The Standup with ThePrimeagen - Why is Microsoft updating their text editors!?

Episode Date: March 6, 2026

The crew talks about one of the biggest debates in programming right now: do lines of code actually matter? They dive into AI coding tools, developer productivity, and why measuring engineers by code output might be completely broken. Along the way they roast the viral “burned out my USB-C ports using Claude Code” tweet, share stories about gamifying developer metrics, and break down some surprisingly wild security vulnerabilities in both Windows Notepad and Notepad++. A mix of tech insight, developer culture, and plenty of chaos.

Transcript
Starting point is 00:00:00 Welcome everybody to the stand-up where we talk about the most important issues of our day. And today we actually have two very special topics. The first topic today is going to be on lines of code. Does your count really matter? Does size matter or does it not? And number two, we have Casey Muratori giving us a full-on presentation and or just walk-through, talk-through about the Notepad++ situation when it comes to, what's it called, all the vulnerabilities and all that. And I think you might even throw in a little bit of Notepad RCE potentially at the same time.
Starting point is 00:00:34 Don't know if you're going to do that one. Both not. We have both pads. Both pads. Both pads. Not just the plus plus. Yeah. Notepad multiplied by one plus plus plus plus.
Starting point is 00:00:43 Yeah. Yeah. Yeah. Yeah. Anyway. Sorry. I don't think we're probably going to have a lot of disagreement. Sorry for the people out there who are expecting us to really get angry at each other about
Starting point is 00:00:53 this one. This is more that it's kind of like sometimes you go to the studio to get a little bit off your chest, sometimes called the stew, by those in the professional biz. You know, you just got to, you got to say what you feel and feel what you say and get it out there. This is just one of those where I felt like, we just got to say it. And I don't understand why everyone lost their mind for this.
Starting point is 00:01:15 Like a year ago, or maybe even like two minutes ago, everyone agreed, hey, guys, it's a terrible metric to determine developer productivity, to just say how many lines of code someone wrote in the last six months or in the last day. But now all I ever see, Mr. Garry Tan himself, GT for short, for those who know him in SF, at the YCDs. Y16 Zs. That says for Y Combinator boys with a Z because they're cool. SF stands for San Francisco.
Starting point is 00:01:48 Josh played the song. It's like he said he was writing so many lines of code and being so productive that he burned out his USB-C adapters. Right? Is that not? Right, can you find the tweet? I know you've got the tweet book, but I don't have the tweet book,
Starting point is 00:02:06 but I'll find it and I'll display it. Give me a second. Give me a second. That was not, that, please someone tell me that was not a thing that was said in the real world. Even by someone at Y Combinator, which I realize is a very low bar.
Starting point is 00:02:19 No. The president of Y16 Zs. You're in trouble now, buddy. You're getting blocked on Twitter on that one. Yeah. Oh, go right ahead. Like, that saves me the trouble. You better not try to find some funding in the next three months when it comes to an AI startup or you're screwed, buddy.
Starting point is 00:02:34 Never work in this town again. I'm never working in this town again. Sorry, when I need to go, when I finally have my growth hacking strategy for my new to-do list app, I won't know where to go to get the funding. Oh, I didn't realize, though, Tresh, I'm really sorry. Receipts is going to have a hard time getting funding. I was going to bring that up. Dude, it's getting funding. I'm getting funding.
Starting point is 00:02:58 I guess we're saying. It's going to be called IOUs from here on out. I'm going to try to get funny. It's going to be amazing. I'm sorry. What I meant is Y Combinator is amazing. My favorite place, all the best people work there. That's what I'm going to say.
Starting point is 00:03:10 True. Hey, is that HTTP? Get that out of here. That's not how we order coffee. We order coffee via SSH terminal dot shop. Yeah, you want a real experience. You want real coffee. You want awesome subscription so you never have to remember again.
Starting point is 00:03:25 Oh, you want exclusive blends with exclusive coffee and exclusive content, then check out Cron. You don't know what SSH is? Well, maybe the coffee is not for you. I actually do want to jump in on this one because I do think. Yeah, go ahead, Brian. It's kind of, it's this, you know, I think what ends up happening, and I just, just call me, just call me crazy here, is that the average person, uh, thank you, T.J.
Starting point is 00:03:57 I love that you made that joke. I'm listening. Everybody loves that joke. I'm sorry, how, we're not moving on. Someone needs to tell me if somebody actually said that they burned out their USB. I'm trying to find the tweet. Hold on. Where?
Starting point is 00:04:11 Chad. I don't know how true that part is, but I do have a story about lines of code. Yes. Okay. Just let me finish my lines of coding. Okay. Oh, by the way, yes, I found the tweet. Okay, I think I have it.
Starting point is 00:04:20 Here it goes. Okay. Okay, here we go. I'll just expose the tweet. All right, it says right here. It says this. Is it possible I used Claude Code so much? Somehow my USB connectors burned out of my MacBook Pro, question mark.
Starting point is 00:04:33 Two of mine are dead and won't charge, and now the third maxes out at 15 watts. Now I'm afraid my code Tamagotchi is about to die. I just... So basically, I'm going to keep this tweet forever now. I'm going to put it on my super special meme site. I guess I don't want to say anything too specific here, because, I mean, I don't work with MacBooks, but what is he imagining would have occurred?
Starting point is 00:05:03 Like what would even be using those connectors more because you were using Claude Code? Is it just because when he says burned out, did he use those to plug into the network and he thinks that the like network packets were going so fast to Claude Code or something? I think I know. What is the thing? Can I explain it? Please, I think happened. I'm very confused right now.
Starting point is 00:05:26 Is that Claude Code, especially during that day, which by the way was just weeks ago, used to use something like terabytes of memory is what it would say on there and it was just always pegging out everything. And so my assumption is that he was running such a heavy program and constantly having a CPU at like 100% and having it charging that somehow the nonstop charging, nonstop running of a computer caused the charging ports to not work. That's like honestly, that's my guess. I'm trying to read into it. But correct me if I'm wrong here again because this is, not my, this is not my area of expertise at all. True.
Starting point is 00:06:03 But I thought Macs had a MagSafe power connector and didn't charge over the USB-C. They do actually know. In fact, they do have the USB-C charger and the MagSafe charger. And there's also, remember, there was an in-between generation where they're just like, we're only going to use USB-C. And that's when they hated everybody and they thought they're Mac super cool. And so there was a while that was just like three of them, I think that's it. And that's all you got.
Starting point is 00:06:27 So basically what Garry Tan is saying here, if, so to be maximally charitable. Yes. The maximal charitable would be he's meming on us. That would be the, which is possible. Okay. That would be maximally charitable. The maximally charitable technical interpretation would be that it went
Starting point is 00:06:43 something like this. Garry Tan is Claude coding so hard for some reason. Because I don't know what he makes, but he's doing something. And he plugs in the power to one of the USB ports on the Mac and that is apparently able to supply power I don't know anything about how the Mac is wired electrically. I've never
Starting point is 00:07:08 even seen a MacBook Pro other than the one I think that Anna had. Claude sucks down so much power for such a sustained period of time that it burns out that USB-C port but Garry's like that's not a problem because this thing has more than one USB-C port. Unplugs it
Starting point is 00:07:23 right. He unplugs the cable from that port and he plugs it into the other USB-C port, which now I'm supposed to believe that all of these USB-C ports are all wired to the charging, which doesn't sound like how a laptop is normally wired, but I'm just going to go with it. That is how Macs work. You can plug it into any of them. Yeah.
