blog icon Twitter Icon RSS Icon





Our weekly audio security column
& podcast by Steve Gibson and Leo Laporte
TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

SteveAndLeoAsPicardAndRiker
(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

 You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

 Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

 Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

 Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!) So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

 And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.





Episode Archive

Each episode has SIX resources:

High quality 64 kbps mp3 audio file
Quarter size, bandwidth-conserving,
16 kbps (lower quality) mp3 audio file
A PDF file containing Steve's show notes
A web page text transcript of the episode
A simple text transcript of the episode
Ready-to-print PDF (Acrobat) transcript  

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)

For best results: RIGHT-CLICK on one of the two audio icons & below then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #925 | 30 May 2023 | 82 min.
Brave's Brilliant Off the Record Request

This week, before we address what I think is a brilliant new idea from the Brave Browser's Privacy Team, we're going to see why people are suggesting that the initials HP stands for “Huge Pile”?, What was Google thinking when they created the .ZIP TLD that no one was asking for? How has the Python Foundation responded to attacks and subpoenas? Do we believe a VPN service when it promises that no logs are saved anywhere? Will Twitter be leaving the EU? Does Bitwarden now support Passkeys? Who just got fined 1.2 billion euros? – and why so little? What feature did WhatsApp just add, and what's the story about Google's new bug bounty for their Android apps? Then, after answering those questions and a brief bit of good news about SpinRite, we're going to look at Brave's Brilliant “Off the record” request concept and new feature.
39 MB 10 MB  225 KB   <-- Show Notes

Episode #924 | 23 May 2023 | 93 min.
VCaaS - Voice Cloning as a Service

This week, we'll lead off with a tracking device follow-up, then answer some questions including: What happened when I updated my own ASUS router, and what happened when HP attempted to update all of their OfficeJet Pro 9020e-series printers in the field? What did the Supreme Court have to say, if anything, about Section 230? How concerned should KeePass users be about this new master password disclosure vulnerability? What's Apple's position on ChatGPT? What's Google been quietly doing about its “user profiling without tracking” Privacy Sandbox technology? What disappointing news did the Senate Intel Committee just reveal about the FBI, and why did The Python Foundation suddenly close all new registrations of users and packages? Then, after I announce and explain the discovery and fix for a longstanding bug that has always existed in SpinRite 6.0, probably extending as far back as SpinRite 3.1 in the mid 90's, we're going to finish by examining the emergence of new "Voice Cloning as a Service" Dark Web facilities.
45 MB 11 MB  405 KB   <-- Show Notes 100 KB 75 KB 281 KB

Episode #923 | 16 May 2023 | 101 min.
Location Tracker Behavior

This week we're going to answer only two questions. First, why hasn't Steve been saying anything about his work on SpinRite recently, and then second, what are all the details spelled out in the emerging specification for the detection of unwanted location tracking?
49 MB 12 MB  397 KB   <-- Show Notes 119 KB 84 KB 316 KB

Episode #922 | 09 May 2023 | 108 min.
Detecting Unwanted Location Trackers

Last week Google activated their Passkeys support. What does that actually mean? Do TP-Link Router auto-update by default? What trouble did a secretive branch of the US Marshals get in to? When and why will Chrome be eliminating the padlock icon? Were you prompted by Apple's new Rapid Security Response? What did Elon Musk do to upset WordPress?, and why is it a win for Mastodon? How many fake news AI-driven websites have been spotted so far?, and are they convincing? What's this about Russia dropping TCP/IP in favor of their own Russian network protocol? What three mistakes does Vint Serf, co-designer of the Internet Protocols think he made? And finally, in the first half of our two-part very deep dive into the design of the next-generation location tracking devices, will you be put off when you learn that law enforcement is able to query for the identity of any device's owner? Fasten your seatbelts for another interesting Security Now! podcast brought to you by TWiT, the itch that Leo scratched.
52 MB 13 MB  902 KB   <-- Show Notes 159 KB 90 KB 389 KB

Episode #921 | 02 May 2023 | 100 min.
OSB OMG and other news!

