GRC | Security Now! Episode Archive


Our weekly audio security column & podcast by Steve Gibson and Leo Laporte

TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

SteveAndLeoAsPicardAndRiker

(This was not our idea. It was created by a fan of the podcast using GIMP (similar to
Photoshop). But as a work of extreme image manipulation, it came out surprisingly well.)

You may download and listen to selected episodes from this page (see below), or subscribe to the ongoing series as an RSS "podcast" to have them automatically downloaded to you as they are produced. To subscribe, use whichever service you prefer . . .

Receive an automatic eMail reminder whenever a new episode is posted here (from ChangeDetection.com). See the section at the bottom of this page.

Send us your feedback: Use the form at the bottom of the page to share your opinions, thoughts, ideas, and suggestions for future episodes.

Leo also produces "This Week in Tech" (TWiT) and a number of other very popular podcasts (TWiT is America's most listened to podcast!) So if you are looking for more informed technology talk, be sure to check out Leo's other podcasts and mp3 files.

And a huge thanks to AOL Radio for hosting the high-quality MP3 files and providing the bandwidth to make this series possible. We use "local links" to count downloads, but all of the high-quality full-size MP3 files are being served by AOL Radio.

Episode Archive

Each episode has SIX resources:

	High quality 64 kbps mp3 audio file
	Quarter size, bandwidth-conserving, 16 kbps (lower quality) mp3 audio file
	A PDF file containing Steve's show notes
	A web page text transcript of the episode
	A simple text transcript of the episode
	Ready-to-print PDF (Acrobat) transcript

(Note that the text transcripts will appear a few hours later
than the audio files since they are created afterwards.)
For best results: RIGHT-CLICK on one of the two audio icons & below then choose "Save Target As..." to download the audio file to your computer before starting to listen. For the other resources you can either LEFT-CLICK to open in your browser or RIGHT-CLICK to save the resource to your computer.

Episode #940 | 19 Sep 2023 | 104 min.

When Hashes Collide This week, after quickly filling Leo in on last week's two most important pieces of news, guided by some great questions and comments from our listeners, we're going to look into the operating of hardware security modules (HSMs), fast file hash calculations, browser identity segregation, the non-hysterical requirements for truly and securely erasing data from mass storage, a cool way of monitoring the approaching end of UNIX time, my plans to leave Twitter, and what I think will be a very interesting deep dive into cryptographic hashes and the value of deliberately creating hash collisions.
50 MB	12 MB	250 KB <-- Show Notes	141 KB	83 KB	348 KB

Episode #939 | 12 Sep 2023 | 110 min.

LastMess This week we share some exciting and hopeful news about the UK's Online Child Safety legislation. What does it suggest for the future? How was it that Microsoft's super-secret authentication key escaped into the hands of Chinese attackers who then used it to breach secure enterprise eMail? What, if any, lessons did Microsoft learn? Why am I more glad than ever that I'm driving a 19 year old car after the Mozilla Foundation shared what they learned about all of today's automobiles? And then, after sharing and exploring some feedback from our listeners, we're going to examine the horrifying evidence that the data stolen from the LastPass breach is being successfully decrypted and used against LastPass users.
53 MB	13 MB	316 KB <-- Show Notes	97 KB	85 KB	291 KB

Episode #938 | 05 Sep 2023 | 105 min.

Apple Says No This week we have our first sneak peek at “ValiDrive” the freeware I decided to quickly create to allow any Windows user to check any of their USB-connected drives. There's been another sighting of Google's Topics API; where was that? Has Apple actually decided open their iPhone to researchers? And what did some quite sobering research reveal about our need to absolutely trust each and every browser extension we install... and why was that sort of obvious in retrospect? We're then going to entertain some great feedback from our amazing listeners before we conclude by looking at the exclusive club which Apple's just-declared membership made complete.
50 MB	13 MB	587 KB <-- Show Notes	124 KB	84 KB	322 KB

Episode #937 | 29 Aug 2023 | 110 min.

