Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

 Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!). So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

 And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.

Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving, 16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons below, then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #692 | 04 Dec 2018 | 134 min.
GPU RAM Image Leakage

This week we discuss another Lenovo Superfish-style local security certificate screw-up; several new, large and high-profile security breach incidents and what they mean for us; the inevitable evolution of exploitation of publicly exposed UPnP router services; and the emergence of "Printer Spam." How well does ransomware pay? We have an idea now. We talk about two iOS scam apps, a false positive Bing warning, progress on the DNS over HTTPS front, and rumors that Microsoft is abandoning their EdgeHTML engine in favor of Chromium. We also have a bit of miscellany, news of a cybersecurity-related Humble Book Bundle just in time for Christmas, and a bit of closing-the-loop feedback. Then we discuss some new research that reveals that it's possible to recover pieces of web browser page images that have been previously viewed.
64 MB 16 MB  446 KB   <-- Show Notes 107 KB 96 KB 156 KB

Episode #691 | 27 Nov 2018 | 97 min.

Hackers and attackers apparently enjoyed their Thanksgiving, since this week we have very little news to report. But what we do have to discuss should be entertaining and engaging: Yesterday the U.S. Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed; Google and Mozilla are looking to remove support for FTP from their browsers; and from our "What could possibly go wrong?" department we have browsers asking for explicit permission to leave their sandboxes. We also have some interesting post-Troy Hunt "Are Passwords Immortal?" listener feedback from last week's topic. Then we will discuss the next step in the evolution of RowHammer attacks, which do, as Bruce Schneier once opined, only get better - or in this case worse.
46 MB 12 MB  292 KB   <-- Show Notes 94 KB 69 KB 128 KB

Episode #690 | 20 Nov 2018 | 131 min.
Are Passwords Immortal?

This week we cover the action during last week's Pwn2Own Mobile hacking contest. As this year draws to a close, we delve into the final last word on processor misdesign. We offer a very workable solution for unsupported Intel firmware upgrades for hostile environments. We look at a forthcoming Firefox breach alert feature. We cover the expected takeover of exposed Docker-offering servers. We note the recently announced successor to recently ratified HTTP/2. We cover a piece of errata, close the loop with some of our podcast listeners, then finish by considering the future of passwords using a thoughtful article written by Troy Hunt, a well-known Internet security figure and the creator of the popular HaveIBeenPwned web service, among others.
63 MB 16 MB  383 KB   <-- Show Notes 134 KB 96 KB 165 KB

Episode #689 | 13 Nov 2018 | 134 min.
Self-Decrypting Drives

This week we cover last month's Patch Tuesday this month. We look at a GDPR-inspired lawsuit filed by Privacy International. We ask our listeners to check two router ports to protect against a new botnet that's making the rounds. We look at another irresponsibly disclosed zero-day, this time in VirtualBox. We look at Cloudflare's release of a very cool app for iOS and Android. And, in perfect synchrony with this week's main topic, we note Microsoft's caution about the in-RAM vulnerabilities of the BitLocker whole-drive encryption. We also cover a bit of miscellany, we close the loop with our listeners, and then we take a deep dive into last week's worrisome revelation about the lack of true security being offered by today's Self-Encrypting SSD Drives.
65 MB 16 MB  347 KB   <-- Show Notes 146 KB 100 KB 178 KB

Episode #688 | 06 Nov 2018 | 112 min.

This week we discuss the new "BleedingBit" Bluetooth flaws, JavaScript no longer being optional with Google, a new Microsoft Edge browser zero-day, Windows Defender playing in its own sandbox, Microsoft and Sysinternals news, the further evolution of the CAPTCHA, the 30th anniversary of the Internet's first worm, a bizarre requirement of ransomware, a nice new bit of security non-tech from Apple, some closing-the-loop feedback from our listeners, then a look at the impact and implication of the new "PortSmash" attack against Intel (and almost certainly other) processors.
54 MB 13 MB  314 KB   <-- Show Notes 122 KB 82 KB 154 KB

Episode #687 | 30 Oct 2018 | 113 min.
Securing the Vending Machine

This week we follow up on the Win10 ZIP extraction trouble, discuss some welcome Android patching news, look at SandboxEscaper's latest 0-day surprise, examine the Hadoop DemonBot, follow up on US DoD insecurity, look into the consequences of publicly exposed Docker server APIs, look at a DDoS-for-Hire front end, check out the mid-week non-security Windows 10 bug fix update, look at the just-released Firefox v63, and examine a new privilege escalation vulnerability affecting Linux and OpenBSD. We also handle a bit of errata, some Sci-Fi miscellany, and a bit of closing-the-loop feedback from a listener. Then we answer last week's puzzler by exploring various ways of securing those vending machines.
54 MB 14 MB  323 KB   <-- Show Notes 112 KB 84 KB 151 KB

Episode #686 | 23 Oct 2018 | 119 min.
Libssh's Big Whoopsie!

This week a widely used embedded OS (FreeRTOS) is in the doghouse, as are at least eight D-Link routers which have serious problems, most of which D-Link has stated will never be patched. We look at five new problems in Drupal 7 and 8, two of which are rated critical, trouble with Live Networks RTSP streaming server, still more trouble with the now-infamous Windows 10 Build 1809 feature update, and a long-standing 0-day in the widely used and most popular plugin for jQuery. We then look at what can only be described as an embarrassing mistake in the open source libssh library, and we conclude by examining a fun recent hack and pose its solution to our audience as our Security Now! puzzler of the week!
57 MB 14 MB  337 KB   <-- Show Notes 118 KB 79 KB 150 KB

Episode #685 | 16 Oct 2018 | 125 min.
Good Samaritans?

This week we observe the untimely death of Microsoft's co-founder Paul Allen, revisit the controversial Bloomberg China supply chain hacking report, catch up on Microsoft's October patching fiasco, follow up on Facebook's privacy breach, look at the end of TLS v1.0 and 1.1, explore Google's addition of control flow integrity to Android 9, look at a GAO report about the state of U.S. DOD weapons cybersecurity, consider the EOL of PHP 5.x chain, take a quick look at an AV comparison test, entertain a few bits of feedback from our listeners, and then consider the implications of grey hat vigilante hacking of others' routers.
60 MB 15 MB  438 KB   <-- Show Notes 114 KB 88 KB 156 KB

Episode #684 | 09 Oct 2018 | 114 min.
The Supply Chain

This week we examine and explore an October Windows Surprise of a different sort. A security researcher massively weaponizes the existing MikroTik vulnerability and releases it as a proof of concept. Israel's National Cybersecurity Authority warns about a clever voicemail WhatsApp OTP bypass. What DID happen with that recent Google+ breach? Google tightens up its Chrome Extensions security policies. WiFi radio protocol designations finally switch to simple version numbering. Intel unwraps its 9th-generation Core processors. We've got head-spinning PDF updates from Adobe and Foxit. This isn't a competition, guys! And, finally, we take a look at the danger of Supply Chain Attacks, with a possible real-world example.
55 MB 14 MB  278 KB   <-- Show Notes 115 KB 83 KB 152 KB

Episode #683 | 02 Oct 2018 | 111 min.
The Facebook Breach

This week we discuss yet another treat from Cloudflare, the growing legislative battle over Net Neutrality, the rise of Python malware, Cisco's update report on the VPNFilter malware, still more Chrome controversy and some placating, the rapid exploitation of zero-day vulnerabilities, the first UEFI rootkit found in the wild, another new botnet discovery, the danger of the RDP protocol, a nasty website browser trick and how to thwart it, a quick update on recent nonfiction and science fiction, and then a look into the recent massive 50 million account Facebook security breach.
53 MB 13 MB  252 KB   <-- Show Notes 127 KB 84 KB 157 KB

Episode #682 | 25 Sep 2018 | 123 min.
SNI Encryption

This week we look at additional changes coming from Google's Chromium team, another powerful instance of newer cross-platform malware, the publication of a zero-day exploit after Microsoft missed its deadline, the return of Sabri Haddouche with browser crash attacks, the reasoning behind Matthew Green's decision to abandon Chrome after a change in release 69 - and an "Ungoogled Chromium" alternative that Matthew might approve of - Western Digital's pathetic response to a very serious vulnerability, a cool device exploit collection website, a question about the future of the Internet, a sobering example of the aftermarket in unwiped hard drives, Mirai Botnet creators working with and helping the FBI, another fine levied against Equifax, and a look at Cloudflare's quick move to encrypt a remaining piece of web metadata.
59 MB 15 MB  283 KB   <-- Show Notes 157 KB 95 KB 178 KB

Episode #681 | 18 Sep 2018 | 132 min.
The Browser Extension Ecosystem

This week we prepare for the first-ever Presidential Alert unblockable nationwide text message. We examine Chrome's temporary "www" removal reversal, check out Comodo's somewhat unsavory marketing, discuss a forthcoming solution to BGP hijacking, examine California's forthcoming IoT legislation, deal with the return of Cold Boot attacks, choose not to click on a link that promptly crashes any Safari OS, congratulate Twitter on adding some auditing, check in on the Mirai Botnet's steady evolution, look at the past year's explosion in DDoS number and size, and note another new annoyance brought to us by Windows 10. Then we take a look at the state of the quietly evolving web browser extension ecosystem.
63 MB 16 MB  369 KB   <-- Show Notes 109 KB 94 KB 160 KB

Episode #680 | 11 Sep 2018 | 128 min.
Exploits & Updates

This week we discuss Windows 7's additional three years of support life, MikroTik routers back in the news (and not in a good way), Google Chrome 69's new features, the hack of MEGA's cloud storage extension for Chrome, Week 3 of the Windows Task Scheduler zero-day, a new consequence of using "1234" as your password, Tesla making their white hat hacking policies clear (just in time for a big new hack!), our PCs as the new malware battlefield, a dangerous OpenVPN feature spotted, and Trend Micro, caught spying, getting kicked out of the macOS store.
61 MB 15 MB  278 KB   <-- Show Notes 104 KB 92 KB 152 KB

Episode #679 | 04 Sep 2018 | 124 min.