This week, because the UK's Online Safety Bill continues to stir up a hornet's nest of worries and concerns within many industries, we're going to examine WhatsApp's reaction to Signal's “we plan to walk” position and Wikipedia's concerns over the Bill's age verification requirements. And, undaunted, I have another idea that might be useful! We also have a new UDP reflection attack vector, a welcome (and late) update to Google Authenticator, more NSO Group client news, a Russian OS?, the unintended consequences of releasing updates for routers that won't actually be updated, a smart move by Intel with pre-release security auditing, yet another side-channel attack on Intel CPUs, cURL's maintainer implores Windows users not to delete it, and VirusTotal gets AI.
48 MB 12 MB  347 KB   <-- Show Notes 146 KB 86 KB 358 KB

Episode #920 | 25 Apr 2023 | 109 min.
An End-to-End Encryption Proposal

This week's look at the past week's most interesting security news answers the question of whether Apple's Lockdown Mode does anything that's actually useful? Just how big is the market for commercial “Pegasys-style” smartphone spyware? Why exactly has the Dark Web suddenly become interested in purloined ChatGPT accounts and is “purloined” a word one uses in mixed company? What trove of secrets did ESET discover when they innocently purchased a few second hand routers? And speaking of routers, what was the mistake that users of old Cisco routers really wish Cisco hadn't made, and whose fault is its exploitation today? What's the story behind the newly established Security Research Legal Defense Fund? Then, after a few quick update and upgrade notes, we look at two opposing open letters written about the coming end-to-end-encryption apocalypse, and consider whether I may have just stumbled upon a solution to the whole mess? So, I doubt that anyone's going to be bored this week!
52 MB 13 MB  347 KB   <-- Show Notes 137 KB 88 KB 350 KB

Episode #919 | 18 Apr 2023 | 90 min.
Forced Entry

So... what happened with last week's Patch Tuesday? was there anything of note? If we took a quick overview of just a tiny bit of last week's news, what would that look like? and what would those stories all have in common? What new developer-centric service is Google making freely available for the good of the open source community? What moves is WhatsApp making to improve the security for the world's most popular secure messaging system? What happens when a European psychotherapy clinic apparently doesn't care enough to provide even minimal security for the patient's records? And finally, in this week's deep dive, we're going to answer the question: What could researchers have found inside a piece of the NSO Group's Pegasys smartphone spyware that actually terrified them? And why?
43 MB 11 MB  310 KB   <-- Show Notes 74 KB 66 KB 238 KB

Episode #918 | 11 Apr 2023 | 110 min.
A Dangerous Interpretation

This week we seek answers: What did Microsoft and Fortra ask from the courts, and what did the courts say in return? When can chatting with ChatGPT leak corporate secrets? Why has Apple suddenly updated many much older of their iDevices? Why bother naming a six year old ongoing WordPress attack campaign? Which Samsung handsets just went out of security support? What two user-focused policy changes has Google just made for Android users? and do we really have additional ChatGPT hysteria? After answering those questions, and examining an example of the benefit of rewriting solid state non-volatile storage, we're going to take a rather deep dive into a tool that was meant for good, but which I fear may see more use for evil.
53 MB 13 MB  225 KB   <-- Show Notes 96 KB 84 KB 282 KB

Episode #917 | 04 Apr 2023 | 96 min.
Zombie Software

This week we answer questions which arose during the past week: When is an attack not an attack? When our AI overloard arrives how shall we call him? Why has Italy said NO to ChatGPT? What does Twitter's posting of its code to GitHub tell us? Why is India searching for commercial spyware less well know than Pegasys and what does the Summit for Democracy have to say about that? Has the FDA finally moved on the issue of medical device security updates? And seven years after the first “Hack the Pentagon” trial, the Pentagon remains standing, or does it? Then, after addressing a quick bit of miscellany, listener feedback and an update on my ongoing work on SpinRite, we use CISA's KEV database to explore the question of how exactly we define “Zombie Software” and answer the question of whose brains will the zombies eat?
46 MB 12 MB  905 KB   <-- Show Notes 93 KB 74 KB 276 KB