The Man in the Middle This week we have a really wonderful picture of the week in the form of a techie “what we say” and “what we mean” counterpoint. So we're going to start off spending a bit of time with that. Then we're going to see whether updating to that latest WinRAR version might be more important than was clear last week. And while HTTPS is important for the public Internet, do we need it for our local networks? What about using our own portable domain for eMail? Does Google's new Topics system unfairly favor monopolies? If uBlock Origin blocks ads why does it also need to block Topics? Just how narrow (or wide) is Voyager 2's antenna beam and what does 2 degrees off-axis really mean? Do end users need to worry about that wacky Windows time setting mess? And what's the whole story about Unix time in TLS handshakes? What can be done about fake mass storage drives flooding the market? And finally, let's look at man-in-the-middle attacks. How practical are they and what's been their history?
53 MB	13 MB	558 KB <-- Show Notes	149 KB	90 KB	359 KB

Episode #936 | 22 Aug 2023 | 119 min.

When Heuristics Backfire Which Linux distro is selling itself to private equity capital and what could possibly go wrong? Will Android soon be talking to the sky? What's up with the trouble SanDisk and Western Digital are in over their SSDs? Are children still being tracked on YouTube's "made for kids" channels? Has cryptocurrency become any safer and what dangers are posed by the use of multi-party wallets? Is FIDO2 ready with post-quantum crypto? What's the latest on HTTPS by Default? And after looking at some feedback from our terrific listeners, we're going to examine the nature of heuristic programming algorithms with a case study in what can go wrong.
57 MB	14 MB	367 KB <-- Show Notes	167 KB	96 KB	399 KB

Episode #935 | 15 Aug 2023 | 105 min.

“Topics” Arrives Today, we have a birthday to celebrate. And then I wound up encountering so many interesting thoughts shared by our terrific listeners that once I had written everything that I wanted to say regarding the emergence of Google's long-awaited Topics system to replace tracking, while still giving advertisers what they need, I'd filled up 18 pages of show notes and ran out of space for other news. So next week I'll catch up with everything else that's been happening. But the topic of Topics is, I think, important enough to have most of a podcast for itself!
51 MB	13 MB	684 KB <-- Show Notes	145 KB	87 KB	353 KB

Episode #934 | 08 Aug 2023 | 103 min.

Revisiting Global Privacy Control What was it that also just, last week, happened with Voyager 2? What did Tenable's CEO Amit Yoran have to say about Microsoft's security practices? And what did Bruce Schneier have to say about the recent attack on Azure by Chinese hackers? There's more to AI than ChatGPT. What did some academic researchers in the UK accomplish by adding new deep learning modeling to a classic and previously weak attack? And after discussing some interesting listener feedback from the prior week, we're going to revisit a topic we covered when it was young because it's beginning to show signs that it might have a life of its own and may not be destined to fall by the wayside, as all brokers of personal information would hope.
50 MB	12 MB	305 KB <-- Show Notes	135 KB	83 KB	348 KB

Episode #933 | 01 Aug 2023 | 127 min.

TETRA:BURST It turns out that Advanced Persistent Threats have been leveraging satellite communications for many years. We start by looking at that. Then we'll find out what the next iOS release will be doing to further thwart device tracking. What new feature is Android 6+ releasing? What's the latest on the forthcoming 7th branch of the U.S. military? Why has Russia suddenly criminalized open source contribution? And what do we learn from VirusTotal's 2023 “malware-we've-seen” update? Then, after we share some of the terrific podcast-relevant feedback received from our amazing listeners following last week's second satellite insecurity podcast, we're going to examine one of the revelations to be detailed during next week's Blackhat hacking conference in Las Vegas.
61 MB	15 MB	386 KB <-- Show Notes	170 KB	107 KB	413 KB

Episode #932 | 25 Jul 2023 | 110 min.

Satellite Insecurity, Part 2 What did Apple recently say to the UK? What's Google's “Web Environment Integrity” and why's it so controversial? Who's the latest to express unhappiness over Google Analytics? What happy news did the UK deliver about IoT security that the U.S. not done so far? Might you be qualified to join the U.S.'s forthcoming Expeditionary Cyber Force? What's the latest on ransomware attack payouts and also on the Massive MOVEit maelstrom? And who's the most recent major player to announce the adoption of Passkeys? Once we all have the answers to those questions, we've going to spend some time with our faithful listeners, then wrap up this Part 2 of our look at the current and quite distressing state of satellite insecurity.
53 MB	13 MB	313 KB <-- Show Notes	142 KB	91 KB	361 KB

Episode #931 | 18 Jul 2023 | 99 min.

