks to our listeners.
Entirely thanks to people saying, I mean, they're like taking a walk on some trail and they see something and they think, oh, I have to capture this for the podcast, to Steve.
>> Yeah.
>> We'll tell you how you can do that by the way later in the show. If you have a picture you'd like to share for the >> if you survive. That's right.
>> If you survive, that's coming up. But first, a word from our sponsor for this segment on Security Now: Guardsquare.
Now this is really aimed at the mobile app developers, or people who are thinking about being mobile app developers, in the audience today. A great space to be in, right? Okay.
Mobile apps are an inescapable part of life. They handle everything. We live on our phones these days and we do everything on them from financial services to health care, retail, of course, entertainment. And the thing is, your users are trusting your apps with their most sensitive personal data.
That's why the bad guys are going after you. A recent survey showed 72% of organizations experienced a mobile application security incident last year.
92% of respondents reported rising threat levels over the last two years.
They've seen it. You've probably seen it if you're a mobile app developer.
Meanwhile, attackers who want your users' personal data are looking for and constantly finding new ways to attack your mobile app. Here's one way that's devastating. They take the app.
Nowadays with AI, it's very easy. Use Ghidra and AI to reverse engineer it, repackage it. It's indistinguishable from the real thing, except they have modified it. They've put malware in it, or spyware. Then they distribute the app, the modified app. They do phishing campaigns. Hey, we've got an update.
Send out emails. Sideloading. They go into third party stores. There's all sorts of ways to get to your customers who think they're downloading your app.
Instead, they're downloading malware.
This is why it's so important you take a proactive approach to mobile app security. That's just one way.
Many ways they're attacking you. And you have to stay one step ahead of these attacks because the trust of your users is absolutely vital.
That's where Guardsquare comes in.
Guardsquare delivers mobile app security without compromise, providing advanced protections for both Android and iOS apps, combined with automated mobile application security testing. So it helps you find vulnerabilities, which is also nice. That's a very nice feature. And real-time threat monitoring, so you can see those attacks that are incoming before they bite you. Discover more about how Guardsquare provides industry-leading security for your mobile apps. You can find out more at guardsquare.com.
That's guardsquare.com.
Mobile app developers, you need this.
Guardsquare.com.
We thank them so much for supporting Security Now.
So again, the caption I gave this was because the previous do not trespass sign was often ignored and ineffective. Okay. And I'm going to scroll up here. Let's see what we can see.
Now that's funny. So, uh, the do not trespass sign has been replaced with more of a consequences if you do it says in big bold all caps white letters, "Do not cross this field." And then kind of parenthetically below, "Unless you can do it in 9 seconds because the bull can do it in 10."
>> Oh lord. which of course is the old I don't have to run faster than the bear, I just have to run faster than you.
>> That's awesome.
>> So, and what I like is over on the left, Leo, the center rung looks like it's been bent by somebody standing on it and, like, going over the fence in that location, >> climbing over.
>> So, it's like, yeah, there actually somebody did. And you can kind of see something in the bull over here. I think that's the bull way back there. And there are some others over to the right of the sign, too. So, >> that's great. You know, that is a whole category of witticism, the don't trespass sign in our rural areas.
They're always or often very uh humorous as well as threatening.
On with the show.
>> Okay, so I titled this first short note Cisco Meets Mythos, of course in honor of that fabulous classic cartoon short which was called Bambi Meets Godzilla. Cisco recently... >> Short, very short, and to the point. Yes.
Memorable. Cisco recently produced a slick eight-page PDF document titled, well, they borrowed a name I'm quite familiar with, Shields Up. They said, guidance for defending in the age of AI-enabled attacks. And I'm only going to share the introductory executive summary from this piece, but I wanted to start with it because it nicely serves to introduce us to what Cisco themselves have now realized is about to happen to the industry. The executive summary says, "In early April 2026, Anthropic announced that it would be holding back on releasing their new AI model, Mythos, due to deep concerns around the offensive cyber capability of that model. Anthropic decided to work with select companies, including Cisco, so that those companies could use the model to find and patch security vulnerabilities.
Cisco is changing our near-future threat modeling of AI-enabled attackers in view of our experience with Mythos. That, in turn, has changed how we defend ourselves and led us to develop a set of defensive recommendations for customers. While the capabilities of Mythos may not be widely available, we do anticipate that this capability and more will become widespread as AI technology advances across the board. This paper lays out what Cisco has seen so far from AI-enabled capabilities and what we believe the new threat landscape will look like.
Whether these models are wielded by attackers, leveraged by researchers, or operating as agents within your own environment, subject to appropriate safeguards and controls, the security implications are significant.
We will share what we've implemented based on this new understanding and lay out our recommendations for customers.
The threat surface is going to change in some ways dramatically.
Defenders must take the time to understand what the new normal will look like and evaluate what changes their environment must make to stay secure.
Cisco is committed to being a partner through that transformation.
So, it's pretty clear, reading between the lines, that Cisco got a wake-up call from their experience with Mythos. I have a link in the show notes to Cisco's full report. Though, you know, it's an eight-page glossy sort of thing. I didn't find anything there that was really that interesting or worth sharing. It appears to be far removed from Cisco's trenches, where Cisco developers appear to have run out of expletives to express their degree of astonishment and concern.
So, link in the show notes toward the bottom of the second page. But speaking of running out of expletives, Cisco's security blog poses some interesting questions about the future,
and specifically the practicality of our existing, time-tested CVE, which we are talking about every week, the Common Vulnerabilities and Exposures system, and the impact of AI vulnerability discovery on that. Now, my own expectation, as I teased earlier, differs from Cisco's. Nevertheless, I want to share Cisco's thoughts, since they're Cisco and that matters, and they're worth understanding.
So under their title, "When AI finds faster than humans can patch, disclosure must evolve," they write, "Project Glasswing is an amazing initiative by Anthropic. Cisco is one of the main participants and I," writes this author, "have been honored to work on it since it started."
And then here it is. This is not all caps. This is not hype. Claude Mythos has discovered thousands of, now he's not talking about his own stuff because he's, you know, very politic here, thousands of zero-day vulnerabilities across every major operating system and web browser.
The CVE program, already buckling under 50,000 entries a year, was never designed for this. We need to talk about what comes next before the flood arrives. As you probably have heard from many sources, Claude Mythos preview found a 27-year-old remote crash vulnerability in OpenBSD. It found a 16-year-old bug in FFmpeg that survived 5 million automated fuzzing runs. It chained together Linux kernel vulnerabilities to escalate from unprivileged user to full system control with no human guidance. And it did this in days, not decades.
Key technology providers are finding and fixing hundreds of vulnerabilities.
Participant organizations are also finding thousands of open-source vulnerabilities and working on a coordinated disclosure timeline. That is the responsible move. But it also forces an uncomfortable question. What happens when this class of model becomes commonplace, meaning Mythos? What happens when Mythos-level capability is something everybody can have?
He says when the vulnerability discovery rate jumps from thousands per month to hundreds of thousands.
Okay. So, I'll just pause you to note that the title of today's podcast, Vulnerability Debt Repayment, looks at this at the end of the podcast. And my conclusion is not the same as this author's, as I said, but I thought this was interesting because this guy is on the front line of Cisco meets Mythos.
>> Scared.
>> Yeah, he was. Yes. He was obviously deeply affected by what happened, if you remember Bambi. Well, anyway, since he's an employee of Cisco and obviously wants to keep his job, he's not talking in detail about what they found. But again, how much sleep is he getting, I wonder. It doesn't take much imagination, given what we know of Cisco's own rickety past with security; one could just imagine. I mean, it's got to be similar to what Microsoft is going through. Anyway, this guy continues writing: The answer is that every piece of infrastructure between discovery and remediation, disclosure norms, the CVE system, patching pipelines, and the human workflows that connect them, will need to be rearchitected, not updated. We must rethink how to scale.
The problem is that the CVE system was built for a different era. The Common Vulnerabilities and Exposures program turns 27 this year. It was designed when the security community measured vulnerability disclosures in the hundreds per year. For example, 321 CVEs were issued throughout all of 1999.
By 2023, the number had climbed to nearly 29,000.
And a 2026 forecast projects a median of roughly 59,000 CVEs this year, with the realistic upper-bound scenarios reaching 100,000, and that forecast was published before Project Glasswing was announced. So 100,000 at the high end, median estimate around 60,000, before this all happened.
At RSAC 2026, he writes, "CVE board members acknowledged the program needs an overhaul. GitHub reported a 224% increase in vulnerability reports over the last three months alone." Again, that's the current volume before AI-scale discovery tools were going wide.
When a single AI model can surface thousands of high severity vulnerabilities in a few weeks of scanning, assigning an individual CVE to each one, enriching it with CVSS scores, routing it through the NVD, the National Vulnerability Database, and waiting for human analysts to triage it becomes illogical. Not wrong in principle, but extremely challenging in practice.
The bottleneck is no longer discovery.
It's everything that comes after. The CVE system assumes a world where vulnerabilities are found one at a time by human researchers, disclosed individually, and patched on human timelines.
AI scale discovery breaks every one of those assumptions simultaneously.
Individual CVEs may no longer be the right unit.
Here's the heretical idea that needs to be said. When a model like Mythos scans a code base and produces 300 findings in a single pass: buffer overflows in some parsing library, null pointer dereferences across related system calls, use-after-free conditions in the same memory management subsystem.
The one CVE per bug model no longer serves defenders. It buries them.
Okay. Now again, we'll notice that this guy never said what happened when Cisco met Mythos. But if it had happened, if what we expect happened had, we wouldn't be surprised. He continues, "What defenders actually need is a vulnerability summary, a grouped, contextualized disclosure that says, quote, 'This code base has a class of memory safety issues concentrated in these five modules, with these representative examples and this aggregate severity profile,' unquote. In other words, a vulnerability class report, a VCR, rather than 300 individual CVE tickets."
So, it certainly does sound like this may be what exactly happened to him. And if it had, it's understandable, right?
He's down in the trenches following the original 27-year-old CVE model which requires that each and every discovered vulnerability be cataloged, described, evaluated, listed, and resolved.
It's not a big deal when you field one or two, but when 300 drop on you during the first-pass scan of just one piece of one's massive code base, what are you supposed to do? I mean, really. So, I do see this guy's point. The existing piecemeal approach becomes immediately impractical. So, he writes, "This is not about hiding information. Every individual finding should still be documented and available to the maintainer, the CNA, and the downstream consumers who need it. But the disclosure unit, the thing that gets published, tracked, and acted on by defenders, should be the summary, not the avalanche. Think of it as the difference between receiving 400 individual package tracking notifications and receiving a single shipment manifest. The manifest tells you what's coming, how critical it is, and what you need to do. The individual tracking numbers still exist. You just don't need to process them all at once to take action." Here's the stat, he writes, that should keep every CISO awake: "The median enterprise patch deployment time is approximately 20 days." Okay, the median, that is to say the point where there are just as many quicker as there are slower; that point is 20 days. So at 20 days, half of the patches take longer than 20, the other half take fewer than 20 days. He says, "But in March of 2026," right, two months ago, "researchers observed active exploitation of a critical Langflow vulnerability within 20 hours of its advisory, with no public proof of concept code available. Attackers built working exploits directly from the advisory description.
20 days to patch, 20 hours to exploit.
That gap, he says, is already fatal. AI scale discovery makes it catastrophic.
The uncomfortable truth is that human-driven patch cycles cannot keep pace with AI-driven discovery. If models like Mythos are finding vulnerabilities at machine speed, and adversaries with similar models will exploit them at machine speed, then remediation has to move at machine speed too. This means we need to use AI to scale, fix, and patch.
But code changes must be carefully reviewed and tested. This must become a standard part of our lives. It also means organizations need autonomous patch deployment pipelines for the most critical categories. Not, quote, we'll schedule it for the next maintenance window, unquote. No. Not, it's in the backlog. No. Automated testing, staged rollout, and rollback capabilities that can absorb a continuous stream of patches without human bottlenecks at every stage. The pieces are assembling.
