GIBSON RESEARCH CORPORATION		https://www.GRC.com/

SERIES:		Security Now!
EPISODE:	#1046
DATE:		October 7, 2025
TITLE:		Google's Developer Registration Decree
HOSTS:	Steve Gibson & Leo Laporte
SOURCE:	https://media.grc.com/sn/sn-1046.mp3
ARCHIVE:	https://www.grc.com/securitynow.htm

DESCRIPTION:  Qantas says no one can releak their stolen data.  Brave's usage is up.  But is it really three times faster.  Next Tuesday the EU votes on Chat Control.  Microsoft formally launches a Security Store.  Outlook moves to block JavaScript in SVGs.  A new release of Chrome.  Gmail will no longer pull external email via POP.  Google Drive starts blocking ransomware encryptions.  The UK issues another order to Apple.  Researchers create a Battering RAM attack device.  HackerOne's significant bug bounty payouts.  The Imgur service goes dark across the UK.  Guess why.  The Netherlands plans to say NO to Chat Control.  Discord was breached and government IDs leaked.  Salesforce says it's not another new breach.  Signal introduces a new post-quantum ratchet.  Your motherboard MIGHT support TPM 2.0.  Google to force Android app devs to register and pay.

SHOW TEASE:  It's time for Security Now!.  Steve Gibson is here once again, making you aware of issues in our community like the Tuesday vote in the EU on Chat Control.  What's wrong with that?  Well, Steve will explain.  He'll also talk about Brave's assertion it's three times faster than other browsers.  Really?  Researchers create the wildest Battering RAM attack device you've ever seen.  And then we will talk about Google's plan to require everybody developing for Android to register with them.  Is that a good idea?  I think not.  Let's find out what Steve thinks, next on Security Now!.

LEO LAPORTE:  This is Security Now! with Steve Gibson, Episode 1046, recorded Tuesday, October 7th, 2025:  Google's Developer Registration Decree.

It's time for Security Now!, the show where we get together with the brightest man I know and talk about the latest in security news, technology, with a dash of sci-fi, and every once in a while a pretty funny little Picture of the Week.  That's Steve Gibson.

STEVE GIBSON:  And we actually do have a dash of sci-fi, which we'll be getting to.  We have a release date for the second volume or the second tome of Peter Hamilton's whatever the hell that thing was.

LEO:  That means I have to finish that thing.

STEVE:  Oh.  I don't know, Leo.

LEO:  Archimedes Engine, yeah.

STEVE:  We'll talk about it.  I don't know.  But, yeah, we've got a ton of news.

LEO:  That's, by the way, that's when I bought the hardcover book.  We were talking about having a lot of stuff, you know, physical media, and how I love books.  But I bought the physical book because I thought it would be nice to have on my bookshelf.  I can never move.

STEVE:  Well, as I said, you and I love books.

LEO:  I do.

STEVE:  I do.  I mean, and...

LEO:  I have a library, the whole room dedicated to books.  It's beautiful.

STEVE:  Well, and I remember that was all there was, once upon a time.

LEO:  It's all we had. 

STEVE:  And so you spent a lot of time paging through books.  And now, you know, I have this huge library, I was telling Leo before that I'm going to be basically downsizing.  My wife and I are moving to another place, and we're not going to bring anything that we don't actually need because...

LEO:  It's a good thing to do.  You're going to do the Marie Kondo thing.

STEVE:  Yeah.

LEO:  You know about that; right?  If it doesn't spark joy, get rid of it.  You hold it up.  You say, does this spark joy?  And if it doesn't, you say...

STEVE:  Oh, unfortunately, Leo, pretty much everything sparks joy.

LEO:  You're very [crosstalk].  

STEVE:  So that's not my criteria.  I would love to have the ability to hold, just to keep everything.  But, I mean, I'm pointing with my finger there, that is a hard disk exerciser for a CalComp CDC or something or other, you know, old-school...

LEO:  Well, you can never get rid of that.

STEVE:  Actually, I do, and I have a garage full of PDP-8s and PDP-11s and things.  And so, you know...

LEO:  Oh, yeah, yeah.

STEVE:  So, you know, but I think I'm going to ask those Guaranteed Obsolescence guys how they would like to have some actual...

LEO:  There you go.

STEVE:  Yeah.  I think they would appreciate...

LEO:  Some reference gear, yeah.

STEVE:  Yeah.

LEO:  So what are we going to talk about on the show today?

STEVE:  Oh my god.

LEO:  Besides this great Picture of the Week.