This week we cover the expected exploitation of the most recent Apache Struts vulnerability, a temporary interim patch for the Windows zero-day privilege elevation, an information disclosure vulnerability in all Android devices, Instagram's moves to tighten things up, another OpenSSH information disclosure problem, an unexpected outcome of the GDPR legislation and sky-high fines, the return of the Misfortune Cookie, many thousands of Magento commerce sites being exploited, a fundamental design flaw in the TPM v2.0 spec, trouble with MITRE's CVE service, Mozilla's welcome plans to further control tracking, a gratuitous round of Win10 patches from Microsoft - and a working sonar system which tracks smartphone finger movements!
60 MB 15 MB  278 KB   <-- Show Notes 106 KB 89 KB 151 KB

Episode #678 | 28 Aug 2018 | 101 min.
Never a Dull Moment

It's been another busy week. We look at Firefox's changing certificate policies, the danger of grabbing a second-hand domain, the Fortnite mess on Android, another patch-it-now Apache Struts RCE, a frightening jump in Mirai Botnet capability, an unpatched Windows zero-day privilege elevation, and malware with a tricky new C&C channel. We find that A/V companies are predictably unhappy with Chrome, Tavis has found more serious problems in Ghostscript, and there's been a breakthrough in contactless RSA key extraction. As if that weren't enough, we discuss a worrisome flaw that has always been present in OpenSSH, and problems with never-dying Hayes AT commands in Android devices.
49 MB 12 MB  234 KB   <-- Show Notes 110 KB 75 KB 143 KB

Episode #677 | 21 Aug 2018 | 123 min.
The Foreshadow Flaw

This week, as we head into our 14th year of Security Now!, we look at some of the research released during last week's USENIX Security Symposium. We also take a peek at last week's Patch Tuesday details, Skype's newly released implementation of Open Whisper Systems' Signal privacy protocol, Google's Chrome browser's increasing pushback against being injected into, news following last week's observation about Google's user tracking, Microsoft's announcement of more spoofed domain takedowns, another page table sharing vulnerability, believe it or not "malicious regular expressions," some numbers on how much money Coinhive is raking in, flaws in browsers and their add-ons that allow tracking-block bypasses, two closing-the-loop bits of feedback, and then a look at the details of the latest Intel speculation disaster known as the "Foreshadow Flaw."
59 MB 15 MB  175 KB   <-- Show Notes 138 KB 91 KB 169 KB

Episode #676 | 14 Aug 2018 | 110 min.
The Mega FaxSploit

This week we cover lots of discoveries revealed during last week's Black Hat 2018 and DEF CON 26 Las Vegas security conferences, among them 47 vulnerabilities across 25 Android smartphones, Android "Disk-in-the-Middle" attacks, Google tracking when asked not to, more Brazilian D-Link router hijack hijinks, a backdoor found in VIA C3 processors, a trusted-client attack on WhatsApp, a macOS zero-day, a tasty new feature for Win10 Enterprise, a new Signal-based secure email service, Facebook's Fizz TLS v1.3 library, another Let's Encrypt milestone, and then "FaxSploit," the most significant nightmare in recent history - FAR worse, I think, than any of the theoretical Spectre and Meltdown attacks.
53 MB 13 MB  278 KB   <-- Show Notes 108 KB 80 KB 143 KB

Episode #675 | 07 Aug 2018 | 113 min.
New WiFi Password Attack

This week we discuss yet another new and diabolical router hack and attack, Reddit's discovery of SMS 2FA failure, WannaCry refusing to die, law enforcement's ample unused forensic resources, a new and very clever BGP-based attack, Windows 10 update dissatisfaction, and Google advancing their state-sponsored attack notifications. We ask, "What is Google's Project Dragonfly?" We go over a highly effective and highly targeted ransomware campaign, present some closing-the-loop feedback from our listeners, and reveal a breakthrough in hacking/attacking WiFi passwords.
54 MB 14 MB  189 KB   <-- Show Notes 112 KB 80 KB 148 KB

Episode #674 | 31 Jul 2018 | 131 min.
Attacking Bluetooth Pairing

This week we examine still another new Spectre processor speculation attack. We look at the new "Death Botnet," the security of the U.S. DOD websites, lots of Google Chrome news, pushes by the U.S. Senate toward more security, the emergence and threat of clone websites in other TLDs, more cryptocurrency mining bans, and Google's Titan hardware security dongles. We finish by examining the recently discovered flaw in the Bluetooth protocol which has device manufacturers and OS makers scrambling - but do they really need to?
63 MB 16 MB  146 KB   <-- Show Notes 113 KB 95 KB 160 KB

Episode #673 | 24 Jul 2018 | 113 min.
The Data Transfer Project

This week we examine still another new Spectre processor speculation attack, some news on DRAM hammering attacks and mitigations, the consequences of freely available malware source code, the reemergence of concern over DNS rebinding attacks, Venmo's very public transaction log, more Russian shenanigans, the emergence of flash botnets, Apple's continuing move of Chinese data to China, another (the fifth) Cisco secret backdoor found, an optional missing Windows patch from last week, and a bit of Firefox news and piece of errata. Then we look at "The Data Transfer Project" which, I think, marks a major step of maturity for our industry.
54 MB 14 MB  502 KB   <-- Show Notes 111 KB 80 KB 145 KB

Episode #672 | 17 Jul 2018 | 115 min.
All Up in Their Business

This week we look at even MORE new Spectre-related attacks, highlights from last Tuesday's monthly patch event, advances in GPS spoofing technology, GitHub's welcome help with security dependencies, Chrome's new (or forthcoming) "Site Isolation" feature, when hackers DO look behind the routers they commandeer, and the consequences of deliberate BGP routing misbehavior. Plus, reading between the lines of last Friday's DOJ indictment of the U.S. 2016 election hacking by 12 Russian operatives, the U.S. appears to really have been "all up in their business."
55 MB 14 MB  222 KB   <-- Show Notes 112 KB 81 KB 149 KB

Episode #671 | 10 Jul 2018 | 130 min.
STARTTLS Everywhere

This week we discuss another worrisome trend in malware, another fitness tracking mapping incident and mistake, something to warn our friends and family to ignore, the value of periodically auditing previously granted web app permissions, and when malware gets picky about the machines it infects. Another kind of well-meaning Coinhive service gets abused. What are the implications of D-Link losing control of its code-signing cert? There's some good news about Android apps. iOS v11.4.1 introduces "USB Restricted Mode," but is it? We've got a public service reminder about the need to wipe old thumb drives and memory cards. What about those free USB fans that were handed out at the recent North Korea/U.S. summit? Then we take a look at email's STARTTLS system and the EFF's latest initiative to increase its usefulness and security.
62 MB 16 MB  218 KB   <-- Show Notes 148 KB 97 KB 178 KB

Episode #670 | 03 Jul 2018 | 121 min.
Wi-Fi Protected Access v3

This week we discuss the interesting case of a VirusTotal upload - or was it? We've got newly discovered problems with our 4G LTE and even what follows; another new EFF encryption initiative; troubles with Spectre and Meltdown in some browsers; the evolution of UPnP-enabled attacks; an unpatched WordPress vulnerability that doesn't appear to be worrying the WordPress devs; and an early look at next year's forthcoming WPA3 standard, which appears to fix everything!
58 MB 15 MB  229 KB   <-- Show Notes 97 KB 81 KB 139 KB

Episode #669 | 26 Jun 2018 | 115 min.
Cellular Location Privacy

This week we examine some new side-channel worries and vulnerabilities. Did Mandiant "hack back" on China? More trouble with browsers, the big Google Firebase mess, sharing a bit of my dead system resurrection, and a look at the recent Supreme Court decision addressing cellular location privacy.
55 MB 14 MB  267 KB   <-- Show Notes 102 KB 81 KB 165 KB