Satellite Insecurity, Part 1 What did Kaspersky have to say about last Tuesday's Microsoft patch event, and what security consequences does it have for all non-subscribing Microsoft Office users? What was inevitably going to happen once the power of Large Language Model generative AI became widely appreciated and available? What does it mean that Microsoft just revoked more than 100 malicious Windows drivers? What two new well-known companies have been added to Clop's MOVEit file transfer victim list? What does Dun & Bradstreet have to do with Android Apps? Where in the world can you use Meta's new Threads service, and where not? And what's a side effect of bitcoin addresses looking like gibberish? And after we examine those questions, cover some miscellany and user feedback, we're going to turn our attention to the heavens in recollection of those famous words of Henny Penny.
48 MB	12 MB	328 KB <-- Show Notes	105 KB	78 KB	287 KB

Episode #930 | 11 Jul 2023 | 110 min.

Rowhammer Indelible Fingerprinting Could it be that yet another SQL injection flaw was found in the MOVEit Transfer system, and what more has been learned about last month's widespread attacks? What's a “Rug Pull”? What horrible conduct was the popular Avast AV found to be engaging in? Did China actually create their own OS? Version 1 is out! How many times can we say “TootRoot” while covering one story? What's the controversy surrounding the recent release of Firefox 115? Did Russia just successfully disconnect itself from the Internet? What are modern Internet honeypots discovering? How much of your life savings should you transfer into online cryptocurrency exchanges? (Okay, that's an easy one.) What did EU agencies just rule against Meta and Google? What happened to Apple's quickly withdrawn Rapid Security Response update? And after a bit of miscellany and listener feedback, we're going to look at the return of Rowhammering for the purpose of creating indelible fingerprints.
53 MB	13 MB	230 KB <-- Show Notes	158 KB	86 KB	387 KB

Episode #929 | 27 Jun 2023 | 112 min.

Operation Triangulation Today's podcast is chock full of news. What has DuckDuckGo just announced? What about the Tor Project? Has Opera just made a big mistake? What is the KasperskyOS? What's happening to non-Russian web hosting for Russians? Are SolarWinds executives finally going to be held to account? We now have the US Space Force, what's next? What's the latest large site to support Passkeys? Who would like permission to spy on their own citizens? Which facial recognition smartphone unlocking can you trust and which should not be? And what was the inevitable shoe to drop following last week's coverage of the Massive MOVEit Transfer mess? Then, after sharing a bit of listener feedback, we're going to take a much closer look into Kaspersky's discovery of a pervasive 4-year iPhone spyware campaign.
54 MB	13 MB	1,301 KB <-- Show Notes	155 KB	93 KB	364 KB

Episode #928 | 20 Jun 2023 | 111 min.

The Massive MOVEit Maelstrom This week, two big stories dominate our podcast. We start by taking a quick look back at last week's Microsoft Patch Tuesday. Then we examine the latest surprising research to emerge from the Ben-Gurion University of the Negev. What these guys have found this time is startling. Then, after sharing some feedback from our listeners and a long-awaited big SpinRite milestone announcement, we're going to spend the rest of our available time examining the story behind this month's massive cyber-extortion attack which is making all of the recent headlines and causing our listeners to tweet: “I'll bet I can guess what you're going to be talking about this week.” Yes, indeed.
53 MB	13 MB	263 KB <-- Show Notes	97 KB	84 KB	291 KB

Episode #927 | 13 Jun 2023 | 125 min.

