email subscriptions
Click Here – for the SpinRite 6.1 video walkthrough.





Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

SteveAndLeoAsPicardAndRiker
(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Click here to subscribe and receive a podcast summary and show notes link before each new episode is recorded.

 Send us your feedback: Registering your email address with us, even if you choose not to subscribe, will enable you to send email to the “Security Now” email.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts. So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.





Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving,
16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons & below then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

You can receive a weekly show summary, notes and
picture of the week the evening before the podcast!
 
(Every email sent contains an instant unsubscribe.)
Click HERE to see a sample weekly email.


Episode #1026 | 20 May 2025 | 142 min.
Secure Conversation Records Retention

• Chrome to actively refuse admin privileges. • Android Messenger is getting manual key verification. • Pwn2Own to add AI “pwning” as in-scope attack targets. • AI has already been found to be replicating. • Microsoft not killing off Office on Win10 after October. • 23andMe's asset purchaser revealed. • Many fun talking points thanks to our listeners. • Steve's review of “Andor”, season 2. • What's been discovered inside the U.S. power grid.
68 MB 17 MB  364 KB   <-- Show Notes

Episode #1025 | 13 May 2025 | 140 min.
Secure Conversation Records Retention

• The state of Virginia passes an age-restriction law that has no chance. • New Zealand also tries something similar, citing Australia's lead. • A nasty Python package for Discord survived 3 years and 11K downloads. • The FBI says it's a good idea to discard end-of-life consumer routers. • What's in WhatsApp? Finding out was neither easy nor certain. • The UK's Cyber Centre says AI promises to make things much worse. • A bunch of great feedback from our great listeners, then: • Is true end-to-end encryption possible when records must be retained?
67 MB 17 MB  472 KB   <-- Show Notes 187 KB 114 KB 386 KB

Episode #1024 | 06 May 2025 | 146 min.
Don't Blame Signal

• Microsoft to officially abandon passwords and support their deletion. • Meta's RayBan smart-glasses weaken their privacy terms. • 30% of Microsoft code is now being written by AI. • Google says prying Chrome from it will damage its security. • Nearly 1,000 six-year old eCommerce backdoors spring to life. • eM Client moves to version 10.3 • A bunch of terrific listener feedback creates talking points. • A little known insecure message archiving service comes to light.
70 MB 17 MB  520 KB   <-- Show Notes 162 KB 115 KB 366 KB

Episode #1023 | 29 Apr 2025 | 142 min.
Preventing Windows Sandbox Abuse

• Enabling Firefox's Tab Grouping. • Why did a mysterious empty “inetpub” directory appear after April's Patch Tuesday? • And what new Windows Update crashing hack did this also create? • North Korea is now creating fake US companies to lure would-be employees. • The “Inception” attack subverts all GPT conversational AIs. • New information about data loss in unpowered SSD mass storage. • Lots of terrific feedback from our listeners. • How malware has taken to hiding inside the Windows Sandbox and what you can do to stop it.
68 MB 17 MB  571 KB   <-- Show Notes 178 KB 111 KB 376 KB

Episode #1022 | 22 Apr 2025 | 154 min.
Windows Sandbox

• Enabling Firefox's Tab Grouping. • Recalled Recall Re-Rolls out. • The crucial CVE program nearly died. It's been given new life. • China confesses to hacking the US (blames our stance on Taiwan). • CISA says what Oracle still refuses to. • Brute force attacks on the (rapid) rise. • An AI/ML Python package rates a 9.8 (again!) • The CA/Browser forum passed short-life certs. :( • A wonderful crosswalk hack hits Silicon Valley. • Android to add force restarting ahead of schedule. Maybe. • The EFF is never happy. But especially now, about Florida. • Interesting research into ransomware payouts. • Windows Sandbox: The amazing gem hidden inside all Windows 10 & 11!
74 MB 18 MB  370 KB   <-- Show Notes 200 KB 125 KB 418 KB