Episode #668 | 19 Jun 2018 | 125 min.
Lazy FP State Restore

This week we examine a rather "mega" Patch Tuesday, a nifty hack of Win10's Cortana, Microsoft's official "when do we patch" guidelines, the continuing tweaking of web browser behavior for our sanity, a widespread Windows 10 rootkit, the resurgence of the Satori IoT botnet, clipboard monitoring malware, a forthcoming change in Chrome's extensions policy, hacking apparent download counts on the Android store, some miscellany, an update on the status of Spectre & Meltdown - and, yes, yet another brand new speculative execution vulnerability our OSes will be needing to patch against.
60 MB 15 MB  171 KB   <-- Show Notes 125 KB 88 KB 206 KB

Episode #667 | 12 Jun 2018 | 105 min.
Zippity Do or Don’t

This week we update again on VPNFilter, look at another new emerging threat, check in on Drupalgeddon2, examine a very troubling remote Android vulnerability under active wormable exploitation, and take stock of Cisco's multiple firmware backdoors. We discuss a new crypto mining strategy, the evolution of Russian state-sponsored cybercrime, a genealogy service that lost its user database, ongoing Russian censorship, and another Adobe Flash mess. We check in on how Marcus Hutchins is doing. And, finally, we look at yet another huge mess resulting from insecure interpreters.
50 MB 13 MB  232 KB   <-- Show Notes 113 KB 74 KB 138 KB

Episode #666 | 05 Jun 2018 | 110 min.
Certificate Transparency

This week we discuss yesterday’s further good privacy news from Apple, the continuation of VPNFilter, an extremely clever web browser cross-site information leakage side-channel attack, and Microsoft Research’s fork of OpenVPN for security in a post-quantum world. Microsoft drops the ball on a zero-day remote code execution vulnerability in JScript, Valve finally patches a longstanding and very potent RCE vulnerability, Redis caching servers continue to be in serious trouble, a previously patched IE zero-day continues to find victims, and Google’s latest Chrome browser has removed support for HTTP public key pinning (HPKP). And, finally, what is “Certificate Transparency,” and why do we need it?
53 MB 13 MB  241 KB   <-- Show Notes 108 KB 77 KB 138 KB

Episode #665 | 29 May 2018 | 104 min.

This week we discuss Oracle’s planned end of serialization, Ghostery’s GDPR faux pas, the emergence of a clever new banking trojan, Amazon Echo and the Case of the Fuzzy Match, more welcome movement from Mozilla, yet another steganographic hideout, an actual real-world appearance of HTTP Error 418 (I’m a Teapot!), the hype over Z-Wave’s Z-Shave, and a deep dive into the half a million strong VPNFilter botnet.
49 MB 12 MB  206 KB   <-- Show Notes 117 KB 74 KB 137 KB

Episode #664 | 22 May 2018 | 95 min.
SpectreNG Revealed

This week we examine the recent flaws discovered in the secure Signal messaging app for desktops, the rise in DNS router hijacking, another seriously flawed consumer router family, Microsoft Spectre patches for Win10’s April 2018 feature update, the threat of voice assistant spoofing attacks, the evolving security of HTTP, still more new trouble with GPON routers, Facebook’s Android app mistake, BMW’s 14 security flaws, and some fun miscellany. Then we examine the news of the next generation of Spectre processor speculation flaws and what they mean for us.
45 MB 11 MB  177 KB   <-- Show Notes 96 KB 67 KB 126 KB

Episode #663 | 15 May 2018 | 94 min.
Ultra-Clever Attacks

This week we will examine two incredibly clever, new, and bad attacks named eFail and Throwhammer. But first we catch up on the rest of the past week’s security and privacy news, including the evolution of UPnProxy, a worrisome flaw discovered in a very popular web development platform, the first anniversary of EternalBlue, the exploitation of those GPON routers, this week’s disgusting security headshaker, a summary of the RSA Conference’s security practices survey, the appearance of persistent IoT malware, a significant misconception about hard drive failure, an interesting bit of listener feedback, and then a look at two VERY clever new attacks.
45 MB 11 MB  320 KB   <-- Show Notes 91 KB 65 KB 120 KB

Episode #662 | 08 May 2018 | 101 min.
Spectre – NextGen

This week we begin by updating the status of several ongoing security stories: Russia vs. Telegram, Drupalgeddon2, and the return of Rowhammer. We will conclude with MAJOR new bad news related to Spectre. We also have a new cryptomalware, Twitter’s in-the-clear passwords mistake, new Android “P” security features, a crazy service for GDPR compliance, Firefox’s sponsored content plan, another million routers being attacked, more deliberately compromised JavaScript found in the wild, a new Microsoft Meltdown mistake, a comprehensive Windows command reference, and signs of future encrypted Twitter DMs.
48 MB 12 MB  254 KB   <-- Show Notes 115 KB 73 KB 137 KB

Episode #661 | 01 May 2018 | 120 min.
Securing Connected Things

This week we discuss Win10 getting a new spring in its step, Microsoft further patching Intel microcode, the U.K.’s NHS planning to update, another hack of modern connected autos, Oracle’s botched WebLogic patch, an interesting BSOD-on-demand Windows hack, a PDF credentials theft hack (which Adobe won’t fix), your Echo may be listening to you, a powerful hotel keycard hack, a bit of errata and feedback, and a discussion of another Microsoft-driven security initiative.
57 MB 14 MB  203 KB   <-- Show Notes 117 KB 92 KB 160 KB

Episode #660 | 24 Apr 2018 | 118 min.
Azure Sphere

This week we discuss Drupalgeddon2 continuing to unfold right on plan. The Orangeworm takes aim at medical equipment and companies. The FDA moves forward on requiring device updates. Microsoft leads a new Cybersecurity Tech Accord. We talk about another instance of loud noises and hard drives not mixing, considerations for naming your WiFi network, the unappreciated needs of consumer routers, Google’s new unencrypted messaging app push, Amazon pulling the trigger on “in-car” package delivery, the first puzzle recommendation in a long time, and Microsoft’s move to secure the IoT space.
57 MB 14 MB  246 KB   <-- Show Notes 116 KB 91 KB 159 KB

Episode #659 | 17 Apr 2018 | 93 min.
Never a Dull Moment

This week we discuss AMD’s release of their long-awaited Spectre variant 2 microcode patches, the end of Telegram Messenger in Russia, the on-time arrival of Drupalgeddon2, Firefox and TLS v1.3, the new and widespread UPnProxy attacks, Microsoft’s reversal on no longer providing Windows security updates without AV installed, Google Chrome’s decision to prematurely remove HTTP cookies, the Android “patch gap,” renewed worries over old and insecure Bitcoin crypto, new attacks on old IIS, a WhatsApp photo used for police forensics, and an IoT vulnerability from our You Can’t Make This Stuff Up department.
44 MB 11 MB  141 KB   <-- Show Notes 104 KB 65 KB 126 KB

Episode #658 | 10 Apr 2018 | 98 min.
Deprecating TLS 1.0 & 1.1

This week we discuss Intel’s big Spectre microcode announcement, Telegram not being long for Russia, U.S. law enforcement’s continuing push for “lawful decryption,” more state-level Net Neutrality news, Win10’s replacement for Disk Cleanup, a bug bounty policy update, some follow-up to last week’s Quad-1 DNS conversation, why clocks had been running slow throughout Europe, and then a look at the deprecation of earlier versions of TLS and a big Cisco mistake.
46 MB 12 MB  442 KB   <-- Show Notes 102 KB 69 KB 129 KB

Episode #657 | 03 Apr 2018 | 107 min.

This week we discuss “Drupalgeddon2,” Cloudflare’s new DNS offering, a reminder about GRC’s DNS Benchmark, Microsoft’s Meltdown meltdown, the persistent iOS QR code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new email initiative, free electricity, a policy change at Google’s Chrome Store, another “please change your passwords” after another website breach, a bit of miscellany, a heartwarming SpinRite report, some closing-the-loop feedback from our terrific listeners, and a closer look at the Swiss encrypted ProtonMail service.
51 MB 13 MB  362 KB   <-- Show Notes 103 KB 75 KB 137 KB

Episode #656 | 27 Mar 2018 | 110 min.
TLS v1.3 Happens

This week we discuss the mess with U.S. voting machines, technology’s inherent security versus convenience tradeoff, the evolving 2018 global threat landscape, and welcome news on the bug bounty front from Netflix and Dropbox. We have the interesting results of Stack Overflow’s eighth annual survey of 101,592 developers, worrisome news on the U.S. government data overreach front, some useful and important new web browser features, messenger app troubles, a critical Drupal update coming tomorrow, some welcome news for DNS security and privacy, a bit of miscellany, and a look at the just-ratified TLS v1.3.
53 MB 13 MB  185 KB   <-- Show Notes 117 KB 79 KB 144 KB