Episode #916 | 28 Mar 2023 | 81 min.
Microsoft's Email Extortion

In this week's grab bag question collection we wonder: What happened, and who cleaned up during last week's elite 2023 Pwn2Own competition? What happens when GitHub inadvertently exposes their own private SSH RSA key? Are all DDoS-for-hire sites legitimate, and is legitimate ever a word we can apply? Just how bad has the malicious open source registry package problem become? And how is it that Russia's presidential staff are still using iPhones? After its rocky start in the limelight, how has Zoom's security been faring these past few years? And what benefits can be derived from the sum of two sine waves along a logarithmic curve? What new feature is Microsoft exploring for their already feature-encumbered web browser? And in one of my blessedly rare rants we're then going to learn what new "revenue harvesting" measure Microsoft has just announced which seems deeply ethically wrong to me.
39 MB 10 MB  734 KB   <-- Show Notes 90 KB 65 KB 265 KB

Episode #915 | 21 Mar 2023 | 99 min.
Flying Trojan Horses

This week, our time-limited quest to answer today's burning questions causes us to wonder, how worried should Android smartphone users be about Google's revelation of serious flaws in Samsung's baseband chips? What great idea should the NPM maintainers steal? What is it that nation-states increasingly want to have both ways? What crazy but perhaps inevitable change is Google telegraphing that it might push on the entire world? Was it possible to cheat at Chess.com, and what did Checkpoint Research discover? What's the most welcome news of the week for the United States infrastructure? And if Trojan Horses could fly, how many propellers would they need? The answers to those puzzles and riddles coming up next on Security Now!.
48 MB 12 MB  666 KB   <-- Show Notes 122 KB 80 KB 318 KB

Episode #914 | 14 Mar 2023 | 106 min.
Sony Sues Quad9

This week fewer questions required longer answers. What, if anything, can be done about the constant appearance of malicious Chrome extensions? What's the latest country to decide to pull Chinese telecommunications equipment from their country? What's the #1 way that bad guys penetrate networks, and how has that changed in the past year? What delicate and brittle crypto requirement is responsible for protecting nearly $1 trillion dollars in cryptocurrency and TLS connections, and how can we trust it? What's now known about the Plex Media Server defect that indirectly triggered the exodus from LastPass? And why in the world would Sony Entertainment Germany bring a lawsuit against the innocent non-profit do-gooder Quad9 DNS provider? Stay tuned! The answers to questions you didn't even know you had will be provided during this March 14th “PI day” 914th episode, of Security Now!
51 MB 13 MB  372 KB   <-- Show Notes 142 KB 84 KB 350 KB

Episode #913 | 07 Mar 2023 | 87 min.
A Fowl Incident

This week's answers are many: How has Fosstodon survived a sustained DDoS attack? Or has it? What luck have Europol and the FBI had with taking down DDoS-for-hire services and have they returned? What's the point of blocking TikTok, and is it even possible? What happens when government-backed surveillance goes rogue? What exactly is “Strategic Objective 3.3” and what, if anything, does it portend for future software? Should you enable GitHub's new secret scanning service and get scanned? What exactly did CISA's secretive red-team accomplish; and against whom? Which messenger apps have been banned by Russia, who's missing from that list, and why? What exactly is old, that's new again, what happens when everyone uses the same cryptographic library for their TPM code, what's the latest WordPress plug-in to threaten more than one million sites and why has Russia fined Wikipedia? And once we've put that collection of need-to-know questions to rest we're going to examine the surprising revelations that surface as we unearth the Fowlest of recent security incidents.
42 MB 10 MB  337 KB   <-- Show Notes 112 KB 72 KB 305 KB