What's missing is the operational framework to use them at scale.
Again, I believe that by the end of the podcast I'm going to be able to make a strong case for the thing this guy's missing, but I think that what he says still bears hearing. He says, "The CVE program must adapt." Let's be direct, he writes. "The CVE program in its current form cannot handle what's coming. Not because the concept is flawed; a universal identifier for vulnerabilities is valuable. But because the implementation assumes human-speed discovery, human-speed enrichment, human-speed consumption.
All three assumptions are collapsing.
The National Vulnerability Database enrichment backlog is already a known problem. CNAs, the CVE Numbering Authorities, are already overwhelmed with submission volume, and downstream consumers, the vulnerability scanners, security information and event management systems, and risk platforms that ingest the CVE data, are already struggling to provide actionable signal rather than noise. Several adaptations are necessary, and they need to start now. Machine readable first, human readable second. CVE records need to be designed for automated consumption as the primary use case, with human readable descriptions as a secondary output. This means structured fields for affected components, exploit preconditions, environmental factors, and, critically, machine readable patch references that automated deployment systems can act on.
Now, okay, actually all those things I agree with completely.
Modernizing our 27-year-old CVE system to take advantage of everything that's been learned since its original design, and the fact that, you know, again, 1999, 321 CVEs; even 2023 was tens of thousands. So even pre-AI, just the sprawl of software has created a far greater demand. I mean, we don't even have Adobe with Flash anymore keeping us busy. So I think it makes a ton of sense to revisit the CVE system under today's world, and that's what the RSA guys were looking at. It should be designed to be deeply automated, to be managed, ingested, and digested by machine. Why not? That's overdue already. And as I said, that's what the CVE board members who met during the 2026 RSA conference acknowledged about the CVE program needing a complete overhaul. You know, again, not specifically due to AI or Mythos. That hadn't happened during RSA 2026.
Just because we could now do such a better job of what has become a critical need. So the Cisco guy considers the shape of some of those changes that we would need. He writes, "So should we use hierarchical identifiers, a parent vulnerability class report identifier with child CVEs for the individual bugs? Defenders who need to take action at the class level can operate on the parent. Researchers and tooling that need the granularity can drill down into the children. Scanners and SBOMs, software bills of materials, can index either level. This gives organizations the ability to respond to, quote, your TLS library has a family of parsing vulnerabilities, unquote, rather than individually tracking 47 separate advisories.
CVSS, the common vulnerability scoring system, was designed for human assessors making static judgments. EPSS, the exploit prediction scoring system, moved toward probabilistic exploit prediction.
The next step is continuous, AI-updated risk scoring that incorporates real-time threat intelligence, proof of concept availability, attacker tooling trends, and the defender's own environment context. So what should defenders do now? He writes, "You don't have to wait for the CVE program to reinvent itself. The practical steps for security teams are clear, even if they're painful.
Remove and migrate away from end-of-life software and hardware. Well, okay then, generic security advice, always good. Stop treating every CVE equally.
If you're patching by CVSS score alone, you're already behind. Use EPSS, CISA KEV, you know, the Known Exploited Vulnerabilities, and real-time threat intelligence to prioritize by exploitability and environmental relevance. The volume is about to make score-based patching physically impossible.
Next, know your inventory. Yes, actually know it. You cannot respond to a flood of vulnerability disclosures if you don't know what software you're running, where it runs, and how it was built.
Software bills of materials are not a compliance checkbox anymore. You need them. They're the only way to answer, "Does this affect me at machine speed?"
And finally, invest in autonomous patching infrastructure, automated testing, canary deployments, staged rollouts, and automated roll back. If your patch deployment requires a human to click approve for every single update, your cadence will be measured in weeks when it needs to be measured in hours.
He finishes, writing, "Project Glasswing's findings will flow through these normal channels as patches land. Your job is to be ready when they arrive, and the window is closing." Anthropic chose not to release Mythos Preview publicly.
That decision buys the industry time, but not much. Frontier AI capabilities and open weight models will advance substantially within months. The capability to autonomously discover and exploit software vulnerabilities at scale is no longer theoretical.
It's only an engineering problem and multiple organizations are solving it simultaneously.
The vulnerability disclosure system we built over 27 years was a remarkable achievement for its time. It gave us a shared language, a coordination mechanism, and a way to hold vendors accountable. But it was built for a world where a prolific researcher might find 50 vulnerabilities in a year. We are entering a world where a single AI system can find that many before lunch.
The choice is not between perfection and action. It's between adapting now with grouped disclosures, tiered timelines, AI generated patches, federated databases, and autonomous remediation.
Okay, so if nothing else, we've just heard the somewhat panicked reaction from someone inside another major enterprise that obtained early access to Mythos.
Though this author was careful to talk about the software security industry at large, it seems pretty clear that it was his own direct experience when Cisco met mythos that drove this posting. He's essentially saying that there are so many problems that we cannot even count them. So, at least for the first pass, we're just going to classify them by generic type because enumerating them individually seems pointless and probably, you know, really sad. So, I think the major takeaway from this is that yes, indeed, it is time to update the industry's aging coordinated vulnerability management system. And while we're at it, since AI has arrived in full force and is obviously never going to leave, let's incorporate AI friendliness into the new system. Where I disagree with this author is in the long-term effects of AI's involvement. I think it's going to be different. I'll make my case for that once we get to today's main topic.
>> Nice. And Leo, >> you know, it strikes me, oh, I know you want to do a break, but before we do that, it strikes me that this is just one aspect of how AI is going to change the speed that everything's happening, right? It's certainly true in vulnerabilities, but it's going to be true in software. It's going to be true in customer service.
It's going to be true in government.
It's everywhere.
>> Yes. I'm in the process. I've talked before about how I purchased some next generation servers for GRC last year. Since one of them has 256 gigabytes of error correcting server memory, I'm glad I bought it then and I'm not having to buy it now. I don't even know if you can buy it now. And this one will be based on Hyper-V, you know, Microsoft's first class hypervisor, and whereas I now have three different machines, they will be three VMs. Anyway, the reason I'm saying all this is that what happened was I was in the process of adding some additional purchasing methods to GRC's e-commerce system to lower the purchasing friction, because I'm going to be doing some more inexpensive software in the future and I wanted to make it easy just to click a button, you know, like PayPal or Apple Pay or Google Pay or Venmo or whatever. Turns out PayPal would refuse to connect to my server because, although I support TLS 1.2, I don't support a couple of the later ciphers, and I never will. I can't on that server platform. So that's driven me to advance my plan of upgrading GRC's servers. The point is I'm working with Claude, which is basically a massive knowledge base.
>> Yes.
>> To help me in the same way that you used it to set up that Linux system from scratch, >> right?
>> Yes, I could do it myself. Amen.
>> You could have done it yourself, but I just know what I want. And so it's like, okay, how do I do this? How do I do that? What about this? What about that? And I mean, again, it has saved hours and hours of time. I could have done it, but now I don't have to because... And think about this, Leo.
This is what boggles my mind. All that there is is bazillions of parameters in a massive matrix which contains this knowledge. It's astonishing what we have created.
>> It's read all the manuals so you don't have to.
>> Yes. You know, as I said last week, a book doesn't have understanding itself because it's printed text, right? >> But it's just captured language. But a book does contain knowledge, because when we read it we obtain that knowledge. And so it's just this mass of parameters, and I'm able to ask it questions about it. >> It's kind of remarkable. >> It's just mind-boggling.
>> But his point about the speed with which this is happening, there is a little bit of, I guess, an impedance mismatch, because the speed the AI is operating at is a lot faster than the speed we can operate at, you know, >> which means, I think, and this may be not a good result, that we are going to be more and more dependent on AI. For instance, in vulnerability, it's not merely detection. We're going to rely on the AI for remediation, because only the AI can act as quickly as the detection can act. And I think that we're going to have more and more dependency on AI just to keep up. And the main point here is not just in vulnerabilities. It's going to be in every aspect. This is what computing has wrought. You know, >> before the invention of the internal combustion engine, we got on bicycles.
>> There you go. And pedaled to where we wanted to go, and we steered the handlebars in order to aim the bicycle, and we went somewhere. Now we sit on a throne, enclosed, and twist a wheel and it just whisks us along. We're still driving. We're still steering. Although that's now >> well, and you know what the chief danger on the road is >> less assured.
>> It's the human behind the wheel.
>> Leo, I love actually I choose bicycling.
I love to ride my bicycle. That's my favorite form of exercise, because you're actually doing something. You're going somewhere. But...
>> So much fun.
>> I watch people on the road now who are clearly staring at their phone or their console...
>> And they weave around and wander, and I'm thinking I'm glad I'm not on a bicycle.
>> I stopped riding bicycles. I really did for that very very reason. I just don't feel safe.
And bike lanes, you know, it's good to have bike lanes, but if they don't have a concrete barrier between you and the road, it's meaningless. They're going to veer right into that lane...
>> As soon as the, you know, the song ends and they've got to put another one on.
>> Well, this podcast is not ending. It is continuing. And we're going to get back to the issues at hand with Mr. Steve Gibson in just a moment. But first, a word from our sponsor, Doppel.
I love this. You know, I've got to play it again. I have so much fun playing this. This is an example of why you need a Doppel. See if this sounds like me: "Hey Burke, this is definitely not Leo asking you to buy gift cards. But seriously, can you grab me 100 Apple gift cards?
Just kidding. This is Anthony testing text to speech. How's it sound?" Anthony generated this fake phishing voicemail with about four minutes of my voice on his desktop with a local model. It is now that easy. So you might, you know, get that voicemail message, that urgent message from your CEO. Maybe it is from the CEO, or maybe it's a deepfake trying to target your business. Burke, don't mail those Apple gift cards. Okay.
That was not me. AI, as I just demonstrated, can impersonate trusted individuals, and that's why you need Doppel. Doppel actually did a test on their platform that illustrates how frequently users fall for these phishing attempts. In voice call simulation deployments on the Doppel platform, targeted users spent on average six minutes conversing with a deepfake. Yeah. Well, yeah. And 100% of them believed the AI was human.
If you got that message from me and it didn't say "don't do it," you might believe it, too. It sounded just like me. You know, the other day you did the story about ShinyHunters putting an ad in the paper for a female because they wanted a female voice to do their phishing, because they had plenty of guys who could do the social engineering, but they needed some ladies.
This is a scary world. Doppel is the AI native social engineering defense platform. Doppel strengthens human risk management by training employees to recognize deception while Doppel's digital risk protection detects and disrupts attacks across every channel.
You know, I said it's not just CVE.
Attackers are turning to AI to power increasingly sophisticated strikes.
Doppel uses it to fight back. You need AI to fight with automated takedowns, multi-channel coverage, and AI defenses that build intelligence with every fight. Doppel works relentlessly to protect people, brands, and trust.
Doppel offers best-in-class integrations and partnerships to seamlessly integrate into your existing security tech stack.
Don't worry. Doppel's industry awards and testimonials speak for themselves.
They're recognized as a winter 2026 G2 leader in more than one category. Users most likely to recommend, momentum leader, and best support.
Join hundreds of companies already using Doppel to protect the brand and people from social engineering attacks. You need it. Doppel outpacing what's next in social engineering. Learn more at doppel.com.
That's d-o-p-p-e-l.com.
Doppel, you know, as in double, as in doppelganger. And that was a doppelganger of me. That was pretty darn credible. d-o-p-p-e-l.com. Doppel. You need it. It's terrifying out there.
We found out that we got phished in January.
Uh they broke into our Google Workspace account for fortunately they did very little.
And we got a notification from Google the other day, 121 days after they broke in. They had 121 days. But you know what I think is going on? They have so many successful breaches.