Episode #655 | 20 Mar 2018 | 97 min.
Pwn2Own 2018

This week we discuss the aftermath of CTS Labs’ abrupt disclosure of flaws in AMD’s outsourced chipsets; Intel’s plans for the future and their recent microcode update news; several of Microsoft’s recent announcements and actions; the importance of testing, in this case VPNs; the first self-driving automobile pedestrian death; a SQRL update; a bit of closing-the-loop feedback with our listeners; and a look at the outcome of last week’s annual Pwn2Own hacking competition.
47 MB 12 MB  189 KB   <-- Show Notes 126 KB 76 KB 143 KB

Episode #654 | 13 Mar 2018 | 109 min.
AMD Chipset Disaster

This week we discuss the just-released news of major trouble for AMD’s chipset security, ISPs actively spreading state-sponsored malware, Windows 10 S coming soon, a large pile of cryptocurrency mining-driven shenanigans, tomorrow’s Pwn2Own competition start, surprising stats about Spam botnet penetration, and a Week 2 update on the new Memcached DrDoS attacks.
52 MB 13 MB  261 KB   <-- Show Notes 126 KB 81 KB 148 KB

Episode #653 | 06 Mar 2018 | 109 min.
“MemCrashed” DDoS Attacks

This week we discuss some very welcome microcode news from Microsoft, ten (yes, ten!) new 4G LTE network attacks, the battle over how secure TLS v1.3 will be allowed to be, the incredible Trustico certificate fiasco, the continually falling usage of Adobe Flash, a new and diabolical cryptocurrency-related malware, the best Sci-Fi news in a LONG time, some feedback from our terrific listeners... and a truly record smashing (and not in a good way) new family of DDoS attacks.
52 MB 13 MB  409 KB   <-- Show Notes 126 KB 77 KB 146 KB

Episode #652 | 27 Feb 2018 | 137 min.

This week we discuss Intel’s Spectre & Meltdown microcode update, this week in cryptojacking, Tavis strikes again, Georgia on my mind (and not in a good way), news from the iPhone hackers at Cellebrite, Apple to move its Chinese customer data, e-Passports? Not really, Firefox 60 loses a feature, the IRS and cryptocurrencies, Android P enhances Privacy, malicious code signing news, a VERY cool Cloudfront/Troy Hunt hack, a bit of errata, miscellany, and closing the loop feedback from our terrific listeners, and a closer look at WebAssembly.
66 MB 16 MB  169 KB   <-- Show Notes 162 KB 101 KB 180 KB

Episode #651 | 20 Feb 2018 | 104 min.
Russian Meddling Technology

This week we examine and discuss the appearance of new forms of Meltdown and Spectre attacks, the legal response against Intel, the adoption of new cybersecurity responsibility in New York, some more on Salon and authorized crypto mining, more on software cheating auto emissions, a newly revealed instance of highly profitable mal-mining, checking in on Let’s Encrypt’s steady growth, the first crack of Windows’ uncrackable UWP system, Apple’s wacky Telugu Unicode attacks, a frightening EternalBlue experiment, another aspect of crypto mining annoyance, a note now that Chrome’s new advertising controls are in place, and a bit of closing-the-loop with our listeners.
42 MB 11 MB  207 KB   <-- Show Notes 96 KB 75 KB 135 KB

Episode #650 | 13 Feb 2018 | 90 min.
Cryptocurrency Antics

This week we discuss today’s preempted Second Tuesday of the Month, slow progress on the Intel Spectre firmware update front, a worse-than-originally-thought Cisco firewall appliance vulnerability, the unsuspected threat of hovering hacking drones, hacking at the Winter Olympics, Kaspersky’s continuing unhappiness, the historic leak of Apple’s iOS boot source code, a critical WiFi update for some Lenovo laptop users, a glitch at WordPress, a bit of miscellany (including a passwords rap), some closing-the-loop feedback from our listeners, and then a look at a handful of cryptocurrency antics.
42 MB 11 MB  218 KB   <-- Show Notes 96 KB 67 KB 126 KB

Episode #649 | 06 Feb 2018 | 88 min.
Meltdown & Spectre Emerge

This week we observe that the Net Neutrality battle is actually FAR from lost. Computerworld's Woody Leonhard enumerates a crazy January of updates. EternalBlue is turning out to be far more "eternal" than we'd wish. Will Flash EVER die? There's a new zero-day Flash exploit in the wild. What happens when you combine Shodan with Metasploit? Firefox 59 takes another privacy-enhancing step forward. We've got a questionable means of sneaking data between systems; another fun SpinRite report from the field; some closing-the-loop feedback from our listeners; and, finally, a look at the early emergence of Meltdown and Spectre exploits appearing in the wild.
42 MB 11 MB  184 KB   <-- Show Notes 101 KB 65 KB 124 KB

Episode #648 | 30 Jan 2018 | 107 min.
Post Spectre?

This week we discuss continuing Spectre updates, how not to treat Tavis Ormandy, a popular dating app where you'd really hope for HTTPS but be surprised to find it missing, the unintended consequences of global posting of fitness tracking data, gearing up (or not) for this year's voting machine hack'fest, another record broken by a cryptocurrency exchange heist, bad ads and fake ads, the unclear fate of the BSD operating systems, a caution about Dark Caracal's CrossRAT Trojan, another way to skin the Net Neutrality cat, a bit of errata and miscellany, one of the best SpinRite testimonials in a long time, and some closing the loop feedback from our terrific listeners.
50 MB 13 MB  140 KB   <-- Show Notes 114 KB 79 KB 145 KB

Episode #647 | 23 Jan 2018 | 105 min.
The Dark Caracal

This week's news continues to be dominated by the industry-shaking Meltdown and Spectre vulnerabilities. We will catch up with what's new there, then discuss the Net Neutrality violation detection apps that are starting to appear; a new app and browser plugin from the search privacy provider DuckDuckGo; a bit of welcome news from Apple's Tim Cook about their planned response to the iPhone battery-life and performance debacle; a bit of errata; and some feedback from our terrific listeners. Then we take a look into a state-level, state-sponsored, worldwide, decade-long cyberespionage campaign which the EFF and Lookout Security have dubbed “Dark Caracal.”
50 MB 13 MB  309 KB   <-- Show Notes 129 KB 78 KB 145 KB

Episode #646 | 16 Jan 2018 | 91 min.
The InSpectre

This week we discuss more trouble with Intel’s AMT, what Skype’s use of Signal really means, the UK’s data protection legislation giving researchers a bit of relief, the continuing winding down of HTTP, “progress” on the development of Meltdown attacks, Google successfully tackling the hardest to fix Spectre concern with a Return Trampoline, some closing-the-loop feedback with our terrific listeners, and the evolving landscape of Meltdown and Spectre – including Steve’s just completed “InSpectre” test and explanation utility.
44 MB 11 MB  140 KB   <-- Show Notes 126 KB 71 KB 138 KB

Episode #645 | 09 Jan 2018 | 116 min.
The Speculation Meltdown

This week, before we focus upon the industry-wide catastrophe enabled by precisely timing the instruction execution of all contemporary high-performance processor architectures, we examine a change in Microsoft’s policy regarding non-Microsoft AV systems, Firefox Quantum’s performance when tracking protections are enabled, the very worrisome hard-coded backdoors in 10 of Western Digital’s My Cloud drives; and, if at first (WEP) and at second (WPA) and at third (WPA2) and at fourth (WPS) you don’t succeed, try, try, try, try, try yet again with WPA3, another crucial cryptographic system being developed by a closed members-only committee.
55 MB 14 MB  222 KB   <-- Show Notes 116 KB 84 KB 162 KB

Episode #644 | 02 Jan 2018 | 118 min.
NSA Fingerprints

This week we discuss a new clever and disheartening abuse of our browsers’ handy-dandy username and password autofill, some recent and frantic scurrying around by many OS kernel developers, a just-released MacOS zero-day allowing full local system compromise, another massively popular router falls to the IoT botnets, even high-quality IoT devices have problems, the evolution of adblocking and countermeasures, an important update for Mozilla’s Thunderbird, a bit of miscellany, listener feedback, and an update on the NSA’s possible intervention into secure encryption standards.
56 MB 14 MB  172 KB   <-- Show Notes 132 KB 86 KB 155 KB

Episode #642 | 19 Dec 2017 | 120 min.