Episode #912 | 28 Feb 2023 | 86 min.
The NSA @ Home

What mistake did Windows Update make last week? What if you don't want to paste with formatting? What browser is building-in a limited bandwidth VPN? What more did we just learn about LastPass' second breach? What did Signal say to the UK about scanning its user's messages? What was just discovered hiding inside the Python package Index repository? What proactive move has QNAP finally taken? What disastrous bug did SpinRite's testers uncover last weekend in motherboard BIOSes? And what amazingly useful “Best Practices” advice has the NSA just published for home users? Answers to all those questions and some additional thoughts will be yours – before you know it – on this week's 912th episode of Security Now!, titled: “The NSA @ Home”.
41 MB 10 MB  357 KB   <-- Show Notes 96 KB 69 KB 272 KB

Episode #911 | 21 Feb 2023 | 87 min.
A Clever Regurgitator

For how long were bad guys inside GoDaddy's networks? What important oral arguments is the US Supreme Court hearing today and tomorrow? What's Elon done now? What's Bitwarden's welcome news? What's Meta going to begin charging for? Should we abandon all hope for unattended IoT devices? Are all of our repositories infested with malware? How'd last Tuesday's monthly patchfest turn out? Why would anyone sandbox an image? What can you learn from TikTok that upsets Hyundai and KIA? And are there any limits to what ChatGPT can do, if any? We're going to find out by the end of today's 911 emergency podcast.
42 MB 10 MB  1157 KB   <-- Show Notes 101 KB 70 KB 277 KB

Episode #910 | 14 Feb 2023 | 99 min.
Ascon

What more has happened with the ESXi ransomware story? Is malicious use of ChatGPT going to continue to be a problem? What exactly is Google giving away? Why is the Brave browser changing the way it handles URLs? What bad idea has Russia just had about their own hackers? Why would Amazon change its S3 bucket defaults? Now who's worried about Chinese security camera spying? And who has just breathed new life into Adobe's PDF viewer? What's on our listeners' minds, and what the heck is Ascon, and why should you care? Those questions and more will be answered on today's 910th episode of Security Now!.
47 MB 12 MB  416 KB   <-- Show Notes 97 KB 76 KB 279 KB

Episode #909 | 07 Feb 2023 | 112 min.
How ESXi Fell

Leo used to say at the top of our Q&A episodes: “You have questions, we have answers.” Now we tease most of the questions and provide their answers. This week we wonder: What is about to happen with the EU's legislation to monitor its citizen's communications? Why would a French psychotherapy clinic be keeping 30,000 old patient records online, and who stole them? What top level domains insist upon, and enforce, HTTPS? How is Chrome's release pace about to change? When you say that Russia shoots the messenger is that only an expression? Were a fool and his crypto soon parted... or should that be “was”? Exactly why is QNAP back in the news, and what do I really think about Synology? Would companies actually claim unreasonably low CVSS scores for their own vulnerabilities? Nooooo! What questions have our listeners been asking after all this recent talk about passwords? What's the whole unvarnished story behind this weekend's massive global attack on VMware's ESXi servers, and who's really at fault? These questions and more will probably be answered before you fall asleep... but no guarantees.
54 MB 13 MB  519 KB   <-- Show Notes 120 KB 88 KB 329 KB

Episode #908 | 31 Jan 2023 | 88 min.
Data Operand Independent Timing

This week we embark upon another two hour tour to answer some pressing questions: What happens if the vendor of the largest mobile platform begins blocking old and unsafe APIs, and can anything be done to prevent that? What new add-on is now being blocked by the dreaded Mark of the Web? Would you have the courage to say no after your gaming source code was stolen? Is any crypto asset safe, and what trap did our friend Kevin Rose fall victim to last week? How can Meta incrementally move to end-to-end encryption? Isn't it all or nothing? What other new feature did iOS 16.3 bring to the world, what's the latest government to begin scanning its own citizenry, and why aren't they all? Or are they? What spectacular success gives the FBI bragging rights, and why is Russia less than thrilled? What questions have our listeners posed? What's the possible value of making up your own words? How's SpinRite coming? What, is your favorite color? What have Intel and AMD just done to break the world's crypto? And what exactly did ChatGPT reply when it was asked by one of our listeners to explain an SSL certificate chain in the voice of a stoned surfer bro? Leo will present the answer to that in his dramatic reading once the answers to all of the preceding questions have been revealed during this week's gripping episode of Security Now!.
42 MB 11 MB  530 KB   <-- Show Notes 116 KB 72 KB 312 KB