It's they are it's too fast for them.
The bad guys can't keep up. So they didn't get around. They did a little sniffing. They they read some emails and stuff, but they didn't get We have all the logs. Thank god. They didn't get around to doing anything before we caught them. Before Google caught him.
Uh we're now running uh tools to make sure that doesn't happen again. But it it's so we're so vulnerable out there, Steve.
It's just it's terrifying.
On we go with the show. Okay, so there remains one massive problem that no one is talking about. And this is particularly worrisome for a company like Cisco. And that problem I'll call patch deployment latency. It seems very clear that Cisco meets Mythos was a massive wakeup call, and that Cisco, like probably every other large enterprise having a major security software presence, is now or will soon be undergoing a significant AI-driven re-engineering of much if not all of their existing code base. But as we all know too well, having chronicled this literally for years, decades now, having fresh, updated, and for the first time ever largely if not completely bug-free code ready to deliver is entirely different from having that massively improved and far more secure code actually installed and running across its entire user base.
It should be very clear to everyone that Mythos, Daybreak, and Codename Mdash-scale improvements are going to be sweeping across the entire industry's software, and that the result of that will be basically soup-to-nuts improvements in the operation and security of that software. But getting those improvements into the hands of its users, I mean, this remains an unsolved problem for our industry. You know, really what we want to do is remove all traces of the previous software, because in retrospect these AI tools have shown us, or are showing us, or will be showing us, that it should never have been shipped in the first place. But we didn't know any better at the time. We do now. So this is going to be a big problem. As I said, we haven't solved this problem. Only a handful of software suppliers truly have effective software update systems in place. We know Microsoft with Windows.
Patch Tuesday, baby. Apple with their macOS and various mobile OSes can do this. I just had the opportunity, while I was waiting for the podcast, to update one of my phones with iOS 26.5, I think it is. And since the security of our web browsers is paramount, and since browsers are by definition connected to the internet, browsers have long had the ability to keep themselves current. So that's all great, you know, and now the major Linux distros are beginning to acquire this ability. So what we've seen is that Microsoft, Apple, and the browsers, and now Linux is kind of catching up, have made it difficult to not remain current. I mean, basically it's done for you. You have to actively say no. And I think Windows Update allows you to postpone an update for seven days, and then it's, hey, you're getting updated whether you like it or not. So this tendency to update autonomously and more or less continuously is likely to pay off handsomely for these companies, I think, in the coming months, where we already saw Microsoft able to brag that the four critical vulnerabilities which Codename Mdash (and I hope they've changed the name or come up with a good name) discovered in their TCP/IP stack had already been patched by the time of their disclosure last Patch Tuesday.
But unfortunately, these few companies are the exception, right, in being really patch-forward. They're not the rule today. Many of this industry's network appliances, which are seriously vulnerable, because we keep seeing problem after problem after problem, inherently suffer from an attitude that's, you know, like a decade ago: an "if it's not broke, don't fix it" philosophy. So I have a feeling that we may be in for a turbulent transition when, and I would look at it this way, the difference in the security between what's running now and what should be running, the delta, becomes far more significant than it ever has been. It's one thing to patch a problem and say, "Oh, well, you know, this is a double point release because it'd be good to have it, but it's not, you know, house on fire." Like one problem is being fixed. And you could almost understand somebody who's busy, who doesn't want to take the equipment down because it's in use, like, I don't want to fuss around for some problem that is probably not going to affect me. But when this landslide, which is what we can expect to see coming from Cisco, when the landslide hits, there's a huge difference. I mean, like a huge benefit to patching. And so, it's going to be interesting to see what happens. I am really grateful, Leo, that this podcast did not stop at 999, because we're having more fun with internet security and its implications now with AI than we have for a long time.
Last week we talked about the BitLocker bypass, which I was reluctant to label a backdoor despite a number of security professionals kind of teasing that description. Microsoft was quick to jump on this, even though its release by the hacker, who we know was calling themselves Nightmare Eclipse, was deliberately timed to leave this exposed for the longest time possible, which is to say until June's Patch Tuesday. The bypass of BitLocker now has a CVE.
It's CVE-2026-45585, and Microsoft's executive summary for this explains it this way. Microsoft themselves, now acknowledging the bypass and addressing it with the CVE, says: "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as yellow key. The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."
Okay. So then the executive summary offers a breezy FAQ which asks and answers: "Should I leverage the temporary mitigation?" And they respond, and I'll be sharing what that is here in a second: "Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen."
In other words, yeah, implement it if you think you need to. "For example, if your organization's employees take their work devices home or on business travel." Okay, so maybe if the device is at higher risk. "What impact to service availability and management could be caused by implementing the mitigation?" They reply: "Implementing these mitigations will not impact service availability or management operations."
Okay, so one could imagine that that'll be part of next Patch Tuesday if there's no downside. "Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available?" Answer: "No, the security update will maintain the mitigation's behavior once the security update is installed." In other words, this kind of does read like a whoops. We should not have done what we did in the first place, and we're not going to undo it even if we fix the underlying problem.
And finally, they ask: "I'm using TPM plus PIN. Am I at risk of this vulnerability being exploited?" Answer: "No. If you are using TPM plus PIN, the vulnerability is not exploitable."
So that's an interesting data point. We learn from this that, among other things, as I suspected and contrary to what Nightmare Eclipse was claiming last week, there is no PIN bypass possible, and anyone who is already using a PIN will be protected. And the CVE description has another FAQ, a secondary one, which is a little more interesting. Question: "What kind of security feature could be bypassed by successfully exploiting this vulnerability?" And they answer: "A successful attacker could bypass the BitLocker drive encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data." And finally, and this leads us to the mitigation: "Is there a script that I can copy and paste to implement a mitigation?" What do you know? Yes. "This script is an interim security fix that helps to reduce the risk of exploitation of the vulnerability." The script is for WinRE, you know, the recovery environment, and removes the file autofstx.exe from the BootExecute registry value.
Since BootExecute runs programs very early in boot, even in recovery mode, removing this entry prevents that executable from running in a high-privilege environment, reducing risk. Again, it should never have been there. After you run the script, it won't be. The script works by mounting the WinRE image, editing its offline system registry to remove the entry if present, then safely committing changes and resealing WinRE so BitLocker trust remains intact. It's designed to be safe: if the autofx.exe entry is not there, it exits without making any changes. So, Microsoft has provided a PowerShell script that anyone who might have concerns that a local system might be abused in this way can now run to remove the vulnerability to the hack that Nightmare Eclipse discovered and publicly disclosed to spite Microsoft. This will presumably be more formally fixed by next month's June Patch Tuesday. I provided the link to Microsoft's CVE disclosure, which contains the script, in the show notes at the bottom of page 8. So, I didn't think it was worth creating a GRC shortcut.
It's right there at the bottom of page 8 for anyone who wants it, or just Google CVE-2026-45585 and that will take you to the page that contains the script. It's also worth noting that this vulnerability does not appear to be the result, and this is significant, of a software flaw of the type that Mythos, Daybreak, or Microsoft's own code-named vulnerability discovery system would detect and remediate. In other words, this appears to be an architectural design flaw, where Nightmare Eclipse, while examining the mechanics of Microsoft's deliberate design, cleverly realized that a side effect of one of the system's deliberately designed features could be abused to cause the system's BitLocker drive to be, and to remain, decrypted following an interrupted recovery boot. So the reason I'm highlighting this point is that while our emerging AI systems very clearly promise, and I would say it's beyond promising, they're delivering, you know, eliminating entire classes of software coding mistakes...
Not every security problem that we're going to see is the result of a coding error. So we need to remember that it's very possible for a sufficiently complex system, even without outward bugs, that is, where the software is doing what the coder intended, to still exhibit unintended behavior by design. Now, I should also mention that actually, since I wrote the show notes, I've run across some discussion of the next generation of AI security, which addresses this.
It says, okay, once we've got all the bugs cleaned up, what about mistakes in design? And so, that will be the frontier after the one we're on. And I mean, who ever has a chance even to catch their breath these days, Leo? It's just...
>> I know.
>> Crazy.
>> I know. It's overwhelming.
>> Oh my goodness. Yeah. Um I I actually have to catch my breath.
Okay.
>> Let's take take a break and then we're going to look at Ubiquiti's uh five big problems.
>> I'm here to catch your breath for you.
And I'm really, I'm sitting here looking at my Ubiquiti dashboard waiting to hear what I need to do, so you can bet I'll be paying close attention to the next segment. Before we get there, though, pay close attention to this. Our sponsor for this segment of Security Now, CyberHoot. Man, you need CyberHoot. It's a subscription-based security awareness training platform that is the best. We just started using it and I can tell you it is the best. If you've ever rolled out security awareness training and thought, and I know I have, this feels more like a compliance exercise than actually teaching me security, that is very common, actually, that kind of feeling.
Are we just doing this because we have to? But you should take this seriously, because you do have to. We, you know, as I said earlier, we got bit. We got phished. And this was before we implemented CyberHoot. And it's one of the reasons we did implement CyberHoot, because we, and I'm sure you in your business, really need to keep an eye on these things. Most training works kind of the same way. You try to catch users making mistakes. So these platforms send fake phishing emails to inboxes. They wait for someone to click, and then bam, you click and you're going to get assigned training after the fact. And honestly, it feels pretty punitive. It is not a good way to learn. It really doesn't change behaviors. It just makes people mad.
That's where CyberHoot takes a really different approach. Instead of trying to trick your users, CyberHoot's HootPhish, I love the name, the logo is an owl, right? So CyberHoot's HootPhish focuses on teaching them first, not in their inbox after a mistaken click, but in their browser through a trusted, realistic phishing simulation.
So, you're not trying to catch people and embarrass them and humiliate them and punish them. The goal is simple: to build instinct before the click ever happens. And actually, I watched Lisa go through the CyberHoot process. I looked over her shoulder while she was doing it, and I was really impressed. CyberHoot is automated. Training campaigns, reminders, escalation to managers if you need it, reporting, all of that's handled for you. So, instead of, you know, chasing users down, you get clear visibility into who has completed what and where your risks are. And here's something interesting. CyberHoot also adds, and I think this really is cool, a light opt-in social layer, because you're going to get these little badges, right? Users can connect with co-workers and actually engage in a friendly competition around training progress. It's not forced gamification. It's just enough, and I think people really dig it, to increase participation. It's not, you know, we're not building a gotcha system here. We're just making it fun. I've seen people put their little owl, their little award, right there in the Slack. G2 reviewers rate CyberHoot 4.9 out of five stars. That's pretty good. That's as good as you get. What do reviewers like? They repeatedly praise ease of use, high participation, brief content, non-punitive training, full automation, and strong support. If your organization is ready to stop punishing people for being human and start actually building cybersmart employees, head over to cyberhoot.com/securitynow. Now do me a favor. Use the code "security now" at checkout. You're actually doing yourself a favor, because you're going to get 20% off your first year. That's cyberhoot.com/securitynow.
The promo code "security now." 20% off your first year. Just remember to always laugh, learn, and hoot up with CyberHoot. And you'll get a little owl. It's so cute.
It works. Make it fun. Don't make it a chore. Make it fun. It's good. Just common sense. And I think it works. I do. All right, Steve. Back to you.
>> Okay, Leo, since I know that you and many of our other listeners are users and fans of Ubiquiti...
>> I'm sitting on my update page right now waiting to hear what you have to say about this.
>> So, I wanted to make sure...
>> Yes.
>> ...everyone knew that it was once again patch time for Ubiquiti. Okay.
Now, recall that two months ago in March, Ubiquiti patched a maximum severity flaw affecting the UniFi network application that allowed attackers to take over user accounts as well as another vulnerability that could be exploited to escalate privileges.
>> Yikes.