This week we examine how Estonia handled the Infineon crypto bug; two additional consequences of the pressure to maliciously mine cryptocurrency; zero-day exploits in the popular vBulletin forum system; Mozilla in the doghouse over “Mr. Robot”; Win10’s insecure password manager mistake; when legacy protocols come back to bite us; how to bulk-steal any Chrome user’s entire stored password vault; and we finally know where and why the uber-potent Mirai botnet was created, and by whom. We also have a bit of errata and some fun miscellany. Then we’re going to take a look at BGP, another creaky yet crucial – and vulnerable – protocol that glues the global Internet together.
58 MB 14 MB  186 KB   <-- Show Notes 124 KB 85 KB 154 KB

Episode #641 | 12 Dec 2017 | 125 min.
The iOS 11 Security Tradeoff

This week we discuss the details behind the “USB/JTAG takeover” of Intel’s Management Engine, a rare Project Zero discovery, Microsoft’s well-meaning but ill-tested IoT security project, troubles with EV certs, various cryptocurrency woes, a clever DNS spoofing detection system, a terrific guide to setting up the EdgeRouter X for network segmentation, last week’s emergency out-of-cycle patch from Microsoft, a mitigated vulnerability in Apple’s HomeKit, Valve’s ending of Bitcoin for Steam purchases, finally some REALLY GOOD news in the elusive quest for encrypted email, a bit of miscellany, some closing-the-loop feedback with our listeners, and a look at the security sacrifice Apple made in the name of convenience and what it means.
59 MB 15 MB  196 KB   <-- Show Notes 134 KB 93 KB 166 KB

Episode #640 | 05 Dec 2017 | 104 min.
More News & Feedback

This week we discuss the long-awaited end of StartCom & StartSSL, inside last week’s macOS passwordless root account access and problems with Apple’s patches, the question of Apple allowing 3D facial data access to apps, Facebook’s new and controversial use of camera images, in-the-wild exploitation of one of last month’s patched Windows vulnerabilities, an annoying evolution in browser-based cryptocurrency mining, exploitation of Unicode in email headers, Google’s advancing protection for Android users, a terrific list of authentication dongle-supporting sites and services, Mirai finds another 100,000 exposed ZyXEL routers, Google moves to reduce system crashes, a bit of miscellany including another security-related Humble Bundle offering, and some closing-the-loop feedback from our terrific listeners.
50 MB 12 MB  304 KB   <-- Show Notes 129 KB 78 KB 147 KB

Episode #639 | 28 Nov 2017 | 129 min.
News & Feedback

This week we discuss a new bad bug found in the majority of SMTP mailing agents, 54 high-end HP printers found to be remotely exploitable, more than 3/4ths of 433,000 websites are using vulnerable JavaScript libraries, horrible free security software, some additional welcome Firefox news, a bit of errata, some fun miscellany, and a BUNCH of feedback from our listeners including reactions to last week's Quad 9 recommendation.
62 MB 15 MB  459 KB   <-- Show Notes 134 KB 102 KB 178 KB

Episode #638 | 21 Nov 2017 | 93 min.
Quad Nine

This week we discuss Windows having a birthday, Net Neutrality about to succumb to big business despite a valiant battle, Intel's response to the horrifying JTAG over USB discovery, another surprising AWS public bucket discovery, Android phones caught sending position data when all permissions are denied, many websites found to be watching their visitors' actions, more Infineon ID card upset, the return of BlueBorne, a new arrival to our "Well, THAT didn't take long" department, speedy news for Firefox 57, some miscellany, listener feedback, and a look at the very appealing and speedy new "Quad 9" alternative DNS service.
44 MB 11 MB  360 KB   <-- Show Notes 107 KB 70 KB 130 KB

Episode #637 | 14 Nov 2017 | 131 min.
Schneier on Equifax

This week we discuss why Steve won’t be relying upon Face ID for security, a clever new hack of longstanding NTFS and Windows behavior, the Vault 8 WikiLeaks news, the predictable resurgence of the consumer device encryption battle, a new and clever data exfiltration technique, new antimalware features coming to Chrome, an unbelievable discovery about access to the IME in Skylake and subsequent Intel chipsets, a look at who’s doing the unauthorized crypto mining, WebAssembly is ready for primetime, a bit of miscellany, some closing-the-loop feedback with our listeners – and then we share Bruce Schneier’s congressional testimony about the Equifax breach.
62 MB 16 MB  389 KB   <-- Show Notes 144 KB 97 KB 174 KB

Episode #636 | 07 Nov 2017 | 97 min.

This week we discuss the inevitable dilution in the value of code signing, a new worrisome cross-site privacy leakage, is Unix embedded in all our motherboards?, the ongoing application spoofing problem, a critical IP address leakage vulnerability in TOR and the pending major v3 upgrade to TOR, a Signal app for ALL our desktops, an embarrassing and revealing glitch in Google Docs, bad behavior by an audio driver installer, a pending RFC for IoT updating, two reactions to Win10 Controlled Folder Access, a bit of miscellany, some closing the loop with our listeners, and, three weeks after the initial ROCA disclosure, I'm reminded of two lines from the movie "Serenity" -- Assassin: "It's worse than you know." Mal: "It usually is."
46 MB 12 MB  294 KB   <-- Show Notes 126 KB 75 KB 140 KB

Episode #635 | 31 Oct 2017 | 127 min.
Reaper Redux

This week we examine the source of WannaCry, a new privacy feature for Firefox, Google's planned removal of HPKP, the idea of visual objects as a second factor, an iOS camera privacy concern, the CAPTCHA wars, a horrifying glimpse into a non-Net Neutrality world, the Coinhive DNS hijack, the new Bad Rabbit cryptomalware, a Win10 anti-cryptomalware security tip, spying vacuum cleaners, a new Amazon service, some loopback Q&A with our listeners, and another look at the Reaper botnet.
61 MB 15 MB  477 KB   <-- Show Notes 148 KB 95 KB 172 KB

Episode #634 | 24 Oct 2017 | 123 min.
IoT Flash Botnets

This week we discuss some ROCA fallout specifics, an example of PRNG misuse, the Kaspersky Lab controversy, a DNS security initiative for Android, another compromised download occurrence, a browser-based cryptocurrency miner for us to play with... and Google considering blocking them natively, other new protections coming to Chrome, an update on Marcus Hutchins, Microsoft's "TruePlay" being added to the Win10 fall creators update, some interesting "Loopback" from our terrific listeners... and then we take a closer look at the rapidly growing threat of IoT-based "Flash Botnets."
59 MB 15 MB  317 KB   <-- Show Notes 147 KB 92 KB 168 KB

Episode #633 | 17 Oct 2017 | 120 min.

This week we examine ROCA's easily factorable public keys, the surprising prevalence of web-based cryptocurrency mining, some interesting work in iOS password dialog spoofing, Google's Advanced Protection Program, some good "Loopback" comments from our listeners... and then we take a close look at KRACK - the Key Reinstallation AttaCK against ALL unpatched WiFi systems.
57 MB 14 MB  577 KB   <-- Show Notes 166 KB 93 KB 171 KB

Episode #632 | 10 Oct 2017 | 109 min.
The DNSSEC Challenge

This week we take a look at a well-handled breach-response at Disqus, a rather horrifying mistake Apple made in the implementation of their APFS encryption (and the difficulty to the user of fully cleaning up after it), the famous "robots.txt" file gets a brilliant new companion, somewhat shocking news about Windows XP... or is it?, Firefox EOL for Windows XP support coming next summer, the sage security thought for the day, an update on "The Orville", some closing the loop comments, including a recommendation of the best Security Now series we did in the past... and finally, a look at the challenge of DNSSEC.
52 MB 13 MB  340 KB   <-- Show Notes 129 KB 81 KB 151 KB

Episode #631 | 03 Oct 2017 | 120 min.
Private Contact Discovery

This week we discuss some aspects of iOS v11, the emergence of browser hijack cryptocurrency mining, new information about the Equifax hack, Google security research and Gmail improvements, breaking DKIM without breaking it, concerns over many servers in small routers and aging unpatched motherboard EFI firmware, a new privacy leakage bug in IE, a bit of miscellany, some long-awaited closing-the-loop feedback from our listeners, and a close look into a beautiful piece of work by Moxie & Co. on Signal.
59 MB 14 MB  269 KB   <-- Show Notes 135 KB 89 KB 161 KB

Episode #630 | 25 Sep 2017 | ??? min.
The Great DOM Fuzz-Off

This week, Father Robert and I follow more Equifax breach fallout, look at encryption standards blowback from the Edward Snowden revelations, examine more worrisome news of the CCleaner breach, see that ISPs may be deliberately infecting their own customers, warn that turning off iOS radios doesn't, look at the first news of the FTC's suit against D-Link's poor security, examine a forthcoming Broadcom GPS chip's features, warn of the hidden dangers of high-density barcodes, discuss Adobe's disclosure of their own private key, close the loop with our listeners, and examine the results of DOM fuzzing at Google's Project Zero.
57 MB 14 MB  267 KB   <-- Show Notes 123 KB 98 KB 169 KB

Episode #629 | 19 Sep 2017 | 120 min.
Apple Bakes Cookies

This week Padre and I discuss what was up with SN's recent audio troubles, more on the Equifax fiasco, the EFF and Cory Doctorow weigh in on forthcoming browser-encrypted media extensions (EME), an emerging browser-based payment standard, when two-factor is not two-factor, the CCleaner breach and what it means, a new Bluetooth-based attack, an incredibly welcome and brilliant cookie privacy feature in iOS 11, and a heads-up caution about the volatility of Google's Android smartphone cloud backups.
57 MB 14 MB  249 KB   <-- Show Notes 126 KB 101 KB 172 KB

Episode #628 | 12 Sep 2017 | 108 min.
The Equifax Fiasco

This week we discuss last Friday's passing of our dear friend and colleague Jerry Pournelle, when AI is turned to evil purpose, whether and when Google's Chrome browser will warn of man in the middle attacks, why Google is apparently attempting to patent pieces of a compression technology they did not invent, another horrifying router vulnerability disclosure -- including ten 0-day vulnerabilities, an update on the sunsetting of Symantec's CA business unit, another worrying failure at Comodo, a few quick bits, an update on my one commercial product SpinRite, answering a closing the loop question from a listener, and a look at the Equifax fiasco.
52 MB 13 MB  326 KB   <-- Show Notes 114 KB 83 KB 148 KB

Episode #627 | 05 Sep 2017 | 119 min.