Scanning the Internet This week we examine what happens to your monthly cloud services bill if you're infected by cryptomining malware? And speaking of cloud services, is Elon paying his bills? Just how fast are IoT-based DDoS attacks rising? What was the strange tale of wayward Chinese certificate authority? What useful new privacy and security features will Apple be adding to their services with their net OSes this fall? And why has France headed in another direction? How does Russia feel about foreign Internet probes and what can they do about it? And after a bit of miscellany, listener feedback and a SpinRite update, we're going to take a deep dive into the backstory and current capabilities of the Internet's premiere scanning and indexing service: Censys.
60 MB	15 MB	1165 KB <-- Show Notes	140 KB	96 KB	365 KB

Episode #926 | 06 Jun 2023 | 111 min.

Windows Platform Binary Table This week we're back to answer a collection of burning questions which we first pose, including: What news from HP? What is Microsoft doing for Windows 11 that promises to break all sorts of network connections? What's OWASP's new Top Ten list of worries about? Did Apple help the NSA attack the Kremlin? and what crucially important revelation does this incident bring? What new hacking race has Google created? And what misguided new U.S. legislation will hopefully die before it gets off the ground? What is TOR doing to protect itself from DoS attacks? How much are educational institutions investing in CyberSecurity? And what can go wrong with civilian cameras in Ukraine? Are we seeing the rise of Cyber Mercenaries? What is the “Windows Platform Binary Table”, why should we care, and how can we turn it off?
53 MB	13 MB	429 KB <-- Show Notes	112 KB	86 KB	313 KB

Episode #925 | 30 May 2023 | 82 min.

Brave's Brilliant Off the Record Request This week, before we address what I think is a brilliant new idea from the Brave Browser's Privacy Team, we're going to see why people are suggesting that the initials HP stands for “Huge Pile”?, What was Google thinking when they created the .ZIP TLD that no one was asking for? How has the Python Foundation responded to attacks and subpoenas? Do we believe a VPN service when it promises that no logs are saved anywhere? Will Twitter be leaving the EU? Does Bitwarden now support Passkeys? Who just got fined 1.2 billion euros? – and why so little? What feature did WhatsApp just add, and what's the story about Google's new bug bounty for their Android apps? Then, after answering those questions and a brief bit of good news about SpinRite, we're going to look at Brave's Brilliant “Off the record” request concept and new feature.
39 MB	10 MB	225 KB <-- Show Notes	100 KB	67 KB	272 KB

Episode #924 | 23 May 2023 | 93 min.

VCaaS - Voice Cloning as a Service This week, we'll lead off with a tracking device follow-up, then answer some questions including: What happened when I updated my own ASUS router, and what happened when HP attempted to update all of their OfficeJet Pro 9020e-series printers in the field? What did the Supreme Court have to say, if anything, about Section 230? How concerned should KeePass users be about this new master password disclosure vulnerability? What's Apple's position on ChatGPT? What's Google been quietly doing about its “user profiling without tracking” Privacy Sandbox technology? What disappointing news did the Senate Intel Committee just reveal about the FBI, and why did The Python Foundation suddenly close all new registrations of users and packages? Then, after I announce and explain the discovery and fix for a longstanding bug that has always existed in SpinRite 6.0, probably extending as far back as SpinRite 3.1 in the mid 90's, we're going to finish by examining the emergence of new "Voice Cloning as a Service" Dark Web facilities.
45 MB	11 MB	405 KB <-- Show Notes	100 KB	75 KB	281 KB

Episode #923 | 16 May 2023 | 101 min.

Location Tracker Behavior This week we're going to answer only two questions. First, why hasn't Steve been saying anything about his work on SpinRite recently, and then second, what are all the details spelled out in the emerging specification for the detection of unwanted location tracking?
49 MB	12 MB	397 KB <-- Show Notes	119 KB	84 KB	316 KB

Episode #922 | 09 May 2023 | 108 min.

Detecting Unwanted Location Trackers Last week Google activated their Passkeys support. What does that actually mean? Do TP-Link Router auto-update by default? What trouble did a secretive branch of the US Marshals get in to? When and why will Chrome be eliminating the padlock icon? Were you prompted by Apple's new Rapid Security Response? What did Elon Musk do to upset WordPress?, and why is it a win for Mastodon? How many fake news AI-driven websites have been spotted so far?, and are they convincing? What's this about Russia dropping TCP/IP in favor of their own Russian network protocol? What three mistakes does Vint Serf, co-designer of the Internet Protocols think he made? And finally, in the first half of our two-part very deep dive into the design of the next-generation location tracking devices, will you be put off when you learn that law enforcement is able to query for the identity of any device's owner? Fasten your seatbelts for another interesting Security Now! podcast brought to you by TWiT, the itch that Leo scratched.
52 MB	13 MB	902 KB <-- Show Notes	159 KB	90 KB	389 KB

Episode #921 | 02 May 2023 | 100 min.