Starting point is 00:07:42 So this is like just because hard crap engineering plugs it into the other one, he's like awesome. Now I can get back to making this to-do list app that I was working on. No, it was actually called Garry's lists. All right. That's actually what he was making. It's a little bit different. Ironically, it was called Garry List. That was what he was making.
Starting point is 00:08:01 Okay, so he was making Garry List, and he was like, I just need Claude Code to just please finish this Garry List app. Just suck down enough power to finish the Garry List app so I can finish recording the fact that my wife left the fucking dishes in the sink or whatever it is. So he has it in there, and he does it again, and it burns out again. And now he's like, there's only one explanation for this. Claude, fried my ports.
Starting point is 00:08:26 That's what we think happened. That was my interpretation of it was that he was running his computer nonstop, which I also run my nonstop. Like I never turn off my computer and it's just always plugged into one. So somehow it just... Yeah, but... Okay. Brian.
Starting point is 00:08:41 Juicing. All right. To be fair. I mean, maybe. I want to say this. You don't have the token flow going over those ports like he does. Dude, can a white boy catch the flow? Like that's all that.
Starting point is 00:08:53 They cannot, unfortunately. Okay. What I, because the tokens flowing is even more powerful than electricity. Think about that. So I think that's the, it's just an unprecedented amount of power through the USB. It was not rated for this level of intelligence. That's true. When you buy power cords, you have to now check the intelligence level, because that's how
Starting point is 00:09:17 you know if you can handle that level of intelligence or not. It can only handle up to GPT-4. After that, this, this bad boy burns out. What's the X. What's the X.com account? So I want to check. Because you're saying I get blocked. I want to know if I'm already blocked. I bet I'm just already blocked.
Starting point is 00:09:31 It's Garry with two R's. No, I'll just give the exact one here. Here, hold on. No, he wants to know if he's blocked. I know. I'm just going to give him like the exact tweet and everything. G.T follows me. What's up, G.
Starting point is 00:09:42 Oh, actually? Wow. Really? G. G.T follows you? I'm a much. I'm a nice person on X.com to everything application. If you're not in the McDonald's CEO,
Starting point is 00:09:51 so he's gone in for your job. I am nice to everybody on X.com. I say like almost nothing mean. That's not true. As I'm posting this into the studio chat. I can't tell you. That's why if I had an app, I would have logged it and I would have told you.
Starting point is 00:10:07 See? Great point. Exactly. Case in point. My last thing that I said that was mean is I said Claude Opus is trash, but I did this photo, which is actually making fun of people who are perennially thinking that every single, every single like new model makes all the other models trash. And, like, this is what I imagine the person looks like. It's just constantly like, oh, a new one came out. Actually, everything else was trash before this.
Starting point is 00:10:29 And that's kind of like, I was actually, that was a meta joke. Casey, I didn't see where, I didn't get a message in. Check your tweet. Check your X.com. I, I, uh, I added you on something. Yeah, it turns out, yep, yep, yep. Poor fella. I, how did she get lost?
Starting point is 00:10:48 I was already blocked. I had nothing to lose. He already blocked me at some point in the past for something. GT and the Y16 Zs. Thank you, there you go. There you go.
Starting point is 00:11:00 No worries. I don't even see that tweet. Nothing on the line. Yeah. All right, so let's get back a little bit to the thing. Let me tell you why I think lines of code is happening. So my big grand theory,
Starting point is 00:11:11 my unified theory of the universe is this, is that the average developer, I mean, I've been around a lot of developers. When they're programming, they look at code for an exceptionally long period of time and then make some changes and they don't have that editor flow. They don't have a lot of hotkeys memorized.
Starting point is 00:11:28 It's actually, it's why I hate pair programming. It just makes me want to cry. And so when I watch all these things happen, it's just like, holy cow. And now they've been given a cannon in which can make changes in rates in which they've never had.
Starting point is 00:11:40 And so now lines of code went from, oh, that's not a meaningful metric to look how meaningful it is because now their life has completely changed. And this does represent at least a good portion of developers, even if we assume that everyone beyond five years of experience is an expert programmer that is maximally efficient,
Starting point is 00:11:55 the majority of people are going to still be pretty slow. Not that because they have five or less years of experience, especially after like the great wave of incoming people. So I think that we just have a huge amount of people that have come into the industry in the last couple years. And now like magic has happened on their rate of production. And so it's just like, I hadn't,
Starting point is 00:12:12 I hadn't considered this angle of it was something we used to measure before and most people couldn't get a big number, just like either from physical skill issues or for good ideas or like they just don't have enough code in their code base or whatever. And so everyone's like, well, we don't want to measure that because I can't even get a big number, even if we could. That's right. But now they can get big number.
Starting point is 00:12:34 And I forgot big number good up into the right good, as Casey said when we got on the call. But up into the right, it's good. So, okay, now it all is becoming very clear to me. That's a great point. I do think there's like a lot of that kind of thing going on because basically like, what the AI, sort of what the, what the AI era has taught me is that literally everything anybody ever said about programming that was critical of something that I previously was trying to argue for, they actually, none of those arguments they actually believed. Those were all just things they
Starting point is 00:13:10 said because that's how they were writing code. And the instant that they changed to writing code a different way, all those arguments go out the window, whether it was lines of code or the code should be readable or any of those. They're just like, nope, because now I use this other tool. And so now I'm not going to, all those things that I was arguing for, but why I couldn't do this good thing you were suggesting that I do, suddenly those arguments don't matter anymore, right? And so I think like, that's been the most annoying part of that whole process was like, yeah, none of it was actually true. They didn't, they don't actually believe any of it. They were just ways of justifying an existing development practice that they didn't want to have to
Starting point is 00:13:50 reconsider. And the instant you give them a tool that makes it easier for them to do something else than the current easiest thing they were doing, then they'll do that thing and start arguing that that's the good way to do things. No analysis necessary, right? Like, they will not actually go undertake some project to determine that it's actually better in some way. They'll just start arguing for the new thing, right? It's very disappointing. And this has nothing to do with AI being good or bad. There's literally nothing to do with the AI. AI is not relevant here at all, other than it's just the new thing,
Starting point is 00:14:24 like object-oriented programming was, AI can be good or bad, and all the things I just said are happening regardless, right? True, true. I am fully convinced that if you could build a basic routing system that really works well with the AI and is fully documented, and it takes no React, and everything goes back to, like, say, web components,
Starting point is 00:14:44 you know, which everybody says web components are the worst thing in the universe. But if you could just go back to that and you're like, oh, yeah, reduce your bundle size by 60%. And all these things happen and everything just works. People would be like, yeah, everyone hates React. React is actually the worst way of the development. It would just instantaneously turn. It would just instantaneously turn. We actually already had this because React is every new major version has completely redone.