Although there are an unbelievable FIVE “Sharknado” movies, this will be the first and last time we use that title for a podcast! This week we have another update on Marcus Hutchins. We discuss the validity of WikiLeaks documents, the feasibility of rigorously proving software correctness, and the fact that nearly half a million people need to get their bodies' firmware updated. Another controversial CIA project is exposed by WikiLeaks. A careful analysis is done of the FCC's Title II Net Neutrality public comments. We talk about a neat two-factor auth tracking site, the Stupid Patent of the Month, an example of a vanity top-level domain, a bit of errata, and finish up with the utterly unconscionable security mistakes made by AT&T in their line of U-Verse routers.
56 MB 14 MB  359 KB   <-- Show Notes 143 KB 95 KB 172 KB

Episode #626 | 29 Aug 2017 | 120 min.
Shattering Trust

This week we cover a bit of the ongoing drama surrounding Marcus Hutchins, examine a reported instance of interagency hacking, follow the evolving market for 0-day exploits, examine trouble arising from the continued use of a deprecated Apple security API, discover that Intel's controversial platform management engine CAN, after all, be disabled, look into another SMS attack, bring note to a nice looking TOTP authenticator, recommend an alternative to the shutting-down CrashPlan, deal with a bit of errata and miscellany, then we look into an interesting bit of research which invokes "The Wrath of Kahn".
58 MB 14 MB  327 KB   <-- Show Notes 136 KB 93 KB 167 KB

Episode #625 | 22 Aug 2017 | 129 min.
Security Politics

This week we discuss the continuing Marcus Hutchins drama, the disclosure of a potentially important Apple secret, a super-cool website and browser extension our listeners are going to appreciate, trouble with extension developers being targeted, a problem with the communication bus standard in every car, an important correction from Elcomsoft, two 0-days in Foxit's PDF products, Lavalamps for entropy, the forthcoming iOS 11 TouchID killswitch, very welcome Libsodium audit results, a mistake in AWS permissions, a refreshingly forthright security statement, a bit of errata, miscellany, and a few closing the loop bits from our terrific listeners!
61 MB 15 MB  475 KB   <-- Show Notes 156 KB 99 KB 180 KB

Episode #624 | 15 Aug 2017 | 123 min.
Twelve and Counting

This week we have a Marcus Hutchins update, the backstory on the NIST's rewrite of their 15 year old password guidance, can DNA be used to hack a computer?, can stop sign graffiti be used to misdirect autonomous vehicles?, the final nail in the WoSign/StartCom coffin, why we need global Internet policy treaties, this week in "researchers need protection", a VPN provider who is doing everything right, Elcomsoft's password manager cracker, a bit of errata and miscellany... and some closing the loop feedback from this podcast's terrific listeners.
58 MB 15 MB  219 KB   <-- Show Notes 121 KB 89 KB 157 KB

Episode #623 | 08 Aug 2017 | 125 min.
Inching Forward

This week we discuss and look into DigiCert's acquisition of Symantec's certificate authority business unit, LogMeIn's LastPass Premium price hike, the troubling case of Marcus Hutchins' post-Defcon arrest, another instance of WannaCry-style SMBv1 propagation, this week's horrific IoT example, some hopeful IoT legislation, the consequences of rooting early Amazon Echoes, the drip drip drip of Wikileaks Vault 7 drips again, Mozilla's VERY interesting easy-to-use secure large file encrypted store and forward service, the need to know what your VPN service is really up to, a bit of errata, miscellany, and some closing-the-loop feedback from our always-attentive terrific listeners.
59 MB 15 MB  219 KB   <-- Show Notes 139 KB 91 KB 163 KB

Episode #622 | 01 Aug 2017 | 102 min.
Hack the Vote

This week we look at the expected DEF CON fallout including the hacking of U.S. election voting machines, Microsoft’s enhanced Bug Bounty Program, the wormification of the Broadcom WiFi firmware flaw, the worries when autonomous AI agents begin speaking in their own language which we cannot understand, Apple’s pulling VPN clients from its Chinese App Store, a follow-up on iRobot’s floor plan mapping intentions, some news on the Chrome browser front, the 18th Vault 7 WikiLeaks dump, and some closing-the-loop feedback from our terrific podcast followers.
48 MB 12 MB  177 KB   <-- Show Notes 119 KB 76 KB 144 KB

Episode #621 | 25 Jul 2017 | 123 min.
Crypto Tension

We start off this week with a fabulous Picture of the Week and, for the first time in this podcast’s 12-year history, our first Quote of the Week. Then we’ll be discussing the chilling effects of arresting ethical hackers, the upcoming neutrality debate congressional hearing, something troubling I encountered at McAfee.com, an entirely new IoT nightmare you couldn’t have seen coming and just won’t believe, the long-awaited Adobe Flash end-of-life schedule, welcome performance news for Firefox users, the FCC allocates new sensor spectrum for self-driving cars, three bits of follow-up errata, a bit of miscellany, and then Crypto Tension – a careful look at the presently ongoing controversy surrounding the deliberate provisioning of passive eavesdropping decryption being seriously considered for inclusion in the forthcoming TLS v1.3 standard.
59 MB 15 MB  263 KB   <-- Show Notes 166 KB 98 KB 179 KB

Episode #620 | 18 Jul 2017 | 104 min.
Calm Before the Storm

This week, while waiting for news from the upcoming BlackHat & DefCon conventions, we discuss another terrific security eBook bundle offer, a Net Neutrality follow-up, a MySpace account recovery surprise, another new feature coming to Win10, the wrong-headedness of paste-blocking web forms, Australia versus the laws of math, does an implanted pacemaker meet the self-incrimination exemption?, an updated worst-case crypto-future model, it's surprising what you can find at a flea market, another example of the consumer as the product, a SQRL technology update, and some closing-the-loop feedback from our terrific listeners.
49 MB 12 MB  250 KB   <-- Show Notes 119 KB 80 KB 149 KB

Episode #619 | 11 Jul 2017 | 113 min.
All the Usual Suspects

This week we have all the usual suspects: governments regulating their citizenry, evolving Internet standards, some brilliant new attack mitigations and some new side-channel attacks, browsers responding to negligent certificate authorities, specious tracking lawsuits, flying device jailbreaking, more IoT tomfoolery, this week’s horrifying Android vulnerability, more Vault 7 CIA WikiLeaks, a great tip about controlling the Internet through DNS – and even more! In other words, all of the usual suspects! (And two weeks until our annual Black Hat exploit extravaganza!)
54 MB 14 MB  292 KB   <-- Show Notes 116 KB 78 KB 143 KB

Episode #618 | 27 Jun 2017 | 113 min.
Research: Useful & Otherwise

This week we discuss another terrific NIST initiative, RSA crypto in a quantum computing world, Cisco's specious malware detection claims, the meaning of post-audit OpenVPN bug findings, worrisome bugs revealed in Intel's recent Skylake and Kaby Lake processors, the commercialization of a malware technique, WannaCry keeps resurfacing, Linksys responds to the CIA's Vault 7 CherryBomb firmware, another government reacts to encryption, the NSA's amazing GitHub repository, more news about HP printer auto-updating, a piece of errata, some miscellany, and some closing-the-loop feedback from our listeners.
54 MB 14 MB  257 KB   <-- Show Notes 122 KB 86 KB 154 KB

Episode #617 | 20 Jun 2017 | 113 min.
When Governments React

This week we discuss France, Britain, Japan, Germany & Russia each veering around in their Crypto Crash Cars, Wikileaks' Vault7 reveals widespread CIA WiFi router penetration, why we can no longer travel with laptops, HP printer security insanity, how long are typical passwords?, Microsoft to kill off SMBv1, the all-time mega ransomware pay out, Google to get into the whole-system backup business, hacking PCs with "Vape Pens", a bit of miscellany, and a bunch of Closing the Loop feedback with our terrific listeners.
54 MB 14 MB  365 KB   <-- Show Notes 153 KB 88 KB 165 KB