OSB OMG and other news! This week, because the UK's Online Safety Bill continues to stir up a hornet's nest of worries and concerns within many industries, we're going to examine WhatsApp's reaction to Signal's “we plan to walk” position and Wikipedia's concerns over the Bill's age verification requirements. And, undaunted, I have another idea that might be useful! We also have a new UDP reflection attack vector, a welcome (and late) update to Google Authenticator, more NSO Group client news, a Russian OS?, the unintended consequences of releasing updates for routers that won't actually be updated, a smart move by Intel with pre-release security auditing, yet another side-channel attack on Intel CPUs, cURL's maintainer implores Windows users not to delete it, and VirusTotal gets AI.
48 MB	12 MB	347 KB <-- Show Notes	146 KB	86 KB	358 KB

Episode #920 | 25 Apr 2023 | 109 min.

An End-to-End Encryption Proposal This week's look at the past week's most interesting security news answers the question of whether Apple's Lockdown Mode does anything that's actually useful? Just how big is the market for commercial “Pegasys-style” smartphone spyware? Why exactly has the Dark Web suddenly become interested in purloined ChatGPT accounts and is “purloined” a word one uses in mixed company? What trove of secrets did ESET discover when they innocently purchased a few second hand routers? And speaking of routers, what was the mistake that users of old Cisco routers really wish Cisco hadn't made, and whose fault is its exploitation today? What's the story behind the newly established Security Research Legal Defense Fund? Then, after a few quick update and upgrade notes, we look at two opposing open letters written about the coming end-to-end-encryption apocalypse, and consider whether I may have just stumbled upon a solution to the whole mess? So, I doubt that anyone's going to be bored this week!
52 MB	13 MB	347 KB <-- Show Notes	137 KB	88 KB	350 KB

Episode #919 | 18 Apr 2023 | 90 min.

Forced Entry So... what happened with last week's Patch Tuesday? was there anything of note? If we took a quick overview of just a tiny bit of last week's news, what would that look like? and what would those stories all have in common? What new developer-centric service is Google making freely available for the good of the open source community? What moves is WhatsApp making to improve the security for the world's most popular secure messaging system? What happens when a European psychotherapy clinic apparently doesn't care enough to provide even minimal security for the patient's records? And finally, in this week's deep dive, we're going to answer the question: What could researchers have found inside a piece of the NSO Group's Pegasys smartphone spyware that actually terrified them? And why?
43 MB	11 MB	310 KB <-- Show Notes	74 KB	66 KB	238 KB

Episode #918 | 11 Apr 2023 | 110 min.

A Dangerous Interpretation This week we seek answers: What did Microsoft and Fortra ask from the courts, and what did the courts say in return? When can chatting with ChatGPT leak corporate secrets? Why has Apple suddenly updated many much older of their iDevices? Why bother naming a six year old ongoing WordPress attack campaign? Which Samsung handsets just went out of security support? What two user-focused policy changes has Google just made for Android users? and do we really have additional ChatGPT hysteria? After answering those questions, and examining an example of the benefit of rewriting solid state non-volatile storage, we're going to take a rather deep dive into a tool that was meant for good, but which I fear may see more use for evil.
53 MB	13 MB	225 KB <-- Show Notes	96 KB	84 KB	282 KB

Episode #917 | 04 Apr 2023 | 96 min.