Starting point is 00:15:08 React. We've actually done this already. They're like class components. No, that's lame. We're all about hooks now. Nope, we're not about, or I don't remember what the order. So we actually have that. useEffect is the best.
Starting point is 00:15:16 No. We already had that situation play out. Like, we already did that. And everyone did. Yep, we hate that. We hate classes. I have a quick related story about, like, uh, like output. But this is pre-AI.
Starting point is 00:15:30 This is like 20, I mean, not pre-AI, but pre-AID. We can't even, but we understand it. How long? Yeah, exactly. Exactly. This is like 2019. So we used to have this. Uh, okay.
Starting point is 00:15:40 Okay. Okay. Okay. My bad. My bad. My bad. This is, uh, pre-AI. So we had this app that we used that actually like tracked your, like,
Starting point is 00:15:47 commit rates, your lines of code. We didn't actually use it to, like, extract any meaningful data or decisions. But I gave, I gave access to it. I let my engineers cause leading a team at the time. I was like, dude, check out this, like, app. It shows, like, where we all fall on this graph. And obviously, if you're up to the right, you're doing better. And everyone saw that they were, like, kind of in the middle.
Starting point is 00:16:05 But I tell you what, after they saw that graph, I have never seen an engineering team work so hard. It gets the top right. And it was actually like the best thing that ever happened. They're like, we're by it now, coach? We're by it now? I'm on top right? And every week they'd go look and be like, yeah, I'm at the top. And they would just like code.
Starting point is 00:16:20 So like everyone was locked in. They used to all just sit around and talk, but everyone's had their headphones on, clicky clacky. Man, it was so cool. It was insane. It was, I was just like, oh my God, they really want, like they just gamified it. Like, not even on purpose. And they were just, man, it was insane.
Starting point is 00:16:35 Anyways, I don't want to share that. Wait, so, Tresher, you arguing lines of code is a good metric now is that. I think pre-AI, if you just like, if you don't actually use it for, like, making actual decisions and you just look at it just for funzies. But if that happens as a result, I think that's pretty cool. Like, just like fun fun fun competition, I guess. I do. It was insane to see.
Starting point is 00:16:56 Yeah. I do feel like there is the difficult thing for the lines of code discussion before though was like, okay, if you shipped zero lines of code, we do know you didn't do anything though. There is a metric. Like there's time
Starting point is 00:17:10 and lines of change and it's just like, oh, you didn't do anything. We know you're not doing something. Oh, you've only deleted a thousand but did nothing else. You're a genius. There's like this weird kind of weird hills that exist for people like genius. Or you just write docs full time. Your negative lines. Negative lines of code is definitely a metric.
Starting point is 00:17:29 Like if you, if this per, like how many lines of code did this person do this year? It's like negative 360,000. You're like, okay, that person is a freaking like double the salary. Yeah. Double it. That dude's like, promote it. That's a principal engineer. Yeah.
Starting point is 00:17:43 It is nice. The other thing. That's no longer true now. Well, I don't know. What's crazy is like, I mean, I've been vibe coding a lot. I've been vibe coding a lot lately. And, but I, well, I see, I don't really like calling it vibe coding because I actually read the code and also open my editor and like write things and then like tell it that it was wrong and stuff. It is insane to me how many times if it happens to get unlucky in the search of the repo, it will just start rewriting a thing that we have that all.
Starting point is 00:18:14 already like 80%. These are not big repos yet, by the way, either. This is like just tiny, tiny repos. Not like anything that I would say like a real company has after two years or something, right? They're like tiny. And I'm like, this is nightmare scenario stuff for like if you were trying to maintain something and you were like fixing some path and you thought you handled it because you fixed the function with exactly the same name.
Starting point is 00:18:38 But then it turns out 37 other spots randomly in the code base it inlined that same function at the top of the TypeScript. I'm like, oh, no. And they all have some variant of the set of fixes. They're not deterministic. It's just like, okay, well, that one has 14 of the 22 fixes we've needed to apply. This one has 12. Casey, you saw this, though.
Starting point is 00:18:57 I actually am curious, we should redo this again, Casey, where I let Twitch chat build something, build a game, and then Casey and I walked through the code together to kind to be like, what did vibe coding produced? Like, how was it? And it was an experience. But it would be fun to retry, but it would be fun to retry it because now, everything has gotten significantly. Like,
Starting point is 00:19:15 we could all agree that the models have gotten better. It's foolish for people not to say those things. So I'd be curious, what is the practical implication of vibe coding now versus a year and a half ago? Like, is it actually dramatically better in practice, or is it partially better? Let's have a write it as well.
Starting point is 00:19:32 It might be interesting for you to try it too, because you never really got it to produce like a working, like it didn't really work either. So, like, not back. Bleep that out. Because, you know, you were asking it to kind of make like a ray marcher
Starting point is 00:19:52 and it never really quite was able to pull that off. And so the anime way to see if the new ones can just do, could at least, if the new ones can at least do, you know, just make a repository that at least does that minimally, right? Yeah, yeah, yeah. All right, I'll do it this or next week and we'll do a little code review.
Starting point is 00:20:12 be a fun time. It does sound good. Anything else on the lines of code? Just guys, this is, this was, like I said, this was a chance to just get it off my chest. I just have to feel like, don't let it be a metric for how much stuff you're shipping at work, okay? Like, if you want to maintain the software and be able to use it again in the future, even
Starting point is 00:20:29 if AIs get a hundred times smarter, it's actually still good for them to spend less tokens. So if you're like, hey, like, I've spent a lot of money on vibe coding, well, other people's money. Shout out. Thanks, Cursor, for the free credits. Anyways, um, I spent a lot of Cursor's money on credits in the last two weeks. T.J's been telling me about his spending habits with Cursor. They got me hooked. You guys got any, you guys got any more than credits? Yeah, I guess got any more than credits. Um, the, it is actually, like, let's say you think we're going to spend a bunch more, uh, do more AI driven stuff, blah, blah, whatever. Like, okay, but then the
Starting point is 00:21:08 baseline thing you're spending is tokens. So you actually want to make sure that you don't have an extra 100,000 lines of code in your code base that the AI has to read and process and figure out what they do and check all the places and spend tokens on that. It's like actually still bad, even if you're an AI maxi. So I don't understand it. Guys, don't do it. Just be on the lookout for that. Try and get some PRs that are red, net. Net removals.
Starting point is 00:21:34 It feels good too. You'll be happy at the end of the day. So that's, I just had to get that off my chest. Get it out and stew. Thanks, guys. No, you're actually shockingly right on that one even. Shockingly. Wow.
Starting point is 00:21:44 I can't tell if you're, like, it's hard to tell where you're meaning and not, but it's actually a great astute officer. Well, TJ, you come on, you know that sometimes you meme a little bit, but the future side of it is really good, which is even if you get 10x the more context, a big code base is actually way worse. You will spend so much money. Like, you don't want big context, okay? I know. Right. The only people are excited about that. I'm not excited about it.