>> Yeah. Since Censys, the internet scanner, shows that the internet currently has 100,000 publicly exposed UniFi OS endpoints, with nearly half of them, 50,000 IP addresses, located in the US, any known and unpatched flaws in Ubiquiti devices will tend to draw bad guys' attention. And in fact, that has been the case. And there are some Ubiquiti-focused campaigns.
So, well, it explains why Ubiquiti products have been targeted by both state-backed hacking groups and cyber criminals in recent years. There's a big inventory. The hijacked devices were used to build botnets and proxies. So, everybody wants to stay current. Last week, Ubiquiti released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. In other words, as bad as it gets.
>> So, yeah. So just to be clear, UniFi OS is what powers the UniFi consoles and helps manage IT infrastructure, including networking, security and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, Access, Talk and Connect.
So the first flaw, which is CVE-2026-34908, enables attackers to make unauthorized changes to targeted systems by exploiting an improper access control weakness that exists in UniFi OS. The second one, CVE-2026-34909, allows them to access files on the underlying system by abusing a path traversal vulnerability. Can you believe how we're still having path traversal problems, Leo? This could be manipulated to access an underlying account. The third maximum severity vulnerability, that's CVE-2026-34910, makes it possible for malicious actors to launch a command injection attack after gaining access by exploiting an improper input validation vulnerability. So, that was earlier in the week. Then on Thursday, another critical command injection flaw, CVE-2026-33000, I guess it would be easier if I said 33,000, was patched along with a high severity information disclosure, and that's CVE-2026-34911.
So all of these affect all UniFi OS devices. Now there is a piece of good news here. As bad as these are, they are not known to have been exploited in the wild. So these are not zero days, unlike Nightmare Eclipse's deliberate campaign of malice against Microsoft, and thus sadly against Microsoft's users, right? Because users are the ones who ultimately, you know, lose. All of these flaws were responsibly discovered and disclosed and reported through Ubiquiti's participation in the HackerOne bug bounty program. So it's not house on fire. You know, the hackers are not out there scanning, but they're going to be doing that. So definitely make sure that if you are a Ubiquiti user that you've updated yourself to whatever is the latest available firmware for your devices. You know, for a long time, and this is years ago, Ubiquiti had a bad reputation. They had put out a few bad updates, and the advice was...
>> Yeah, always, oh, don't do auto updating on Ubiquiti, but I...
>> ...they've been fine, and I turned on auto updating a few years ago because it is so important, and I haven't had any problems at all. So I notice I'm completely up to date, and I presume those are all the latest patches. So...
>> Nice. That's a relief, you know, and I would suggest to anybody who remembers those bad days of Ubiquiti's updates, they've been...
>> Very good.
>> And you know, there are always people behind those, right? I mean, people leave and new people come, or heads roll after a problem like that. I mean, it really is the case that, look, I would argue Microsoft security has been a roller coaster. There have been good times and bad times and good times and bad. I don't know what determines why, but it's like so big, right?
The changing of the guard, or they get a new VP that really understands, you know, how to do something, and then he burns out and leaves and somebody is stuck in there who doesn't, and, you know, nothing changes overnight, right? It's always sort of a decay and then a rebuilding. So anyway, for what it's worth, I think you're exactly on point, Leo. We were just talking about, especially with what's coming, imagine when Ubiquiti has access to, as everybody will, Mythos-scale, Daybreak-scale AI that finds new problems.
They want to find them before the bad guys do, and they want their customers to have them. The problem is, once AI starts creating massive blobs, you know, massive inventories of improvements, it's one thing for the publisher to have them. They've got to get into deployment. And so, especially for a device like Ubiquiti that is internet-facing. Oh, yeah.
You're right. That's where you want...
>> ...to be. And they update frequently, more frequently than any router I've experienced before. And seamlessly. You're not even aware of the updates happening. And all my Ubiquiti devices have auto updates.
>> That's the only workable model. I mean, and people go, "Oh, yeah, but what if they make a mistake?" Well, so what? So, you know, you wake up one morning and you don't have connectivity. That's not the end of the world. It's much better not to have hackers crawling into your network, you know, because you haven't updated your device.
>> You may have missed this story earlier today. HP sent out a BIOS update which bricked their high-end laptops through Windows Update. So, it's things like this that make people turn off updates. And that's, you know, that's...
>> There is one such person right there on the screen.
>> He's damned if he does, damned if he doesn't. This was the high-end HP ZBook Ultra G1A and the EliteBook XG1.
These are beautiful laptops. These were critical BIOS updates pushed through Windows Update that bricked the computers, and apparently it's been very difficult to get them back online. So I understand why people turn off updates.
>> I really do. But not on my router.
I would argue that, even acknowledging the possibility that a router could hurt itself, all you are out then is a lack of connectivity until you fix it...
>> Right?
>> And that's not, like, again, it's not the end of the world. What is the end is having your router not updating itself and there being this window of opportunity for the bad guys to crawl in, and that could be, that's, yeah, because...
>> I mean, we have this thing in our homes known as a fuse, and when you plug something bad in, the fuse blows, right?
>> It's like, oh darn, electricity is off. Yes. Would you rather have a fire?
>> Yeah, there. That's a really good analogy. Don't put a penny in your fuses so they won't blow. That's a bad idea. Actually, you can't do that anymore, but in the old days, you could.
>> I don't think pennies are common. So, consider that having auto update is like having a fuse. Yes, it could malfunction. It could blow, and it could be a false positive, but that sure is better than not having it and letting the bad guys crawl in.
>> Yeah. Yeah. Well, now I'm reassured, and I'm glad I had the Ubiquiti updates on.
>> Well, I think all of our listeners, anybody who thinks they're being fancy by turning off auto updates, not anymore. Not now. Not when the world is about to hit jet skis with vulnerabilities, and it's going to be a contest to see who wins.
>> Yeah. Now, of all the times, you need it.
>> Yeah. Yeah.
A Google Mandiant security researcher discovered and reported responsibly, although it doesn't matter, unfortunately, because this is open source, what's being described as a highly critical SQL injection vulnerability. Because yes, Leo, not only have we not solved the path traversal problems, but SQL injection, it's never going to go away, apparently.
>> After receiving and understanding the implications of Mandiant's discovery...
On Monday, May 18th, so eight days ago, the Drupal project posted a public service announcement, a PSA urging, I love this, urging admins of its very popular CMS, the Drupal content management system, to reserve some time. Oh no...
>> Like prospectively get ready, like, you know, get ready for core updates that addressed an issue that threat actors might start exploiting, they said, within hours or days. Ah...
>> Sadly...
>> ...that announcement turned out to be prescient, since attacks soon followed the publication of the updates that they had warned admins to be ready to apply, which repaired the problem. The vulnerability that was resolved allows specially crafted requests to trigger arbitrary SQL injection on sites using the PostgreSQL database engine. So not all Drupal instances, if you're not using PostgreSQL, but many are. As we've seen before, one of the mixed blessings of open source is that any repairs to its published code are trivially reverse engineered. You just do a diff on, here was the source before, here's the source now. What did the developers change? And now you know what the problem was that they fixed.
So, you know, it makes it instant for them to create an exploit. Once the resolved trouble has been identified, then you know any online sites that have not yet switched over to the newly released updated code uh which as I said is available to the attackers at the same time as everybody else will be vulnerable targets of opportunity. So in this case, the flaw is exploitable without authentication and can result in remote code execution, privilege escalation, and information disclosure.
You know, the works. So last Friday, the Drupal team updated their advisory to confirm that exploitation attempts, you know, attempts, well, right, they say attempts, we know what that means, have been detected. Drupal rated the vulnerability as highly critical, assigning it an internal score of 23 out of 25. So they have their own scale. I guess 10 wasn't high enough. So they go to 25. So you can get really close at 23. And unfortunately it affects a wide range of Drupal versions on basically every still supported branch. There are so many I didn't enumerate them in the show notes. So I'll just urge anyone using Drupal, you know who you are, to bring whatever version you may be using up to the latest release of that branch. And I'll also note that although those not using PostgreSQL may not be immediately vulnerable, in their notes they said everybody is urged to update, since the latest security updates also include fixes for other upstream dependencies, including in Symfony and Twig. So one final point is that Drupal's advisory notes that Drupal 8 and 9 are both well past end of life. I think they're in the 10s and 11s now, with many point release branches of those...
>> Reupgated. Yeah.
>> Yeah. So, you know, as a consequence, this is so bad that they even tweaked 8 and 9, although they made the comment that, you know, we're doing this because, oops, we're really sorry, but the updates are being provided on a best effort basis only, because they will still contain other known vulnerabilities that will never be fixed. So anyone still using 8 and 9, you're doing it on borrowed time. You know, if for whatever reason you cannot move, then still update to the newest 8 and 9 to fix this, because the bad guys are out there scanning for it and they will, you know, hurt you.
Okay. In other news, Microsoft has announced that they will be phasing out the use of SMS for multifactor authentication and recount. Yes, it's amazing. And account recovery for personal Microsoft accounts.
>> Um, it's time to switch to passkeys, they're saying. And so all users will be prompted to add a passkey the next time they log into their accounts. Microsoft says that SMS is a leading source, to no one's surprise, of fraud and that it is the single most targeted vector for account takeover for accounts that have, you know, SMS as their additional factor of authentication. And what's more, of course, passkeys allow for higher speed login flows since there's no need to wait for an SMS message to arrive. It also makes for a smoother and much more secure account recovery process since users will no longer be tied to a specific phone number. Even if you weren't using SMS normally, if you need account recovery, then the only way to do that is by being able to accept an SMS message. So, interestingly, this move makes Microsoft the first major platform to completely abandon SMS for multifactor authentication. Other platforms like Google, Facebook, and Twitter are pushing their users to stronger MFA, you know, multifactor authentication alternatives, but they do still allow them to use SMS as a last resort.
Microsoft says, "Nope, no more SMS."
And I'm sure this is not Microsoft's fault. Actually, we actually know what happened. Uh, GitHub got hacked, as I said at the top of the show.
Um, a Microsoft developer, meaning, you know, Microsoft developer because, you know, they own GitHub, using their VS Code had the misfortune of installing a rogue extension from Microsoft's own VS Code extension library, which is moderated and hosted by Microsoft. The result was that all of GitHub's internal repos, more than 3,800 internal code repositories, have been exfiltrated and are now being offered for sale on a hacking forum as shown in the screenshot that I put in the show notes. GitHub says it's rotating critical secret tokens to prevent any future access to its assets.
The malicious VS Code extension was identified as NX Console. So in the show notes I had this screenshot. Thank you for putting it up.
>> I like it. It says, "Hello again, breached."
>> This is obviously a demo, a dummy account, but that's >> Yeah. So, hello again, breached. Hope everything is doing well. This is the, uh, I think it's the Breached forum on the dark web. Oh, okay. Okay. Yeah. So, so, >> so it's not a joke, it's actually the name, >> right? So, it's posted under the title internal GitHub source code and the screenshot was made right almost immediately when this posting was only 8 minutes old.
>> Wow.
>> And so, hello again breached says the poster to the audience. Hope everyone is doing well. We are here today to advise GitHub's source code and internal orgs for sale. I'm sorry, to advertise. We're here today to advertise GitHub's source code and internal orgs for sale. No lowball offers will be accepted.
Everything for the main platform is there. And I'm very happy to send samples to interested buyers to verify the absolute authenticity.
There is a total of around 4,000 repos here. Then he says, "Here is a list of all" and provides a limewire.com address. Um, and he said, "Please read these carefully to understand what the breach entails," meaning your eyes are going to bug out because it is like it is GitHub.
He said as always this is not a ransom.
We do not care about extorting GitHub.
One buyer and we shred the data on our end. It looks like our retirement is soon. So if no buyer is found, we will leak it free. In other words, they're saying if somebody is willing to purchase it, then they're making the assertion that that purchaser will be the sole owner of the source for GitHub and nobody else will get it. If they choose not to buy it, then the world will get it. And so whatever value it might have had, having been exclusively purchased by, I don't know, some big state actor maybe >> or GitHub or >> or GitHub.