Episode #1021 | 15 Apr 2025 | 168 min.
Device Bound Session Credentials

• Android to get "Lockdown Mode". • What's in the new editions of Chrome and Firefox? • Why did Apple silently re-enable automatic updates? • My new iPhone 16, Chinese tariffs and electronics. • Dynamic "hotpatching" coming to Win11 Enterprise & Edu. • Why is it so difficult for Oracle to fess up? • Another multi-year breach inside US Treasury. • An Apple -vs- the UK update. • "Thundermail" (Can't someone come up with a better name?) • The (in)Security of Programmable Logic Controllers. • When LLM's write code and hallucinate non-existent packages. • Wordpress core security and PHP gets an important audit. • Device-Bound Session Credentials update session cookie technology.
81 MB 20 MB  318 KB   <-- Show Notes 237 KB 140 KB 458 KB

Episode #1020 | 08 Apr 2025 | 163 min.
Multi-Perspective Issuance Corroboration

• Canon printer driver vulnerabilities enable Windows kernel exploitation. • Astonishing cyber-security awareness from a household appliance manufacturer. • France tries to hook 2.5 million school children with a Phishing test. • Wordpress added an abuse prone feature in 2022. Guess what happened? • Oracle? Is there something you'd like to tell us? • Utah's governor just signed the App Store Accountability Act. Now what? • AI bots hungry for new data are DDoSing FOSS projects. • No Microsoft Account? No Microsoft Windows 11. • Gmail claims it now offers E2EE. It kinda sorta does. Somewhat. • A dreaded CVSS 10.0 was discovered in Apache Parquet. • A bunch of terrific listener feedback. • What's Multi-Perspective Issuance Corroboration and why must all certificate authorities now do it?
78 MB 20 MB  416 KB   <-- Show Notes 208 KB 130 KB 428 KB

Episode #1019 | 01 Apr 2025 | 159 min.
EU OS

• Kuala Lumpur International Airport says no to a ransom attack, switches to whiteboard. • A tired and jet-lagged Troy Hunt got Phished then listed himself on his own site. • Cloudflare completely pulls the plug on port 80 (HTTP) API access. • Malware is switching to obscure languages to avoid detection. FORTH, anyone? • Password reuse doesn't appear to be dropping. Cloudflare has numbers. • A listener shares his log of malicious Microsoft login attempts. Why no geofencing? • 23andMe down for the count (reminder). • A sobering Ransomware attack & victim listing website. Gulp! • “InControl” keeps VR planes aloft. • And the European Union gets serious about a switch to Linux.
76 MB 19 MB  603 KB   <-- Show Notes 232 KB 132 KB 451 KB

Episode #1018 | 25 Mar 2025 | 155 min.
The Quantum Threat

• The dangers of doing things you don't understand. • Espressif responds to the claims of an ESP32 backdoor. • A widely leveraged mistake Microsoft stubbornly refuses to correct. • A disturbingly simple remote takeover of Apache Tomcat servers. • A 10/10 vulnerability affecting some ASUS, ASRock and HPE motherboards. • Google snapped up another cloud security firm but paid a price! • RCS messaging to soon get full end-to-end encryption (done right!). • How did an AI Crypto Chatbot lose $105,000? ...and what is an AI Crypto Chatbot? • Looks like Oracle may take stewardship of TikTok to keep it in-country. • Whoops! 23andMe is sinking – don't let them take your genetics with them! • The White House says “the cyber guys should stay!” • AI project failure rates are on the rise. Anyone surprised? • Listener feedback, and a very interesting update on just how looming is the threat from quantum computing?
74 MB 19 MB  350 KB   <-- Show Notes 194 KB 125 KB 401 KB

Episode #1017 | 18 Mar 2025 | 154 min.
Is YOUR System Vulnerable to RowHammer?

An analysis of Telegram Messenger's crypto. A beautiful statement of the goal of modern crypto design. Who was behind Twitter's recent outage trouble? An embedded Firefox root certificate expired. Who was surprised? AI-generated Github repos, voice cloning, Patch Tuesday and an Apple 0-day. The FBI warns of another novel attack vector that's seeing a lot of action. Google weighs in on the Age Verification controversy. In a vacuum, Kazakhstan comes up with their own solution. Was Google also served an order from the UK? Can they say? A serious PHP vulnerability you need to know you don't have. A bunch of great listener feedback, some Sci-Fi content reviews and... a new tool allows YOU to test YOUR PCs for their RowHammer susceptibility.
74 MB 18 MB  625 KB   <-- Show Notes 212 KB 128 KB 429 KB

