SN 1059: MongoBleed - Code Signing Under Siege
197 min
Jan 7, 2026
Summary
Steve Gibson discusses critical security issues including MongoBleed (CVE-2025-14847), a memory disclosure vulnerability affecting all MongoDB versions since 3.6 that allows unauthenticated attackers to exfiltrate server data. The episode also covers concerning trends in code signing certificate lifetimes being reduced by certificate authorities, BitLocker hardware acceleration improvements, and Python Package Index security enhancements.
Insights
- MongoBleed exploits a fundamental trust issue: developers rely on authentication to protect publicly exposed databases, but this vulnerability requires zero authentication, demonstrating that network exposure itself is the primary security failure
- Certificate authorities are shortening code signing certificate lifetimes not for security reasons but to push developers toward expensive cloud-based subscription services, creating a monopolistic control structure
- The recurring pattern across security failures is trusting user-provided input without validation—from buffer overflows to MongoBleed's decompression size claims—indicating a systemic industry-wide problem
- Over 87,000 publicly exposed MongoDB instances represent a deliberate policy failure rather than a technical flaw, as MongoDB documentation explicitly warns against public exposure
- Security theater (like banning Raspberry Pi from events) creates false confidence while ignoring actual threats, similar to how shorter certificate lifetimes don't improve security but increase costs
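As an added illustration of the bug class the third insight names (trusting a client-declared decompressed length), the following C program is constructed for this page; it is not MongoDB's code or wire format, which this page does not reproduce. It contrasts a handler that believes the declared length with one that checks it against what decompression actually produced. The "decompressor" is a stand-in that just copies bytes, the arena stands in for heap reuse between requests, and the four-byte header, the sample requests and the leftover secret are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo of the "trust the declared size" bug class; not MongoDB's
   protocol or code. Layout, decompressor and secret are assumptions. */

#define ARENA_SIZE 256

/* Stand-in heap: a previous request leaves bytes here, the next one reuses it. */
static unsigned char arena[ARENA_SIZE];

/* Stand-in decompressor: copies the payload, returns the bytes it produced.
   A real inflater likewise produces only what the input actually encodes. */
static size_t fake_inflate(const unsigned char *in, size_t in_len,
                           unsigned char *out, size_t out_cap) {
    size_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    return n;
}

/* Assumed message layout: 4-byte little-endian declared length, then payload. */
typedef struct {
    uint32_t declared_len;
    const unsigned char *payload;
    size_t payload_len;
} msg_t;

static int parse_msg(const unsigned char *buf, size_t len, msg_t *m) {
    if (len < 4) return -1;
    m->declared_len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                      ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    m->payload = buf + 4;
    m->payload_len = len - 4;
    return 0;
}

/* Vulnerable: decompresses into declared_len bytes of arena, then treats all
   declared_len bytes as the message and echoes them. Bytes the payload did not
   produce are whatever the previous request left behind. Returns reply length. */
size_t handle_vulnerable(const unsigned char *buf, size_t len,
                         unsigned char *out, size_t out_cap) {
    msg_t m;
    if (parse_msg(buf, len, &m) != 0) return 0;
    if (m.declared_len > ARENA_SIZE || m.declared_len > out_cap) return 0;
    (void)fake_inflate(m.payload, m.payload_len, arena, m.declared_len);
    memcpy(out, arena, m.declared_len);      /* trusts declared_len, not produced */
    return m.declared_len;
}

/* Hardened: the byte count decompression actually produced must match the
   declared length; anything else is a malformed request and is rejected. */
size_t handle_hardened(const unsigned char *buf, size_t len,
                       unsigned char *out, size_t out_cap) {
    msg_t m;
    if (parse_msg(buf, len, &m) != 0) return 0;
    if (m.declared_len > ARENA_SIZE || m.declared_len > out_cap) return 0;
    size_t produced = fake_inflate(m.payload, m.payload_len, arena, m.declared_len);
    if (produced != m.declared_len) return 0; /* declared size was a lie: reject */
    memcpy(out, arena, produced);
    return produced;
}

/* Simulates an earlier request whose data is still sitting in the arena. */
void seed_arena_with_previous_request(const char *leftover) {
    memset(arena, 0, sizeof arena);
    strncpy((char *)arena, leftover, sizeof arena - 1);
}

/* Constructed requests: one declares 32 bytes but carries 2; one is honest. */
static const unsigned char short_req[6]  = {32, 0, 0, 0, 'h', 'i'};
static const unsigned char honest_req[8] = {4, 0, 0, 0, 'a', 'b', 'c', 'd'};
static const char *leftover_secret = "password=hunter2-do-not-leak";

size_t scenario_vulnerable_reply_len(void) {
    unsigned char out[64];
    seed_arena_with_previous_request(leftover_secret);
    return handle_vulnerable(short_req, sizeof short_req, out, sizeof out);
}

/* 1 if the reply to the short request contains the previous request's bytes. */
int scenario_vulnerable_leaks_secret(void) {
    unsigned char out[64];
    seed_arena_with_previous_request(leftover_secret);
    size_t n = handle_vulnerable(short_req, sizeof short_req, out, sizeof out);
    return n == 32 && memcmp(out, "hi", 2) == 0 &&
           memcmp(out + 2, "ssword=hunter2", 14) == 0;
}

size_t scenario_hardened_reply_len(void) {
    unsigned char out[64];
    seed_arena_with_previous_request(leftover_secret);
    return handle_hardened(short_req, sizeof short_req, out, sizeof out);
}

size_t scenario_hardened_accepts_honest(void) {
    unsigned char out[64];
    seed_arena_with_previous_request(leftover_secret);
    return handle_hardened(honest_req, sizeof honest_req, out, sizeof out);
}

int main(void) {
    printf("vulnerable: reply %zu bytes, leaks previous request: %s\n",
           scenario_vulnerable_reply_len(),
           scenario_vulnerable_leaks_secret() ? "yes" : "no");
    printf("hardened: short request -> %zu bytes (0 = rejected), honest -> %zu bytes\n",
           scenario_hardened_reply_len(), scenario_hardened_accepts_honest());
    return 0;
}
```

The check in the hardened handler is the whole fix: the trusted value is the count the decompressor reports, never the count the client claims. Real code also needs an upper bound on the declared length before allocating, which both handlers here enforce against the arena and output capacity.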
Trends
- Consolidation of certificate authorities enabling price increases and forced subscription models for code signing
- Shift from hardware-based to cloud-based code signing infrastructure, reducing developer autonomy and increasing vendor lock-in
- Growing reliance on authentication as the sole security control, despite repeated demonstrations that it fails when network exposure occurs
- Hardware acceleration becoming necessary for encryption performance as NVMe drives exceed software crypto capabilities
- Supply chain attacks through compromised package repositories becoming increasingly prevalent due to account takeovers
- Linux gaining appeal as the only major OS allowing unsigned software execution, positioning it as a refuge from restrictive policies
- Two-factor authentication evolution from TOTP to phishing-resistant methods requiring email verification
- Increasing regulatory burden and security theater creating diminishing returns and user inconvenience without proportional security gains
Topics
- MongoBleed vulnerability (CVE-2025-14847)
- Code signing certificate lifetime reduction
- Cloud-based code signing services
- Certificate authority consolidation
- BitLocker hardware acceleration
- NVMe drive performance overhead
- MongoDB public exposure risks
- Buffer underflow exploitation
- Unauthenticated remote access vulnerabilities
- Python Package Index security enhancements
- Two-factor authentication phishing resistance
- Windows 11 Smart App Control restrictions
- TLS certificate lifetime reduction
- Supply chain security attacks
- Network segmentation and access control
Companies
MongoDB
Subject of MongoBleed vulnerability affecting all versions since 3.6; fifth most popular database globally with 87,00...
Microsoft
Implementing Smart App Control in Windows 11 that cannot be disabled; adding hardware-accelerated BitLocker support f...
DigiCert
Code signing certificate provider charging $840/year with 1,000 signature/year limits for cloud-based signing service
GlobalSign
Code signing certificate provider at $550/year; part of consolidation pushing developers toward cloud-based subscript...
IdenTrust
Code signing certificate provider offering least expensive option at $270/year with multi-year discounts
OpenAI
ChatGPT exploring advertising revenue model to address $74 billion annual operating losses despite $10 billion revenue
Google
Gemini AI outpacing ChatGPT in benchmarks; Google's ad business generates $237.8 billion annually, model OpenAI is fo...
Intel
Releasing Core Ultra Series 3 processors with hardware crypto acceleration support for BitLocker in Windows 11
Netflix
Streaming platform hosting The Lazarus Project sci-fi series with 100% Rotten Tomatoes score; removing content Januar...
Python Software Foundation
PyPI repository processed 3.9 million new files in 2025 with 81,000 requests/second; implementing enhanced 2FA security
Elastic Security
Posted MongoBleed exploit code on Christmas Day, accelerating vulnerability disclosure timeline
Cisco
Making promises about improving network security and reducing public exposure risks for enterprise infrastructure
Alibaba Cloud
Partnered with MongoDB in 2019 to offer managed MongoDB service to customers across global data centers
Bitwarden
Open-source password manager ranked #1 in enterprise categories for six consecutive quarters; supports hardware keys ...
Meter
Full-stack networking infrastructure provider offering integrated wired, wireless, and cellular solutions for enterpr...
Material
Cloud workspace security platform protecting Google Workspace and Microsoft 365 environments with automated threat re...
ThreatLocker
Zero-trust security platform stopping ransomware through deny-by-default approach; used by Emirates, JetBlue, Indiana...
People
Steve Gibson
Host of Security Now; security researcher expressing concerns about certificate authority consolidation and authentic...
Leo Laporte
Co-host of Security Now; discusses implications of security policies and their impact on users and developers
Carolyn Dean
MD and ND author of 'The Magnesium Miracle' (2009); research on magnesium's role in vitamin D metabolism and health
Kevin Beaumont
Security researcher who posted analysis of MongoBleed vulnerability; warned of high likelihood of mass exploitation
Sam Altman
OpenAI CEO who declared 'code red' after Google Gemini outpaced ChatGPT in benchmarks
Audra Heinrichs
Press logistics director for NYC mayoral campaign; criticized vague security policy banning specific device brands
Quotes
"If you can't write your own software, it's not your computer."
Steve Gibson•Code signing discussion
"Why would the CA browser forum feel the need to reduce the life of absolutely theft-proof code signing certificates? What benefit could there possibly be to them?"
Steve Gibson•Certificate lifetime reduction discussion
"Curiosity, it seems, is now contraband."
Adafruit blog (quoted by Steve Gibson)•Raspberry Pi ban discussion
"Public safety is a beacon, a flashlight, not a fog machine."
Audra Heinrichs (quoted by Steve Gibson)•NYC inauguration security policy
"It trusts the data the user provided. If we were to produce a list of the root causes behind many of the worst flaws that have been found in software, trusting user-provided input would definitely be right up there near the top."
Steve Gibson•MongoBleed technical explanation
"This erroneous reliance upon remote authentication, which we keep seeing over and over, does not work. It's perhaps the single most important thing that has to change in today's Internet networked world."
Steve Gibson•MongoBleed conclusion
Full Transcript
It's time for Security Now. Steve Gibson is here. He's a little miffed. We actually get a rare Gibson rant over the life cycle of code signing certificates. It's going to be dramatically reduced for no good reason. Ads coming to your ChatGPT. Why did they ban the Raspberry Pi from the New York City inauguration? And an astonishingly good British TV series that Steve wants you to know about. Plus, magnesium as a supplement, and then a look at a very big, very problematic flaw called MongoBleed. It's a jam-packed show. Stay tuned. Security Now is next. Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson. Episode 1059. Recorded Tuesday, January 6, 2026. MongoBleed. It's time for Security Now, the first show of 2026. Let's see if Steve has changed at all in the new year. No. And the answer is no, and that's a good thing. And that's a good thing. Steve Gibson is here, the man of the hour, the man every Tuesday we tune in for to find out what the latest is in the security news. Hi, Steve. Leo, 2026. It is a new year. It's going to be a new, amazing ride for our listeners, for the world, for everything. And I have to say, I'm developing another major platform feeling, philosophical thing about security is beginning to evolve. We will be seeing authentication is broken again because that's something. But I'm really beginning to get a sense of diminishing returns. I'm reminded of the fact that we can't build light rail because we have so over-regulated ourselves, you know, on the off chance that something bad might happen to something somewhere that, you know, I mean, you can't prove a negative, right? And so the insurance salesman, you know, makes his living by saying, but what if? Right. And as a consequence, a lot of people have insurance that, you know, they actually may not actually ever need because that thing, you know, didn't fall off or whatever. 
We're beginning to see – I'll be talking about another reduction in certificate length, which has no justification. and this new feature, SAP, smart app or SAC, smart app control that landed in Windows 11, which cannot be turned off, where you can't allow apps you trust or exceptions. All of Microsoft stuff has until now, all of the Windows Defender, you could say, okay, fine, I want to dedicate this directory to things that you don't bother me about. That's going away. So end users are being increasingly inconvenienced in the same way and for the same reason that we can't build light rail in California. It's like it's diminishing returns. It's the belief that we can apply our fancy technology to solve problems where the presence of that technology creates a bigger problem than what it is trying to solve. And I think this is the year where we're going to begin to see that signs have been there, and we've been reporting this until now. I think it's going to mature, unfortunately, like this year and next, where things are becoming increasingly constrained in a mistaken belief that we're going to be able to fix this just by being more tricky, by applying technology to where mistakes, we're not really fixing mistakes much, and the human factor is still there. Anyway, you've got a new philosophical framework building, I understand. Actually, when you said that, I was hoping you were going to write a new operating system to replace the crappy ones we have, but I guess that's off the table. Actually, you're going to see a bright light for Linux here because I have gone all in on Linux. I long ago was fed up with Windows, and I'm not happy with the direction Apple's taking with macOS. The only operating system out there I know of that I can really have it be exactly what I want, no more no less, without ads, without constant, hey, you want to download Chrome without any of that stuff, is Linux. But we'll talk about that in a little bit. Yes, we will. 
Today's podcast is titled MongoBleed. MongoDB, which is not from Blazing Saddles. MongoBleed. MongoDB is, turns out, it's the fifth most popular database system in the world. We'll be getting to that in a second. But it's got a bad problem. And the cool thing is we're going to look at it. It is a problem that we can perfectly describe, that is, this bug, which has been in there for eight years. So all versions of it, all 87,000 copies, at least 87,000 have been identified by Censys, are vulnerable. And, oh, it's been a rocky Christmas and New Year's for those people. We're going to talk about code signing certificate lifetimes having been shortened. A vote was made late last year to shorten code signing certificate lifetimes by two years. Sadly, ChatGPT is heading toward an advertising profit model. I want to touch on that. The Python package index guys are strengthening their security. They just announced. That's great. BitLocker gets hardware acceleration. but not today. New York City's mayoral inauguration did the weirdest thing. They banned Raspberry Pis. And from brisheiros. Yeah. Like, what? We've got, oh, I have news. I was bending Benito's ear before we began recording about my discovery of an astonishingly good British time travel series. Oh, I love time travel. Oh, Leo, if you have not seen The Lazarus Project, there's no danger of me overselling this thing. Oh, I want to see it. Well, yeah, we'll get there. Also, we've got a news just in the news following our Vitamin D special podcast last week of a critical link between vitamin D and magnesium. You know, but our listeners don't know, that magnesium is another one of the things that I have focused on. I take so much magnesium now. Good. Actually, I had to back down a little bit because I think I was reaching a saturation. As one does. I'm going to delicately explain about that. Well, there's all kinds. There's glycinate, there's citrate, there's threonate. So, good. I want to hear more about this. 
Yep, and ask me things because they're things I didn't get to. I was a little self-conscious about, you know, talking a lot about supplements on our Security Now podcast, but the response I got from, like, people being reminded about vitamin D, I think probably, Leo, many of our listeners have been aging along with us for the past 20 years. And so, you know, when you're a Gen Z indestructible, you know, go all day and night person, you don't think about health in longevity. But when you're in your late 60s and 70s, it becomes something you tend to focus on a little bit more. But it's too late, of course. Yes, you do want to get, yes, you want to create as much foundation for the future as you can. And you and I both did 20 years ago. Oh, and a picture of the week. I'm so happy with my headline on this. It was a picture that had a different caption. I gave it one that I love, which I think everyone's going to get a kick out of. So I think probably we've got an interesting podcast for kicking off 2020. Well, it's about time, Steve. I've been meaning to mention that. No, this is the show. This is rapidly becoming our most popular program on the entire network, and I'm not surprised. It's all because of your stellar personality. I spent the last two days writing it. So all of Sunday and all of Monday went into... I don't know if people understand how much work you put in. I guess they probably do. If they ever look at the show notes, you basically write a novel. Today's is 22 pages long of density. I did write most of it instead of just copying and pasting stuff. You really put a lot of effort into it. So I appreciate that, Steve, and I know our audience does as well. Let's take a little break. You know who else appreciates it? Our fabulous sponsors. 
We're very happy to know that they've got an audience of very smart people who are working in security, working in areas that they're experts in, but they're always interested in new ideas, new products, new tools that can make their life better. This is a brand new sponsor. We're very happy to have them on. In fact, I had a great conversation with them just a couple of weeks ago. It's called Meter. They are a company that's devoted to building better networks. And actually, their history, their story is interesting. They were, of course, network engineers, just like you, working on the ground. and they said there's got to be a better way. There's got to be better hardware. There's got to be better control planes. If you're a network engineer like them, you know the headaches. Legacy providers with inflexible pricing, I'm talking ISPs even, right? IT resource constraints stretching you thin. I mean, nobody's ever got a sufficient budget. Complex deployments across fragmented tools, especially nowadays with companies acquiring other companies and other properties. You know, you're going to have one Wi-Fi system in that warehouse that's not compatible in any way with a Wi-Fi system at the home office and on and on and on. You, as the network engineer, it all is on your shoulders. You're mission critical to the business, but you're working with infrastructure that wasn't built for modern demands. That's why so many businesses are switching to Meter. Now, I admit I had never heard of them, so I went to the website when they first approached us, and I looked, and I said, wow, this is what people need. Meter delivers full-stack networking infrastructure. I mean, the whole stack, wired, wireless, even cellular. It's built for performance. It's built for scalability. It's built for you to manage. That's important, too. Meter designs their own hardware, writes their own firmware. They build the software. They manage the deployments, and they provide support. 
In fact, you can have Meter set the whole thing up if you want. You can have them be a consultant. You can have them just be out there for support and do it all yourself because they know, as a network engineer, everybody's got different needs. Meter will help you with everything from ISP procurement down to that level, security, of course, That's job one. Routing, switching, wireless, firewall, cellular power. They'll do DNS security, VPNs. They'll help you set up SD-WANs, multi-site workflows, all in a single solution. Meter's single integrated networking stack. All of this is built on the same stack, on the same hardware, the same software. It scales. You'll see people using it in hospitals. I mean, I spent a little time in hospitals over the holiday break. Everybody's fine. But I noted that most of them, cell phones don't work. Wi-Fi doesn't work. They need Meter. Branch offices. You've got the home office, then you've got the branch office, and neither the twain shall meet. No, you need Meter. Warehouses, giant warehouses, or campuses, large campuses, data centers. You know who uses Meter? Reddit. Perfect example. Or I'll give you another testimony. The Assistant Director of Technology for Webb School of Knoxville. He said, we had more than 20 games on campus between our two facilities. Each game was streamed via wired and wireless connections. The event went off without a hitch. We could have never done this before Meter redesigned our network. If you're just hearing about it now as I was, I really want you to look at this. With Meter, you get a single partner for all your connectivity needs. This is your dream come true. This is what you've been looking for. From the first site survey to ongoing support without the complexity of knitting together and managing multiple providers, multiple tools. The ISP says, well, it's the routers. Well, the router says it's the ISP. None of that. 
Meter's integrated networking stack is designed to take the burden off you, off your IT team, to give you deep control, to give you visibility, totally reimagining what it means for businesses to get and stay online. And we needed this because everything has changed. Meter is built for the bandwidth demands of today and tomorrow. We thank Meter so much for sponsoring. Go to meter.com slash security now, book a demo. That's all I ask. M-E-T-E-R.com slash security now to book a demo. The time is right. We need it. meter.com slash security now. Thank you, Meter, for believing in us. And I think you're going to have some people who are very happy to find out about Meter. Meter.com slash security now. I am prepared. I have not looked at the picture of the week. I think you should just gaze upon it. Let it soak in. I should gaze upon it. We'll share your response. I shall scroll up, and then I will explain. And you can see my face as I see it for the first time. I will share the caption. Okay. Well, I've seen this many, many times. Account verification. Oh, yes. We just sent the code. They're telling me what the code was. So I gave this the caption. I gave this the caption, the sales pitch, really. Why reinvent the wheel? Allow agentic AI to take all the drudgery out of your repetitive coding tasks. Is this vibe coded? It probably is, isn't it? Isn't this wonderful? And then we have the agentic AI and vibe code produced a second-factor authentication screen. It has the headline, Account Verification. and then it says, we have just sent the code 435841 to your phone number, and then it has that blanked out with the last four digits are 8247. Please enter the code below to access your account. So, isn't that wonderful? Oh, my God. It is so good. And when you first look at it, you might not. Yeah, right. That makes sense. Yeah. Yeah. I guess I don't have to look at my phone now. It does speed up the login process. Sure does. So that's good. 
You don't have to wait for the code to arrive. Okay, so I want to begin this first podcast of 2026 by exploring around the edges of a recently decided and announced, and I have to say discouraging update that follows a disturbing trend which will have a significant impact on our industry. And I understand that those behind it are claiming it will have a net positive impact on security, but I question whether that's true. And I suspect that the positive impact it will most have is upon the certificate authorities' revenues and profits. Today's level of persistent cybercrime, which we know exists, right? I mean, it's out there. And the bad guys are more aggressive and, frankly, money-hungry than ever. It's the ability to get paid through cryptocurrency that has enabled this. They're pushing the world. The cybercrime baddies are pushing the world to a place where only software that is validly signed will even be considered for execution. Signatures are required for iOS apps, Linux distros, secure booting, Android APKs, browser extensions, and all of the various gaming consoles, including smart TVs, and even the firmware for home routers, NASes, and cars. All of this needs to be signed. Linux, being inherently more open, is the only remaining OS where signing is either unnecessary or not strongly needed. It's a different kind of signing. I mean, when I downloaded an app, often it is signed with a hash, you know, an MD5 hash or a PGP key to identify the developer. But that's voluntary. That's not from the operating system. That's from the developer. There is no requirement by the OS. Windows apps can theoretically run without signing, but only now with Windows Defender there if they are very well known. The only hope any newly minted Windows app has of running today is if it's carrying a signature. 
And even then, only if that signature itself has previously established a strong reputation by virtue of the applications it has signed that have been previously seen that haven't caused problems. You know, it's all about reputation. but we've seen that other apps like Notepad++ which have a sterling reputation will have serious trouble if they are unsigned or as its author briefly attempted are self-signed that landed with a big thud because everybody was complaining that Windows Defender wouldn't allow their update to Notepad++ that they'd had for years to run it all You know, so if Linux we could consider is lax, but probably not necessarily guarded, whereas Windows is, then macOS sets the bar about as high as it can go. Any macOS application that's not signed is assumed to be malicious. You know, you really need to be a registered developer in good standing to have any chance of macOS running your software. So that's pretty much where we are today. Essentially, anywhere it's practical to require a signature on software, a signature will be required. The problem is, this is still an imperfect system. Bugs in signed software are no less prevalent than in unsigned software. So signing offers no guarantee about software quality, and bad guys are just as able to exploit bugs in signed as in unsigned software. But it is certainly worthwhile to require a signature rather than not. If nothing else, something somewhere is known by someone about the signer of the software. There's at least some modicum of accountability and traceability. So I can see that, you know, that it's not a bad thing. And if a piece of signed software is discovered to be malicious, then its signing certificate can be immediately blacklisted and is so that nothing else signed by that presumably malicious certificate will be trusted. Now, it's not unreasonable to expect a Linux user to be cautious about what and where they obtained their software for their machines. 
That's more the Linux user demographic, right? But that's certainly not the case for the casual Windows user who browses around Microsoft's Windows store looking for stuff to download and run. Just because, why not? It's there. So everything and anything that comes from the Windows App Store is signed, must be, by a known developer. We're talking about what has become the crucial security topic of code signing today, because in another move that makes very little sense to me, late last year, the CA Browser Forum voted to reduce the maximum lifetime of code signing certificates for any certificates issued from March 1st of this year on. So less than two months from now, the maximum lifetime of a code signing certificate that will be issued by any certificate authority will be reduced from 39 months, which is a comfortable three years plus three months, to a far less convenient one year and three months, taking two years off. Of what has been the pattern so far. Yeah. And this is occurring for no apparent reason that addresses no apparent problem. Back in 2022, the policy was finalized that no code signing private keys could exist outside some form of hardware token or HSM, which would prevent their theft. That policy took effect on June 1st, 2023, fully two and a half years ago. From that date on, from that date forward, June 1st, 2023, certificate authorities would only issue code signing certificates in hardware. And critically, this applied not only to extended validation code signing certificates, which had long been required to reside in hardware isolation, but to all code, even of lesser verified code signing certificates. So that move made two and a half years ago ended the opportunity for code signing certs to be remotely stolen. I remember years ago, Leo, like decade ago more than, We talked about a theft somewhere, I don't know, like in Taiwan, or there was a theft of a physical facility where their certificates got stolen. 
Or maybe it was a remote break-in. But, you know, they have a piece of paper in a safe. How could you? I don't know. Yeah. So, but for the last two and a half years, all code signing certs of any caliber had to be installed in hardware. So there was, as a consequence of that, it meant that no code signing certificate could be exfiltrated by any remote attacker, period. You know, even the owner of the dongle, the HSM, can't get the private key. It won't. There's no API. You can't extract it. It is a write-only system by design. Nevertheless, the certificate authorities have voted and decided that even safely stored code signing certificates must be renewed now much more frequently. So I understand why this happened with TLS certificates because of issues with revocation. Right. There's nothing like that for code certificates, right? No, no. You could, you know, if so, and this is another part of the annoyance. It's not as if this is actually going to prevent maliciously signed malware. You're going to get companies posing as reputable software publishers who obtain a code signing certificate and establish a reputation. Very much the same way that people who run forums see people creating accounts that are dormant for a while in order to sort of slip under the radar, and then they start getting up to some mischief downstream at some point. Same thing is happening here. So it's not like this actually solves a problem. You can still have valid code signing certificates issued to malicious parties because the validation process cannot be perfect because, again, it's the human factor, which is where all of our security ultimately fails, whether it's humans writing code that has bugs or humans saying, you know, are you really, you know, Steve Gibson. So this raises the question, right? Why would the CA browser forum feel the need to reduce the life of absolutely theft-proof code signing certificates? What benefit could there possibly be to them? 
And does this have any impact upon the browser side? Remember, the CA browser forum is the certificate authority and browser forum. Does this have any effect on the browser side? Looking over the results of the ballot measure, which was voted on, CSC-31, which was titled Maximum Validity Reduction, I was struck by the mix of voters. And using the term mix would be technically inaccurate since all 10 of the yes votes came from certificate issuers. Subsequently updating myself about... That's not a conflict of interest at all, is it? Oh, it gets better, Leo. It's exactly this. What we have forming is a cabal. While updating myself about what's been going on and poking around the industry, I stumbled upon an interesting tidbit that pretty much explained what's happening. The light bulb lit for me. There's been a recent significant increase in cloud-based code signing. In other words, the push for shorter and less convenient use of the super secure hardware security modules by shortening the maximum life of the certificates they can contain and store, while providing no automation for their management. That has the indirect effect of actively discouraging code signers from obtaining and managing their own code signing certificates. It appears to be that the future of code signing will be the establishment of a subscription relationship. Oh, my God. Yes. You're right. It does get worse. It does get worse. It will be the establishment of a subscription relationship with a major provider, such as GlobalSign or DigiCert. Remember that what code signing actually signs is a cryptographically secure hash of some code. This makes it entirely feasible for that process to be remoted with a cloud-based service. A cloud-based code signing utility takes a cryptographic hash of the code to be signed and forwards it to the signing provider's cloud service. 
After verification and validation of the identity of the signing party, and note, Leo, this is the glitch here because they still have to verify. The cloud provider needs to verify the person asking for this to be signed is who they say they are. Well, have we ever seen authentication fail? Uh-huh. Once that's done, though, after first verifying that, of course, their subscription is in good standing and they're all paid up, the cloud signing provider uses the customer's own private key, which the provider maintains for them, and their customer never receives or sees. Why would you watch your own private key after all? That's right. No, trust us. Exactly. That's right. We'll keep it for you. Oh, my God. They sign the hash of their code for them. The signed hash is then returned to the customer, whereupon the cloud signing utility affixes it to the end of their code to complete the signing process. So, taken in aggregate, what has happened, and this is deeply disturbing, is that to an ever-increasing degree, all code from anyone and anywhere is inherently mistrusted by default. It will probably only run on Linux, unless it has been signed by one of a diminishing number of increasingly large select few signers who are pretty much free to then charge whatever they wish for the privilege. This isn't certification exactly. Yes, it is. Yes, that is exactly what it is. What has been slowly been growing and evolving is a cabal. We've been witnessing a consolidation of certificate authorities over the past decade as the bigger fish swallowed up the littler fish, while also not surprisingly raising their rates. Today, the least expensive code signing certificate I could locate was IdenTrust's at $270 per year. But purchasing a three-year certificate offers a 20% discount, so that's $647 for three years. They'd like to get your money up front if they can. GlobalSign is just over twice as expensive per year at $550 with no multi-year discount. 
And DigiCert leads the pack at $840 per year. Think about that for a second. $840 per year for no reason other than because they can. And because we are not, we, code authors everywhere, will have no recourse, no choice. And this really impacts you because you're not running your software on Linux. You're running on Windows. So this will be a requirement, right? Yes. My stuff will not run unless it is signed. I made a mistake over the holidays because I've been producing incremental updates of the DNS Benchmark. I'm going to have a really neat surprise for all DNS Benchmark people in another couple of weeks. But I dropped an unsigned copy on VirusTotal, and, oh, it lit up like a Christmas tree in red. And I thought, what the heck? And then I thought, oh, thank goodness. It's just because I forgot to sign it. I signed it, and zero out of 73 or 72 AV tools thought there was a problem. Unsigned, not a chance. And then, of course, we have that new SAC, the Smart App Control in Windows 11, that doesn't allow an exception. We stumbled on that a couple of times. The good news is you try a couple of hours later and then it works. So it's, you know, okay. Anyway, so the upshot is all of the commercial platforms now require code to be signed, and a very small and shrinking group of increasingly powerful commercial authorities have decided to follow the TLS model of continually shortening the lifetime of those code signing certificates, which they alone are empowered to issue. Today's code must be signed. Even the Notepad++ guy, he's now got a GlobalSign certificate. He had to buy one because he had no choice. Today's code must be signed. So code authors have no recourse other than to pay an annual tribute to the certificate gods in order to qualify for the privilege.
It's against this backdrop that the certificate authorities all voted to take two full years off of the maximum code signing certificate lifetime that we have today, reducing it by 24 months, from 39 months to 15. Why? Because they can. They all voted for it. Because there's no one to stop them. Certificates that have been locked up in hardware are not subject to remote attacker theft, period. And we know where this is headed, right? We've seen this play out already with the web server TLS certificates. We've watched as TLS certificate lifetimes gradually dropped from their original lifetime of 10 years and are now headed down to 47 days a few years from now. With certificates expiring more often than every seven weeks, as they will be, automation becomes the only practical solution, despite all of the many inconveniences it incurs in situations where the use of the ACME protocol is not practical. And there's, I mean, it's creating lots of problems for people. And so the same thing is clearly happening with code signing. Once the various certificate authorities get the infrastructure in place to support cloud-based code signing, that'll be the only practical way code can be signed. Maximum code signing certificate life is just reduced for no reason, effective this coming March 1st. Does anyone imagine that will be the end of it? In the future, it will be necessary for anyone who wishes to produce software for general use that any platform will accept, except Linux, which will be the haven, essentially, to obtain and maintain an account with a cloud-based code signer. What happens when you run your own code? You can run your own code on your Windows box. No. No, I can't. What? The only way I could do it was by whitelisting the entire ASM tree on my system. When I set up a new system and I forget to do that, the code I assemble and link into an EXE is immediately deleted from the hard drive. Oh, my God. That's awful.
That's the world we're in now. Now, you can't disable this feature, right? Under Windows 10, I can. Windows 11 is coming with this new SAC, the Smart App Control. It cannot be turned off. If it's turned off, and you can force it off, you can then never turn it on again. Because Windows, Microsoft, has decided that, oh, well, if you're going to turn it off, we're not going to let you turn it on. You have to reinstall Windows 11 to turn it on. Oh, right, I remember that. Yeah, yeah, yeah. So, I mean, think of it, Leo. I mean, basically, all of this original PC hobby control, which you could argue built this industry, is going commercial and is being taken away from us. And this isn't really the spirit of personal computing, if you ask me. No. If you can't write your own software, it's not your computer. Right. Right. Right. So I don't know when this is going to happen. It'll be gradual over time. That is the shortening of code signing certs. But watch it. It happened just like it was with TLS certs. And we have a model for that today. No one needs to wait. DigiCert is ready today for only $1,104 per year. What? $1,104 per year. That's $100 a month. They'll be glad, but wait, there's more. They'll be glad to sign your code in the cloud. But there's one limit, Leo, a glitch. What? They limit it to 1,000 signatures per year. I'm not kidding. Unlike the past world where, after obtaining a code signing certificate, we were free to exercise our right to sign as much code as we like, once code signing has evolved into a disservice, the provider will hold not only our private key, but all the cards. And with ever fewer certificate authorities, we can expect this to continue increasing in cost. I know. So now, not only do you have to pay $1,000 a year or $1,100 a year, but there's a limit on how much you can sign because now it's a service and they can. But, okay, that's like 1,000 different programs, not the same program 1,000 times.
Well, yeah, you would never, but, for example, right now I've been producing incremental builds. Oh, every version is a different program. Yes. Yeah, we're at release 85, all of them signed, because all of the people testing have to have a signed executable or their Windows won't run it. So you could easily hit that limit, even with just one package, one piece of software. Yeah. Wow. So for what it's worth, anyone who's been signing their own code, who may be getting ready maybe to make that jump, might wish to grab a 39-month code signing certificate, that is to say three years and three months, while you still can, prior to March 1st. You'll be able to obtain an additional two years of hassle-free, cloud-free, and also unlimited, no one's counting your signings, code signing. And frankly, thanks to our listeners' generous purchases of SpinRite and our new DNS Benchmark, all of which is signed, I can afford to take my own advice, and I plan to do so. I will be refreshing my code signing certificate before March 1st so that I can get 39 months and push off for another three years and three months whatever happens next. You know, and that means that I won't need to continue to keep continually updating a hardware security module. You know, while that's not a big problem, it should not be necessary. There's no big problem that's being solved by shortening the lifetime of any certificate that's stored in hardware. So forcing this upon the world appears to be about nothing but profit and control, because they can. I'm sure our listeners are also aware that none of our real-world experience suggests that the use of, as I said before, a remote, third-party, cloud-based signing system would actually be more secure than simply signing with the use of a local physical dongle that can remain offline, unplugged, you know, when needed, until it's needed.
Earlier, I glossed over the fact, you know, that with the remote code signing certificate, the service would need to be certain that the certificate's owner is the one requesting some code be given their signature. You know, I don't know that I want my private code signing key held in the cloud by a third party. How is that more safe for me? It's less safe. What if they have a breach? Yes, exactly. And it's not like that's not ever happened. Exactly. And before we leave the topic of certificate lifetimes, I'll remind everyone of the upcoming March 15th deadline, which is also approaching. That's when maximum TLS certificate lifetimes will be cut in half from around 398 days to just 200 days. So anyone who may need to be managing TLS certificates manually, and as I said, there are still many such use cases, updating close to but before this upcoming March 15th deadline will allow you to defer the need to find some better solution for another 13 months before it gets cut in half. So, Leo, we are in a different world. And as I said, this is just, it feels so usurious. Nothing costs them $1,000 for an automated service. Nothing. It used to be, what, $45 for a code signing cert. It's pure greed. It is. And we have no control. I mean, there's nothing you can do. Someone suggested, there was some dialogue about this in the GRC newsgroups, and someone suggested, well, what about, in fact, he was an author of freeware or charityware, I think, that supported, it was some application that supported the members of his church. And he said, I can't afford hundreds of dollars every year to have a code signing certificate. He said, I mean, I can't. But, of course, his members are all using Windows because that's the most common desktop platform still. So what does he do? You can't tell your potential customers, oh, just disable security on your system and then you'll be able to run. You can't say that. No, you can't. No, and Microsoft has made it one way.
It used to be under Windows 10 with Defender that it would quarantine and you could go in and drill down and say, no, trust this. That's how it is on the Mac right now, but probably not for very much longer, I would imagine. Yes, and it's gone. It has disappeared from Windows 11. They said no. All in the name of security. We know better. It's not more secure. And that's just it, Leo. It's not. And this is, as I said at the top of the show, it feels to me like we're, because we can, we can use our fancy technology to do these things, you know, and it's like the UK saying, well, we want decryption of messaging because we know you geniuses can figure out how, and you'll make it safe, and you'll just do it because we're going to pass a law that says you have to. Just nerd harder. That's what Cory Doctorow says. Nerd harder. You're not nerding hard enough. Is it possible, Steve, for somebody to do what Let's Encrypt has done and make an open source code signing? Like free code signing? Windows would have to decide to trust it. Microsoft has to support it. Yes. Yeah. Microsoft and... And Android. And Android. Google and Apple. And they would say that. And so there is a difference in the model, though. Let's Encrypt verifies your control of the domain. The only thing the TLS certificate is doing now is giving you encryption. That's why it's called Let's Encrypt. It's not saying who owns the domain. It's saying whoever owns it can have a certificate to encrypt it. That's where this is different. Code signing certs say this person owns, you know, this person or company owns, you know, is the producer of the software. So there is some work that they have to do in order to say, okay, you're who you are. So it's not automatable in the same way. If it were, then malware would all do it. So malware has to go to some lengths to fraudulently obtain a code signing certificate. But, you know, they will. And they will then use it like crazy until it becomes blacklisted.
And then they get another one, or pull another one out of their queue of previously acquired, maliciously obtained certificates. But it feels to me like all of the legitimate use cases for unsigned software are being killed in the name of trying to pursue forcing everything to be signed, even though that signed code will still have bugs. It's not like the bugs disappear because you have a signature. It's just saying we know who signed this. It's like it's creating a big barrier that doesn't actually improve security. And it's not like, when are we talking about maliciously signed EXEs on this podcast? We talk about everything that happens. That isn't a problem. It's like certificates being stolen from websites. It's easy to say, oh, they could have their certificates stolen. Well, that doesn't solve the problem. You still need to route traffic. You need to maliciously route traffic for a domain name to a bad server. So even stealing a certificate isn't the end of the world. You've got to somehow arrange for that domain to map to an IP which is malicious, which also has that certificate. So we're doing all these things that really create serious inconvenience for very, very, very little gain. Again, why? Because they can. And I was reminded of something I said on this podcast earlier. I, as the owner of GRC, should have the ability to say my security model is fine with a TLS certificate that has a 5-year life or 10-year life. If Microsoft or Amazon or eBay want to have 47-day or 4-day continually renewing certificates, great. Let them have them. Why force the world down to this lowest common denominator? Especially if it doesn't improve security. Yes. And it just gets in the way of people who want to own their own computer, own their own system. I mean, I understand. We've got a situation where we've got malware and bad guys rampant. But this is not the way to stop that.
Yeah, we have a guy in the newsgroups whose first name is Alan, who wants to run his own email server. Well, email has to be TLS. But email isn't a web server that can accept an ACME challenge. You can't automate it. No. And so, you know, it's like he's going through all this too. It is just diminishing returns. Yeah. Well, it's good for Linux. Actually, Linux is beginning to look mighty fine. Yeah. And I did find myself wondering, although this isn't a solution for everybody, whether Wine cares about signatures. I'm sure it doesn't. I don't think it does. There's no enforcement mechanism. It's not running Microsoft Windows. It's emulating it. Not even emulating it. So you don't have Defender sitting around stomping out things before they have a chance to see the light of day. Interesting. And Wine runs a lot. I mean, look, Windows compatibility on Linux has gotten very good, partly because of gaming. Yeah. And Wine has done a great job. I mean, you can pretty much run anything now. Yeah. I've learned a lot in the last few weeks after releasing the DNS Benchmark because so many people want to run it on Linux. And there are a bunch of commercialized Wine packages. The Wine license allows commercial reuse of all of that good work. And they round off the rest of the rough edges and create more of a drop-in solution. Yeah, it's a business model. Yeah. Yeah. Yeah, but I can't tell everyone, go get Linux and then make software. This is the problem. And if you're a business, you're going to be running Windows. Because if you're a church, you're going to have to support parishioners that run Windows. You just have to. They're so dominant. Now, somebody's pointing out, well, I guess you could install a local certificate. If you're a business, you could install a local certificate on all the business's computers so you could run your line-of-business software that you wrote without signing. Or you would sign it.
You'd sign it with that personal certificate as opposed to a public certificate, right? You just add it to the certificate store and say, yeah, this is trusted. Yeah. But that's not a solution except in that environment where you control every computer in that environment. Well, yeah, try telling people who come to your website, here, install my own CA certificate in your root. That must be what happens. I mean, my Synology NAS does not have a certificate. The first time I go there in my browser, it says, oh, you sure? You sure? It still lets me get through. And once I say yes, I never have to see that again. So it must be installing a certificate at that point. Well, no, it still sees that there's a problem. It just put in an exception. It whitelisted that. You want to take a break? Oh, boy, do I. I really, for a variety of reasons, I'm becoming more and more disenchanted with big tech, big operating systems, and I really feel like, I've always felt strongly that open source is the right solution, but more and more I don't want to participate in these big tech things. I want to run my own AI locally. I want to run it on a Linux box. I want to do my own thing. But that's a very, most people cannot do that. It's just that it's a privileged position to be in to say you can do that. Oh, well. All right. Well, we'll have more in just a bit. Steve Gibson, he's going to have a little coffee. He'll feel better. I hope you do too. Actually, Steve and I are very excited. We are planning a trip to Orlando, Florida. We're going to Disney World. Actually, we're going to Zero Trust World. So very excited about this. This portion of the show brought to you by ThreatLocker. They do a wonderful conference every year all about zero trust. They are the zero trust company. And Steve and I are going to be presenting at that. I'll tell you more about that in a little bit. But let me tell you about ThreatLocker first.
It's certainly not necessary to tell you that ransomware is just killing businesses worldwide. But there is a way around it. ThreatLocker, it can stop ransomware before it starts. Not just ransomware that it knows about, zero days. Ransomware no one's ever seen before. Ransomware custom designed to target you. Recent analysis from ThreatLocker shows how one particular ransomware operation, I think it's Qilin it's called, in 2022, 45 incidents. They're just getting started. Last year, 800 incidents. And that's just one of dozens of ransomware gangs. ThreatLocker's zero-trust platform stops Qilin, stops them all, even the brand new ones, because it takes, and this is what's so great about zero trust, a proactive deny-by-default approach. Deny-by-default blocks every action that's not been authorized, explicitly authorized. It protects you from both known and unknown threats. ThreatLocker, they call it their ring fencing. ThreatLocker's innovative ring fencing constrains tools and remote management utilities. It keeps attackers from weaponizing them. So even if they're in, they can't, there's no lateral movement. They can't encrypt, mass encrypt stuff. They can't exfiltrate. They can't do anything. ThreatLocker works across all industries. It provides very robust 24/7 U.S.-based support, really great support people. It works in Windows. It works on Macs. And it enables comprehensive visibility and control, which is great in a world where compliance is important too. That's just one of the nice side effects of zero trust, because everything has to be approved. You know exactly who did what when. You have complete visibility and control. And this is the kind of solution that companies that can't afford to be down for one minute need to rely on. I'll give you an example. Emirates Flight Catering, you know, this is like the best airline in the world, year after year. And their food, amazing. They're a global leader in the food industry. And they're big.
I didn't realize it's 13,000 employees, just for the catering. ThreatLocker gave full control of apps and endpoints, improved compliance, and delivered seamless security with strong IT support. Just ask the CISO of Emirates Flight Catering. He said, quote, The capabilities, the support, and the best part of ThreatLocker is how easily it integrates with almost any solution. Other tools take time to integrate with. ThreatLocker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a CISO. It's not just Emirates Flight Catering. It's JetBlue. It's Heathrow Airport. Remember they had some problems before? They were down for a little bit. They've decided that's never going to happen again. ThreatLocker's the solution. The Indianapolis Colts use ThreatLocker. The Port of Vancouver uses ThreatLocker. ThreatLocker consistently receives the highest honors in industry recognition. It's a G2 High Performer and Best Support for Enterprise, Summer 2025. PeerSpot ranked it number one in application control, and GetApp's Best Functionality and Features award in 2025. Visit ThreatLocker.com/TWIT to get a free 30-day trial. Learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's ThreatLocker.com/TWIT. For a limited time, we've got a code for you: ZTWTwit26. Zero Trust World is ZTW. ZTWTwit26, all one word. I think it's all caps. ZTWTwit26. That's 200 bucks off registration for Zero Trust World 2026. And it gives you everything. Access to all sessions, hands-on hacking labs. You get meals. You get that after party. The most interactive hands-on cybersecurity learning event of the year. That's March 4th through the 6th in Orlando, Florida. Join Steve and me and do register to save $200 with the code ZTWTwit26. ThreatLocker.com/TWIT. I'm looking forward to this. It's going to be very, very interesting. This will be a chance to see Steve in a little bit different setting, I think.
We're going to make a show out of it, so even if you're not at Zero Trust World, you'll be able to hear what we do. But I think it'd be fun to be there in person. I'll never forget. We went, years ago, it must be 30 years ago now, to Chris Pirillo's Lockergnome in Des Moines, Iowa. You remember that? Oh, yeah. And just impromptu, Steve and I, we went down. We were in the lobby of the hotel. They had a nice little lounge with a fireplace. We sat down. We started talking. And as you were talking, it was like the Maharishi was there. People started to gather. The crowd got bigger and bigger. Pretty soon you were holding court. Leo, I think you're being a little too generous. I was unknown at that point. You were the celebrity. You were the celebrity. Once people heard what you were talking about. Well, I was the keynote speaker, so I guess I was somewhat known. It was a long time ago. That was when I first met Mark Thompson. I had never met him. We knew of each other. AnalogX. Yeah. And he came out for that purpose. Yeah. Yeah. It was a lot of fun. Anyway, back to the show. Okay. So, oh. No, come on. More bad stuff? Yeah, we were talking not long ago about the sad idea that ChatGPT's clean, answers-only dialogue might become laden with advertising. Now, anyone who was around during the birth of Google will fondly recall those original, super clean, no-nonsense Google search results. I mean, it was so nice. Well, those days died once Google realized how much money could be made through advertising. One of the observations I can't help making is that AI is currently a money-losing enterprise, with high hopes for the future, but it's astonishingly expensive at the moment. And that's worrisome because I, like many others, I'm sure, and I know you, Leo, have now figured out what our current AI is and how to leverage its benefits for our lives. Oh, my God, that's amazing. I don't ever want to lose access to it. No. It is really phenomenal.
I'm afraid because I use Claude Code now for everything, for configuration, for setup, anything. You know, I would say, oh, my laptop buttons don't turn the screen up and down. How do you fix that? And Claude Code fixes it. It fixes it. I know. You used to have to go look, you know, go to Reddit, do all these things. It just knows. It goes, yeah, I'll fix that. If I lose that, I don't know what I'm going to do. I feel a little guilty sometimes asking it dumb, like obvious things just because I'm lazy. But it's like, well, there's the answer. And you know it's not judging you. And, Leo, I do despair a little bit about young ones who grow up with an AI always there. I mean, you've got an oracle at your elbow that just, like, why, you know, you're going to end up just learning how to steer it rather than, you know. Hey, remember, we used to have to, if you wanted to know, like, who starred in that movie in 1939, you'd have to go to the library and look it up. But now you've got all that in your phone. And we're all used to it. People don't have to research stuff anymore. This is just the next step along that road. We had to learn. We had to know what eight times eight was, Leo. Yes. That will no longer be needed. I'm sure when people first got calculators, they said, oh, kids will never learn the math tables anymore, which is probably true. You know, we had a story on Sunday on TWiT. They took away the cell phones in New York City schools, and it's been a problem because high schoolers can't read analog clocks. So they keep asking, hey, what time is it? They keep asking the teacher, what time is it? And the teacher said, I'm at the point now where we're saying, well, where's the big hand? Where's the little hand? So this is just the way of the world. Yeah. I don't know how to shoe a horse. If you asked a whole line of a bunch of high school seniors and said, okay, do some long division, they'd say, what? What? Why do you do that? What? Can I use Claude Code? Yeah.
So a couple of days after Christmas, Tom's Hardware posted reporting along these lines, which I wanted to share because it contains a bunch of additional interesting detail as well. Tom's Hardware's headline was, ChatGPT could prioritize sponsored content as part of ad strategy. Now, unfortunately, having the phrase ad strategy affiliated with AI, that's sad. But they opened by posing the rhetorical question, are we going to see ads in ChatGPT's answers soon? And they explained, writing, OpenAI is allegedly still working on adding ads to ChatGPT, with sources saying staff are discussing ways to bake them into the chatbot's responses. According to The Information, the AI company is looking to create a new type of digital ad rather than simply copying what existing search and social media companies are running. Well, okay, maybe there's a little bit of hope. This is possible because OpenAI can use historical chat data to serve ads that are highly relevant to users' interests. Okay, now I'm going to interrupt here just to note that it's difficult to argue with that, right? You know, I mentioned that many of us have come to understand what's going on with LLMs, and we understand that one of the things we've come to learn and appreciate is the context window that an account holder builds over time. I remember being taken aback the first time ChatGPT offered some example code to me in Intel assembly language. I was like, what? How does it know? I was quite certain that it wasn't what it would have offered most users. But I've come to appreciate the degree to which it's able to tune its replies based on our dialogue's history. So, you know, this is not to say that it's going to have any advertisers in its bag that will necessarily match up with my particular interests. That's going to be a problem, right? It's got to have somebody to offer to me.
But, you know, I certainly understand the notion of an AI that's been working with someone for a while being unusually well-suited to matching them with relevant advertisers. That idea, I think, has clear merit. And we know from our previous study of advertising, tracking, and profiling that much more accurate matching means much more revenue for every highly targeted ad. Anyway, Tom's Hardware continues, writing, OpenAI told The Information, quote, As ChatGPT becomes more capable and widely used, we're looking at ways to continue offering more intelligence to everyone. As part of this, we're exploring what ads in our product could look like. People have a trusted relationship with ChatGPT, and any approach would be designed to respect that trust. Okay, let's hope. Anyway, Tom's Hardware wrote, Staff discussions on ad implementations have ranged from prioritizing sponsored content in the chatbot's answers to adding a sidebar that shows ads related to the user's query. They've also considered showing them only when the conversation moves toward shopping or similar activities, or as a secondary step where ads are displayed only when someone clicks a link in ChatGPT's results. It's been reported that OpenAI is shifting its focus away from ads, especially after CEO Sam Altman declared a code red for the company following the latest version of Google's Gemini, which outpaced ChatGPT in several benchmarks. Altman said that OpenAI needed to improve the AI chatbot's personalization, speed, and reliability, and cover a broader range of topics. So the company is pausing work on all other projects to focus on these capabilities. However, it seems to be continuing progress on ChatGPT ads, despite the recent change in focus. ChatGPT has three main revenue streams at the moment: subscriptions to ChatGPT Plus, Pro, and Business; API access for developers; and enterprise solutions.
Aside from that, writes Tom's Hardware, OpenAI said it will start earning revenue from non-paying users by 2026, projecting $2 per user per year, which will grow to $15 per user per year by 2030. I'm sorry, by 2030. Despite that, OpenAI has yet to turn a profit since its founding in 2015. Even though its annualized revenue hit $10 billion earlier this year, it's still expected that the company's operating losses will hit $74 billion annually by 2028. Nevertheless, investors continue to pour money into the company, even as some are starting to ask how its long-term profitability will look. For comparison, they finish, Google's ad business accounted for $237.8 billion in revenue in 2023, representing 77% of the company's total revenue. This amount is more than enough to cover OpenAI's estimated losses, and it seems it wants to follow the search giant's playbook by baking ads into its results as well. However, this also raises privacy concerns, especially since ChatGPT likely has much more information about its users than Google does. Furthermore, there's the question of how OpenAI will ensure its LLM gives the best answer to the user, especially if it stands to make money by showing ads instead of organic results. And to that I will say, oh boy, nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback that the AI receives. So, Leo, what do you think about ads? Well, it's all in how you do it, right? And, I mean, the worst thing, of course, would be, as you say, if you included the ads in the results. Yes. And it's not clear that it's an ad. I mean, look, we have ads, and I think that's how we support ourselves. I think ads are okay as long as they're clearly identified. Advertisers, of course, always want you to somehow hide the fact that that's an ad. They love that. There's a great publication called The Hacker News. I love it.
In the last couple of years, they began slipping in interstitial, like, you know, paid-for insertions. Yeah, that's not great. That looked, that were made, you know, there was no way to look at them and know that's what it was. And you had to read a little ways in and you go, oh, wait a minute. And it's sad. Yeah, they call that advertorial. Or sometimes, if they don't want the word ad in there, they'll call it, what was it? Something content, custom content or something. It's not okay. We don't do it, and your AI should not do it either. But if it's a little thing, and, you know, I understand why they're saying shopping, because if you go to an AI and you say, I want to buy running shoes, and they put a link to a place to buy running shoes, and it says ad, I think that could even be helpful, right? Yeah, yeah. I know that, you know, Lori and I are sharing an account, which makes me a little uncomfortable because I wonder if ChatGPT is confused. We have a split personality. But I look at the dialogue history, and, I mean, she's using it for all kinds of things, which are definitely commercial front end. So, you know, she's asking it for, like, you know, give her a table of, you know, we're in the process of getting ready to set up a new household. So there's like all these things that she's like, you know, exactly. So I mean, we're going to have to pay for it one way or the other eventually. Yes. And I'm glad you said that because it did say in Tom's reporting that non-paid users would be generating ad revenue. You know, I find ads abhorrent. You know, there's not an ad on GRC. I could have ads on GRC and we'd be making money from all of the page views we get. There's not an ad there because, you know, I practice what I preach. And so I wouldn't have a problem paying more than, what is it, 20 bucks a month or something that I'm paying, 20 plus. Yeah. I mean, I'll pay 50 for what I'm getting.
You know, by the way, I did see my little, my little ten dollars from Bitwarden. I got my little receipt at the beginning of the year. Oh, good. Yeah, I like paying for Bitwarden. So we do pay, you know, we pay for the things that make sense. That's what we have to get used to is that this whole idea, this feeling that things are free has always been not true. And you've got to pay for the stuff you use. You just do. And that's just the way it is. It's not free. It can't be free. And the ad revenue model has shown that it works. As you said, that's why TWiT is still here. And I'm here indirectly because TWiT is still here. It's what broadcast TV survived on. And the problem is it could be a slippery slope, right? Because if you have some number of ads in your TV show, there's just so much temptation to squeeze another one in because, you know, at the expense of content. It's like, don't, you know. Just don't. Okay. Stop. So anyway, it's going to be interesting. But again, I think this needs to get paid for. I'm reminded of your comment that the cost that OpenAI is expending is in training, not in querying. So I'm hoping that, you know. It's getting cheaper, for sure. Yes. Because, I mean, generating $10 billion and losing $74 billion, that's not the future. No. In fact, at CES, NVIDIA announced chips that are considerably more powerful at a lower price. So you're going to see this. This is why I think it is so stupid to be building up data centers and, like, using your GPU inventory as the asset against the loan that you took out because you have rapidly depreciating inventory. Oh. Not so. This is going to be an interesting year. I think that's probably the best way to think of it. We went a long time to our first break. Let's take one now, and that will kind of put us back on track. Gladly. And talk about Python Package Index's increase in security. 
I have a sponsor that should interest you and everybody who's listening, because we're all nowadays working in the cloud. We use Google Docs or Microsoft 365. Most businesses, our business is completely Google Workspace. Well, let me tell you about our sponsor for this segment of Security Now, Material. They are the cloud workspace security platform built for lean security teams. Managing security in a cloud workspace is a challenge, right? And by the way, phishing is far from the only way in. Today's email security basically ends at the perimeter. It's assumed, well, the email got through, it must be okay. But new attacks are so hard to detect, not just in the email, but, you know, you've got siloed email, but you also have data. You have identity security tools. Material protects. They protect the email. They protect the file. They protect the accounts that live in Google Workspace or Microsoft 365. If your business runs on those cloud systems, you need Material. Because effective email security today needs to do a lot more than just block phishing and other inbound attacks. It needs to provide visibility. It needs to provide defense across the workspace threat surface. That's Material. Material ingests your settings, your contents, and your logs to give you holistic visibility into the threats and the risk across the workspace along with the tools to automatically remediate them. Material delivers comprehensive workspace security by correlating signals and driving automated remediations across the environment. Yeah, automated remediations. So even when you're not on duty, Material is. Phishing protection and email security combining advanced AI detections with threat research and user report automation, because we're all in this together, detection and protection of sensitive data across inboxes and shared files. You get account threat detection and response. People are trying to hack. 
I don't know why, but everybody's trying to hack Lisa's Google Workspace account pretty much all the time. You need Material, account threat detection and response with comprehensive control over access and authentication of people and third-party apps. If you're living in the cloud, it puts your attack surface out there. You need something that's smart about cloud security. Material, it empowers organizations to rapidly mature their ability to detect and stop breaches. With step-up authentication for sensitive content, it's got something I love. You've got to take a look at this on the website. Blast radius visualization for accounts. And the ability to detect and respond to threats and risk across the cloud workspace. Material enables organizations to scale their security without scaling their team. Material drives operational efficiency with its simple API-based implementation and flexible, automated, and one-click remediations for email, file, and account issues, including an AI agent that automates user report triaging and response. And we all need help, right? Give me all the help you can give me. Material protects the entire workspace for the cost of email security with a simple and transparent pricing model. Secure your inbox and your entire cloud workspace without adding more toil to your day or costs to your balance sheet. See material.security to learn more or to book a demo. That's Material, M-A-T-E-R-I-A-L, dot security. This is an idea whose time has come. We are living in the cloud. Now let's have some cloud-based security for everything we do there. Material.security. We thank them so much for supporting Security Now. Steve. So there's finally some good news. Oh, I've been waiting. Oh, my goodness. Oh, my goodness. On the Python Package Index, the PyPI repository front, PyPI posted in their PyPI in 2025 year in review, they said, as 2025 comes to a close, it's time to look back at another busy year for the Python Package Index. 
This year, we focused on delivering critical security enhancements, rolling out powerful new features for organizations, improving the overall user experience for the millions of developers who rely on PyPI every day, and responding to a number of security incidents with transparency. Let's look at some numbers that illustrate the sheer scale of PyPI in 2025. And I put them in the show notes because they're like, wow. So they have more than 3.9 million new files published during just that year, 2025, last year. 3.9 million new files. More than 130,000 new projects created. 130,000 new projects. 1.92 exabytes of total data transfer. I don't even know what that is. That's a big number. Gigabyte cake. All right. It's gigawatts. It's gigawatts. Many, many, many, many bytes. 2.56 trillion total requests served, which is an average of 81,000 requests per second. So think about that. 81,000 every single second of the day, 81,000 pulls from the package repository. So that really does give some sense for the scope and scale of today's repositories. And PyPI is not even the big one. NPM is the biggie on the block. So it becomes very clear how rapidly, and here's on the security front, how rapidly a popular package, if its developer's account were to become compromised, would have the ability to spread. I recall when the notion of a supply chain attack was a new term for us, and a new concept on this podcast. Oh, supply chain, that's interesting. Let's talk, what's that? Now, sadly, it's become one of the most prevalent and worrisome security classes that there is. Their posting noted, these numbers are a testament to the continued growth and vibrancy of the Python community. Then they said, let's dive into some of the key improvements we've made to PyPI this year. And I'm just going to do the top lead one, which is security. They said, security first, security always. 
Security is our top priority, and in 2025, we've shipped a number of features to make PyPI more secure than ever. Enhanced two-factor authentication for phishing resistance. They said we've made significant improvements to our two-factor authentication implementation, starting with email verification for TOTP-based logins. This adds an extra layer of security to your account by requiring you to confirm your login from a trusted device when using a phishable two-factor authentication method like TOTP. And I'm going to come back to this in a minute. They said since rolling out these changes, we've seen more than 52% of active users with non-phishable two-factor authentication enabled. Okay, so wait a minute. What we see on this podcast over its 20 plus years is evolution. Recall when the concept of a continually changing six-digit code was going to be the end-all, be-all of security. Remember the little eBay football, the PayPal or whatever? Oh, yeah, PayPal football. Yeah. The football is, oh, look at that, Leo. It changes its digits every 30 seconds. No one's ever going to be able to hack that. Okay, it was exciting because even if some site were to lose control of its static passwords, no bad guy would be able to produce the one-in-a-million six-digit code that was correct for that moment but changed every 30 seconds. Well, that was a nice theory while it lasted. But then reality struck. We learned that practical applications of time-based one-time passwords actually needed to open a surprisingly large acceptance window for codes. Remember, Microsoft was like five minutes or something. It's like, what the heck? You just, you know, I mean, you could email it to somebody or almost postal mail it. 
Anyway, it turns out they needed to accept many minutes' worth of codes on either side of the optimal code in order to minimize false negative failures caused by desynchronized clocks or communications delays, you know, or even maybe, you know, the users cutting and pasting or emailing themselves the codes or, you know, who knows what, why, but that was the reality. But the real death knell sounded when the bad guys realized that those larger acceptance windows meant that users could be readily phished by having them attempt to log into a fraudulent website, which they might get to by clicking on a link in email, which, of course, is able to obscure its actual domain. They would provide their username and password and then be prompted for their one-time password. The bad guys would collect all of that and log into their account on their behalf. And imagine then if that might be a corporate VPN they were logging into or a remote access portal or who knows what. Maybe credentials for API access that the bad guy would then be able to acquire. Much damage could result. So what the PyPI folks are saying is that, sure, by all means, use two-factor authentication. But so many of our past PyPI, and I'm putting words in their mouth, so many of our past PyPI package submitters' accounts have been hacked, even when they were protected, in air quotes, by time-based one-time passcodes, that we are strongly now urging all developers to allow us to require that they also, on top of all that, respond to a link emailed to their account's registered email address. The requirement of an email loop authentication slows down the whole login process, no doubt about it. It's not as convenient. But the demonstration of control over an email account remains a strong, useful, and intuitive authentication factor, which displays every sign of being with us for many years to come. So it's great news that PyPI is actively working to strengthen their authentication. 
And I hope everybody else follows suit because, as we know, accounts being taken over of legitimate, high-reputation, integrity software publishers and repositories that then quickly have their stuff embedded with malware, which is being downloaded at the pace of 81,000 pulls per second. That's a problem we still have to solve. Shortly before Christmas, Microsoft's Windows IT Pro blog posted the news that Windows 11 would be adding support for hardware encryption and decryption to their BitLocker whole drive encryption system. The chart of the relative performance of no BitLocker compared to software versus hardware crypto turns out to be quite bracing. But let's first see what Microsoft explained. They wrote, we know that users desire both security and great performance. Right. Historically, we've strived to keep BitLocker performance overhead within single-digit percentage points. However, with the rapid rise in popularity and advancement of non-volatile memory express, NVMe, drive technology, these drives now achieve much higher input-output operation speeds. As a result, corresponding BitLocker cryptographic operations, this is Microsoft, can require a higher proportion of CPU cycles. This makes the performance impact of BitLocker more pronounced. Oh, Leo, I've got a picture for you on page eight here. Especially on high throughput and IO intensive workloads like gaming or video editing. Okay. Wow, it does make a difference. Holy cow. Oh, boy. In other words, what they're saying is, and this makes sense, there's a fixed absolute overhead cost that's required to encrypt and later decrypt all of the blocks of data being written to and read back from non-volatile mass storage. It's a function of the data size. The cost is a fixed function of both processor speed and the amount of data being read and written. Significantly, it is entirely independent of the storage medium being written to or read from. 
Microsoft talks about the overhead as a percentage that's added to the time that would be required without BitLocker. That's certainly a reasonable way to view the encryption overhead, right? As in, how much did this add to what it would have been otherwise. Right. But then along come these pesky, super-fast NVMe drives, which are essentially PCIe devices themselves. SATA drives used a SATA interface to a SATA controller, which was then attached to the processor's PCIe bus. And SATA was never optimal for doing this, which is why you need a controller. It's basically, it packages up the old IDE interface into a packetized system. And, of course, I know all about that from having written a SATA driver myself for SpinRite 6.1. But NVMe drives need no controller. They are themselves first-party PCIe devices. So they're able to stream their data at the highest speed possible directly to and from the rest of the system. What this means in practice is that someone inside Microsoft realized that the actual delivered performance of NVMe drives was now being dramatically limited by the fixed speed overhead introduced by BitLocker. The chart above right in the show notes, which was kindly provided by Microsoft, demonstrates the significance of the encryption overhead. The shortest center bar shows the average CPU cycles per IO operation, that is to say, without any encryption. The hugely tall orange bar is the average number of CPU cycles incurred by software BitLocker encryption. And for those who can't see it, it's quite sobering. It stands about four times the height of the no encryption bar. And finally, by comparison, the hardware accelerated BitLocker only adds a modicum of additional overhead to the no BitLocker transfer. 
So a very clear takeaway from this is that anyone who is currently using BitLocker on an NVMe drive without the benefit of Windows 11's forthcoming BitLocker hardware encryption, which is to say everyone today, because it doesn't exist yet, is seeing only a true fraction of the performance they could be obtaining from that drive without the comparatively massive overhead that's being introduced by BitLocker. Now, somebody may be wondering about SpinRite. I brought it up. So I'll just mention that you get 100% full performance with SpinRite, regardless of whether BitLocker is present or not, because SpinRite 6.1 doesn't bother with BitLocker encryption and decryption. It just works on the raw encrypted data. But when you actually need to read, write, and understand and use the drive's data, as Windows does, then you have no choice other than to run through BitLocker's crypto pipeline. Since the performance with and without BitLocker and with and without hardware acceleration is pretty astonishing, let's see what Microsoft has to tell us about this. They continue writing, as NVMe drives continue to evolve, their ability to deliver extremely fast data transfer rates has set new expectations for system responsiveness and application performance. While this is a major benefit for users, it also means that any additional processing, such as real-time encryption and decryption by BitLocker, can become a bottleneck if not properly optimized. For example, professionals working with large video files, developers compiling massive code bases, or gamers demanding the lowest possible latency may notice delays or increased CPU usage when BitLocker is enabled on these high-speed drives. Balancing robust security with minimal performance impact is more challenging than ever. The need to protect sensitive data remains critical, but users also expect their devices to operate at peak efficiency. 
As a result, the industry has needed to innovate new solutions that ensure both security and speed are maintained, even as hardware capabilities advance. To achieve this, we announced Hardware Accelerated BitLocker at Microsoft Ignite last month. Hardware Accelerated BitLocker is designed to provide the best combination of performance and security. Starting with the September 2025 Windows Update for Windows 11 24H2 and the release of Windows 11 25H2, in addition to existing support for UFS, Universal Flash Storage, inline crypto engine technology, BitLocker will take advantage of upcoming, and that's the key, upcoming system on a chip and central processing unit capabilities to achieve better performance and security for current and future NVMe drives. So, they said these capabilities are two. First, crypto offloading. BitLocker shifts bulk cryptographic operations from the main CPU to a dedicated crypto engine. This capability frees up CPU resources for other tasks and helps improve both performance and battery life. And second, hardware keys. BitLocker bulk encryption keys, when necessary SoC support is present, are hardware which helps increase security by reducing their exposure to CPU and memory vulnerabilities. This is in addition to the already supported Trusted Platform Module, which protects intermediate BitLocker keys, putting us on a path to completely eliminate BitLocker keys from the CPU and memory. All that's great. Unfortunately, we don't have it yet. They said when enabling BitLocker, supported devices with NVMe drives, along with one of the new crypto offload capable SoCs, will use hardware-accelerated BitLocker with the XTS-AES-256 algorithm by default, which is what you want. This includes automatic device encryption, manual BitLocker enablement, policy-driven enablement, or script-based enablement, with some exceptions. 
We have enhanced the architecture and implementation of the Windows storage and security stacks to support these new capabilities as an operating system enhancement that will bring value to all capable PCs over time. And here it is. Upcoming Intel vPro devices featuring Intel Core Ultra Series 3, formerly codenamed Panther Lake processors, will provide initial support for these capabilities, meaning nobody can have it today, that is, on today's hardware, with support for other vendors and platforms planned. Coordinate with your suppliers and keep an eye on listings from us and other vendors as PCs become available on the market. Okay, so all of this fancy new BitLocker crypto engine pipeline support will only be available when using these next generation Intel processors, which, as it turns out, were just unveiled by Intel yesterday at CES, our annual consumer electronics show. And I just bought a laptop. Uh-huh. This means, exactly, you and everybody else, Leo, that regardless of the version of Windows being used, 7, 8, 10, or even the latest 11, on our current hardware, the use of BitLocker is exacting a tremendous, typically unseen performance penalty that Microsoft is only now disclosing because they have a solution. Of course, it requires buying new hardware, but that seems to be what Microsoft wants to happen thanks to Windows 11 needing new hardware too. But that solution is for tomorrow, not for today. I would say that if anyone has a BitLocker encrypted NVMe drive, which they encrypted out of the box just because, why not? 
Where their operating environment doesn't really require that the whole drive be encrypted, and where they'd rather receive a significant, apparently, so says Microsoft, boost in performance, it might be worth considering de-BitLockering any high-speed NVMe drives you might be using, reducing the load on your processor, improving the real-time performance of everything else because BitLocker's not hogging your CPU, and finally obtaining the true performance that's available from a state-of-the-art NVMe drive. Everything that Microsoft wrote about the increased overhead of fixed speed encryption and decryption in light of the newer, faster performance of NVMe drives, it makes absolute sense. What might also make absolute sense is waiting until your machine's hardware is able to support ultra-low overhead BitLocker encryption, unless having it now is really necessary. Microsoft ended their post by showing how anyone could check to see whether a BitLockered drive's encryption was hardware accelerated. They wrote, to check if your device is using a hardware accelerated BitLocker, open a command prompt as an administrator and run manage-bde. You know, that's BitLocker Drive Encryption. So manage-bde -status. Look at the encryption method section. If hardware accelerated is shown, it indicates that BitLocker is utilizing the system on a chip's, SoC's, crypto acceleration capabilities. So I've got it in the show notes at the bottom of page 10. It's on the screen. Thanks, Leo. No one is going to see that today. But this is a useful tip for the future when you're running Windows 11 on the newest hardware that may be able to offer this support, and that may be why you purchased the newer hardware. Many years ago, back when we were talking about and exploring whole drive encryption with TrueCrypt, I clearly recall wondering about the performance overhead of using it. 
So I did some benchmarking of a system's read and write performance with and without TrueCrypt. I recall being surprised that I was unable to detect any performance overhead being introduced by its on-the-fly encryption and decryption, all in software, of course. And while I no longer recall the specifics, it's likely that the system I was using back then had a fast processor and a comparatively slower spinning hard drive. So, as a consequence, the overhead that was being introduced by the encryption and decryption would have been completely masked by the drive's physical read-write performance because those two things were able to happen in parallel. So that would have been, you know, the drive's read and write performance would have been the limiting factor. It would have been slower than the system's ability to encrypt and decrypt its data. What's changed since then is that now we have not only solid state mass storage as the new default, but that storage is being attached directly to the system's I/O buses with no controller translation going on in between, allowing today's mass storage to deliver unprecedented performance. Software-based encryption and decryption cannot keep pace, even with, you know, no matter how many cores you have. One of the things that is happening is that pushing all that data and running decryption in software is flushing your processor cache. So it is really rough on the whole system to be doing bulk encryption and decryption by CPU. You don't want to have to if you don't really need to. See, I always turn on full drive encryption, especially with SSDs, because as we've talked about before, you really cannot wipe an SSD very effectively, right? That's true. So if I don't use encryption up front, I'm probably storing stuff in the clear on that drive that can't be erased. I would say that you can't know that you have wiped an SSD. 
The secure erase should even deal with all of the little pockets of swapped out, you know, leveled regions and no longer effective chunks that had been mapped out of the SSD's use. Secure erase should do that, but you're trusting the manufacturer to, you know, to implement that correctly. So if you really are belt and suspenders, then yes, you would turn BitLocker on, you know. I turn on full disk encryption on everything I have. It's on by default on a Mac, FileVault; on Linux, I use LUKS. And I think BitLocker is on by default on Windows Pro. I'm not sure about Windows Home. But the point is, otherwise. It's not turned on by default on installation. It is on a Mac. That's interesting that Microsoft doesn't do it. Maybe that's why. I'm sure that there's a similar hit in full disk encryption on other systems. Yeah. After covering this, I did not take any time to look around. I'm sure people have done benchmarks that are going to be available so we can see what that is. There is a version of a drive that does it itself, but they are extremely more expensive. You know, they're like data center, high-end drives. They're like triple the price, but it does, it has an AES encryption hardware. Well, in fact, that's what the iPhone has. You know, the iPhone storage is also all encrypted. Everything's encrypted. Yeah. So maybe, you know, hey, we're not getting the full amount of speed that we could be getting, but it's still faster than your old spinning drive in that old processor a lot. Right. Yep. I don't know. I think I'm going to always still use full disk encryption. It'll be interesting to see what the overhead is. What the hit is, yeah. Yeah. I won't be turning it on because, you know, my environment doesn't really require it. So let's take a break, and then we're going to talk about, as you mentioned, Leo, the odd inclusion of two lines in the New York City recent mayoral inauguration, what is banned from being brought? It's telling, isn't it? It's bizarre. 
Yeah. Yeah. Okay. Well, our show today brought to you, as it often is, by our good friends at Bitwarden, the password manager I use and strongly recommend. It's open source. That's the reason I use it. It's also the trusted leader in password, passkeys, and secrets management, consistently ranked number one in user satisfaction by G2 and Software Reviews with over 10 million users across 180 countries, more than 50,000 businesses. Whether you're protecting one account on your personal system or thousands in your business, Bitwarden keeps you secure all year long with consistent updates. I'm always impressed. Maybe it's because it's open source, but the speed with which they add new features is very impressive. They just added for enterprise what they call Bitwarden Access Intelligence, which lets organizations detect weak, reused, or exposed credentials and immediately guide remediation right there at your user's desk, replacing risky passwords with strong, unique ones. This closes a major security gap. Credentials are still one of the top causes of breaches, because people reuse passwords, they use weak passwords, their passwords are exposed in breaches all the time. But with Access Intelligence, those exposed credentials become visible, prioritized, and corrected before exploitation can occur. You've got to have this in your business. They've also introduced something brand new, Bitwarden Lite. Bitwarden Lite, this is interesting. This is probably maybe more for us geeks. It delivers a lightweight, self-hosted password manager. It's for home labs, for personal projects, for environments that want quick setup with minimal overhead. This is a self-hosted Bitwarden Vault. It's now enhanced with real-time vault health alerts. Actually, all Bitwarden users get this. Password coaching features that help users identify weak, reused, or exposed credentials and take immediate action to strengthen their security. Bitwarden now supports direct import, too. This is great. 
You don't have to export into clear text and then import into Bitwarden and then make sure you remember to delete the clear text and all that. No, no. Bitwarden supports direct import from your existing browser password vaults like Chrome, Edge, Brave, Opera, and Vivaldi browsers. I guess those are all Chromium-based browsers. Direct import copies, imports, credentials from the browser right into the encrypted vault without requiring that extra plain text export. That is a lot safer. It also simplifies migration. You don't have the same kind of exposure that's associated with manual export. You forget to delete the clear text version of it. It always makes me nervous. That's one of the reasons both Steve and I moved from that other password manager to Bitwarden. We were very careful. We deleted the clear text. And now I'm not moving again. I'm staying right there. This is it. I'm very, very happy with Bitwarden. G2 winner 2025, the one that just came out, reports that Bitwarden continues to hold strong number one in every enterprise category, and that's now the sixth straight quarter, number one in all enterprise categories. Maybe that's because Bitwarden's setup is so easy. It supports importing from almost all password management solutions, so it's quick to move over. I think it's really important. It is to me that Bitwarden is open source, GPL licensed. You can see it on GitHub. You can inspect it. It's also regularly audited by third-party experts. That tells you there's no backdoors. There's no insecurity. They're using well-known standard crypto. Bitwarden meets SOC 2 Type 2, GDPR, HIPAA, CCPA compliance. It's ISO 27001:2022 certified. And you can get started today with Bitwarden's free trial of a Teams or Enterprise plan. And as an individual, free across all devices, as an individual user, free forever, bitwarden.com. That's bitwarden.com. You might want to do what Steve and I do. 
We pay $10 a year for the premium just to show our support for Bitwarden, but you don't have to. Bitwarden.com. Yes, it supports hardware keys, YubiKeys. It supports everything. Secrets, passkeys, unlimited passwords. Bitwarden.com. I once asked them because we know other password managers that had free trials that yanked them back. And I said, can you ever do that? And the guy at Bitwarden, he's great. He said, no, we can't. We're open source, Leo, even if we did. People would just go, well, that's that. I'm forking it. And we'd always have it for free. So they know perfectly well, free forever. That's another benefit to open source. bitwarden.com/twit. Take a look at the enterprise or business plans, too, because they're great. And the Teams plans. Those are not free forever, obviously. Those are business plans. But for individuals, bitwarden.com. Thank you, Bitwarden, for doing a great job. Happy to give you my $10 every January. Okay, Steve, let's talk about the Raspberry Pi. Okay, so last week, the newly elected and controversial mayor of New York City was inaugurated. And that's not an event that would normally be mentioned here, but this inauguration was a bit special. I'm going to deliberately keep those who haven't already heard about this a little bit in suspense for just a minute because the reveal is just too much fun. The reporting that I want to share over this is from a perfect perspective. And by someone who writes quite well. They wrote, public safety rules should be dull in the best possible way. Clear, predictable, written by people who understand what actually causes harm in a crowd of thousands. New York City usually gets this right. It has decades of muscle memory for doing hard things in public under pressure without panicking, which is why the prohibited items list for the January 1, 2026, New York City mayoral inauguration block party seemed off. 
Okay, and at this point, the post provided a link to the list of prohibited items, which I'm going to share with our listeners. The notice read, prohibited items. All spectators will be screened as they enter the viewing area. The following items are prohibited: laser pens, bats and batons. And finally, tacked onto the bottom of the list as the final two items. What do we find? Flipper Zero and Raspberry Pi. Yep. We wouldn't want any of those crowd-disturbing technologies or capabilities being bandied about casually. The posting to the blog of the well-known and very popular Adafruit website continues, Explicitly banned. Raspberry Pi and Flipper Zero? Why? Not categories, not capabilities. Two named devices, brand trademarked names, parked right next to weapons, explosives, and drones, as if the list itself is supposed to do the thinking for us. Raspberry Pi is a general-purpose single-board computer. It shows up in classrooms, newsrooms, accessibility rigs, art installations, and civic tech demos. Flipper Zero is a consumer electronics testing tool, but its functional territory overlaps heavily with laptops, smartphones, radios, microcontrollers that remain perfectly legal to carry. If the concern is electronic interference, signal disruption or hacking, the policy does not say that. It gestures vaguely by naming a couple of gadgets and hoping the implication sticks. Curiosity, it seems, is now contraband. There already is a list of prohibited items that works great. At Times Square on New Year's Eve, one of the most tightly secured public events on the planet, the prohibited list is blunt and practical. Backpacks, drones, weapons, alcohol, large objects that block movement or sight lines. The rules focus on crowd dynamics and physical risk. They do not play whack-a-mole at the end with brand name electronics. When a policy bans specific devices rather than behaviors or capabilities, it creates ambiguity for people on the ground. 
Once a Raspberry Pi is banned, a smartphone sails through security despite being way more powerful, more connected, and more capable of surveillance, disruption, or both. That's not a security framework. That's a vibe-based list. Maybe it was AI-generated. That would be interesting if that was what happened. If the goal is to restrict electronic interference, the language should say so plainly. Unauthorized transmitters, signal interception tools, electronic hacking devices. Those are enforceable things already. Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy. There's a cultural cost to banning brand names like Raspberry Pi. New York is full of educators, artists, technologists, and journalists who use small embedded computers as tools of expression and access. A device-specific ban turns curiosity itself into something suspicious, while ignoring the far more capable computers already in everyone's pockets. The future ban list will have everything. This is my favorite part of this article here. Today, it's, yes, to the enumeration. Today, it's Raspberry Pi and Flipper Zero. Tomorrow, it's BeagleBone Blacks, Arduino Qs, ESP32 DevBoards, Teensy boards, Pine 64s, Orange Pis, Jetson Nanos, USB Logic Analyzers, SDR Dongles, Bus Pirates, DEF CON badges, Hotel Key Cards, Garage Door Openers, Tamagotchis, graphing calculators, old Nokias, Game Boys with Link Cables, a TI-83 calculator, right, held sideways, a pocket operator making beeps too abrasively, a Furby with unresolved father issues, and some guy's wristwatch that definitely has a microcontroller in it. Meanwhile, everyone walks through holding a smartphone that can film, scan, transmit, triangulate, and live stream the entire event in 4K. Yeah. He said, Zohran for NYC. Audra Heinrichs, quote, directed all press logistics on the Mamdani campaign's final events. Public safety is a beacon, a flashlight, not a fog machine. 
They have heavy hitters here. They can fix this. The list feels symbolic rather than functional. New York has done better before and it can do better again. There's enough time for the new mayor's team to check this out, and if they do, I'll get word out and say there will be no tickets to a security theater. So, you know, I can kind of see the Flipper Zero being on the list. I mean, if you're going to have something like that, and I can see why it might have needed to be named directly. You know, it is now a famous mischievous hacking tool that you could argue has no real place or purpose at such an event. If someone were to attempt to bring one in, although I'm sure they could smuggle it, it would not be unreasonable to ask them why they have it and then probably hold it for them until they were leaving afterward. And, you know, really, it would need to be called out by name since using the generic no transmitters allowed would, of course, include everybody's phone. But that said, I can totally agree that the idea of the Raspberry Pi being put on the list is nothing short of nuts. And I can see why this author wondered whether AI might have had a hand in there. Although, you know, it's all academic now, it would be interesting to know exactly where those last two items came from. You know, like how did they find themselves on the list? It's just a curious, I mean, I can't see getting upset about it. Although I am upset about another thing. Why do we always blame AI when people do stupid things? Humans are very capable of doing stupid things all by themselves. We have, well, first of all, humans train the AI. and we have a new whipping boy. Oh, it must have been AI. That's right. This is not something AI would say. This sounds like somebody who kind of half had an idea. Yeah, or someone's nephew said, you know. You know, you really shouldn't let raspberry. Again, I agree with you. I can see Flipper Zero. That's a hacking device. That's what that's designed to do. 
What would you do? Would you carry a bare Raspberry Pi in your pocket? And a power supply and antennas and stuff. Like what? We talked about it on Twitter, and they said, why didn't they ban Wi-Fi pineapples? I mean, let's get serious. There's some stuff that could have been. But you can't. There's no way you can make a blanket list. No, there's too many ways people can do things. Anyway. I want to hear about this new show. I want to know about this. I have. Yes. I have the best news for our sci-fi enjoying listeners. Okay. Forbes' headline was, Netflix's best new show has a 100% Rotten Tomatoes score. But there's a catch. They're describing a two-season, 16 episodes in total, and this is me speaking, I watched it. Astonishingly well-conceived science fiction time travel series that can currently be found on Netflix and Apple TV. Amazon Prime Video only has season two, and the rights are expiring. Okay, this thing is called The Lazarus Project. L-A-Z-A-R-U-S, The Lazarus Project. There's a movie by the same name, and as you'd expect, Lazarus generically has been used several times before. There's a movie, there's a Lazarus Project movie, Lazarus files and other stuff. What you want is the Lazarus Project. So beware of name collisions when you're searching. The one I'm talking about is a two-season British television production. I was made aware of it when it popped up on Netflix with the news that it would be leaving a few weeks from now on January 28th. I don't know whether or when Apple TV and Amazon may be losing it, but since I never want to be without it, I mean that. I never want to be without this. After getting a couple of, no, it is so good, Leo. I don't even have to worry about overselling it. I know I tend to oversell things, but when I'm excited about them or infatuated, but oh my God. After getting a couple of episodes into the second season, I immediately purchased both seasons on Apple TV. They were $20 each. 
But, you know, I assume that means if I bought them on Apple TV, I'll always have access to them. Apple TV is not going to say, oh, sorry, Steve, you paid $20 and now you can't see it. Okay. Following their headline, Forbes wrote, Netflix's best new show has a 100% Rotten Tomatoes score, but there's a catch. They wrote, that show is The Lazarus Project, a sci-fi series that originally aired in 2023 on Sky, but has now ported over its two seasons to Netflix. The series has a perfect 100% score on Rotten Tomatoes from critics, an infrequent feat. Okay, I checked over on Amazon Prime where it has a 4.8 out of 5, with most giving it 5 stars and a few giving it 4. No one gave it a 1, 2, or 3. Now, I'm mystified by the show's comparatively low 7.3 rating over on IMDb because I have never, and I really mean never, seen a more compelling, astonishingly clever, and gripping time travel concept and plot. There is new stuff here. The Lazarus Project is truly remarkable science fiction. It's so good that I felt duty-bound to tell everyone here, and I also posted about it over in GRC's sci-fi news group. One of the denizens who hangs out over there replied, I watched it somewhere besides Netflix, and I have to admit, he said, I was amazed as well. But I strongly recommend that people binge watch it because the plot is highly complex, and some critical plot points happen almost in passing. This is not a series to watch in the background while you're doing something else. No, I can't even imagine. I keep hitting the backspace button in order to catch something again because, I mean, there is so much there. He said, the logic of the time resets will have you twisted in knots at times, but it's a completely new take on time travel. And I replied to Milton's posting, writing, I agree 100%. It takes extreme attention and focus, which is part of what makes it so good. It's the absolute reverse of nothing much happened during that episode. 
The sense is that they're working to cram as much content into each episode as possible, and they succeed. Okay, so I'll just say that the series has been nominated for a BAFTA award. BAFTA is the British Academy of Film Awards, which is Britain's highest honor for British cinema. There is a downside, which is the catch that Forbes referred to in their headline. It's that the series apparently did not plan to end after just two seasons. It proved, I believe, to be a bit too much for Sky TV's British viewer demographic, who probably did want to be able to do something like iron or something while they were watching TV. You know, and I understand. I mean, it really is a lot. Lori is lost. She's like, okay, would you just tell me what happened? Because, I mean, oh, Leo, it is so good. I can't wait. It is so good. So Sky chose not to commission a third season, and we're left a bit hanging. Milton said that it looked like they tacked on kind of some attempt to satisfy, and I got right, it was almost 1 a.m. this morning when I could not make myself watch the final one because I had to go to sleep so I could do the podcast. Wait a minute, you watched the whole two seasons in one evening? No, no, no, no, no. It took, I did the first three, then I was hooked, and then I did the second season in two pieces of, two blocks of two and five or something, or two and two, and then I watched the second season in three parts. Anyway, the point is I am one episode from finishing. I did not get the final episode, but, oh, my God, the second or the last one last night. Oh, I mean, oh, wow. Anyway. Wow, I can't wait to see this. It is really, really good. So if you don't have Netflix, I'm trying to think. You could purchase, but if you have Apple TV, you could buy the first episode for whatever it is, $2.95 or something, just the episode. Right. Then when you see how good it is, you could join Netflix just to watch both seasons and then resign and save some money. 
In fact, if you haven't ever done Netflix before, I think you can join and get a free week or something and then resign. Oh, it is. It is really good. And so probably, if you actually start, Leo, you will be done by the time we talk about it. If we can, if you watch it by next podcast. Okay, I'll be that hooked. It is beyond. It is this. Okay. Wow. Yeah. It's just, it's a treat. So everybody, you know, and again, don't have, you know, like distractions while you're trying to watch it. You'll quickly see that you really need to pay attention. The acting is good, as a lot of British TV really is, where they have people you've never seen before, but they're really good. They just, it's, and it's one of those shows also where you kind of hope something's going to happen, and it does, where like everything you want to have happen happens. So it's gratifying that way. But then they also completely keep you off balance with things that you didn't expect. And then afterwards you go, oh, that's so brilliant. Anyway, yeah, it's really good. Can't wait. Tom Kreitz sent me a link. He's a listener of ours. He sent Security Now feedback. It contained nothing but the link, which I would normally be a little skeptical about. But it was the subject of his email that caught my eye, which was vitamin D and magnesium. And the link was to a just December 30th published piece on the Science Daily website. Science Daily does sort of synopsis of other studies across the realm of science and sort of like pulls them all together. So the piece was titled, Why Your Vitamin D Supplements Might Not Be Working. Now, since I was unaware of a tight link between vitamin D and magnesium, since last week's holiday podcast was a replay of our much earlier vitamin D podcast, and since magnesium happens to be another substance that I have extensively researched and experimented with, I wanted to share the substance of this piece, which is brief. 
The summary at the top says, a randomized trial from Vanderbilt Ingram Cancer Center reveals that magnesium may be the missing key to keeping vitamin D levels in balance. The study found that magnesium raised vitamin D in people who were deficient while dialing it down in those with overly high levels, suggesting a powerful regulating effect. Increases it or decreases it, depending. It pulls it into the proper range. They said this could help explain why vitamin D supplements don't work the same way for everyone and why past studies linking vitamin D to cancer and heart disease, as in prevention, have produced mixed results. The piece in Science Daily is a report on findings published in the American Journal of Clinical Nutrition. And so they went on to say the study published in the American Journal of Clinical Nutrition adds clarity to long-standing debates about vitamin D's links to colorectal cancer and other diseases. These questions have gained attention due to mixed results from major studies, including the VITAL, V-I-T-A-L, all caps, trial. The new findings also reinforce earlier research from 2013 by the same team, which found that people with low magnesium intake often had low vitamin D levels as well. So again, there was a correlation. At that point, they didn't have causation. You need to do what happened, which was a randomized controlled clinical study in order to get the actual causal link. So they said, beyond confirming earlier observations, the trial uncovered an additional insight. Magnesium did not simply raise vitamin D across the board. Instead, it appeared to act as a regulator, lowering vitamin D levels in participants whose levels were already high. This is the first clinical evidence suggesting magnesium may help optimize vitamin D levels rather than just increasing them, which could be important for reducing disease risk linked to vitamin D imbalance. 
The Ingram professor of cancer research and lead author of the study explained that the healthiest vitamin D range appears to fall in the middle of a U-shaped curve. Previous observational studies have linked this middle range to the lowest risk of cardiovascular disease. Despite earlier warnings, vitamin D did not show a clear link to cardiovascular disease in the recent VITAL trial. Dai and co-author Martha Shrubsole, a research professor of medicine in the Division of Epidemiology, are now examining whether magnesium could help explain these inconsistent results. Their work is part of the ongoing personalized prevention of colorectal cancer trial. Shrubsole said, There's a lot of information being debated about the relationship between vitamin D and colorectal cancer risk that's based on observational studies versus clinical trials. The information is mixed thus far. The researchers turned their attention to magnesium after noticing that vitamin D supplements did not work equally well for everyone. Some people fail to raise their vitamin D levels even when taking high doses. Dai said magnesium deficiency shuts down the vitamin D synthesis and metabolism pathway. The study included 250 adults considered at a high risk for colorectal cancer, either due to known risk factors or because they had previously had a precancerous polyp removed. Participants received either magnesium supplements or placebo, with dosages tailored to their usual dietary intake. Shrubsole noted that vitamin D insufficiency is widely recognized as a public health concern in the United States, and many patients are advised to take supplements based on blood test results. She said vitamin D insufficiency is something that has been recognized as a potential health problem on a fairly large scale in the U.S. As we know, that's relatively recent. That was since we first did the podcast. She said, based on those national estimates. And we know the RDA is not the live long and prosper level. 
It's the keep yourself above ground barely level. Shrubsole emphasized that magnesium intake in the study matched RDA guidelines and suggested that diet is the best way to increase magnesium levels. Foods rich in magnesium include dark leafy greens, beans, whole grains, dark chocolate, fatty fish such as salmon, nuts, and avocados. Okay, so having said all that, first, I want to acknowledge that I know this is not a health and nutrition podcast and that as a health hobbyist and tinkerer with no formal medical training, I would never presume to be an authoritative source of medical information. So for those who have no interest in the topic of health longevity, please rest assured that we will not be spending much time on the subject. I'm not going to go there. That said, the subject of the preservation and maintenance of health, vitality, and energy as we age is an extreme personal passion of mine. It's something I've quietly devoted a large fraction of my life to researching and understanding as well as experimenting with. So in reply to this article, which Tom brought to my attention, I'm going to share a bit more of what I've learned and practiced on the magnesium front. Good. Yeah, I want to hear about this. Yeah. So it is absolutely true that magnesium is a grossly underappreciated mineral. It is a required cofactor in more than 400 individual enzymatic reactions, which in our human body, which transmute, you know, being enzymes, are involved in transmuting an organic molecule from one form to another. The book I read back in 2009 that started me down the path to understanding the role and importance of magnesium was called The Magnesium Miracle, written by Carolyn Dean, who's an MD and an ND. I went over to Amazon to double-check the spelling of her name, and Amazon flagged that book as having been purchased by me in 2009. It's currently $6 on Kindle and available in audio, Kindle, and paperback. Now, and in fact, I'm holding it up to the camera. 
The front of the book says, it's titled The Magnesium Miracle, which annoys me because it's not a miracle, right? It's science. But okay, she needs to sell some. and apparently she still is, it says, discovering the missing link to total health, lower the risk of heart disease, prevent stroke and obesity, treat diabetes, improve mood and memory. So the problem with magnesium, the reason for that report's observation, that there's a general magnesium deficiency in the U.S. is that natural sources of magnesium, you know, we don't synthesize the mineral in our body. We have to get it exogenously. And the natural sources of magnesium have largely been removed from our lives. Before we obtain our water from municipal processing plants, which is what's happening now, we once used to drink water from wells or from river streams where the water would contain dissolved magnesium. and we'd be consuming plants that were rich sources of magnesium. But plants don't synthesize magnesium atoms either. So if they're grown in magnesium-poor soil, they're no longer able to provide the magnesium they once did. And the water we drink now has been processed and filtered and chlorinated and bears very little resemblance to the water that was consumed by pre-industrial man. The upshot of living within a poor magnesium environment is a magnesium-poor body that's unable to synthesize as many of the enzymes it would like to as it could if magnesium were available in greater supply. Now the problem is how to get magnesium into us, because that turns out to be a little tricky. One of the things anyone who practices dietary supplementation comes to appreciate is that it can be difficult to get some substances into our bloodstream due to the fact that they must first survive our stomach acid's deliberately low acidic pH. 
And after surviving our stomach, the substance will be absorbed by our intestinal lining into our bloodstream, but its first destination will then be our livers, where it may need to survive what's known as first-pass hepatic metabolism. Our livers may wish to take it apart and use its bits for its own purposes. So what about magnesium? Our stomach's low pH acidic contents is the death of most forms of supplementary magnesium, at least as far as disassociation from its carrier atoms is concerned. When my physician recommended at my age, and this was several decades ago, that I should start probably having a periodic colonoscopy screening, he handed me a large empty plastic jug. Well, it wasn't completely empty. There was a loose white powder in the bottom of the jug. My instructions were to just fill it with water and shake it up to dissolve the powder. Then I was to pour a cup of this mixture every hour and drink it until the entire jug was empty. And not long after that, my entire intestinal tract would also be similarly empty, and I'd be ready to have my intestinal lining inspected for any abnormalities. I'm sharing this seemingly off-topic story because that loose white powder wasn't the only thing that was loose at that point. That loose white powder in the bottom of the initially empty jug was pure magnesium oxide. Magnesium oxide is the least expensive and least well-absorbed of all magnesium formulations. It was what was traditionally used along with ample water to flush out one's intestines. Is that what's in milk of magnesia? Yes, exactly. Interesting. So my point is, this is not the magnesium you want to take. You want to absorb it. Yes. Yes. If you're interested in replenishing and increasing your body's magnesium levels. Now, there are many forms of magnesium. There's magnesium oxide, citrate, magnesium malate, taurate, orotate, L-threonate, and so on. All of these are simple salts of magnesium, and they all have their proponents. 
They also all have, and probably meaninglessly, on the label, different uses. Like L-threonate, it goes through the blood-brain barrier. Well, yes, it is unique. Magnesium L-threonate is unique in being able to cross the blood-brain barrier. Okay, okay. So that's not untrue. So, okay. No, that is true. And so, you know, I guess they all have various benefits, except probably magnesium oxide, which is just really a laxative. So as you experiment, you will find that magnesium in general has this effect. By the way, Epsom salts are magnesium sulfate. So we've been using this as an age-old remedy, isn't it? Yes. Wow. Yes. Okay. Yes. So magnesium is not harmful in any way. Well, there must be a fatal dose. I mean, I'm sure. Well, actually, no, because you are unable to absorb more than your digestive tract will give you. So anyway, so oxide is the cheapest, but you don't want to use it. It's basically a laxative. And as you experiment with it, you will find in general magnesium has that effect. It's not harmful in itself, which is why it was once used by the medical establishment as the standard means of preparing a patient for being scoped. Right. Okay, but the key concept to understand is that the laxative effect induced by magnesium is the result of its non-absorption into our bloodstream. It's the magnesium that remains behind that causes that effect. What happens is our intestines are induced to osmotically pull water into them by magnesium. So that's why that happens. It's not what we want for optimal health and certainly not for digestion. So the problem is that to varying degrees, all of those common simple salts of magnesium succumb to our stomach's acidic environment. Their molecules disassociate into their constituent atoms and then they suffer whatever fate awaits them. The problem of effective dietary mineral supplementation absorption was finally solved by a company called Albion Minerals. 
Their nutritional chemists came up with a means of sneaking magnesium and other minerals because they sell a huge amount of their bulk product into the veterinary and animal breeding markets where you need healthy animals. So their nutritional chemists, as I said, they figured out how to do this by sneaking the minerals into our intestines without being broken apart by stomach acid. The key, it turns out, is instead of creating a simple salt to carry the magnesium, bind it into a dipeptide. Now, that sounds more complicated than it is. A dipeptide is just two amino acids. So there are two forms, two most common forms of magnesium that are highly successful and are worth taking. One is known as magnesium glycinate lysinate and the other is magnesium bisglycinate. The first one, magnesium glycinate lysinate, consists of an atom of magnesium bound to the two amino acids glycine and lysine. Glycine is actually a very good choice since it's the smallest of all amino acids and also because glycine is another substance that most people could use a lot more of. The second form of magnesium, which is magnesium bisglycinate, is an atom of magnesium bound to a pair of glycine molecules. And this is handy since, as I said, being the smallest of all the aminos, there's a much higher percentage of elemental magnesium per milligram of the combined molecule. Okay, so the upshot of all of this is that either of these dipeptide forms of magnesium, and they're readily available, you know, at wherever you find supplements and minerals and so forth, they will strongly resist disassociation in our low pH stomach environment. They will be able to transport the magnesium through our stomach and cross our intestinal lining to carry it into our bloodstream where it can be used by our body. 
So I should note that unlike vitamin D and many other blood-borne substances whose levels can be checked with a blood test, there is no reliable blood test for magnesium because most of the magnesium that we have in our body is stored in our skeletal system where it is literally kept out of circulation. So anyway, if you decide to get serious about magnesium, and I certainly have, the first thing I would recommend would be grabbing Carolyn's book or otherwise learn much more about it than what I've just said here, because obtaining sufficient magnesium, I believe, is important. I only just barely touched on the importance of this very much underappreciated and inexpensive mineral for both immediate and long-term health. Carolyn Dean and many others recommend that you experiment to find what's known as your, sometimes they call it your bowel tolerance level or your gut tolerance level, I think we know what that means. Yes. And that being the amount of magnesium you can consume in multiple divided daily doses, and you should divide them up, not take them all at once, where you begin to notice a laxative effect and then back off from that until you are again comfortable. If you're taking one of the dipeptide forms, that should initially be a lot of magnesium. I kid you not, Leo. During my early experimentation, there was a Christmas where I went up to visit my sister and her young kids at the time, where I was wearing some sort of a chronometer around my neck that beeped every hour, and I would take a magnesium tablet. And my 7-year-old nephew said, Mom, why is Uncle Steve... Crazy Uncle Steve. Crazy Uncle Steve. Yeah. Anyway, what I noted is that like nine months later, I could suddenly take less than I used to be able to. And my brother-in-law, who I explained all this to and who also decided to get on the magnesium bandwagon, he reported the same thing. 
That is, you are replenishing your depleted body for quite some time, and once it becomes topped off, you can't take as much as you were before because it won't get absorbed. So there's really some real-world evidence that you've just done something by taking a lot. And I also do know that my rate of occasional PVCs, premature ventricular contractions, which are just a normal consequence that everybody has, they used to be far higher than they are now. Is that when your heart skips a beat a little bit? Exactly. Yeah, it's sort of a little double thumpa-thumpa, and then there's a little bit of a pause, and then you go on. So anyway, I may be doing it wrong because I take magnesium L-threonate in the morning, and I take magnesium citrate at lunch, and I take some magnesium glycinate at night to go to sleep. I think that's good because they claim to have different properties, right? Yeah. I take – I am experimenting with L-threonate because of the promise of it crossing the blood-brain barrier. Right, and that's a newer form. Yeah. It's a newer form. It's more expensive because someone has a patent on it, so you're paying some licensing fee. I just take – I'm taking what I was always taking, which is the Doctor's Best high-absorption – I have a glycinate. Yes, I have a big bottle of that. Yeah, and I remember when I was trying to turn my mom on to this, she said, Honey, this is an SUV. I can't take this. It's huge. Oh, it is a big pill. That's one of the things you also get used to after a while is swallowing a bunch of stuff. And frankly, can you have too much to impede the digestion? Like I'm not going to get my nutrients? No, it doesn't bind to anything else. So, yeah, I mean, I really liked taking Metamucil. I got into Metamucil in the mornings because I just liked, you know, sort of an orange tart, you know, psyllium fiber drink. But it turns out you can't do anything. 
You can't combine it with supplements because the psyllium fiber, the reason it lowers your cholesterol is it binds tightly with cholesterol in your intestines and transports it out. It also binds tightly with all of the supplements you might be taking. So, you know, as you know, I'm on Ozempic, and it's been a boon to me. I've lost weight, and my blood sugar is normal now, and it's amazing. But one of the side effects is because it slows the food moving through your stomach. Yes. That you feel bloated, and you might be a little constipated because of it, or a lot, depending, you know. I thought I was supposed to do more fiber. That's actually contraindicated because it just ends up your stomach's even fuller. And it turns out magnesium citrate is the kind of recommended solution to that. And that's been really good. And the reason is that it's not as well absorbed. What I would do, what I do do, so to speak, is I – sorry, I couldn't resist. I just increase my consumption of glycinate lysinate because that has the same effect. You get to take more because it is much better absorbed. Citrate works at more than as well absorbed. Because it's not as well absorbed, so the magnesium that stays behind is the one that causes the mischief. But you want some mischief, and I am getting just the right amount of mischief. But I'm taking a full milligram, which is to say 10 of those magnesium glycinate a day. Okay. Because each one has 100 milligrams. I'm sorry, a full gram. They each have 100 milligrams of elemental magnesium. So 10 of those is a full gram. But most of it is not being absorbed, right? So you take a lot because a lot of it is just going right through you, or no? A lot of it is being absorbed, but enough is not that it has that effect. Okay. And you can't overdose? You can't. And I apologize to everyone for taking so much time. The young kids are rolling their eyes going, what the heck is he talking about? When you get to a certain age, children. That's right. 
You start to worry about these things. Let me just tell you. I can say that I know that a huge body of our listeners find this really interesting, and they like the fact that I bring science to, you know, to. Yeah, we trust you not to be, you know, woo-woo about this. Well, and what's fascinating is there are reasons this works. There's a reason that a dipeptide form is what you want. Well, I have that Doctor's Best probably because of you, the glycinate. Yeah, it is the one. You could just take more of that. Take more of that. Just take more of that. You know, one of the bad things about this, as I try different supplements and so forth, is I have a lot of bottles of supplements I no longer take. I don't know what to do with those. Yeah. I'll donate them to Goodwill. Been there, yeah. Now I have a very large bottle of magnesium citrate. Anybody want it? Okay, yeah. Let's take a little break, and we are going to talk about MongoBleed. MongoBleed. Oh, yeah, baby. And what I love about this is that everybody's going to understand the mistake. It's such a cool mistake. MongoDB is everywhere. It's one of the most popular NoSQL databases out there. That's exactly what it is. All over the place, yeah. So a bad flaw in it would be a bad problem. You're watching Security Now. We're glad you're here, especially you Club Twit members. We hope you will continue to support the show by going to twit.tv slash club twit. Increasingly, your support is what makes the difference to us. It's more than 25% of our operating costs now. That includes Steve. That includes keeping the lights on. It does not include me. It is really for doing our programming. You get a lot of benefits, ad-free versions of the shows. You get access to the Discord. You get special programming you don't do anywhere else. You know, we've been doing this AI user group once a month. We just did it on Friday. It is incredible because we have some really smart AI users in our club. We talk about it.
It's like the old school user group where we sit around and do little presentations for each other and talk about what we're doing. Just one of the many reasons I think it's well worth your $10 a month. Find out more, twit.tv slash club, especially thanks to our existing club members. We really appreciate that. Going into 2026, your participation is absolutely vital to us. So thank you. All right. MongoBleed. You did not name this, I take it. No, no. Although I like the name, and we'll see why. It's got a little Blazing Saddles thing going on. Well, remember, there was CitrixBleed and there was Heartbleed. Heartbleed. That's the famous one. Actually, Heartbleed is where this got its name. So what is it? MongoDB, for those who don't know, is a source-available, this is what Wikipedia explains, source-available cross-platform document-oriented database program classified as a NoSQL database product. They write, MongoDB uses JSON-like documents with optional schemas. Released in February 2009 by 10gen, now MongoDB Inc. It supports features like sharding, replication, and ACID transactions from version 4.0 on. MongoDB Atlas, its managed cloud service, operates on AWS, Google Cloud Platform, and Microsoft Azure. Current versions are licensed under the Server Side Public License, the SSPL. MongoDB is a member of the MACH Alliance. They said, SQL database product. The company released a database-as-a-service product called Atlas in 2016 that became 70% of MongoDB's revenue by 2024. Over time, MongoDB added analytics, transactional databases, encryption, vector databases, ACID transactions, migration features, and other enterprise tools. Initially, the MongoDB software was free and open source under the AGPL license. MongoDB adopted an SSPL license, Server Side Public License, for future releases starting in 2018.
For those who are interested, I included a chart of the top five databases, since I thought that our more DB-centric listeners might be curious about the industry's current database popularity lineup, which has MongoDB in fifth place. So Oracle is firmly in first place with a January 26th score, and wherever it was I found this, of 1,237. MySQL is in second place at 867. Microsoft's SQL Server, third place at 706. PostgreSQL at 666. And MongoDB in fifth place at 376. So if it's at 376 and Oracle in first place is at 1,237, you know, it's about one quarter of the popularity of Oracle. But still, fifth place and one quarter of the leading DB. So that's a chunk. To give us a quick snapshot of Mongo's history, because this ends up being relevant, they wrote, a publicly traded company listed on the NASDAQ as MDB with an IPO price of $24 per share. On November 8, 2018, with a stable release, and this is important too, 4.0.4, okay, back in 2018, back in 2018, yeah, the software's license changed from AGPL 3.0 to SSPL. On October 30th, this is basically Wikipedia just reciting some facts, but the last one is really relevant. On October 30th, 2019, MongoDB teamed with Alibaba Cloud to offer Alibaba Cloud customers a MongoDB as a service solution. Customers can use the managed offering from Alibaba's global data centers. And the final item in Wikipedia's short summary of notable benchmarks through time: In December 2025, a major exploit was discovered entitled MongoBleed. This exploit led to the compromising of many corporate servers. And of course, it's that final bit of news which is the reason MongoDB is our main topic for this podcast of 2026, because a major exploit it was and still is, since we know how slow software updating can be, especially those servers forgotten and left in some closet gathering dust somewhere but still being plugged into the Internet.
I've assembled a story of what happened here starting in late December from several sources, but I've chosen this not only because this is a new, significant, industry-wide mess, but also because the bug, as I've now noted several times, is now more than eight years old, that's important too, and is thus present in virtually all instances of MongoDB. It is in many ways a classic mistake. No deep voodoo is used. By the time we're finished here, I'm pretty certain that every one of our listeners will clearly understand what happened along with how and why. So what's been called MongoBleed is officially CVE-2025-14847, the CVE assigned to this recently discovered vulnerability affecting all versions of MongoDB since version 3.6, which was first published on November 28th of 2017. So this encompasses a huge span of major and minor releases, all of them. Essentially, it is a subtle bug which was introduced into version 3.6 a little over eight years ago, and it was not discovered until just over eight years later by the MongoDB people themselves internally, after everyone in the world had updated and upgraded to any of the past several years of releases, meaning that all, I'm sure, all MongoDB that is out in the world today incorporated this flaw, which was introduced at version 3.6. So now as for everyone in the world, how everyone is that? The Internet scanning company Censys has identified on the order of 87,000 publicly reachable MongoDB instances. And that's, of course, the crucial bit of information, since it's those publicly accessible instances that the bad guys have access to, and access they have had. This is one of those inopportunely timed events which became public just before Christmas and was not the Christmas present many IT workers were hoping to unwrap.
Exploitation of this long-present vulnerability allows an unauthenticated, meaning anyone, attacker, which is, you know, again, unauthenticated attacker is now the fancy way the industry refers to anyone, to read memory from the database server's heap, meaning anything that was allocated to memory from previous database operations. It's only the fact that this is not directly a remote code execution vulnerability that rendered this a CVSS of 8.7 rather than 9.8 or 10.0 house on fire, so forth. And it's because this vulnerability leaks database server memory that it's been named MongoBleed, which is meant, of course, to remind us of Heartbleed, which was a flaw discovered in OpenSSL's 1.0.1 implementation, and leaked server memory through SSL connections. Okay, so here comes a description of this exploit, which just ruined many Christmases after bad guys figured out that they could spend their Christmas vacation reading out a bunch of MongoDB server data from around 87,000 publicly available server instances. Okay, first of all, MongoDB uses its own TCP wire protocol, that is, protocol on the wire, instead of, for example, something like HTTP. And that's not unusual for databases, especially when they are working to obtain the highest possible network performance. So a general, just generic raw TCP connection is established to the server's TCP port 27017. Now, as an aside, when I just asked ChatGPT which port MongoDB server uses, as I confessed earlier on this podcast, I've just asked ChatGPT things like this. I could have gone and done a Google search, and I could have found the information too, but I knew that ChatGPT would know. So I asked ChatGPT which port MongoDB server uses, and to that answer, it told me it was 27017. It added the note. Note, exposing 27017 to the public Internet is strongly discouraged. It should be firewalled or bound to private interfaces only. Right. So even this unconscious LLM knows better than some 87,000 server deployments. Uh-huh.
You see? You see? Deployers. Don't blame the AI. People would come all on their own. Okay, so just to be clear, MongoDB itself probably never needs to be publicly exposed. It would normally be sitting behind a publicly exposed web app server of some kind, serving as that web app server's back-end database. MongoDB itself really doesn't have any public exposure use cases. We've been talking a lot recently about the need to make these sorts of public exposure mistakes far, far more difficult to make. When I was swooning over Cisco's promises a month or two back, it was because the noises Cisco was then making strongly suggested that this might have finally sunk in. We can only hope and pray. Anyway, so we connect with TCP to the server's port 27017. Mongo uses a binary variant of JSON, J-S-O-N, called BSON, B-S-O-N, you know, binary object notation. So, the request that's sent to the Mongo server contains one of these BSON messages. And for the sake of the speed of transmission, that request can optionally be compressed using zlib. Compression makes the message smaller, of course. So one of the 32-bit values in the request's header at the front of the message, which specifies that this request has been compressed, indicates the original uncompressed, no, the decompressed size that the message would be, what it originally would be and what it would again be when decompressed by the receiving server. So this allows the receiving MongoDB server to request the allocation of a block of memory from the underlying, actually it's the runtime, the C++ runtime, we'll get to that in a second, into which MongoDB will decompress the message. So an attacker creates and sends a server request which claims to contain far more data than it actually does. In response, the server allocates the requested memory. An attacker might claim, for example, that the uncompressed request will require one million bytes, one megabyte, when in fact it only needs 1K.
The critical flaw is that once MongoDB has finished decompressing, it never checks the actual resulting size of the newly decompressed payload. It trusts the data the user provided, using that as the actual size of the payload. Now, I need to stop here to hover over that phrase a bit longer. That phrase being, it trusts the data the user provided. If we were to produce a list of the root causes behind many of the worst flaws that have been found in software, trusting user-provided input would definitely be right up there near the top, if not perhaps in first place, since even buffer overflows typically result from the similar mistake of trusting and using something that a malicious user deliberately provided. In this case, we have a deliberate buffer underflow that results entirely from trusting input from the user. Okay, so what's the big deal about allocating an oversized buffer that's not needed? In many contemporary languages, memory allocated from a program is cleared to zeros. It's initialized to zeros before it's returned for use by the caller who requested an allocation of memory. But malloc, the memory allocation function used by C and C++, does not bother doing so. This is part of the trusting, performance-oriented, but dangerous legacy of C, since zeroing RAM takes time and blows the processor's cache. C deliberately returns uninitialized memory. And wouldn't you know, MongoDB is written in C++. The result of the bug is that multiple megabytes of the server's raw internal data can be exfiltrated to the attacker. This data might, and often does, contain cleartext passwords and credentials, session tokens, API keys, customer data, database configurations, system info, Docker paths, and client IP addresses, and so on. In short, all of the internal operations of the server that would otherwise never be made available to anyone, whether they had authenticated and were a legitimate user or not.
So to sum this up, an attacker sends an otherwise valid MongoDB message which indicates that it employs compression, but that compressed message is deliberately manipulated to specify a hugely exaggerated claim about the message's uncompressed size. Since the server has no way to know in advance, MongoDB obtains a large and uninitialized buffer from the C runtime based upon the attacker's message's claimed need. MongoDB's built-in zlib decompresses the much smaller compressed data into just the front of the huge decompression buffer, thus avoiding overwriting the mother lode of data that's already sitting there in that buffer. Subsequent commands then instruct the database server to return to this attacker what it believes is the user's provided data, even though it's actually megabytes of whatever data had been previously used and left behind by previous database operations and internal workings of any kind. It's obvious now why this critical flaw was named MongoBleed, right? And also why it was given a CVSS of 8.7. Although it doesn't allow a remote attacker to execute their own code on the server, it's a data exfiltration flaw of the highest order that's just about as bad as it gets. Proof of concept code has been published on GitHub, and the flaw is trivial to exploit. There's nothing like, it only works less than one time in 1,000 and only when your code wins some slippery internal race condition or something. No. This one is extremely straightforward. It obeys simple rules. The attacker receives much more than a tiny trickle of data, you know, over time, without raising any alarms, without crashing the server, or otherwise calling any attention to itself. The abuse of this longstanding vulnerability that's been present in every version of MongoDB published in the last eight years allows remote bad guys to freely rummage around inside the more than 87,000 currently online and publicly exposed instances of MongoDB.
They're able to keep sucking out and examining megabytes of a server's data that is assumed to be utterly private internal working data, and which might therefore, and does, it turns out, often contain very juicy information. It's always fun to see Kevin Beaumont's take on these things. On December 16th, day after Christmas, Kevin posted, somebody from Elastic Security decided to post an exploit for CVE-2025-14847 on Christmas Day. The vuln, which dropped just before Christmas, in theory, allowed memory read without authentication. Patches are available. It impacts every version of MongoDB going back about a decade. Another vendor decided it would be a great idea to post technical details on Christmas Eve. And he has a link to an OX Security blog. He said, looks for those class of credentials and secrets as well. The Internet footprint of MongoDB is very large, over 200,000 instances. Because of how simple this is now to exploit, the bar is removed. Expect high likelihood of mass exploitation and related security incidents. The exploit author has provided no details on how to detect exploitation in logs via products like Elastic. Advice would be to keep calm and patch Internet-facing assets. So now we know all about this mess. And Kevin's ending advice to keep calm and patch Internet-facing assets reminded me of something Leo and I talked about long ago. We made the observation, many times in fact, that once a user's system had been infected by something, anything, it was never really again possible to trust it. How could anyone ever know with 100% assurance that every last bit of an infection had been removed? And what about whether an infection might have spread over the local network to infect other assets? In short, it's a real mess. We've also seen instances where huge problems resulted when companies did not take prior intrusions seriously enough.
The advice is always to, you know, rotate all credentials which may have had any chance of being exposed, meaning invalidate any long-term authentication tokens, change all passwords, and so on. But as I said, we keep seeing instances where companies, for one reason or another, you know what, oversight, laziness, lack of belief that it was really necessary, who knows? But for whatever reason, they failed to adequately and fully remediate the consequences of a breach, only to suffer again, often even worse. So now consider the plight of corporate users of publicly exposed MongoDB servers. You're told that for the past eight years, the database server you've been relying upon has contained a flaw that allows for effectively unfettered mass exfiltration of your server's internal working memory, which contains myriad private credentials, past database search results, and essentially any and all proprietary information to which that server may have had internal access or may have been storing and retrieving over time. To call this a mess is truly an understatement. And this mess is now squarely in the laps of every enterprise that was using a publicly exposed MongoDB server. My question is, why was even a single instance of MongoDB publicly exposed? I'm sitting here right now as I talk to Leo and our audience in Southern California. From my location here, I have access to any and all of those 87,000-some instances of MongoDB. Why? Why do I have access? Why can I send out a TCP SYN packet to port 27017 to any of those 87,000 IPs and promptly receive a TCP SYN ACK packet inviting me to complete the TCP handshake connection? Why? I have no need to ever do so. Whoever runs that MongoDB instance certainly doesn't want or expect me, sitting here in Southern California, to be able to connect to their database server. But I can. Why? By now, I hope that everyone in this podcast's audience understands not only that this is wrong, but just how wrong it is.
If I were to confront whomever it was who set up any given instance among those 87,000, that IT person would probably respond, well, we've password-protected access to our database, and you can't do anything without that. Oh, yeah? MongoBleed, baby. No authentication needed. The decompression of the message is pre-authentication and never requires any form of authentication for its exploitation. One of the refrains everyone listening to this podcast has been hearing from me beginning last year, when it finally so clearly crystallized after we all witnessed mistake after mistake after mistake, which all carried the same pattern, this pattern, which is that authentication does not work. Now, the world depends upon and turns on the strength of authentication. So I obviously don't mean that it can't work. What I mean is that it cannot be absolutely depended upon to work. In my hypothetical conversation with that MongoDB IT person, their defense of their database's utterly unnecessary public exposure was that I didn't know the secret handshake. So they didn't feel the need to take every possible precaution. The massive sweep of today's MongoBleed vulnerability is the direct consequence of that wrong way of thinking. That way of thinking is obviously defective and wrong. Sitting here in Southern California, I have no need to be able to connect to any of those 87,000 MongoDB servers, even if only to test the strength of their authentication. I should not be allowed to do that, but I can. And that's on them. That's on each and every one of them individually. This erroneous reliance upon remote authentication, which we keep seeing over and over, does not work. It's perhaps the single most important thing that has to change in today's Internet-networked world. And what's most galling is that it's not about flaws or mistakes, right? It's entirely about policy and caring. If we cared to, we could fix it. Bravo, Steve. Good to know.
It's amazing that 80,000 plus people ignore the instructions and just do it. I would love to be a fly on the wall to know what were they thinking. How did that happen? I mean, it must be that it's like, well, we have a password. Maybe, but it's not public by default, right? So they'd have to explicitly say, open up this port and make it available. It's just like whatever that server was we talked about a couple weeks ago. Right. I mean, it says right there in the docs, do not bind this to a publicly facing interface. Right. It's kind of amazing. It's not how you would normally set up a database like this. You'd have the CMS would access the database. Exactly. Yes. So it's a weird way to do it. Why can I access their... Your data. I have no need or purpose. I shouldn't be able to even see it. I shouldn't know that it exists. It ought to be on their LAN. It's bizarre that so many people have done that on purpose. Well, and Leo, these are the problems we have, not the lifetime of certificates. Right. That's what's so maddening. Okay, well, you've been warned. I mean, probably there are a few people listening to the show who are going, oh, yeah, maybe I better go fix that. Oh. And after you fix it, watch The Lazarus Project on Netflix. Oh, boy, it is so good. Leo, you'll be immediately hooked. Aren't you glad you listened to the show, everybody? Steve Gibson is at GRC.com, the Gibson Research Corporation. It's a website. It's like Stranger Things. It's a throwback to the 60s or the 80s or something. But it's got it all there, everything you'd ever want to see and know. You've got, of course, many of Steve's software projects, including his bread and butter, which is SpinRite, the world's best mass storage maintenance, recovery, and performance-enhancing utility. But there's also the new DNS Benchmark Pro there. And there's a ton of free stuff, too. And most of what Steve does, he just gives away. You'll find that at GRC.com.
If you want to contact Steve, I still get to this day emails saying, can you send this to Steve? No. You go to GRC.com slash email. You put in your email address. Steve, in his magic way, will validate that it's not some spammer or weirdo. It's you. And now you're going to be whitelisted. You can email him directly. But there's also securitynow at GRC.com. Yeah, it's very simple. But don't send it unless you do that because you'll just bounce, right? Yep. There are two newsletters that Steve offers. They're unchecked by default, but if you check them, you'll get the weekly show notes, 22 pages of goodness with pictures and everything. Usually it's even more. You'll also get announcements of new software and so forth. Did you ever send out an email for DNS Benchmark Pro? I haven't yet because I mentioned earlier that I have a surprise. And I forgot to mention that everybody who has purchased it and will purchase it gets the surprise. That's the nice thing about today's deployment model, is that there's no need to wait, and you get it immediately. So, yeah. I'm waiting until it gets a little more stable in terms of, like, I've added some things that are so cool. This is what's unique about Steve. He's actually reluctant to send out the email, so that's why you should sign up. Sign up for grc.com slash email. He also has copies of the show there. All of his copies are unique to grc.com. He's got a 16-kilobit audio version for the bandwidth impaired. He's got a 64-kilobit, which sounds great, but it's still smaller than the one we offer. He also has the show notes for download if you want to do that. He has transcripts a few days after the show. Elaine Farris is probably already madly typing away, and she'll have that transcript available for you in a couple of days, so you can read along while you listen or use it to search. It's very handy. I did a little search for the, for instance, PayPal football. Immediately found the episode.
I was sad, though, because it wasn't a video episode. It was an audio. So I can't show us holding up the football and showing everybody the PayPal football. But we interviewed somebody from PayPal who had created it. We actually interviewed them. They were from Verisign. Oh, Verisign. They created it for PayPal. That's right. Right. Yeah. Verisign actually offers a key, or did. Nobody needs it now. You've got it on your phone. Same thing. So that's all at GRC.com. We have the show as well on our website, twit.tv slash SN. There is a YouTube channel dedicated to Security Now, and I would refer you to that if you want to share anything from the show. Sharing clips of the show is really easy on YouTube. Everybody can see it. It's very easy for you to clip it. There's a dedicated channel for it. And, of course, the best way to get it is to subscribe in your favorite podcast client. You'll get it automatically. You could choose audio or video. We have on our website the 128 kilobit audio and the video. That's our unique version of the show. We do Security Now on a Tuesday right after MacBreak Weekly. That's about 1330 Pacific time, 1730. No, actually, it's, yeah, that's right. No, 1630. Sorry, three hours. 1630 East Coast time, and it's 19, no, 2130 UTC. So if you want to watch the show live, you can. You don't need to. Obviously, it's a podcast. But if you do want to get the freshest version, you can watch on YouTube, X.com, not TikTok, Facebook, LinkedIn, TikTok, or Facebook. Anyway. Oh, Twitch. I forgot Twitch. Twitch.tv. You can also watch if you're in the club on the Club Twit Discord. So that makes seven places you can watch the show live, if you should choose to do so. Well, now I've run out of all the things I need to say. I just want to say thank you, Steve, as always, for an amazing show. We will see you right here next week on Security Now. Vado.