Episode #616 | 13 Jun 2017 | 124 min.
Things Are Getting Worse

This week we discuss clever malware hiding its social media communications. The NSA documents the Russian election hacking two-factor authentication bypass; meanwhile, other Russian attackers leverage Google’s own infrastructure to hide their spoofing. Tavis finds more problems in Microsoft’s anti-malware protection; a cryptocurrency stealing malware; more concerns over widespread Internet-connected camera design; malware found to be exploiting Intel’s AMT motherboard features; the new danger of mouse-cursor hovering; Apple’s iCloud sync security claims; Azure changes their CA; a bunch of catch-up miscellany; and a bit of “closing the loop” feedback from our listeners.
60 MB 15 MB 484 KB   <-- Show Notes 125 KB 97 KB 169 KB

Episode #615 | 06 Jun 2017 | 119 min.
Legacy’s Long Tail

This week we discuss an embarrassing high-profile breach of an online identity company, an overhyped problem found in Linux’s sudo command, the frightening software used by the U.K.’s Trident nuclear missile submarine launch platforms, how emerging nations prevent high school test cheating, another lesson about the danger of SMS authentication codes, another worrisome Shodan search result, high-penetration dangerous adware from a Chinese marketer, another “that’s not a bug” bug in Chrome allowing websites to surreptitiously record audio and video without the user’s knowledge, the foreseeable evolution of hybrid cryptomalware, the limp return of Google Contributor, Google continues to work on end-to-end email encryption, a follow-up on straight-to-voicemail policy, “homomorphic encryption” (what the heck is that?), and “closing the loop” follow-up from recent discussions.
57 MB 14 MB 251 KB   <-- Show Notes 115 KB 93 KB 161 KB

Episode #614 | 30 May 2017 | 123 min.
Vulnerabilities Galore!

This week we discuss a new non-email medium for spearphishing, Chipotle can’t catch a break, social engineering WannaCry exploits on Android, video subtitling now able to takeover our machines, a serious Android UI design flaw that Google appears to be stubbornly refusing to address, Linux gets its own version of WannaCry, another dangerous NSA exploit remains unpatched and publicly exploitable on WinXP and Server 2003 machines, a look at 1Password’s brilliant and perfect new Travel Mode, Google extends its ad tracking into the offline world, some follow-ups, miscellany, and closing-the-loop feedback from our terrific listeners – concluding with my possibly useful analogy to explain the somewhat confusing value of open versus closed source.
58 MB 15 MB 212 KB   <-- Show Notes 137 KB 93 KB 168 KB

Episode #613 | 23 May 2017 | 129 min.
WannaCry Aftermath

This week we examine a bunch of WannaCry follow-ups, including some new background, reports of abilities to decrypt drives, attacks on the kill switch, and more. We also look at what the large Stack Overflow site had to do to do HTTPS, the WiFi security of various properties owned by the U.S. President, more worrisome news coming from the U.K.'s Theresa May, the still sorry state of certificate revocation, are SSDs also subject to Rowhammer-like attacks, some miscellany, and closing the loop with our listeners.
62 MB 16 MB 453 KB   <-- Show Notes 128 KB 92 KB 159 KB

Episode #612 | 16 May 2017 | 116 min.
Makes You WannaCry

This week Steve and Leo discuss an update on the FCC's Net Neutrality comments, the discovery of an active keystroke logger on dozens of HP computer models, the continuing loss of web browser platform heterogeneity, the OSTIF's just-completed OpenVPN security and practices audit, more on the dangers of using smartphones as authentication tokens, some extremely welcome news on the Android security front, long-awaited updated password recommendations from NIST, some follow-up errata, a bit of tech humor and miscellany, closing the loop with some listener feedback, and then a look at last week's global explosion of the WannaCry worm.
55 MB 14 MB 185 KB   <-- Show Notes 135 KB 88 KB 158 KB

Episode #611 | 09 May 2017 | 131 min.
Go FCC Yourself

This week Steve and Leo discuss much more about the Intel AMT nightmare, Tavis and Natalie discover a serious problem in Microsoft's built-in malware scanning technology, Patch Tuesday, Google's Android patches, SMS two-factor authentication breached, Google goes phishing, the emergence of ultrasonic device tracking, lots of additional privacy news, some errata and miscellany, actions U.S. citizens can take to express their dismay over recent Net Neutrality legislation, and some quick closing-the-loop feedback from our terrific listeners.
62 MB 16 MB 574 KB   <-- Show Notes 145 KB 95 KB 170 KB

Episode #610 | 02 May 2017 | 137 min.
Intel's Mismanagement Engine

This week Steve and Leo discuss the long-expected remote vulnerability in Intel's super-secret motherboard Management Engine technology, exploitable open ports in Android apps, another IoT blows a suspect's timeline, newly discovered problems in the Ghostscript interpreter, yet another way for ISPs and others to see where we go, a new bad problem in the Edge browser, Chrome changes its certificate policy, an interesting new "vigilante botnet" is growing fast, a proposed solution to smartphone-distracted driving, ransomware as a service, Net Neutrality heads back to the chopping block (again), an intriguing new service from Cloudflare, and the ongoing Symantec certificate issuance controversy. Then some fun errata, miscellany, and some "closing the loop" feedback from our terrific listeners.
66 MB 16 MB 208 KB   <-- Show Notes 147 KB 100 KB 173 KB

Episode #609 | 25 Apr 2017 | 107 min.
The Double Pulsar

This week Steve and Leo discuss how one of the NSA's Vault7 vulnerabilities has gotten loose, a clever hacker removes Microsoft's deliberate (and apparently unnecessary) block on Win7/8.1 updates for newer processors, Microsoft refactors multifactor authentication, Google to add native ad-blocking to Chrome… and what exactly *are* abusive ads?, Mastercard to build a questionable fingerprint sensor into their cards, are Bose headphones spying on their listeners?, 10 worrisome security holes discovered in Linksys routers, MIT cashes out half of its IPv4 space, and the return of two meaner BrickerBots. Then some Errata, a bit of Miscellany, and, time permitting, some "Closing the Loop" feedback from our podcast's terrific listeners.
51 MB 13 MB 270 KB   <-- Show Notes 129 KB 82 KB 151 KB

Episode #608 | 18 Apr 2017 | 127 min.
News & Feedback Potpourri

This week Steve and Leo discuss another new side-channel attack on smartphone PIN entry (and much more), smartphone fingerprint readers turn out to be far more spoofable than we had hoped, all Linux kernels prior to v4.5 are vulnerable to a serious remote network attack over UDP, a way to prevent Google from tracking the search links we click (and to allow us to copy the links from the search results), the latest NSA Vault7 data dump nightmare, the problem with punycode domains, four years after the public UPnP router exposure, looking closely at the mixed blessing of hiding WiFi access point SSID broadcasts, some miscellany, and then a collection of quick "Closing The Loop" follow-ups from last week's "Proactive Privacy" podcast.
61 MB 15 MB 265 KB   <-- Show Notes 122 KB 90 KB 155 KB

Episode #607 | 11 Apr 2017 | 139 min.
Proactive Privacy  (Really, this time!)

This week Steve and Leo discuss Symantec finding 40 past attacks explained by the Vault 7 document leaks, an incremental improvement coming to CA certificate issuance, and Microsoft’s patching of a zero-day Office vulnerability that was being exploited in the wild. They ask, “What’s a Brickerbot?” They cover why you need a secure DNS registrar, This Week in IoT Tantrums, a headshaker from our “You really can’t make this stuff up” department, the present danger of fake VPN services, and an older edition of Windows reaching end of patch life. They continue with some “closing the loop” feedback from their listeners and a bit of miscellany, then close with a comprehensive survey of privacy-encroaching technologies and what can be done to limit their grasp.
67 MB 17 MB 225 KB   <-- Show Notes 150 KB 102 KB 178 KB

Episode #606 | 04 Apr 2017 | 115 min.
Proactive Privacy

This week Steve and Leo discuss another iOS update update, more bad news and some good news on the IoT front, the readout on Tavis Ormandy's shower revelation, more worrisome anti-encryption saber rattling from the EU, a look at a recent Edward Snowden tweet, Samsung's S8 mistake, a questionable approach to online privacy, celebrating the 40th anniversary of Alice and Bob, some quickie feedback loops from our listeners, an update on my projects, and a comprehensive examination of proactive steps users can take to enhance their online privacy.
54 MB 14 MB 210 KB   <-- Show Notes 148 KB 87 KB 160 KB

Episode #605 | 28 Mar 2017 | 142 min.
Google -vs- Symantec

This week Jason and I discuss Google’s Tavis Ormandy taking an inspiration shower, iOS gets a massive feature and security update, a new target for ‘Bot money harvesting appears, Microsoft suffers a rather significant user-privacy fail, the UK increases its communications decryption rhetoric, a worrisome vote in the US senate, NEST fails to respond to a researcher's report, this week in IoT nonsense, a fun quote of the week, a bit of miscellany, some quickie questions from our listeners, and a close look at the developing drama surrounding Google's enforcement of the Certificate Authority Baseline rules with Symantec.
68 MB 17 MB 416 KB   <-- Show Notes 123 KB 106 KB 175 KB