>> I think that's what the real implication is. If you buy it well I'll destroy it and no one will have to >> interesting. So, and I guess you're right because they're saying it's not a ransom. Meaning sort of saying to GitHub, we're not ransoming this, but you know, >> we'll leak it if you don't buy it.
>> If you'd like to buy it, we will commit to shredding it.
>> Because honestly, what is the value of buying this to somebody? I don't >> I can see why GitHub would want to keep it quiet, but >> well, if you grabbed the source and then turned an AI bug finder loose, >> right? then, you know, you could potentially, you know, penetrate, you know, breach GitHub big time if you do it before they do it >> and, uh, and, you know, maybe have access to all kinds of other goodies.
So, the person signs off saying, "If you're interested, >> send your offers to the communications below. We are not interested in under 50K.
>> The best offer will get it."
>> Huh.
>> So, $50,000. I presume it's US 50k they wrote.
>> It's kind of speculative if you buy it.
Like you think you could make something from it, but you don't know until you >> That's why I think the real buyer here is Microsoft, is GitHub, right?
>> I bet you're right, that does >> it's worth 50K to them.
>> Yep.
>> To make sure it doesn't get leaked to the public, I would say. So, uh, >> by the way, this is why I don't know if this helps, but I'm glad GitHub has pass keys anyway because I don't they don't, you know, >> well, I guess it doesn't make any difference if >> No, I think that if there are undiscovered, unpatched flaws in GitHub's function, then we're talking about cutting through it like, you know, like butter through a hot knife.
>> I don't put anything on GitHub I don't want other people to see.
>> Ah, yes. Yeah.
>> Yeah. That's crazy. So, I titled this one To Russia With Love. Uh, Russians are continuing to use increasingly outdated software from Western publishers, uh, most of which no longer receive updates or tech support, which can be a mixed blessing, especially when the tsunami of change is coming. Somewhere around one-third of all Russian enterprises are continuing to use software acquired before 2022 when Russia invaded Ukraine. The greatest concentration of Western software is in the corporate email segment with Microsoft still holding around 50%, so around half of the Russian market, both through Exchange and Microsoft 365.
An interesting thought experiment would be to imagine that code name Mdash is turned loose internally on the Exchange and 365 code bases and uncovers a bunch of exploitable vulnerabilities.
I mean, we know it's going to at this point it's virtual certainty that that's what would happen, but Russian enterprises don't receive the benefits of these discoveries and updates because they are cut off. I would imagine that there are those within the United States intelligence community who would love to have knowledge of the things Microsoft had already found, fixed, and patched.
And really, what harm could that do? And of course, Russia is likely not alone in being a hostile foreign adversary that's continuing to use software we're in the process of fixing just as fast as we can. So anyway, uh, I just wanted to note that, uh, Russia is, you know, we're at a time now, I mean, this is exactly on point of me, uh, suggesting to everybody that there's never been a better time to turn on auto updating of anything that has internet-facing exposure that you can, so that those who are responsible will have the opportunity to get firmware patches out to those devices as soon as they are available.
>> You think we're headed towards an apocalypse, a Mythos-fueled apocalypse.
>> Yes, I I there is there can be no question. Wait till you hear what happened at Mozilla. Oh, baby.
We will get there in a second. But first, last week, um, I shared my concern over the somewhat surprising consequences of having an AI chatbot learning about me in the furtherance of the illusion that, you know, there's somebody on the other end of the conversation. Uh, and not only that it's someone on the other end, but it's someone who appears to care enough to accurately recall previously shared information.
One of the things that I forgot to say was that these observations felt so strong and so self-evident to me that, as I said at the top of the show, the only way I could imagine that someone might not be totally blown away by the capability of today's AI would be if they had never actually used it. Like they were just like AI deniers. Some people have only used it as a chatbot, and I think sometimes that doesn't give you the best >> right >> experience. So it could >> exactly, my, I feel like to use it would be to understand and be blown away by it if you really >> you know, we also know that this is a little bit of me coming late to the party, right? I wasn't sounding like this, everybody knows, six months ago. So 2 days after I shared that last Tuesday, I shared it with everybody. On Thursday, a light bulb lit up for me and Friday morning, I posed the following question to Claude. And I will say my Claude because my Claude is different than anybody else's Claude. So here's what I wrote to Claude. I said, "When I've been singing AI's praises to other people, I've sometimes been met with blank stares, as if the person I'm talking to wonders whether I've drunk the Kool-Aid." What has struck me the most is that when an AI not only answers well, but answers like an attentive friend would, speaking from a growing understanding of me, specifically me, not just some generic human, that transforms the interaction from a Q&A into a much richer conversation.
And that led me to the revelation that anyone who is just using an AI chatbot without any account may not have the benefit of that long-term history accumulation.
So, I'm writing to ask, is that completely true since browser cookies could create session continuity?
And what exactly are the differences between the use of today's AI chatbots Claude and ChatGPT with and without a paid-for account?
So, that was my question. To that prompt, Claude replied the following.
Your observation cuts right to the heart of what makes AI genuinely useful versus merely impressive in a demo. Let me break this down carefully on the cookie question. Yes, cookies create session continuity, but that's a much narrower thing than it sounds. What a cookie buys you is that returning to the same browser on the same device might reconnect you to the same open conversation. That's not memory. That's just not having closed the window yet.
The moment a browser session expires, the cookie becomes irrelevant. And there's zero synthesis happening across conversations. So cookies keep a thread alive. They don't build a relationship.
Here are the actual tiers of continuity.
No account at all. Each conversation is hermetically sealed. The model has no idea who you are, what you care about, or what you talked about five minutes ago in a different tab. Every session is a stranger introducing themselves. This is the experience most casual "I tried it once" people have had, which explains a lot of the underwhelmed reactions. Free account. This is where the gap opens up meaningfully. With a Claude account, even free, your conversations are saved. You can read them back, search them, reference them. But more importantly, both Claude and ChatGPT have memory systems that do active synthesis. They don't just archive. They extract salient facts about you and inject them into future conversations.
For Claude, what you're seeing right now in this response is a direct product of that. I know your background, your work on SpinRite and Security Now, your health interests, the DNS benchmark video project, all of it without you having to reestablish any of it. And finally, paid account. The memory mechanism itself isn't a paid-only feature for either Claude or ChatGPT.
What paid buys you is primarily higher usage limits, access to the most capable models, longer context windows and additional features like deep research or image generation. The relationship building aspect is available at the free tier.
And he and then it finishes writing.
Okay. And again, remember this is a computer. This is a thing that is producing this text, which again, it's like holy crap. And it finishes, "The asymmetry nobody talks about," writing, "Here's what I think is the underappreciated insight in what you've identified. The benefit is not linear with use. It's threshold gated. A casual user firing off three questions once a week gets almost nothing from memory because there's not enough signal to synthesize. Someone like you who uses it heavily and across domains gets a compounding return. Each conversation adds fidelity to the model's understanding of your context, vocabulary, priorities, and working style. The person giving you a blank stare has probably only ever experienced the stateless version, which genuinely is just a fancy search box." The analogy that might resonate for your audience.
It's the difference between calling a business's general support line versus having a long-term relationship with a specific person there who knows your account history, your preferences, and how you think. Same underlying capability, completely different experience.
So, I'm astonished that we have technology that's able to answer my question like that. But I wanted to share it because to those listening who have not already figured out what Leo and I are so enraptured about, if your experience to date has been limited to anonymously asking ChatGPT or Claude a question from time to time like any other search engine, what I learned
>> We should both be drinking that AI Kool-Aid right there. Go ahead.
>> What I learned is that it is not necessary to pay anything to experience what happens over time, which actually is very clever, right? Because they're setting the hook. You know, a free account is sufficient, but it is necessary to create that unpaid free account, which will allow the AI to get to know you, which it cannot otherwise do. I believe you'll see that it becomes transformative and, as I noted last week, somewhat worrisomely seductive.
Some of us have spent many many many many hours developing memory for our AI.
And in fact, that's what agentic AI really is all about is a memory of previous interactions kind of accumulating. And I'll give you an example right now, Steve. It's funny that you should mention this because uh earlier today I asked, should I buy SpaceX stock? And my uh agent, this is of my Hermes agent, said uh your own words, boss, stay away. that's what you told me to put in memory and nothing in the news changes that. If anything, it reinforces it. Now, that's good cuz I did in fact uh at at one point say, you know, let me know if uh when this when the IPO happens cuz I I want to make sure I don't have any. And then it said then I said to it, oh, you're so smart.
And then it says, funny how that happens when I'm just parroting your own good decisions back at you. But thank you. I'll take the compliment.
So the personality also has something to do with it. But that's the thing that is probably more a seductive issue and perhaps not having anything to do with intelligence. I do think memory is very very important.
>> Oh my god. One of the other things I'm appreciating is, um, for example, as I'm working with Claude setting up this new Hyper-V-based, you know, multi-VM server, um, I will make a point of, for example, telling it the name I used for one of my VMs because then it knows what I named it. Or I defined three virtual NICs on the Hyper-V, uh, supervisor, or the hypervisor, gave it the names, then it just automatically was using those names as we were going through the configuration. It knew what to call them because I took the time to give it that information. I didn't have to, but I'm growing to understand how to use this amazing memory alpha system. Yeah.
>> That we have.
>> Yeah.
>> I actually have three memory systems running now on my agent, uh, to do a variety of different, uh, memory: short-term, long-term, and then semantic memory, so that if I ask it a question it can then query a database, a SQLite database, and say what have we said about this in the past. Because really, all of it is simulated. It has no memory. I mean, that's the thing that's important to remember. It's like, you know, a new >> well, it has no understanding >> yeah, but also the memory comes because when you first load it, the first thing it does is go out and look at the memory files and go, "Oh, yeah, yeah, yeah. Okay."
>> Well, it has memory like the guy in Memento had memory because he had post-it notes everywhere, right?
>> Except that also um in Claude, >> uh I do switch to a previous chat when I want to when when I want to continue that >> remember sessions. That's right. Yes.
>> Yes. It has session memory. Absolutely.
Yeah. Yeah. But as soon as you start a new session, >> right, it's it's all gone. And unless you have some sort of mechanism, which we both do uh for it to remember previous stuff. That's how it knew that I said never let me buy any SpaceX stock.
>> Well, and again, so my takeaway for our skeptical listeners is, first of all, I >> and there are a lot of them. Yes, I completely understand skepticism. I honor it. You're welcome to it. Your skepticism doesn't hurt me at all. So skeptic away, but if, again, you're wondering maybe, like, what you're missing, or literally is there, you know, a tank of Kool-Aid perched behind me that I've, you know, actually been drinking instead of coffee during these breaks.
>> It's delicious, isn't it?
>> It is. It is. It is transformative when this knowledge of you, I mean, and again, I have things to do. I'm busy. I'm doing work. So it's useful to me because I'm not sitting around on the veranda, you know, reading news. And so you have to have something that you need to work with it on in order for that to start to happen. But again, you don't have to pay anything. You do have to create a free account. I would urge anybody who still doesn't think that this is real to just try that. I cannot imagine that you could come away not being amazed.
And Leo, we're at an hour and a half in.
Uh let's take a break. Uh we have one left after that uh before our main topic, but then I want to talk about a show that Lori and I watched since it was its release on Thursday on Netflix.
Just uh touch on it for >> always interested in stuff like that >> and then we have a bit of feedback.
>> Good. All right. But before all that, uh, let's talk about our sponsor for this segment on Security Now, Trusted Tech.