Starting point is 00:22:10 OpenAI loves big context and it cannot lie. Okay. But you, you, the guy footing the bill for OpenAI, you don't want big context. You want it to be small and more self-contained and obvious and it works nice so that you don't have to spend 200,000 tokens to get to the first prompt. You guys don't know anything. You don't understand vibe coding. None of that's true. You don't know what you're talking about.
Starting point is 00:22:36 All you have to do is buy like 12 Mac minis, guys, and then that's it. Then you have all the car, you just keep buying Mac minis and plug them together and then that's all you then knows no more payment, it's all running on the Mac minis. Not so, you burn out both power, both USB power cables and Garry Tan's got to go to the Best Buy to keep his tokens. I've got extras. I got extras right here. I've got extra right here. I've got extras. I can tell right away those, those are not rated for, for, uh, five one intelligence or higher. Those are some kate cords, man. Gross. Those out of here.
Starting point is 00:23:11 I have this in my head. I'm imagining Garry Tan at the Best Buy going like, do you guys have any like power cables that don't like burn out when you're running Claude Code on your MacBook Pro? I need the AI section.
Starting point is 00:23:23 You guys have an AI section at Best Buy? If I'm doing Suno and generating music, do I need this one? Yes. That one looks like it's right. That one looks like it's right. And a vacuum tube.
Starting point is 00:23:33 A vacuum tube, Teage, if you really want that warm analog sound. I don't have that. Sorry. All right. I don't even know what that means. I was really hoping you were going to say something random that I might have around my desk,
Starting point is 00:23:43 but it wasn't one of them. You have so many cores. Where are they coming from? Dresha. I've got, Dresha, unlike you, I don't have $10,000 of Pokemon cards right behind my desk.
Starting point is 00:23:54 I have only other electronics. It's funny. I say that and I looked over and I have this. Yeah. T. Oh my goodness. I don't have $10,000 of Pokemon cards, but I have a $10,000 marimba in my rooms.
Starting point is 00:24:06 It was not $10,000. but with inflation maybe. All right. A long time ago. Do we want to get to the main topic? Yes, please. The main topic, 40 minutes in. All right.
Starting point is 00:24:19 30. So today on the stand-up, we are going to have Casey Muratori give us the lowdown on Notepad and Notepad++. If you are not familiar, there has been some big news in both of the old pads. And so, Casey, why don't you take the floor? I mean, big news might be saying a little bit much. They both had security exploits is really what was kind of weird. And the reason, normally we probably wouldn't be talking about it
Starting point is 00:24:45 if it weren't for the fact that it's kind of just getting absurd now that both of the Notepad apps for Windows both had security exploits in the last 12 months, which is just kind of a little bit weird. And you're just like, how have we gotten to the place where the text editor is regularly having security exploits? So I'll start with regular Notepad, which is just the one that comes bundled with Windows, that's the one that you're probably most likely to use
Starting point is 00:25:10 because it comes directly from Microsoft and you don't have to have installed it, it's just going to be there, right? So this one's kind of nuts, and actually I'm sort of glad that I read up on this one because I didn't actually know this fact about Windows. I maybe could have guessed it had I thought really hard, but I might not have because I might have been like,
Starting point is 00:25:32 well, surely no one would do that. You underestimate Microsoft. friend. And I was like, okay, I guess, yeah, lesson learned. So anyway, so what happens is in Notepad, in normal Notepad now, they've sort of started adding features, which is exactly what you don't want someone to do to a Notepad, right? Like, the whole point of Notepad is just this really crappy text editor. And you can kind of breathe a sigh of relief when you fire it up because it's just not going to do anything, right? So you kind of would have hoped that like, oh, if I'm going to open this file. Nothing could possibly go wrong because it's Notepad. It doesn't have
Starting point is 00:26:09 anything in it. Can't do anything. It's fine. But they've been steadily adding features to Notepad, so now that's not true anymore. It's got Copilot integration and all this other stuff now. That's what I need. Yeah. So now if you open up Notepad, it's like anything goes. It's just like opening up Microsoft Word or something. Who knows how much security snafus could be hiding. So one of the things that they did is if you open a Markdown file in Notepad now, normally, you'd think, well, it's just Notepad, so I've opened a Markdown file, just going to show it as a text file. But no, it will actually do
Starting point is 00:26:41 the Markdown parsing in Notepad, I guess. And now I have never noticed this myself. I've never used Notepad to open a Markdown file. I didn't even know it did that. Same. Apparently it does, right? And one of the things that it does when it parses the Markdown file is that it
Starting point is 00:26:57 properly obeys that like parentheses bracket syntax for linking where you can basically put in like here's a URL of some kind, and here's the display text that I want for it, it will actually do that conversion and properly display that in the Notepad so that you can kind of just click on links
Starting point is 00:27:15 and it'll take you to the links. Now, here is where the problem begins. The way that they shipped this feature is like... Oh my God. Casey, are you okay? Do we need the, like, do we need like a personal chat right now? Yeah.
Starting point is 00:27:38 Here, Casey, I can make you feel a lot better. I actually do have a copy of the secure notepad. It's right here. I got it right here. This is like super secure. Yeah, you couldn't fit secure on one line. No mistakes. No mistakes.
Starting point is 00:27:51 Anyway, go ahead, Casey. So the way that they, they shipped this feature, anyone, this will be lost on most of you, but anyone who's been like a longtime Windows programmer, they will be. they will just, they won't, they'll have the face that I just had on my face. They will have that on their face too. So the way that they shipped this feature was they do the Markdown parsing as you would expect and they produce the like URL, they produce the like string, the display string like you would in Markdown and they take whatever the URL would have been and they save just that
Starting point is 00:28:29 raw string basically. They just keep that. When the user clicks on the link, literally they call ShellExecuteExW and just pass that string. That can't be... How did that even pass like...
Starting point is 00:28:51 Is it like security audits when they like... I don't believe it. Yes. And it's hidden, right? You can't see what it is because it's hidden. Yeah, I mean, it's not going to tell you what it. It's just going to pass it to shell execute. Just, that's it. Right. So it's just
Starting point is 00:29:06 like they fill out, you can actually go see that people have decompiled the code. So you can actually go see it's like, yep, it fills out the ShellExecuteExW, like, info struct. It sets the command to open and just, just blam, the string is just there's the string. Like, have a party
Starting point is 00:29:24 open, right? Wow. So basically what this means is that anybody who, you know, was unaware, because like normally you wouldn't think that's what it would do. Like normally you'd be like, oh, this is going to go to a web, like, this will go to a web browser. And the web browser will interpret the URL. So how risky could it possibly be?