Episode #1016 | 11 Mar 2025 | 148 min.
The Bluetooth Backdoor

Utah passes age verification requirement for app stores. The inside story on fake North Korean employees. Is that a Texas accent? An update on the ongoing Bybit cryptoheist saga. The industry may be making some changes in the wake of the Bybit attack. Apple pushes back legally against the UK's secret order. Did someone crack Passkeys? The UK launches a legal salvo at an innocent security researcher. The old data breach we witnessed that just keeps on giving. A bit more Bybit post-mortem forensic news. A lesson to learn from a clever and effective ransomware attack. And what about that Bluetooth Backdoor discovery everyone is talking about?
71 MB 18 MB  469 KB   <-- Show Notes 216 KB 123 KB 422 KB

Episode #1015 | 04 Mar 2025 | 150 min.
Spatial-Domain Wireless Jamming

• Firefox amends their privacy policy -- the world melts down. • Signal threatens to leave Sweden. • Aftermath of the massive $1.5 billion Bybit ETH heist. • It turns out that it wasn't actually Bybit's fault. • "The Lazarus Bounty" monitoring and management site. • Mozilla's commitment to Manifest V2 (and the uBlock Origin). • What does the ACM's plea for memory-safe languages mean for developers? • What exactly are memory-safe languages? • Australia joins the Kaspersky ban. • Gmail plans to switch from SMS to QR code authentication. • A SpinRite success and some fun feedback. • An astonishing new technology for targeted radio jamming.
72 MB 18 MB  620 KB   <-- Show Notes 195 KB 118 KB 398 KB

Episode #1014 | 25 Feb 2025 | 137 min.
FREEDOM Administration Login

• Apple disables Advanced Data Protection for new UK users. • Paying ransoms is not as cut and dried as we might imagine. • Elon Musk's "X" social media blocks "Signal.me" links. • Spain's soccer league blocks Cloudflare and causes a mess. • Two new (and rare) vulnerabilities discovered in OpenSSH. • The U.S. seems unable to evict Chinese attackers from its Telecom systems. • What are those Chinese "Salt Typhoon" hackers doing to get in? • The largest (by far) cryptocurrency heist in history occurred Friday. • Ex-NSA head says the U.S. is falling behind on the cyber front lines. • We have the winner (and a good one) replacement term for "backdoor". • A look at a pathetic access control system that begs to be hacked (and will be).
66 MB 16 MB  518 KB   <-- Show Notes 190 KB 111 KB 385 KB

Episode #1013 | 18 Feb 2025 | 130 min.
Chrome Web Store is a mess

US lawmakers respond to the UK's outrageous demand about Apple's encryption. What, exactly, is a "backdoor", and can a "backdoor" NOT be secret? Highlights from last week's Windows' Patch Tuesday. A look into RansumHub: The latest king of the Ransomware hill. "TOAD": Telephone-Oriented Attack Delivery. The state of Texas -versus- DeepSeek. Disabling Apple's "Restricted Mode". Where did I put that $800 million in Bitcoin? A Sci-Fi author update. And a deep dive into the misoperation of Chrome's critically important Web Extension Store.
63 MB 16 MB  557 KB   <-- Show Notes 166 KB 106 KB 357 KB

Episode #1012 | 11 Feb 2025 | 137 min.
Hiding School Cyberattacks

New “SparkCat” secret-stealing AI image scanner discovered in App and Play stores. The UK demands that Apple does the impossible: decrypting ADP cloud data. France moves forward on legislation to require backdoors to encryption. Firefox moves to 135 with a bunch of useful new features. The Five Eyes alliance publishes edge-device security guidance. Six NetGear routers contain CVSS 9.6 and 9.8 vulnerabilities. Sysinternals utilities allow malicious Windows DLL injection. Google removes restrictive do-gooder language from AI application policies. “AI Fuzzing” successfully jailbreaks the most powerful ChatGPT o3 model. Examining the well and deliberately hidden truth behind ransomware cyberattacks on U.S. K-12 schools.
66 MB 16 MB  435 KB   <-- Show Notes 181 KB 117 KB 379 KB