Zombie Software This week we answer questions which arose during the past week: When is an attack not an attack? When our AI overloard arrives how shall we call him? Why has Italy said NO to ChatGPT? What does Twitter's posting of its code to GitHub tell us? Why is India searching for commercial spyware less well know than Pegasys and what does the Summit for Democracy have to say about that? Has the FDA finally moved on the issue of medical device security updates? And seven years after the first “Hack the Pentagon” trial, the Pentagon remains standing, or does it? Then, after addressing a quick bit of miscellany, listener feedback and an update on my ongoing work on SpinRite, we use CISA's KEV database to explore the question of how exactly we define “Zombie Software” and answer the question of whose brains will the zombies eat?
46 MB	12 MB	905 KB <-- Show Notes	93 KB	74 KB	276 KB

Episode #916 | 28 Mar 2023 | 81 min.

Microsoft's Email Extortion In this week's grab bag question collection we wonder: What happened, and who cleaned up during last week's elite 2023 Pwn2Own competition? What happens when GitHub inadvertently exposes their own private SSH RSA key? Are all DDoS-for-hire sites legitimate, and is legitimate ever a word we can apply? Just how bad has the malicious open source registry package problem become? And how is it that Russia's presidential staff are still using iPhones? After its rocky start in the limelight, how has Zoom's security been faring these past few years? And what benefits can be derived from the sum of two sine waves along a logarithmic curve? What new feature is Microsoft exploring for their already feature-encumbered web browser? And in one of my blessedly rare rants we're then going to learn what new "revenue harvesting" measure Microsoft has just announced which seems deeply ethically wrong to me.
39 MB	10 MB	734 KB <-- Show Notes	90 KB	65 KB	265 KB

Episode #915 | 21 Mar 2023 | 99 min.

Flying Trojan Horses This week, our time-limited quest to answer today's burning questions causes us to wonder, how worried should Android smartphone users be about Google's revelation of serious flaws in Samsung's baseband chips? What great idea should the NPM maintainers steal? What is it that nation-states increasingly want to have both ways? What crazy but perhaps inevitable change is Google telegraphing that it might push on the entire world? Was it possible to cheat at Chess.com, and what did Checkpoint Research discover? What's the most welcome news of the week for the United States infrastructure? And if Trojan Horses could fly, how many propellers would they need? The answers to those puzzles and riddles coming up next on Security Now!.
48 MB	12 MB	666 KB <-- Show Notes	122 KB	80 KB	318 KB

Episode #914 | 14 Mar 2023 | 106 min.

Sony Sues Quad9 This week fewer questions required longer answers. What, if anything, can be done about the constant appearance of malicious Chrome extensions? What's the latest country to decide to pull Chinese telecommunications equipment from their country? What's the #1 way that bad guys penetrate networks, and how has that changed in the past year? What delicate and brittle crypto requirement is responsible for protecting nearly $1 trillion dollars in cryptocurrency and TLS connections, and how can we trust it? What's now known about the Plex Media Server defect that indirectly triggered the exodus from LastPass? And why in the world would Sony Entertainment Germany bring a lawsuit against the innocent non-profit do-gooder Quad9 DNS provider? Stay tuned! The answers to questions you didn't even know you had will be provided during this March 14th “PI day” 914th episode, of Security Now!
51 MB	13 MB	372 KB <-- Show Notes	142 KB	84 KB	350 KB

Episode #913 | 07 Mar 2023 | 87 min.

A Fowl Incident This week's answers are many: How has Fosstodon survived a sustained DDoS attack? Or has it? What luck have Europol and the FBI had with taking down DDoS-for-hire services and have they returned? What's the point of blocking TikTok, and is it even possible? What happens when government-backed surveillance goes rogue? What exactly is “Strategic Objective 3.3” and what, if anything, does it portend for future software? Should you enable GitHub's new secret scanning service and get scanned? What exactly did CISA's secretive red-team accomplish; and against whom? Which messenger apps have been banned by Russia, who's missing from that list, and why? What exactly is old, that's new again, what happens when everyone uses the same cryptographic library for their TPM code, what's the latest WordPress plug-in to threaten more than one million sites and why has Russia fined Wikipedia? And once we've put that collection of need-to-know questions to rest we're going to examine the surprising revelations that surface as we unearth the Fowlest of recent security incidents.
42 MB	10 MB	337 KB <-- Show Notes	112 KB	72 KB	305 KB

Episode #912 | 28 Feb 2023 | 86 min.