Starting point is 00:29:46 It's no different than if I was just clicking a link on a website, right? No. You can literally put anything you want in there, like file colon slash slash the path to something you want to run. And it will just run with your permissions on your machine right there. No web browser necessary, right? I'm trying in my head to come up with a reason why that happened
Starting point is 00:30:10 and like I can't even come up with one. Well, I'm trying to come up with how it was allowed to happen. So that's just in there, right? And the only real saving grace here, so like that's really bad. Like that just should never I mean, that's not
Starting point is 00:30:25 there's people, there's apologists who like replied to the tweet that I made about this who were like well, I mean, the user clicked on the link I'm like, no, no, I don't think you understand. The user clicked on the link is true for every security exploit that's ever occurred. Like, every security
Starting point is 00:30:41 exploit, somebody at some point installed something, even if it's the operating system, and you can't be like, well, they install an operating system on the computer, so it's their fault that eventually it got hacked. They clicked accept on the terms and conditions, so they're for. Yes, like the user is, if the
Starting point is 00:30:57 user clicks on a link, it's the program's responsibility, to ensure that it's going to just open the link in a web browser, not, oh, that could just be crap that runs on your machine now, right? Can I ask a follow question? That's not on the table, right? Yeah. So, Shell execute, when it gets handed a URL that is a properly formatted HTTP thing,
Starting point is 00:31:19 will just launch a browser. It had, I didn't even, that's kind of crazy. I guess I never really realized that you could just. That's the protocol. So Shell execute. I don't know shell execute and I've never tried this method. It just seems interesting to me that you can just be like,
Starting point is 00:31:35 here's HTTP, you know what to do. And it's just like, yeah, actually this is, so, so you could think of it as that is the job of open. So, so when you do shell execute, you can basically pass these things called verbs, right? Is xdg-open the same? Sorry, sorry, sorry, keep going. I'm just trying XDG, XDG,
Starting point is 00:31:54 the open. Yes. And the idea is, you know, it makes sense. And when it was created, you know, Shell Execute, the first time I remember it was in Win95 so it's been around like a very long time but the yeah that's how gx works in Neovim, Prime
Starting point is 00:32:12 yeah so the idea behind shell execute is very simple it's that protocol handlers like people who know how to do something they can register those with the shell and the shell can go oh you know I someone called open and they gave me a PDF file who are the people who are currently registered to handle PDF files?
Starting point is 00:32:34 Okay, let's open one of those and hand them this thing. So this is its job. Its job is to take something like a URL and decode it into saying, oh, that I know how to open one of those. Here's a program on the machine that can do that for me. So Shell Execute is operating as intended. Now, obviously, this is a huge security hole,
Starting point is 00:32:55 which is one of the reasons you generally don't want a program to just be calling Shell Execute on stuff. if the user is unfamiliar with it. Typically, like, if you're going to call Shell Execute, you probably want to do a bunch of, like, hardening of that path to make sure that you've parsed the string yourself and know that it's not something confusing, right? Now, obviously, this has been a security exploit topic before,
Starting point is 00:33:15 because... And now we'll get to the really cool stuff. So, prior to 2024, one of the things that Shell Execute did know how to handle was installer apps. So MSIs, shit that just runs and installs crap to your machine, right? So you could, with this exploit, you could do MS-dash app install, colon, some remote file, and it will download and run it.
Starting point is 00:33:46 Now, thankfully, in 2024, Microsoft just removed that feature. 2024? 2020, well, you know, better late than never, Teage. Okay, yeah, that's like. Yeah, so now what will actually happen if you wanted to do the maximal version of this notepad exploit is thankfully Microsoft's other people who removed that will stop that from happening. You'll get a box that pops up that says, hey, I can no longer auto install things. Please notify whoever it was that distributed the software that they have to update their installation link. Like, yes, good. Very, very good job. That was good, right? And so that actually stopped this exploit.
Starting point is 00:34:28 from being potentially a lot worse than it was. Now, the other thing is, one quick question. Can you just do like a curl, you know, some, I don't know what they call, DOS scripts. I'm just going to call BASH for, you know, some remote script and then pass it into BASH, whatever the equivalent of that,
Starting point is 00:34:46 can you just shell execute that? Can you just shell execute a curl? So you, as far as I know, and I guess I haven't thought about it too hard, but as far as I know, with a single click, meaning all you're going to do is click on one of those markdown parsed links
Starting point is 00:35:03 and it's going to pass something to shell execute. The thing that it's going to do has to be resident on your machine. So it would have to be like file colon slash slash something on your machine and it would run that. Okay. But it can't, because they close
Starting point is 00:35:20 that MS-dash app install. So a practical exploit for this exploit would have had to look like, hey, here's the GitHub for our document collection. No executables or anything, right? And you download it, but it does secretly have an executable in it, but you're never
Starting point is 00:35:35 going to click on that because it's buried in some subdirectory you'll never see or whatever, right? Then the main page, which is like, hey, table of contents with a link, you click on that and it's got a file link to that executable, and it runs it. And then you're done, you're toast, right? Because that's going to run that executable with your
Starting point is 00:35:50 permissions right away. So, but without that MS app install, because that loophole is closed now for shell execute, I don't think there was a way to have one click both download and run a program. I could be wrong about that, though, but I don't think with a single shell execute,
Starting point is 00:36:07 it can do that. It had to be something already read. So it could either go get a file from the internet, like by opening a web browser with one click, or it could run a file already on a computer, but I don't think can do both together. I don't think. People can correct me if I'm wrong about that, though, because, I mean, I'm not the person who reverse
Starting point is 00:36:22 engineered this exploit, so I don't know. I'm just going by what security researchers put up there and making my best guess. But I did test it myself though. I went and ran, I made my own little shell execute thing to see what happens if I did an MS app install. And I did verify that that is now blocked, at least
Starting point is 00:36:39 on whatever my current version of Windows is that was running on this machine I'm talking to you via right now. It does in fact block those, so that's cool. Now, I don't think, unlike the exploit we're going to talk about next, I don't think this one was ever exploited in the wild because Microsoft
Starting point is 00:36:55 found it. So they shipped it, And then some security audit or somebody who was going through the code or some research team that found it, send it, send it to them might have been what happened. I don't know. Because there were reverse engineerings of it online. So it might have been that one of those reverse engineering people actually were people reported it, right? I didn't look to see who was the, if there's somebody got a bug bounty for it or whatever. My headcanon is that somebody who was really mad that Microsoft is shipping updates to Notepad internally. and they're like, I'm going to show that you guys should stop updating this.
Starting point is 00:37:29 Because I know for sure that you got, that's what I think in my head. Very possible. Some guy inside is like, stop updating this. I've been telling you we just needed an error. Yep, the security, like someone on one of their harder core security teams was like, they did what to Notepad? All right, I'm going to go look at that. And it was like, what did you do?