Episode #1011 | 04 Feb 2025 | 165 min.
Jailbreaking AI

Why was DeepSeek banned by Italian authorities? What internal proprietary DeepSeek data was found online? What is "DeepSeek" anyway? Why do we care, and what does it mean? Did Microsoft just make OpenAI's strong model available for free? Google explains how generative AI can be and is being misused. An actively exploited and unpatched Zyxel router vulnerability. The new US "ROUTERS" Act. Is pirate-site blocking legislation justified or is it censorship? Russia's blocked website count tops 400,000. Microsoft adds "scareware" warnings to Edge. Bitwarden improves account security. What's still my favorite disk imaging tool? And let's take a close look into the extraction of proscribed knowledge from today's AI systems -- It only requires a bit of patience.
79 MB 20 MB  637 KB   <-- Show Notes 200 KB 131 KB 424 KB

Episode #1010 | 28 Jan 2025 | 139 min.
DNS over TLS

eM Client CAN be purchased outright. An astonishing 5-year-old typo in MasterCard's DNS. An unwelcome surprise received by 18,459 low-level hackers. DDoS attacks continue growing, seemingly without any end in sight. Let's Encrypt clarifies their plans for 6-day "we barely knew you" certificates. SpinRite uncovers a bad brand new 8TB drive. Listener feedback about TOTP, Syncthing and UDP hole punching, email spam, ValiDrive speed, AI neural nets, DJI geofencing, and advertising in the "New" Outlook. A look into the tradeoffs required to obtain privacy for our DNS lookups.
67 MB 17 MB  685 KB   <-- Show Notes 142 KB 106 KB 333 KB

Episode #1009 | 21 Jan 2025 | 166 min.
Attacking TOTP

What do we learn from January's record breaking 0-day critical Patch Tuesday? Microsoft to "force-install" a new Outlook into all Windows 10 and 11 desktops? GoDaddy is required to get much more serious about its hosting security. More age verification enforcement is coming, including globally. What another instance of a widely exposed management interface teaches us. DJI drone's official firmware update lifts geofencing for unrestricted flight. CISA's efforts pay off with MUCH improved critical infrastructure security. Listener feedback about TOTP, HOTP and age-verification. And we take a deep dive into cracking authenticator keys.
80 MB 20 MB  557 KB   <-- Show Notes 211 KB 133 KB 431 KB

Episode #1008 | 14 Jan 2025 | 147 min.
HOTP and TOTP

Meta winds down 3rd-party content filtering. Is encryption soon to follow? Taking over abandoned Command & Control server domains (strictly for research purposes only!). IoT devices to get the “Cyber Trust Mark” – will anyone notice or care? “SyncThing” receives a (blessedly infrequent) update. Government email is not using encryption? Really? Email relaying prevents point-to-point end-to-end encryption and authentication. Just because Let's Encrypt doesn't support email doesn't mean it's impossible. What Sci-Fi does ChatGPT think I (Steve) should start reading next? To auto-update or not to auto-update? – is that one question or two? And, until today, we've never taken a deep dive into the technology of time-varying 6-digit one time tokens. Let's fix that! (And last week's uncaptioned picture is finally captioned!)
71 MB 18 MB  1,011 KB   <-- Show Notes 206 KB 117 KB 409 KB

Episode #1007 | 07 Jan 2025 | 144 min.
AI Training & Inference

The consequences of Internet content restriction. The measured risks of 3rd-party browser extensions. The consequences of SonicWall's unpatched 9.8 firewall severity. The incredible number of still-unencrypted email servers. Salt Typhoon finally evicted from three telecom carriers. HIPAA gets a long-needed cybersecurity upgrade. The EU standardizes on USB-C for power charging. What? Believe it or not, a CATCHA you solve by playing DOOM. And once we've caught up with all of that: What I learned from three weeks of study of AI.
69 MB 17 MB  658 KB   <-- Show Notes 195 KB 116 KB 389 KB
Past Years Archives

• Current Podcast Page
• Security Now 2024
• Security Now 2023
• Security Now 2022
• Security Now 2021
• Security Now 2020
• Security Now 2019
• Security Now 2018
• Security Now 2017
• Security Now 2016
• Security Now 2015
• Security Now 2014
• Security Now 2013
• Security Now 2012
• Security Now 2011
• Security Now 2010
• Security Now 2009
• Security Now 2008
• Security Now 2007
• Security Now 2006
• Security Now 2005


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 21, 2025 at 10:24 (2.80 days ago)Viewed 1,071 times per day