If you are managing Microsoft 365 for your company, that's a big job. I know you're responsible for, well, both the cost and whether it's set up correctly, and I hope, you know, you probably do that. But on July 1st Microsoft's going to raise prices, so now any mistakes in your licensing are about to get more expensive. Most companies using Microsoft 365 are either overlicensed, paying for unused seats and features, it's very easy to do, or underlicensed, creating compliance and security risks. And sometimes it's both. One department's got too much, one's got too little. But the bottom line is wasting thousands or tens of thousands a year on tools your team doesn't use. Or, I don't know, this might even be worse, missing critical security features you thought you had, you thought you were paying for. Trusted Tech understands this. They can help businesses understand what they have, what they actually need, and, really important right now, how to lock in the right setup before those costs go up.
Trusted Tech Team ensures your M365 environment is well supported and aligned with how your business actually operates. And that's one, you know, the licensing business, one part of their business, but also they do great certified support services. So, Trusted Tech also offers reactive support for your Microsoft environment through those certified support services. They do both. Microsoft licensing could be challenging. It's always changing. You got E3 versus E5 versus Business Premium add-ons, the new E7.
It's confusing and it's easy to misconfigure and overpay. And licensing mistakes again don't just cost money.
They can create compliance exposure that's going to get more expensive after July 1st. Look, even if you think your license is dialed in, it's worth a second look. It's worth going to some experts, people. This is what they do day in day out. They understand it. They know it, and they can really help you tune it. It's just like it's getting a second opinion. And and if you want an opinion, ask Kevin Turner, former Microsoft COO.
I mean, who better to ask about this?
This is what he said. He was talking to Trusted Tech. He said, "You guys have an incredible customer reputation. You have to earn that every single day. The relentless focus you guys have on taking care of customers gives them value and differentiates you in the marketplace."
He was talking about Trusted Tech. Look, after July 1st, you're stuck paying more. This is the last chance. I mean, that's like a month and a week away.
This is your last chance to fix your licensing before the costs go up. The clock's ticking. Trusted Tech right now is offering free Microsoft 365 licensing consultations. Visit trustedtech.team/securitynow365 and get a clear data-backed view of your current licenses, what you're wasting, and how to lock in savings before the price increase. Go to trustedtech.team/securitynow365 and submit a form to get in contact with Trusted Tech's Microsoft licensing engineers. The clock's ticking. Do it now.
trustedtech.team/securitynow365.
We thank them so much for supporting Steve and the work he's doing at Security Now. Steve. Okay. So, uh, this is just sort of a heads up to people who, uh, are looking for something to watch. Uh, Time magazine, uh, covered this saying Netflix's The Boroughs is Stranger Things Senior. Uh, they said backed by the creators who brought us The Upside Down, Netflix's newest sci-fi horror series features an all-star cast of senior citizens. Okay, so first of all, let me say I'm not a huge fan of horror, which to me generally feels gratuitous, but that's not at all how I would describe The Boroughs. Um, so if you don't like horror, don't let that put you off because there's nothing horrific at all.
Um, IMDb gives it a seven and a half out of 10. Uh, the majority of people are giving it an eight and the second highest number is a 10 out of 10. So a lot of people are liking it. Uh, all eight episodes became available last Thursday. Uh, presumably time for binge watching over the long Memorial Day weekend. Uh, and I had run across a tease of it months before, stuck it on my calendar. So I was, you know, looking for it. Uh, so my wife and I, uh, Lori, sat down and began watching it. Um, they do a little immediate reveal, I think, because they realized it has a little bit of a slow start. Uh, I was a little worried about it until I got to the end of the second episode. It was like, come on, is it what, you know, okay, fine. We were spending a little too much time, uh, looking at it. The whole thing is set in an old folks community, you know, putting the old folks.
>> It is senior.
>> It is senior. Yes. Stranger Things senior, but uh I I enjoyed it. And there it there definitely has a theme and a concept and uh it holds together nicely.
>> Oh, so The Boroughs is like a retirement home.
>> Yes. Out in some random desert somewhere. Um and and we spend a little more time on, you know, senior infirmity than I think we need to, but uh uh and uh a great >> Do you think this is aimed at seniors?
Oh, it's Alfred Molina. I love him. Is this aimed at seniors or is it aimed at kids making fun of >> it? It's aimed at everybody. Uh, it's just, you know, sort of the nature of the >> Davis is in this. Oh, and Alfre Woodard. Great cast.
>> It's got a really good cast.
>> Yeah.
>> So, and you can see there a picture of a weird >> in the oven >> claw thing. Yeah. So, it's uh it's uh I I think it's worthwhile for people who I I wouldn't say go subscribe to Netflix, but if you've got Netflix, you probably want to check it out. And you have to be a little patient. Give it the first two episodes. I mean, you need to watch them, but uh by that by the end of the second episode, I think you'll be pretty hooked.
>> Okay, now I'm interested. I love Geena Davis.
>> Yeah. And she's got a good part.
>> She's great. And Alfred Molina is great.
Oh, this will be fun.
>> Yeah.
>> Alfre Woodard is great. And it's the Duffer brothers.
>> Yep, it is.
>> Yeah. Okay.
>> Okay. And there's a guy in a coffin.
Okay. Sitting up.
>> So, be careful not to expose yourself to too much. Okay, I'm going to stop right here.
>> It it is you uh you definitely uh could get spoiled, but there are some great moments and uh and there is an interesting, you know, sort of like broad concept that uh so that that holds.
>> Yeah.
>> Good.
>> Uh okay. So, uh Oh, and you're not left hanging. So, by the end of episode 8, you get closure. They tease a little bit to there maybe another season, but if so, uh you're not like left waiting. So, >> Okay. Okay.
>> Uh, a listener of ours, Dale, whose name on his posting, or his email to me, was Dale LTL. Uh, we'll see why in a second, but he said, "I want to share an interesting piece of," or no, I'm saying I want to share an interesting piece of feedback. Uh, he's a longtime listener and a follower. Um, it touches on something we've talked about several times relative to the way some future local AI agent might always be looking over the shoulders of computer users, I believe to tremendous advantage.
I mean I am sure this is one of the ways AI is going to manifest. Um, I cannot overstate the value and importance I see for having that eventually. Um, chatting with an AI that grows to know you is already of inestimable value. So, we already have that and that capability is only going to grow to become more useful over time.
But as I have repeatedly observed here, the overwhelming demonstrated strength of the range of ClickFix attacks, which as we know is the number one attack technique now in the world, where users blindly I mean it the the the number of those is greater than all other attacks combined where users blindly follow on-screen instructions.
which they do not understand that lead them to paste malicious command streams into their PCs.
It serves to demonstrate that today's PC users have very little understanding of the way their machines work.
>> I mean, and you can't blame them. These things have gotten ridiculously complex.
I mean, have you looked at PowerShell on Windows? It's like, holy, what what? So, that's that shows no sign of changing.
It's not as if users are suddenly going to start reading the manual. That's not going to happen. In fact, they're probably going to use AI to distance themselves even further.
But what could change is adding the ability to the PC operating system and/or its web browsers to proactively prevent their users from self-inflicting harm.
Okay. However, notice that I specifically said future local AI because these services when they exist in the future will need to cost nothing.
They'll need to be part of the OS or the browser and be able to run on the local machine's AI engine. It's pretty clear to me that future PCs and smartphones will combine local with cloud-based AI and future computing engines will have some sort of, we can call it a neural processing engine, just as, you know, part of its capabilities. Okay, so here's what our listener Dale shared. He wrote, "I very much enjoyed your last podcast admitting to offering your thanks to your AI of choice. I also thank Google Gemini, my current AI of choice, at least until it becomes another killed-by-Google project. I would like to offer a way of using AI that I haven't heard anyone speak about.
Determining whether or not an email is phishing.
My wife and I have several websites and corresponding social accounts online.
Mine is mostly YouTube with almost 12,000 subscriptions and hers is mostly Facebook and Instagram to boost her real world sales. As such, we get a huge amount of spam and phishing emails collectively. I've attached a screenshot of a recent scary email my wife received through her business email. It doesn't have any of the obvious spam/phishing email indicators like an email address of, you know, random letters and numbers at scammingyou.com.
Um, and so Dale attached the image of the email, but since it contained identifying information, I've just reproduced the relevant text to give everyone a sense for it. So, here's what this email that his wife received says. It says, "We're contacting you regarding content associated with your account that has been identified during a recent intellectual property verification process. Our review indicates that certain materials may contain copyrighted content protected under United States law, including the Digital Millennium Copyright Act, DMCA.
These materials may have been published or shared without documented authorization from the Applicable Rights Holder. To assist with your review, we've attached a document containing the relevant content references and supporting information. Then there's a PDF icon and a link with the text evidence of copyright infringement. PDF.
It goes on, we kindly ask that you review the attached file and verify whether the referenced materials are being used with proper authorization. If necessary, please update, remove, or restrict access to the identified content across websites, social media platforms, and other distribution channels.
Okay. Well, as we know, AI can now be employed to write highly convincing English. And you know, we've been expecting to see an increase in the apparent veracity of spam.
This is likely an example of that. I mean, this reads as very well written, very authoritative. I mean, we know in advance, right, that it's spam, but if you received this and if you were a person with, like, a website and lots of content, there's nothing obvious that tips this as being bogus. So, you know, I have to say that anyone who didn't have their guard up could be excused for falling for this. And even for someone who was being cautious, you know, it evidences none of the common telltale signs we've all been comfortably able to use until now to quickly identify junk email. Dale's note continues. He wrote, "So I asked Gemini. My prompt was: email of copyright content from Shady Records. Email says from noreply@appsheet.com. Legit or phishing? Gemini replied with, quote, this is 100% a phishing scam.
Do not click any links, download any attachments or reply to the email.
>> Good.
>> Here is exactly what is happening, writes Gemini, and why it looks so convincing. First, the legitimate sender address, noreply@appsheet.com.
Gemini says AppSheet is a legitimate no-code application development platform owned by Google. Cyber criminals have figured out a loophole where they can create a throwaway app on the platform and use its automated workflows to send emails. Because the email physically originates from Google's infrastructure, it easily passes security checks like SPF, DKIM, and DMARC and lands directly in your main inbox instead of your spam folder. While the email address noreply@appsheet.com is real, the content inside it was written by a scammer. Two, the Shady Records scare tactic. Scammers frequently use urgent legal threats like copyright, trademark, or intellectual property violations to trigger panic.
They want you to act quickly without thinking, so you'll click their link to quote view the evidence unquote or quote dispute the claim unquote. If you click the link provided in that email, it will likely lead to a fake login page designed to steal your credentials, a malicious download like a zip or doc file that can infect your system with malware.
And then he he he he finishes writing.
Dale does says, "So after fussing at Gemini for parent company Google, knowing about this and doing nothing about it," he says, "I followed up with a heartfelt thank you, Gemini. I also have no doubts that the PDF link was hotwired to a nasty little payload and I'm glad we didn't get it. Thank you."
And then then he says to us, "Thank you for all you do, Mr. Steve and Mr. Leo.
Been a fan since early 2000s. Call for help and the tech guy on my 12 foot mesh satellite dish.
>> Oh, signed off Dale, Low Tech Linux at uh Tech Linux everywhere, openSUSE Tumbleweed KDE Plasma fanboy.
>> Nice. So Dale was clearly annoyed that Google allowed this crap to be generated and sent from their own domain while their own Gemini AI knew all about it in detail. It's like oh yeah our service is being abused like that and this is an example of it.
So the good news is more broadly I think another huge aspect of our lives which AI has the promise to improve are all those aspects of phishing and spoofing and generally unwanted conduct which bad guys have been getting away with for the past several decades. I think that the widespread use of AI agency for crime prevention is going to be one of for cyber crime prevention, one of the biggest things that's yet to happen.
And given the speed at which all this is moving, we may not have long to wait.
>> That's a really good tip to pass it through to an AI and have it examine it.
>> Yes, good.
>> Why don't we have AI right now doing that?
>> Yeah, it should be. Well, there are plenty of companies offering this kind of uh scanning. Yeah. Yeah. This is a very hot area right now.