Starting point is 00:37:45 Yeah. Joe from engineering's on that team. I know he left a shell exploit in here somewhere. Yeah, yeah, yep. the entire security audit is just like grep ShellExecuteExW and it's like Bam bam bam bam bam bam bam bam bam bam bam
Starting point is 00:38:01 And they're like oh no Yeah So that was that was the one that shipped with Windows And fortunately again as far as I'm aware This was found by either security researchers Inside or outside of Microsoft Prior to anyone getting severely compromised by it So it didn't end up being an issue I don't think
Starting point is 00:38:21 that's my understanding anyway. Not so for Notepad Plus Plus, unfortunately. Notepad Plus Plus, which I use, by the way, and have now uninstalled from my machines because I'm now terrified of even using a text editor anymore,
Starting point is 00:38:38 which is terrifying. I'm having a hard time emotionally thinking of whatever teams in charge of Notepad Plus Plus, which hasn't changed from Windows 95 all the way up until just like two years ago. whatever team that was that was in charge of it has started putting so many features into it including AI
Starting point is 00:38:55 and I don't think they're ready for all the possible exploits like I just don't think they're ready for it and they don't know what they're doing out there no notepad plus plus on the other hand this one is very scary the notepad one that I just said is more of like a
Starting point is 00:39:12 face palm kind of thing it's like guys don't we don't need to add shell execute just don't put shell execute in notepad Ever. Like, it doesn't need that, right? But, yeah, so the problem is with Notepad Plus Plus, this is a different story. Notepad Plus Plus is actually like a very sophisticated
Starting point is 00:39:34 attack attacking individuals. That's why this one's so scary. Oh, cool. Yeah, yeah, yeah. And by cool, I'm terrifying, but also cool story. Yeah. Okay. So, and I would preface that Notepad Plus Plus is like it's, you know, it's something developed by just some folks, right? Like, it's not a
Starting point is 00:39:56 commercial package. It's really not their responsibility to secure it. So at some level, it's not that, you know, it's not like it's somebody's fault for doing a bad job because it's like, well, they, you know, you, they aren't even getting paid to do this thing, right? Like, so it's like, they're not necessarily supposed to employ a security team or anything else, right? But it just goes to show you that like, well, if you're just using some open source software, whatever it is, it's like actually you might just want to be really scared about that because who the heck knows at this point. What happened with Notepad Plus Plus is as follows. They unfortunately made the decision, which I just wish people would just stop doing. They unfortunately made the
Starting point is 00:40:39 decision quite some time ago to have the thing have auto update feature. Now, thankfully, it's not the kind of feature that's like, you know, Chrome or whatever, where it just silently updates the binary, like, if, you know, if you have the automatically keep updated checkbox checked or something, it just updates your binary whenever there's a new one
Starting point is 00:41:00 or something like that. Thankfully, they did not do that. But what they did do is they made a thing called WinGUp or something like that, which they basically made their own little update program, their own little update sort of codebase, and they actually share it.
Starting point is 00:41:19 So you can use this, you know, this is something that other people could use as well. And it's just an updater that checks the website, gets an XML, a little XML like payload that says like what the latest, you know, download is so that can compare against itself. And if it's newer, it pops up a dialogue box, basically, that says like, hey, there's a new version of,
Starting point is 00:41:40 in this case, Notepad Plus Plus, or whatever the WinGUp is running on. There's a new version, would you like to download it now? Right? And you can click yes if you want it or no if you don't. Thankfully, because I hate software updates, for the past four years I have always clicked no. Other people who probably were also advised that they should keep their software up to date for security reasons, which is always a mixed, like,
Starting point is 00:42:08 the thing they don't tell you is the easiest way to get security exploits is to not update your software, and the easiest way to get security exploits is to update your software. software. So, right? So, like, you're damned if you do, damned if you don't. And this is a great example of that. So probably going like, oh, I should make sure I'm up to date on my notepad plus plus clicked yes. So this particular updater at the time didn't have any kind of cryptographic integrity check. So for those of you who maybe aren't familiar with this kind of process, when you are going to update a binary, typically what you want to do is you want to make
Starting point is 00:42:46 sure that the binary that you're updating to actually is the binary that you think it is. So, for example, if I install Notepad++ on my machine in an ideal world, what would happen is I only have to trust the first time I got Notepad Plus Plus. Now, obviously, if the first time I get Notepad Plus, it's a hacked version of it. I'm screwed. So maybe don't download the first version from the Pirate Bay or whatever. right. But once I have it installed, what I would like is for that program to have what we would traditionally call like a public key that, you know, every copy of Notepad++ just has the same key.
Starting point is 00:43:23 When it wants to download a new version of itself, when it downloads that executable, it can check to see if that executable is signed in some way so that the binary itself actually matches. when you do a signature check matches the public key that we have. And only the people who produce the binary have the private key so no one else can do it without actually hacking like extracting the private key from this, you know, wherever the build farm. And that can happen too, at which case all bets are off.
Starting point is 00:43:57 But at least now we know someone can't just, you know, hijack it. And the reason that this is important is because if you think about when something goes to auto update, It's just connecting to the internet to get that update. If it gets man in the middle, like somebody's sitting there and can intercept the traffic, it can just go, oh, he's trying to download a new Notepad Plus Plus. I've got a great Notepad Plus Plus for him and gives the modified executable that has all the security exploits in it. So anyway, this particular version of Notepad, I guess prior to 2025, they just didn't have any kind of verification.
Starting point is 00:44:34 so they didn't verify the XML package and they also came to say where you should get the new version from and they also didn't verify any executables that they that you would have downloaded as a consequence for that. So this was just an insecure process. And again, there's a standard CVE for this. You actually go, not CVE, there's a standard, what do they call it? I don't know if you've ever, if you ever read, I'm not a security researcher. If you've ever read those CVEs, which are basically like the thing that details what the exploit was from the MITRE Corporation keeps them in a giant list, right? There's part of the thing
Starting point is 00:45:09 that details the exploit, there's like codes that they have for what kind of exploit it was. So, like, this is just a standard kind. It's did not validate an update an update binary. That's like, it's just, that's just like a standard thing, right? Because this has happened before. So anyway,
Starting point is 00:45:25 so that's the basic idea of what's about to happen. And so that part while scary, because it's like, well, that's not great. The scary part is how they went about exploiting this because a normal kind of exploit is a lot less scary than the kind that they carried out here. So what they chose to do, what the attacker chose to do with it, and they are believed to be state sponsored because of the level of
Starting point is 00:45:52 sophistication, is they decided, look, if we start randomly exploiting all of these, you know, this backdoor to notepad, you know, that's going to get to, quickly. So instead what we'll do is we'll pick high value targets whose machines we were trying to compromise and we will see if any like of those IP addresses connect to update Notepad plus plus. We'll man in the middle it because we figured out how to hack the web like we hacked the like the web provider or someone in between the web provider. I don't remember the specifics are actually not as well documented as I would have this specifics of the hack are very well documented. the specifics of exactly what the man in the middle part looked like, we're not.
Starting point is 00:46:38 We're man in the middle of that we're just going to wait. We're going to pass everything through so it looks like Notepad++ is updating normally for everyone else. But when we see a high value IP comes in, then we'll slip him the Mickey, right? Then that and only that cup of Coke gets the roofie, right? So what they then do is they serve just the high value targets, an updated note. Notepad plus plus that has, and I loved, I loved this. It was, I don't know if hackers do these things to be funny, because, you know, I've never really known like a real black hat hacker, I guess, but I know some people who are
Starting point is 00:47:21 kind of like maybe adjacent to that, and they do like inside jokes in that way. So I don't know. So what it does is it includes a legit copy of Bitdefender, of some executable from Bitdefender. A legitimate one. That
Starting point is 00:47:43 they have replaced some of the DLLs that it loads, so they use an executable that is signed, but that loads an external DLL, so that they won't get security checked on that. And they replace just the DLL it loads with the DLL
Starting point is 00:47:59 that does the security exploit that they need. Right? So I'm like, okay. So they give you this package, and effectively what happens is Notepad Plus Plus will update itself with the bad version that you sent. If it doesn't check, it just starts running that. You think you're running Notepad Plus Plus, but actually you're running this copy of Bitdefender, which they've actually renamed to Bluetooth service. So you're running a thing called Bluetooth service. Yes, you're running this extra thing called Bluetooth service that's actually a copy of Bitdefender that's intact.