The NSA @ Home What mistake did Windows Update make last week? What if you don't want to paste with formatting? What browser is building-in a limited bandwidth VPN? What more did we just learn about LastPass' second breach? What did Signal say to the UK about scanning its user's messages? What was just discovered hiding inside the Python package Index repository? What proactive move has QNAP finally taken? What disastrous bug did SpinRite's testers uncover last weekend in motherboard BIOSes? And what amazingly useful “Best Practices” advice has the NSA just published for home users? Answers to all those questions and some additional thoughts will be yours – before you know it – on this week's 912th episode of Security Now!, titled: “The NSA @ Home”.
41 MB	10 MB	357 KB <-- Show Notes	96 KB	69 KB	272 KB

Episode #911 | 21 Feb 2023 | 87 min.

A Clever Regurgitator For how long were bad guys inside GoDaddy's networks? What important oral arguments is the US Supreme Court hearing today and tomorrow? What's Elon done now? What's Bitwarden's welcome news? What's Meta going to begin charging for? Should we abandon all hope for unattended IoT devices? Are all of our repositories infested with malware? How'd last Tuesday's monthly patchfest turn out? Why would anyone sandbox an image? What can you learn from TikTok that upsets Hyundai and KIA? And are there any limits to what ChatGPT can do, if any? We're going to find out by the end of today's 911 emergency podcast.
42 MB	10 MB	1157 KB <-- Show Notes	101 KB	70 KB	277 KB

Episode #910 | 14 Feb 2023 | 99 min.

Ascon What more has happened with the ESXi ransomware story? Is malicious use of ChatGPT going to continue to be a problem? What exactly is Google giving away? Why is the Brave browser changing the way it handles URLs? What bad idea has Russia just had about their own hackers? Why would Amazon change its S3 bucket defaults? Now who's worried about Chinese security camera spying? And who has just breathed new life into Adobe's PDF viewer? What's on our listeners' minds, and what the heck is Ascon, and why should you care? Those questions and more will be answered on today's 910th episode of Security Now!.
47 MB	12 MB	416 KB <-- Show Notes	97 KB	76 KB	279 KB

Episode #909 | 07 Feb 2023 | 112 min.

How ESXi Fell Leo used to say at the top of our Q&A episodes: “You have questions, we have answers.” Now we tease most of the questions and provide their answers. This week we wonder: What is about to happen with the EU's legislation to monitor its citizen's communications? Why would a French psychotherapy clinic be keeping 30,000 old patient records online, and who stole them? What top level domains insist upon, and enforce, HTTPS? How is Chrome's release pace about to change? When you say that Russia shoots the messenger is that only an expression? Were a fool and his crypto soon parted... or should that be “was”? Exactly why is QNAP back in the news, and what do I really think about Synology? Would companies actually claim unreasonably low CVSS scores for their own vulnerabilities? Nooooo! What questions have our listeners been asking after all this recent talk about passwords? What's the whole unvarnished story behind this weekend's massive global attack on VMware's ESXi servers, and who's really at fault? These questions and more will probably be answered before you fall asleep... but no guarantees.
54 MB	13 MB	519 KB <-- Show Notes	120 KB	88 KB	329 KB

Episode #908 | 31 Jan 2023 | 88 min.

Data Operand Independent Timing This week we embark upon another two hour tour to answer some pressing questions: What happens if the vendor of the largest mobile platform begins blocking old and unsafe APIs, and can anything be done to prevent that? What new add-on is now being blocked by the dreaded Mark of the Web? Would you have the courage to say no after your gaming source code was stolen? Is any crypto asset safe, and what trap did our friend Kevin Rose fall victim to last week? How can Meta incrementally move to end-to-end encryption? Isn't it all or nothing? What other new feature did iOS 16.3 bring to the world, what's the latest government to begin scanning its own citizenry, and why aren't they all? Or are they? What spectacular success gives the FBI bragging rights, and why is Russia less than thrilled? What questions have our listeners posed? What's the possible value of making up your own words? How's SpinRite coming? What, is your favorite color? What have Intel and AMD just done to break the world's crypto? And what exactly did ChatGPT reply when it was asked by one of our listeners to explain an SSL certificate chain in the voice of a stoned surfer bro? Leo will present the answer to that in his dramatic reading once the answers to all of the preceding questions have been revealed during this week's gripping episode of Security Now!.
42 MB	11 MB	530 KB <-- Show Notes	116 KB	72 KB	312 KB

Episode #907 | 24 Jan 2023 | 85 min.