>> Okay. So, we're going to talk about our main topic, vulnerability debt repayment. Uh we're a little early for our final, but let's take our final break and then I'm going to talk about uh Firefox 151 and what I learned from their announcement update. Somebody is pointing out, and I think this is true, that probably all of the LLMs have been trained on all 10,080 episodes of Security Now. So, they at least know that much. They've learned everything you can possibly learn from this show.
Uh, you know, from day one, we've, uh, long before we we even considered AI might ingest our content, we've made our content creative commons, uh, and allowed people to, uh, you know, ingest it and encourage that. Uh be and I'm glad, you know, I think that's really great. I'm glad that there's hundreds of thousands of hours of uh great uh some of it dated technology information uh on the on our uh on our pages. Let's talk about our sponsor and then we'll talk about vulnerability debt repayment.
I'm dying to know what that means. Steve will explain. But first, a word from XBOW. X-B-O-W, like bow and arrow, right? XBOW. AI has changed the pace, we were just talking about this, of everything from how fast software gets developed to how quickly it gets attacked and engineering teams are moving faster than ever, creating more and more applications, but security has not been able to keep up.
This is exactly what we were just talking about. Pentesting is still one of the most trusted ways to understand real exploitable risk. The problem is in an AI-driven world with everything happening so fast, pentesting can be a bottleneck. Security teams are forced to choose between slowing down development to stay secure or moving fast and accepting that there, you know, they're going to be gaps in coverage.
They don't have to be because XBOW eliminates that trade-off. XBOW. This is exactly what we were just talking about, Steve. Is an autonomous offensive security platform that runs continuous AI-driven pen testing at the speed of AI, mirroring real world attacks, hammering on your vulnerabilities. XBOW doesn't just scan for vulnerabilities, it discovers, it exploits, and it validates them. So, so you know you're only dealing with issues that actually matter. Real exploits.
That means dramatically fewer false positives because we humans, you know, we don't want to waste time, right? And a clear view into real attack paths.
This is exactly the kind of pentesting everybody needs. With XBOW, tests run in hours, not weeks. You get complete visibility into how an attacker would move through your systems and the ability to uncover issues the traditional tools miss, including zero days and novel attack paths. XBOW's results speak for themselves. Just ask the application security lead at saysnam.cz.
He says, "Even right now, after a year, I don't know any other company that is at least close to XBOW in terms of agentic pen testing." They've pioneered this. They're the They're the leaders here. The result, predictable cost, consistent quality, and stronger security without slowing down your engineers.
XBOW helps security teams keep pace with innovation and cover more apps more often with the resources they already have. xbow.com.
And uh you know, the heritage of this company is pretty impressive. It was founded by the team behind Microsoft Copilot. It's already trusted by companies ranging from fast growing startups to Fortune 500 enterprises.
You're probably already seeing articles and news about XBOW. They're quickly becoming a mission-critical layer in modern security stacks. So to keep up with the speed of vulnerabilities, you need the speed of AI pentesting from XBOW. Go to xbow.com to start a pentest today. That's xbow.com.
I didn't plan it, but that's exactly what we were talking about, Stephen.
This is exactly the way it's going to have to be solved, right? The speed of AI hitting these vulnerabilities as fast as they can be discovered. Well, and we have a perfect case in point. When I fired up my PC and then Firefox 151, I was greeted with a your Firefox has been updated notice with a bunch of new features being called out. The top of the new stuff list was their promotion of Firefox's newish VPN feature as a means of geo relocating its users. Under the banner of your VPN has places to be, we're told, "Our free built-in VPN now lets you set your browsing location, giving you more privacy and control when you're away from home or office." Now, I'm just sharing that because I thought that was interesting and I knew that that would be of interest to our listeners. I understand Mozilla's motivation for promoting Firefox's new free VPN as an easy to use geo relocation capability, but at the same time, I was also taken a bit aback since VPNs are already in the crosshairs of politicians um who have been rattling their sabers over the idea of and we're not sure how, but somehow preventing their use and even outlawing them for accessing age restricted websites. Now again, how exactly that's going to work, no one knows. So this seems like needlessly rubbing our politicians' faces in the issue to make a point of saying, "Oh, look, you get to choose from a drop-down list, Canada, France, Germany, the UK, or the US." But okay, you know, making geo relocation much easier and more accessible promises to increase its use, right?
uh and make its issue unfortunately even more prominent. So anyway, since any attempt to curtail VPN use is going to create another big mess, uh it would be nice if we could just kind of let this one slide by. But on the same page was another section titled a new era of Firefox security with the note, Firefox used advanced AI to uncover and fix hundreds of hidden security vulnerabilities before they could become threats.
Now, that note linked to a Mozilla post made last Thursday with the great title, "The zero days are numbered."
Love that. What we learned from Mozilla is kind of amazing. They write, "Since February, the Firefox team has been working around the clock using Frontier AI models to find and fix latent security vulnerabilities in the browser.
We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security sensitive bugs in Firefox 148.
Okay, now let's just pause for a moment.
They used Opus, Anthropic's Opus 4.6, to and gave it Firefox's source and it found identified 22 security sensitive bugs in Fire and which and it fixed in Firefox 148.
Okay. Opus 4.6.
They continue as part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos preview to Firefox. Okay. Now, this is the same Firefox which a couple of months before had found 22 vulnerabilities.
Looked clean then, right? Problem solved.
They wrote, "This week's release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation."
They write, "As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus." For a hardened target, just one such bug would have been red alert in 2025.
and so many at once makes you stop to wonder whether it's even possible to keep up.
Our experience is a hopeful one for teams who shake off the vertigo and get to work. You may need to reprioritize everything else to bring relentless and single-minded focus to the task, but there is light at the end of the tunnel.
We are extremely proud of how our team rose to meet this challenge and others will too. Our work is not finished, but we've turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win decisively.
Okay, there's there is so much here, but the phrase that caught my attention was you may need to reprioritize everything else to bring relentless and single-minded focus to the task.
This is very interesting because what we've been hearing more broadly and with generalization was that the arrival of this new vulnerability capabil vulnerability discovery capability was likely to stun development teams who would be thrown from complacency into overdrive and overtime.
Mozilla continues writing, "Until now, the industry has largely fought security to a draw. Vendors of critical internet exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe. Nevertheless, we've all long quietly acknowledged that bringing exploits to zero was an unrealistic goal. Instead, we aim to make them so expensive that only actors with functionally unlimited budgets can afford them and that the cost of burning such an expensive asset disincentivizes those actors against their casual use.
This is because security to date has been offensively dominant. The attack surface is not infinite, but it's large enough to be difficult to defend comprehensively with the tools we've had available. This gives attackers an asymmetric advantage since they only need to find one in the armor. We use defense in depth to apply multiple layers of overlapping defenses, but no layer is bulletproof. Firefox runs each website in a separate process sandbox, but attackers try to combine bugs in the rendering code with bugs in the sandbox to escape to a more privileged context.
We've led the industry in building and adopting Rust. But we still cannot afford to stop everything to rewrite decades of C++ code, especially since Rust only mitigates certain very common classes of vulnerabilities.
We pair defense-in-depth engineering with an internal red team tasked with staying on the leading edge of automated analysis techniques. Until recently, these have largely been dynamic analysis techniques like fuzzing. Fuzzing is quite fruitful in practice, but some parts of the code are harder to fuzz than others, leading to uneven coverage.
Elite security researchers find bugs that fuzzers cannot, largely by reasoning through the source code. This is effective but time-consuming and bottlenecked on scarce human expertise.
Here it is. Listen to this. Computers were completely incapable of doing this a few months ago and now they excel at it.
Wow. We have many years of experience picking apart the work of the world's best security researchers and Mythos preview is every bit as capable. So far we have found no category or complexity of vulnerability that humans can find that this model cannot.
This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine discoverable and human discoverable bugs favors the attacker who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.
Encouragingly, we also have not encountered any bugs that could not have been found by an elite human researcher.
Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension. But we don't think so.
Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex but not arbitrarily complex.
Defects are finite and we are entering a world where we can finally find them all.
And all I have to say here is wow. I hope everyone understands how much it means for Mozilla to be feeling the way they obviously do after their close encounter with Mythos.
Firefox is already hyper secure. I mean its security is its byword. It it it is about security.
271 previously unknown vulnerabilities discovered during their initial evaluation. And this is in Firefox's deeply scrutinized codebase, which so far as they knew had not a single vulnerability. I think this is the most significant statement made from the front lines of the security battle that we have seen to date. No one should make the mistake of assuming that Anthropic's Mythos preview has some magic fairy dust that no one else has. There's no reason to believe that anyone has magic fairy dust or that it's even possible to have it. This is why I think the whole idea of regulating AI is a fool's errand.
It's the politicians' knee-jerk reaction to change and it could not be more wrongheaded. We've often noted that it's not possible to regulate the use of cryptography since the knowledge of it has previously escaped. There's no longer any mystery about how to do crypto. Exactly the same is true of large language model technology. It's spread all over YouTube. It's all over GitHub. It's already everywhere. At this point, all we can do is be as prepared as possible for whatever comes next. And Mozilla's statement of optimism contains what I was hoping and expecting to hear.
They clearly understand that this new tool has for the first time ever given them a true advantage over the bad guys.
They alone decide when to release new code to their user base. Nothing forces them to do that. This means that now armed with AI enabled pre-release vulnerability discovery, no discoverable vulnerabilities ever again need to be released to the public.
I want to highlight another aspect of this just to put a fine point on it.
Mozilla wrote, "Computers were completely incapable of doing this a few months ago and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers and Mythos preview is every bit as capable. So far we have found no category or complexity of vulnerability that humans can find that this model cannot."
So again, so far we have found no category or complexity of vulnerability that we can find that this model cannot.
Now I understand that this is attempting to prove a negative, right? This does not say that there is no category or complexity of vulnerability that a human could find that the Claude Mythos preview cannot. Only that so far they've never found one. All by itself, that's a hugely significant statement. But what's also significant is that this is not Anthropic saying this about their own marketing.
Right.
>> Right.
>> This statement from Mozilla, this is this it's a from Mozilla about Firefox is as much from the front lines of mission-critical vulnerability discovery as it gets.
>> You know what's interesting about this?
The other capability that's really key with Mythos, we're getting back to memory is that it is able, it has such a large context apparently. We don't know the details. We haven't seen the system card, but it's clear from the output because it can chain exploits. And the thing that's been holding previous models back is they could come up with individual exploits, but they didn't have sufficient context to say, okay, now I got this, then what? Then what?
and they're able by that means it has enough memory and enough context to chain those exploits and I think that's one of the key capabilities of Mythos, just reading between the lines a little bit.
>> Right.
>> It's very interesting.
>> So for what it's worth, six weeks ago during our April 14th podcast number 1074 I noted that my first working title for that podcast was Mythos: Marketing or Mayhem, but once I brought myself up to speed it was obvious to me that this was not marketing hype despite what jaded cynics who were claiming without ever taking the time to inform their opinions with facts. You know, it was like, ah, well, they're about to have an IPO, blah, blah, blah. Anyway, once I understood it, the podcast got the title, What Mythos Means. And now just a scant six weeks later, we're seeing the consequences of its application in one of the places it matters most, in a modern web browser.
So, is it going to be a tsunami? There's something I see missing from some of the public disclosure over automated AI vulnerability discovery, like this guy from Cisco, for example. at the end of that recent posting by the Cisco guy about the strain AI vulnerability discovery is placing on the aging CVE system, right? Uh uh we all remember what I said. I I I I'm repeating it here for some reason. You know that that you know uh he was saying that they chose not to release it publicly. uh 27 years of remarkable achievement in the CVE system, but uh you know we it's going to be completely overwhelmed and wiped away. You know, we need something completely different.