Starting point is 00:48:31 They haven't changed that at all, but they replaced some of the DLLs that it would have loaded with ones that have their exploit payload. And off we go. So this thing was like pretty hard to find apparently. I'm not sure how the security researchers actually ended up doing it. You can see, you can go read Rapid7 has like their full breakdown of like how they went about finding it. And it's like they had to find it on just there was a small number of machines that were having this happen and they had to dig into it, I guess. because again, like, very few people had it. So it's kind of like hair pulling of like, wait, what's going on?
Starting point is 00:49:05 And eventually they were able to track it back to the fact that it was notepad, even though most people's Notepads were not compromised, right? So at the end of the day, this is kind of terrifying because it's like, holy cow, like, I mean, I'm not a high value target, so I guess I don't really have to worry too much about that kind of thing. But it's crazy just how intentional these things are. are, I didn't quite realize, like, how specific they might be. And my guess is we have not found most of these, right? Like, this is not the only time they've done something like this, I'm sure.
Starting point is 00:49:43 And what are the chances that we've actually detected most of them? That's interesting that they're able to man in the middle so thoroughly like that. That's what I'm, like, most curious about is how could you, like, what kind of access do you need to have? or what have you hacked to be able to do that? Just the web provider that happened to be running the little WinGUp other end or whatever it is. Or not the other end. Where the file.
Starting point is 00:50:10 The web provider, basically. Whatever they were hosting the notepad. They just had to hack the host. That's it. Yeah. That's crazy. And then they would just, they would selectively pick which one is wild.
Starting point is 00:50:24 Well, that's the thing is like, yeah, like, I feel like that's what. it's so insidious is because normally like if somebody hacks a web host provider or hacks some website a bunch of people will get screwed but will know like that day right because all hell breaks loose and like
Starting point is 00:50:39 security researchers are seeing weird files like they're monitoring all this stuff right whereas this they don't see anything because they're not a high value target well they're presumably they know they try to figure out where all of those collections spaces are and intentionally would never
Starting point is 00:50:55 serve it to one of those right the hard part is finding someone high profile using Notepad. Dang it, you took my joke, Trash. That's what I was going to ask is, is there's such thing as a high value target using Notepad? Sorry, buddy. Sorry, Prime. I said it already.
Starting point is 00:51:08 Sorry. That's why I said, can I ask you a question? That's why I'm looking in there. I was like, I got to get this same before somebody else says it. Trash, that's genius. Thanks. Thanks a lot. Thanks a lot.
Starting point is 00:51:17 I really appreciate that. It makes me feel great about myself. I use it because I have to, I make the materials. I want people to be able to use a text editor that they're familiar with that they can just get for free on wind. Windows, okay. You know, I'm not proud of it. They're handing out Notepad Plus Plus for free for sure now. They're like, guys, don't like this. Casey, how does it make you feel?
Starting point is 00:51:37 Not great. That when they attacked high value targets, you weren't included. Like, what went through your mind that day? You know, it's on the up and up, guys. We don't know that they didn't try. Casey's been clicking no. That's what I was just going to say, I'm sure I was tops on the list prime. Tops on that list. And I just didn't hit up. They were probably furious that they couldn't get access to my machine with this hack. Probably the whole reason they did it.
Starting point is 00:52:04 And the other targets were just like to, you know, they're like, well, we could, since we didn't get Casey, we'll get a couple, get, you know, NORAD or whatever, you know. There's like a cinematic scene that has Casey's face on the dartboard, a guy just smoking cigars, just throwing darts at his face. Yeah. I mean, that's a chance why they kept the exploit open. They were just waiting for Casey to hit the update. They were going, going, going. Yeah. I don't know, man.
Starting point is 00:52:24 We got to get something back to the boss, even though we're. We're really here to get Casey. They're like, all we got was Bill. And it was like, no big deal. Bill from IT. Yeah. First, this guy doesn't play Minesweeper ever. And now he doesn't update his notepad.
Starting point is 00:52:36 How are we going to hack this guy? We've tried leaving USBs on the sidewalk. He doesn't put those in his computer. We're screwed. He's not even clicking markdown links in notepad. He's sometimes a free. What the hell? Everyone clicks markdown links.
Starting point is 00:52:52 That's why they're there. Especially a notepad. Specifically. the world's most markdown friendly editor that everyone knows about. Notepad. Yeah. Well, now that it has Copilot, I do kind of think it is the best place to work with Markdown documents, Prime.
Starting point is 00:53:08 I do like the idea of someone at Microsoft coming out and going, well, we have some good news and bad news. The bad news is that the Markdown parsing in Notepad was attacked with a pretty significant security exploit. The good news is, since nobody knew that Notepad parsed Markdown to begin with, no one was opening markdown files in mine. So we avoided any actual security situation. We like to call that here at the big kind of shops like we operate at Microsoft. We like to call that Swiss cheese security. And so we're really confident we've got so many layers of abstraction. Nobody's going to be
Starting point is 00:53:42 able to exploit our software. Good news. Copilot has had no security exploits because nobody uses it. And we will continue this. Nobody uses Copilot so it can't get exploited strategy. Do we know what happened to Cortana? Where is she? Has anyone heard from her? I actually feel bad that they killed Cortana. Yeah. And then they replaced it with Copilot. And I also feel bad that Copilot is the name of their office suite.
Starting point is 00:54:07 The thing that's on your desktop, the thing that's inside of your notepad, the thing that's on GitHub and also the auto-complete. Like, it does make it a bit confusing that they could have, like, one of them could have just been Cortana. You know, Cortana for the boys. I've got a question. If anyone internal to Microsoft can confirm this for us before the next episode. I'd like to get a guess from everybody. How many people do you think at Microsoft are still actively working on Cortana because the answer is guaranteed to be more than zero.
Starting point is 00:54:36 I know it's more than zero. So how many people do you think are still actively working on a Cortana-related team at Microsoft? Oh, so TJ, it's something you may not understand. And honestly, I feel bad for you. Okay. In Halo Infinite, Cortana is like effectively killed. so they even killed. Oh, so they did it because of that's, they did it for continuity and for lore.
Starting point is 00:55:02 Yeah, for lore purposes. That's why they killed Cortana introduced. I would hate to refer to the Halo timeline, but AIs actually have a finite amount of operating time before they actually go unstable. You just literally called a Halo Infinite and now you're saying it's finite. I'm not following at all what's happening. That lore kind of sounds like the real world. Again, see now, see, now you're really showing your lack of Halo knowledge because Infinite obviously refers to the USS Infinite, the major flagship ship that lies on Halo 5 and Halo 6th.
Starting point is 00:55:26 They have a ship that's infinitely big. You may have played a little bit too much Halo. I'm just a big fan. Okay. I'm just like have you read like the other novels? I have not read the books. I have not read the books. Oh, that's what he says.