Credential Reuse This week we again address a host of pressing questions. What other major player fell victim to a credential reuse attack? What does Apple's update to iOS 16.3 mean for the world? And why may it not actually mean what they say? It was bound to happen. To what evil purpose has ChatGPT recently been employed? And are any of our jobs safe? Why was Meta fined by the EU for the third time this year? And which European company did Bitwarden just acquire, and why? PBKDF iteration counts are on the rise and are changing daily. What the latest news there? What other burning questions have our listeners posed this past week? What has Gibson been doing and where the hell is SpinRite? And what does the terrain for credential reuse look like, what can be done to thwart these attacks, and what two simple measures look to have the greatest traction with the least user annoyance? All those questions and more will be answered, hopefully before your podcast player's battery runs dry.
41 MB	10 MB	477 KB <-- Show Notes	97 KB	68 KB	273 KB

Episode #906 | 17 Jan 2023 | 95 min.

The Rule of Two This week we're back to answering some questions that you didn't even know were burning. First, is the LastPass iteration count problem much less severe than we thought because they are doing additional PBKDF2 rounds at their end? What sort of breach has Norton LifeLock protected its user's from? And have they really? What did Chrome just do which followed Microsoft and Firefox? And is the Chromium beginning to Rust? Will Microsoft ever actually protect us from exploitation by old known vulnerable kernel drivers? What does it mean that real words almost never appear in random character strings? And what is Google's “Rule of Two” and why does our entire future depend upon it? The answers to those questions and more will be revealed during this next gripping episode of Security Now!
45 MB	11 MB	335 KB <-- Show Notes	106 KB	73 KB	277 KB

Episode #905 | 10 Jan 2023 | 94 min.

1 This week, in a necessary follow-up to last week's “Leaving LastPass” episode, we'll share the news of the creation of a terrific PowerShell script, complete with a friendly user interface, which quickly de-obfuscates any LastPass user's XML format vault data. What it reveals is what we expected, but seeing is believing. Then we're going to examine the conclusions drawn and consequences of the massive amount of avid (and in some cases rabid) listener feedback received since last week, and some of the truly startling things that listeners of this podcast discovered when they went looking.
45 MB	11 MB	335 KB <-- Show Notes	145 KB	78 KB	347 KB

Episode #904 | 03 Jan 2023 | 103 min.

Leaving LastPass This week, since a single topic dominated the security industry and by far the majority of my Twitter feed and DMs, after a brief update on my SpinRite progress we're going to spend the entire podcast looking at a single topic: LastPass.
50 MB	12 MB	263 KB <-- Show Notes	156 KB	88 KB	360 KB

Past Years Archives

• Current Podcast Page
• Security Now 2022
• Security Now 2021
• Security Now 2020
• Security Now 2019
• Security Now 2018
• Security Now 2017
• Security Now 2016
• Security Now 2015
• Security Now 2014
• Security Now 2013
• Security Now 2012
• Security Now 2011
• Security Now 2010
• Security Now 2009
• Security Now 2008
• Security Now 2007
• Security Now 2006
• Security Now 2005

You can receive an eMail reminder whenever this page is updated with a new Security Now! episode. Click the "Monitor Changes" button to have the highly-regarded "Change Detection" web site monitor this page and send you a note when it changes.

Security Now!, SpinRite Testimonials, and other Feedback:

Please use GRC's Visitor & Listener FEEDBACK Page where you may easily submit any feedback for Security Now, SpinRite testimonials, suggestions for future Security Now topics or questions & comments for future Listener Feedback episodes. Thank you!

/feedback

Gibson Research Corporation is owned and operated by Steve Gibson. The contents
of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Sep 25, 2023 at 06:56 (1.34 days ago)

Viewed 1,390 times per day