But Mozilla turned Mythos loose on their Firefox code base and yes uncovered 271 previously completely unknown or unsuspected vulnerabilities.
This blew their minds, but they recovered from what they described as the vertigo that this introduced, brewed fresh pots of coffee, called called their significant others to explain that they would be working late and early, and got to work. Once they had caught up with Mythos, they shipped Firefox 150 with those newly discovered problems all resolved. So, here's my point.
What's going to happen now? The next time they turn Mythos loose on Firefox's codebase, perhaps a big nothing. Maybe something, but it won't be much. It's not as if those 271 vulnerabilities will need to be rediscovered each time. There were hundreds of previously unknown problems with Firefox's code base, which it had acquired over its entire lifetime. All of those are gone now. And while mistakes and regressions can happen, they're not going to suddenly come back overnight.
The way to phrase this is to say that Mozilla's Firefox codebase had a previously unrealized large amount of technical debt to repay.
The Claude Mythos preview revealed the exact nature of that debt to which the Mozilla team having recovered from the shock got down to the work of repaying those years of debt. And now they have the ledger is balanced and all they need to do now going forward is deal with whatever occasional mistake they might make with prudent use of AI to check their work. They might never ship anything again with a discoverable vulnerability.
As the guy from Mozilla himself said, a zero flaws future is now possible.
Uh we know that Microsoft must now be facing an even more daunting challenge since their code base is far more massive, just as old and seemingly less well-maintained than Mozilla's. The fact that every single month sees a hundred or so bugs resolved in Windows and Microsoft's other software suggests to me that they are likely facing a great many thousands, tens of thousands of newly discovered problems. We know that thanks to their early access to Anthropic's Project Glasswing, they had access to Claude's Mythos preview and also to their perhaps even dramatically more powerful code name Mdash system.
Can you imagine what a catastrophic disaster they must be discovering for themselves? They shared the critical vulnerabilities discovered and resolved in the first and most obvious place they looked, which was Windows' TCP/IP networking stack, a critical component that likely received a lot of prior attention. As far as they knew, just like Firefox, they thought the TCP/IP stack was bulletproof, problem free, four critical, remotely exploitable problems found. So those networking stack bugs which were somewhat obscure.
I mean like I worried do I have a problem because I'm using Windows Server? No, I'm not using any of the weird stuff that you know the edge cases that that that could have leveraged. And but even so they were all zapped two weeks ago with this much this month's patch cycle. So they too are gone and put to rest. There's no doubt that Microsoft would have immediately aimed code name Mdash at it at its next target, whatever that is. I'm sure that's what they're doing right now and that they got to work. And here's the interesting bit of psychology that's at play. As a developer in charge of security, as long as you do not know that there are any problems, you get to sleep soundly through the night. But once you've been handed an extensive list of vulnerabilities and realize that the software you believed was secure is actually and provably Swiss cheese, it will be quite difficult to get any sleep until every one of those problems has been resolved because any one of them could be exploited at any moment. The source of all this angst is the awareness that especially for an open-source project like Firefox or Linux or Chrome with Chromium and to some degree Android, the bad guys also have the same access to the same code.
And if they do not yet have vulnerability discovery tools of equal strength and power, we can be absolutely certain that they're working as hard and fast as they can to develop them. So there's an almost there's almost a certainty um of a very limited window of opportunity to get those problems resolved to push updates out into the field and into users hands so that the flaws are pushed out of their hands before malicious actors have the chance to attack. So the bottom line is LLM technology has already driven a massive change in the practice of software security almost overnight.
It has revealed the size of the software security debt which many of us adjacent to the industry have long sensed with a dull ache. And we are now in the midst of an industrywide rush to pay that debt down, using LLM technology to locate and repair each and every problem before it can be used against us by others who will doubtless be attempting to leverage the same technology against us. But the crucial point to appreciate is that this will be a transient event. Once that debt has been repaid, just as Mozilla did, the entire industry will again settle down to a new hopefully boring norm with the world never being the way it has always been until now. It will never again be the same because our software will finally be working the way we always intended and hoped it was. It was just too complex and thus too expensive to make perfect. That's what has been forever changed. As Mozilla themselves explained, LLM technology dramatically reduces the cost of problem discovery. This means that we can and will now afford to fix and will find and then fix all of the longstanding problems. And we must afford it since it will soon be just as inexpensive for the bad guys to find and abuse any problems that remain. Everyone listening to this podcast has heard me use the analogy of a sponge to describe our industry's somewhat sad state of software security.
I've said that that that all of the objective evidence shows that security is porous and that the more pressure that's put toward penetrating that security, the more penetration will occur. The application of this new LLM technology will finally put this analogy to rest. Other non-software vulnerability problems will certainly remain. Spoofing and phishing and social engineering attacks will not go away or at least they will require a different form of AI aided remediation which I spoke about before. But the exploitation of vulnerable software finally has the chance to come to a well-deserved end. We are entering, we are in a new era.
>> And I love this notion that it isn't going to be this way forever. We are eventually going to perfect this stuff.
>> Firefox is fixed, Leo. It's done. It's fixed.
>> Really?
>> Yeah.
>> Wow. And I think the cho I mean admittedly as they said Rust doesn't fix everything but the choice of tools that don't allow buffer overflows and some of the dumber obvious mistakes the you know type miscasting and stuff will really help as well right we're going to use better tools now. So, so c certainly uh you know engineering using prudent uh known uh systems is a good thing but as they said we've got decades of C++ we can't rewrite it there's just too much there so they turned Mythos loose on it and it said uh guys you know uh here's 271 problems I'm sure they fell off their chairs I mean they thought they thought there was it fine. They like no problems. We we we shipped out 148. We fixed 22 things that Opus 4.6 found. We shipped out 149. Fixed a few more things. Then along comes Mythos and wham, 271.
>> It is amazing. It is amazing.
>> And and if in fact Microsoft has further advanced the state-of-the-art. Sounds to me based on what we talked about last week that code name Mdash and I hope they give it a good name. I don't care what they call it, but just not don't make me say code name Mdash every time.
>> Ethos is a good name. It's a little >> It's a great name. That's wonderful.
>> Maybe Microsoft call it Zeus or something.
>> And so far daybreak is just a daydream.
>> Yeah.
>> So, you know, it's like, oh, OpenAI caught got caught with their AI pants down. But
>> I think what's really going to happen by the end of this year is that all the frontier models will be good enough to do this kind of stuff. Yeah. And so then it won't be anything special. It'll just
>> at the rate we are running uh and the amount of resources that are being poured into this uh it it's going to be astonishing. But this really th this is the thing that has the chance to end software vulnerabilities. That won't that doesn't mean you can't leave a management port open on your on your
>> still human error. Yes.
>> There's also still things like Rowhammer, right? There's hardware flaws that cannot be fixed. Yeah.
>> Absolutely. So, this is just it's not not like we need to say, okay, well, we did the Security Now podcast until there was no more problems.
>> No, we'll still be doing the show.
>> We got plenty left to do. But it but it won't be like some random buffer overflow or an authentication bypass where you do something the developer never expected and you know cause a a problem somewhere, flip some state and then inject a file and now you're in
>> that's an important distinction because uh when we first were talking about Mythos uh that was right about the same time that the Claude uh source code got accidentally released and Paris said well wait a minute if Mythos is so good.
How come that happened? They said, "Well, you can't fix stupid. I mean, you got you're going to still have humans in the loop." Uh, there's nothing that Mythos can do about that, unfortunately.
Uh, really good stuff as always, Steve.
I love this show. We look forward to it every Tuesday. I know all the geeks are going, "Yep, Tuesday's here. It's time for Steve." Uh, we do the show Security Now every Tuesday round about right after MacBreak Weekly. So that's right around about 1:30 Pacific, 4:30 p.m. uh East Coast time, 20:30 UTC. We do stream it live if you want to really be get the latest, freshest version if you're in the club, and I hope you are because the club supports this uh effort. We have advertising. Yeah, but it doesn't cover all the costs. Only about 70% of the cost, maybe less. So it's very important to us that people join the club and support us. Uh if you're not a member, please twit.tv/clubtwit. Members uh are in the Discord right now. They can watch in the Discord. You can chat with us in the Discord. Uh that's one of the benefits you get out of free versions of the shows as well. And you won't get this plug either. Uh if you are not in the club, there are still live streams you can watch because I'm not a big paywall kind of guy. I I you know, as much as possible, we want to make sure everything is available to everybody for free. Uh it's just we we ask if you like it to support it if you can, if you can afford it. Uh we stream this on YouTube, Twitch, x.com, Facebook, LinkedIn, and Kick. After the fact, uh there are on demand versions of the show because it is after all a podcast. Steve's got uh unique versions of the show at his website, grc.com. He's got a a 16 kilobit audio version. Doesn't sound great, but is small, 64 kilobit. That's full audio fidelity. He also has transcripts written by an actual human, Elaine Farris. Those take a few days after the show, but they are really good and they are very detailed. A great way to read along or to search. Uh he also makes his show notes available, 20 pages, 22 pages usually of uh all the all the stuff we talk about, links, images, everything. Uh those are all at grc.com.
Now, if you want to get the show notes ahead of time, Steve usually mails them out on a Sunday or a Monday. Uh go to grc.com/email.
Give Steve your email address. That does two things. Remember I said earlier in the show that if you wanted to send Steve pictures of the week, you could do that. This is how. grc.com/email.
Give them your email address. Once he whitelists it, you can send him email.
Uh, and then at the bottom below that, there are two boxes unchecked for those newsletters. One is the show notes. The other is just an announcement newsletter that goes out never when Steve has very rarely when Steve has new software. His software though really is something you want to keep up on. uh SpinRite, which has been around for how many 20-some years now, right?
>> Long time.
>> No, way before the podcast since uh late 80s.
>> So 89.
>> Let's put it this way.
>> It was so good that uh Norton copied it >> because uh after he couldn't after Yeah.
I declined to let to sell it to him. So he said, "Okay." And he sent a coder home with a copy.
>> Wasn't as good. Wasn't as good. Wasn't as good. Uh so, but it of course been much updated since then. In fact, version 6.1 is really amazing. Uh that's available at grc.com as well as the DNS Benchmark Pro which allows you to figure out which DNS server is best for your particular situation. It's different for everybody. It's a very useful tool. It's only $9.99. You'll get them both at grc.com. Plus a lot of other stuff that he gives away for free. Like as he mentioned, ShieldsUP, which is uh you know, I don't set up a network without testing it with ShieldsUP. So many other great utilities. grc.com. We have copies of the show at our website as well. We have unique versions for some reason, a 128 kilobit version, which uh is more bits than anyone should ever have, but that's how many you get. We also have video, which is even bigger.
Uh but you get to see Steve's mustache in action, and that's worth, I think, the price of admission. Uh, both of those are at twit.tv/sn.
There's also a YouTube channel dedicated to Security Now. We do that for a couple of reasons. One, because YouTube's where, you know, everybody goes, and we want to make sure we spread the word about security.
So we make sure that show is there, but also, it's great for sharing clips. And I know a lot of IT professionals are listening and thinking, I've got to send this information to my boss, or my family needs to know about this Ubiquiti issue, whatever. Easy to do that with YouTube.
You can start the video right where you want it to be. You can send it as a link. Everybody can see YouTube. Makes it really easy. And then finally, the best way to get it, really, is subscribe.
You can subscribe to the audio or the video in whatever podcast client you like.
And that way you'll get it automatically the minute it's available. Steve, I will see you next Tuesday, and I'm going to watch The Boroughs tonight. Thank you.
>> I think you'll like it. I mean, it's not unbelievably amazing, but it is really fun to watch these actors. It's a great cast.
>> And there's a solid storyline behind it.
>> I will watch anything with Geena Davis in it. That's a given.
>> Thanks, Steve. Have a wonderful week.
We'll see you next time on Security Now.
>> Bye.