Episode #604 | 21 Mar 2017 | 117 min.
Taming Web Ads

This week Leo and I discuss developments in the New Windows on Old Hardware front, Cisco finds a surprise in the Vault 7 docs, Ubiquiti was caught with their PHPs down, Check Point discovered problems in WhatsApp and Telegram, some interesting details about the long-running Yahoo breaches, the death of the “eBay Football,” the latest amazing IoT insanity, the incredible results of the CanSecWest Pwn2Own competition, a classic “you’re doing it wrong” example, Tavis pokes LastPass again, some miscellany, and an interesting proposal about controlling web advertising abuse.
56 MB 14 MB 248 KB   <-- Show Notes 126 KB 85 KB 153 KB

Episode #603 | 14 Mar 2017 | 108 min.
Vault 7

This week Leo and I discuss March's long-awaited patch Tuesday, the release deployment of Google Invisible reCaptcha, getting more than you bargained for with a new Android smartphone, the new "Find my iPhone" phishing campaign, the failure of WiFi anti-tracking, a nasty and significant new hard-to-fix web server 0-day vulnerability, what if your ISP decides to unilaterally block a service you depend upon?, shining some much-needed light onto a poorly conceived end-to-end messaging application, two quick takes, a bit of errata and miscellany... and a look into what Wikileaks revealed about the CIA's data collection capabilities and practices.
51 MB 13 MB 176 KB   <-- Show Notes 131 KB 83 KB 153 KB

Episode #602 | 07 Mar 2017 | 138 min.
Let's Spoof

This week, Leo and I discuss the countdown to March’s Patch Tuesday. What was behind Amazon’s S3 outage? Why don’t I have a cellular connectivity backup? We share some additional Cloudflare perspective. Amazon will fight another day over their Voice Assistant’s privacy. An examination of the top nine Android password managers uncovers problems. We’ll cover another fileless malware campaign found in the wild; security improvements in Chrome and Firefox; a proof of concept for BIOS ransomware; a how-to walk-through for return-oriented programming; a nifty new site-scanning service.
66 MB 17 MB 360 KB   <-- Show Notes 140 KB 103 KB 177 KB

Episode #601 | 28 Feb 2017 | 101 min.
The First SHA-1 Collision

This week, Leo and I discuss the “CloudBleed” incident; another Project Zero 90-day timer expires for Microsoft; this week's IoT head-shaker; a New York airport exposes critical server data for a year; another danger created by inline third party TLS-intercepting "middleboxes"; more judicial thrashing over fingerprint warrants; Amazon says no to Echo data warrant; a fun drone-enabled proof of concept is widely misunderstood; another example of A/V attack surface expansion; some additional Crypto education pointers and miscellany... and, finally, what does Google's deliberate creation of two SHA-1-colliding files actually mean?
48 MB 12 MB 220 KB   <-- Show Notes 133 KB 80 KB 148 KB

Episode #600 | 21 Feb 2017 | 124 min.
The MMU Side-Channel Attack

This week, Leo and I discuss the completely cancelled February patch Tuesday amid a flurry of serious problems; it's not only laptop webcams that we need to worry about; the perils of purchasing a previously-owned Internet connected auto; Chrome changes its UI making certificate inspection trickier; the future of Firefox Add-Ons; Win10's lock screen is leaking the system’s clipboard; a collection of new problems for Windows; an amazing free Crypto book online from Stanford and New York University; pfSense and Ubiquiti follow-ups; a bit of geek humor and miscellany… And a deep dive into yet another sublime hack from our ever-clever friends, led by professor Herbert Bos at the University of Amsterdam.
59 MB 15 MB 206 KB   <-- Show Notes 127 KB 89 KB 155 KB

Episode #599 | 14 Feb 2017 | 102 min.
TLS Interception INsecurity

This week, Leo and I discuss the delay in this month's Patch Tuesday (we may know why!), our favorite ad-blocker embraces the last major browser, a university gets attacked by its own vending machines, PHP leaps into the future, a slick high-end Linux hack, the rise of fileless malware, some good advice for tax time, it's not only Android's pattern lock that's vulnerable to visual eavesdropping, what happens when you store a huge pile of Samsung Note 7's in one place?, some fun miscellany, a MUST NOT MISS science fiction TV series, and a look at the growing worrisome security implications of uncontrolled TLS interception.
48 MB 12 MB 260 KB   <-- Show Notes 110 KB 72 KB 133 KB

Episode #598 | 07 Feb 2017 | 115 min.
Two Armed Bandits

This week, Leo and I discuss printers around the world getting hacked!, Vizio's TVs really were watching their watchers, Windows has a new 0-day problem, Android's easy-to-hack pattern lock, an arsonist's pacemaker rats him out, a survey finds that many iOS apps are not checking TLS certificates, the courts create continuing confusion over eMail search warrants, a blast from the past: SQL Slammer appears to return, Cellebrite's stolen cell phone cracking data begins to surface, some worrisome events in the Encrypted Web Extensions debate, Non-Windows 10 users are not alone, a couple of questions answered, my report of a terrific Sci-Fi series, a bit of other miscellany... and a fun story about one armed bandits being hacked by two armed bandits.
54 MB 14 MB 257 KB   <-- Show Notes 116 KB 85 KB 150 KB

Episode #597 | 31 Jan 2017 | 107 min.
Traitors in our Midst

This week, Leo and I discuss the best “I'm not a Robot” video ever; Cisco's WebEx problem being far more pervasive than first believed; more bad news (and maybe some good news) for Netgear; Gmail adds .js to the no-no list; a hotel finally decides to abandon electronic room keying; more arguments against the use of modern AV; another clever exploitable CSS browser hack; some (hopefully final) password complexity follow-ups; a bit of errata and miscellany; a SQRL status update; a “Luke... trust the SpinRite” story; and a very nice analysis of a little-suspected threat hiding among us.
51 MB 13 MB 322 KB   <-- Show Notes 115 KB 80 KB 143 KB

Episode #596 | 24 Jan 2017 | 119 min.
Password Complexity Calculations

This week, Leo and I discuss how, while still on probation, Symantec issues additional invalid certificates, Tavis Ormandy finds a very troubling problem in Cisco's Web conferencing extension for Chrome, yesterday's more-important-than-usual update to iOS, renewed concerns about LastPass metadata leakage, the SEC looks askance at what's left of Yahoo, a troubling browser form auto-fill information leakage, Tor further hides its hidden services, China orbits a source of entangled photons?, Heartbleed three years later, a new take on compelling fingerprints, approaching the biggest Pwn2Own ever, some miscellany... and some tricks for computing password digit and bit complexity equivalence.
56 MB 14 MB 207 KB   <-- Show Notes 112 KB 84 KB 146 KB

Episode #595 | 17 Jan 2017 | 113 min.
Whats up with WhatsApp?

This week, Leo and I discuss a classic bug at GoDaddy which bypassed domain validation for 8850 issued certificates; could flashing a peace sign compromise your biometric data?; it's not only new IoT devices that may tattle on you: many autos have been able to for the past 15 years; McDonalds gets caught in a web security bypass; more famous hackers have been hacked; Google uses AI to increase image resolution; more on the value or danger of password tricks; and... does WhatsApp incorporate a deliberate crypto backdoor?
54 MB 14 MB 234 KB   <-- Show Notes 120 KB 85 KB 150 KB

Episode #594 | 10 Jan 2017 | 112 min.
A look into PHP malware

This week, Leo and I discuss the US Federal Trade Commission's step into the IoT and home networking malpractice world, a radio station learning a lesson about what words NOT to repeat, Google's plan to even eliminate the "checkbox", a crucial caveat to the "passwords are long enough" argument, more cause to be wary of third-party software downloads, a few follow-ups to last week's topics, a bit of miscellany and a close look at the government's Russian hacking disclosure and a well-known piece of (related?) PHP malware.
53 MB 13 MB 224 KB 126 KB 86 KB 152 KB

Episode #593 | 03 Jan 2017 | 107 min.
I'm NOT a Robot! (Really)

This week, Leo and I discuss law enforcement and the Internet of Tattling things, a very worrisome new and widespread PHP eMail vulnerability, Paul and MaryJo score a big concession from Microsoft, a six year old "hacker" makes the news, Apple discovers how difficult it is to make developers change, hyperventilation over Russian malware found on a power utility's laptop, the required length of high entropy passwords, more pain for Netgear, an update on the just finalized v1.3 of TLS, the EFF's growing "Secure" messaging scorecard, a bunch of fun miscellany... and how does that "I'm not a Robot" non-CAPTCHA checkbox CAPTCHA work?
50 MB 13 MB 379 KB 137 KB 83 KB 153 KB


You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Security Now!, SpinRite Testimonials, and other Feedback:
Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Dec 09, 2018 at 16:03 (1.36 days ago)
Viewed 6,803 times per day