Starting point is 00:55:42 That's not what he said in DMs, Casey. Okay. He was DMing me about him last week. He was telling me how much he liked the novels. That's a lot. Prime, here's like honestly, real talk here. Is it possible to have, like a brief, you know, five-minute segment on the stand-up in the future where you
Starting point is 00:56:00 summarize the whatever chapter you just read from a Halo novel every week. I'm just finishing up that hideous strength this, probably this week, and so I could go into a Halo book. I'll go into Reach or something, and then I'll give you like this week on Halo. Yeah, I would like to know, and this is sort of like our soap opera serialization version of the novel that we can. Okay. So we can all kind of be there with you. I just did all of Sanderson effectively, so now I'm ready for the next set and sell. Okay.
Starting point is 00:56:28 So I'm doing the one CS Lewis fiction book I haven't read, which is that hideous strength, and then I'll finish it all off. All right. I'm ready. Looking forward to it. Heck you out. All right, so which Halo book, though?
Starting point is 00:56:39 There's like a lot of Halo books. I guess we probably have no idea. I didn't even know there was a halo book. Trash, there's books for everything now. I don't know if you know that. There's always, like, shovelware novel, like, like. I should know there's a show to go with,
Starting point is 00:56:53 Pokemon cards? What? You're kidding me. Like look at this. Just so you guys know, for Halo books, it does appear that there was at least five or there's six, 12, 18, 19 of them and stopped in
Starting point is 00:57:09 2019. Oh, man, there's like an official book guide. Okay, we got a lot of books there. I got a lot of books to go through. You don't have to read them all, just one. No, you got to read them all. No. What a rainer.
Starting point is 00:57:23 That would be difficult. I like it. One book. That's a lot of reading, that would be like a whole year's worth of reading of Halo books. And I also read words out loud, unlike TJ. I respect the book and I give voices to each individual. But TJ apparently.
Starting point is 00:57:36 Did you know that TJ reads without reading the word in his head? What does that mean? That's pretty common. You don't have to say, you don't have to vocalize in your head. Yes, you do. You need to, like, they all need to have voices and forms of speech. Like, you've got to give the art of the book. It's due.
Starting point is 00:57:52 I'm telling you. I don't know how to read without verbalizing it in my head. I'm over there like, hey, T.J. I can't, yeah, Rand's currently in Tancico, and he's just like, I don't know what that is. I'm like, Tan Chico, he's like, no, that is not what happened. I said, I don't know how you would say. You say it differently than me is what we said. No, you say nothing.
Starting point is 00:58:11 You've just never said it. That's what you said. You're like, oh, I've never said that word. I said I never spoke it with my mouth. There's a different. Yeah. Quick question. Yeah.
Starting point is 00:58:19 When you sing a song and it's a female, do you try to sing like a girl? Of course. Yeah, of course. You just hit that pharyngeal, baby. I just want it. Well, first off, trash, boys and girls can both sing. We don't say that you have to sing like a girl. That's offensive in 2026.
Starting point is 00:58:30 They're also good singers, okay? Well, you would think when they throw a baseball too or something, trash? It's a little offensive, okay? All right, all right. I don't want to get canceled. I'm just saying. I'm just against girls. That's what I'm hearing.
Starting point is 00:58:42 This has taken the worst turn ever. Boys and girls can both sing, okay, trash. All right, in this podcast, Josh did not put that in here. Trash so many people out there on the receipts app just added what you just did to their list of things that they did not like today. Terrible. No, I'm saying, I'm saying when we talked about it in the past,
Starting point is 00:59:07 I don't know how you're going to say the words because they're made up words. So some of them I don't know how you're saying. We say them differently. But I don't sound out the words in my head as I'm reading. Yeah, so you've never said them. Yes, with my mouth. Yeah, or your head.
Starting point is 00:59:22 Sometimes I do so. You mean brain. I've just never said them in my head or my mouth. And I'm like, yeah, so you've never said them. But that wasn't the conversation we had for that before. You said it in a really goofy way that I didn't think anyone could possibly connect English letters together to make that sound from those things on the page. I misread Murd Rawl so bad. I called it a midreale.
Starting point is 00:59:42 Like I was so far off. My disgrace was so thick. But it was that one. It was a different one. It was a different one. What book are we talking about? Oh, that was Wheel of Time. That was Wheel of Time.
Starting point is 00:59:55 Also read that one. I read the whole series out loud to my kids. How long would that take? Two and a half years. As long as I've known him. I feel like you've done about Wheel Time since I've discovered Prime. Yeah. Yep.
Starting point is 01:00:09 That was my fault too. Sorry, Prime. Yeah, that was a good book. We were very happy. My son, in fact, liked it so much he wants to rego through it, though he is very angry at the end. No spoilers for trash. He's just about to start. It's only like 15,000 pages, trash. You got this. It's quick. It's easy. You can honestly get it in half here if you really
Starting point is 01:00:25 put your mind to it. That's true. I used to read the books like in a weekend when they came out. So you could get him done fast. But that's because he doesn't say any of the words in his head. So he's Omni reading. I am reading. I'm not Omni reading. That's Began. He doesn't read anything. Omni reading is made up word that he made up to explain why you can send him a text and nothing comes out the other side. Right. So is this one of those things where he's like we see a new government report that's like unfortunately up to 37% of all high school graduates are now Omni reading. Right, a coin termed by a recent influencer Began bot for the reason why we don't we don't have an illiteracy problem. Just to be clear, what we have is an omni reading problem. They're very different. They're reading everything at once or not at all, and so it's kind of like they're really good at reading. We did such a good job
Starting point is 01:01:21 that they can read everything slash nothing. Yeah. Well, thank you very much for joining us on this week of the stand-up. With me, as always, is T-H-D-V, Trash Dev, and Casey Muratori. If you want to find out more, go on Twitter and follow C.
Starting point is 01:01:37 Muratori. Follow Trash with two H's or Tej-V-E-E-J-U-D-V. Or the stand-up pod. Or the stand-up pod. And by the way, TikTok. Nobody knows. Instagram, X.com, standup pod.com,
Starting point is 01:01:52 all over the place. I've got links now for Casey because I made the site. Yep. Also, super cool stuff that's happening over on Spotify.
Starting point is 01:01:58 And I was just thinking that, you know, you keep telling me about how these hackers are state-sponsored. We're always looking for new sponsors for the podcast.
Starting point is 01:02:05 Great point. If states also do sponsorships first podcast, I was going to ask like Florida, Georgia, California, who was putting it on. Yeah,
Starting point is 01:02:14 yeah, yeah. Yeah. I want to know. Yeah. South Dakota, if you want to say, Sponsorship. I got one for you.
Starting point is 01:02:20 Podcast of South Dakota, a state sponsorship, the official podcast of South Dakota. The official. All right. Bye. The end. I didn't know that joke was going to land or not. Some people are like,
Starting point is 01:02:32 that's not funny. That's not funny. That's not funny. That's not funny. Out of the day. Five code. Errors on my screen. Terminal car thing.