Episode #907 | 24 Jan 2023 | 85 min.
Credential Reuse

This week we again address a host of pressing questions. What other major player fell victim to a credential reuse attack? What does Apple's update to iOS 16.3 mean for the world? And why may it not actually mean what they say? It was bound to happen. To what evil purpose has ChatGPT recently been employed? And are any of our jobs safe? Why was Meta fined by the EU for the third time this year? And which European company did Bitwarden just acquire, and why? PBKDF iteration counts are on the rise and are changing daily. What the latest news there? What other burning questions have our listeners posed this past week? What has Gibson been doing and where the hell is SpinRite? And what does the terrain for credential reuse look like, what can be done to thwart these attacks, and what two simple measures look to have the greatest traction with the least user annoyance? All those questions and more will be answered, hopefully before your podcast player's battery runs dry.
41 MB 10 MB  477 KB   <-- Show Notes 97 KB 68 KB 273 KB

Episode #906 | 17 Jan 2023 | 95 min.
The Rule of Two

This week we're back to answering some questions that you didn't even know were burning. First, is the LastPass iteration count problem much less severe than we thought because they are doing additional PBKDF2 rounds at their end? What sort of breach has Norton LifeLock protected its user's from? And have they really? What did Chrome just do which followed Microsoft and Firefox? And is the Chromium beginning to Rust? Will Microsoft ever actually protect us from exploitation by old known vulnerable kernel drivers? What does it mean that real words almost never appear in random character strings? And what is Google's “Rule of Two” and why does our entire future depend upon it? The answers to those questions and more will be revealed during this next gripping episode of Security Now!
45 MB 11 MB  335 KB   <-- Show Notes 106 KB 73 KB 277 KB

Episode #905 | 10 Jan 2023 | 94 min.
1

This week, in a necessary follow-up to last week's “Leaving LastPass” episode, we'll share the news of the creation of a terrific PowerShell script, complete with a friendly user interface, which quickly de-obfuscates any LastPass user's XML format vault data. What it reveals is what we expected, but seeing is believing. Then we're going to examine the conclusions drawn and consequences of the massive amount of avid (and in some cases rabid) listener feedback received since last week, and some of the truly startling things that listeners of this podcast discovered when they went looking.
45 MB 11 MB  335 KB   <-- Show Notes 145 KB 78 KB 347 KB

Episode #904 | 03 Jan 2023 | 103 min.
Leaving LastPass

This week, since a single topic dominated the security industry and by far the majority of my Twitter feed and DMs, after a brief update on my SpinRite progress we're going to spend the entire podcast looking at a single topic: LastPass.
50 MB 12 MB  263 KB   <-- Show Notes 156 KB 88 KB 360 KB
Past Years Archives

• Current Podcast Page
• Security Now 2022
• Security Now 2021
• Security Now 2020
• Security Now 2019
• Security Now 2018
• Security Now 2017
• Security Now 2016
• Security Now 2015
• Security Now 2014
• Security Now 2013
• Security Now 2012
• Security Now 2011
• Security Now 2010
• Security Now 2009
• Security Now 2008
• Security Now 2007
• Security Now 2006
• Security Now 2005



You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Monitor this page for changes: (it's private by ChangeDetection)
Security Now!, SpinRite Testimonials, and other Feedback:
Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!
/feedback


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 31, 2023 at 10:42 (2.73 days ago)Viewed 937 times per day