STEVE:  Okay, lots of stuff.  For 1046, here's our first show of October, a ton of news.  Qantas says no one can releak their stolen data, which is the weirdest thing.  We talked about this a few weeks ago.  They got a temporary injunction.  Now it's permanent.  But, what?  Anyway, we'll get there.

The Brave browser's usage is up, but they make a claim that is just so annoying.  I mean, to me, it just - it ends their credibility for them to say their browser is three times faster than the competition.  It's like, what?

LEO:  Huh?  Huh?

STEVE:  It's based on Chromium.  It's the same as the competition.  Anyway, next Tuesday the EU - oh, boy, everyone's holding their breath on this one.  There's been some motion among the various countries in the EU will be voting on Chat Control.  That'll be the 14th, so I don't think we'll have any probably results by next Tuesday's podcast, but certainly the one after.

Microsoft has formally launched a Security Store.  So maybe you can actually buy security from Microsoft.  I wouldn't hold my breath, but okay.  They're selling something.  Outlook has decided that they want to block JavaScript in SVGs.  Oh.  We have a new release of Chrome.  Gmail saying they will no longer pull external email via POP.  That's not security related, but I thought maybe that would affect our listeners, so I wanted to let them know because I ran across it when I was digging around through other stuff.

Google Drive to start blocking ransomware encryption.  The UK has reissued an order to Apple.  I love that, ordering Apple to do something.  Good luck.  Researchers have created something called the Battering RAM attack device.  HackerOne, we've got news on their bug bounty payoffs.  Imgur, that service, has gone dark across the UK.  Guess why?  Netherlands plans to say no to Chat Control.  We'll be talking about that.  Discord was breached, and guess what leaked out?  Oh, boy.

LEO:  Uh-oh.

STEVE:  We saw this coming.  Also Salesforce is saying, oh, no, that was not another new breach.  They're trying to do some damage control still.  Signal introducing post-quantum ratcheting.  They have right now a double ratchet.  That's not good enough for these guys.  I mean, they are really serious about encryption.  We're getting a triple ratchet.  And it turns out your motherboard might actually support TPM 2.0, and you wouldn't know it, and Windows wouldn't tell you.

So finally, once all of that and a Picture of the Week and some feedback from our listeners and a brief mention about SpinRite and a little bit of sci-fi, we're going to look at how Google has decided to force Android devs to register, provide formal identification, and pay, and what that means for the Android store.  We have - I found a really beautifully written response from a well-known guy who has been doing a lot of work over at F-Droid, saying that basically F-Droid is effed.

LEO:  Toast, yeah.

STEVE:  If Google does this.

LEO:  I'm so disappointed.  I've really wanted to hear what you have to say about this.

STEVE:  Yeah, it feels like a bait and switch, I mean, like now...

LEO:  It's very disappointing.

STEVE:  Now that we've got you all here, we're going to make you unmask.  Anyway...

LEO:  Well, I don't know if you were listening to MacBreak Weekly earlier, but we were talking about with Apple's withdrawal of ICEBlock at the request of the federal government, we were saying, you know, really maybe the solution is having a second store or web-based app so you're not the sole place people can get apps from.  But Google seems to be moving in the opposite direction.  They like it.  They like that lock-in.  Well, we'll talk about that in a little bit.

STEVE:  Yeah.

LEO:  I have the Picture of the Week queued up.  My reaction will be fresh and unsullied.  I have not looked at it.

STEVE:  And not immediate.  I should explain to our listeners what I already said to you.  This is a wonderful Picture of the Week.  I mean, this is, like, tailor-made for this podcast.  But when I saw it I had to, like, what?  And, like, read it all.

LEO:  Think about it.

STEVE:  Think about it for a minute.  And then it was like, OMG, this is the cleverest thing.  Now, okay, I know it's not the cleverest thing I ever saw.  But I want to say that.

LEO:  It's up there.  It's in the top hundred.

STEVE:  It's way - this is just great, yes.

LEO:  Now we got back to Steve, and I shall pull up the Picture of the Week, and I will - actually, you know what?  Let me leave all three of us onscreen because I think this will fit.  And I'm going to scroll up.  This is so clever, you can see me trying to decipher this.  It says "Black Wallet Found.  You can contact me by solving this equation."  Okay.  Now I need to go full screen.  You add your birthday to this number, and that will give you a phone number.  "On Monday I will deliver it to the police station."  Ah.  Because the wallet has his driver's license.  So the guy who posted this knows what his birthday is.  So he has encoded his phone number.  And you would only be able to get his phone number if you knew what your birthday was.  If you're the owner.  

STEVE:  Exactly.  Exactly.

LEO:  Brilliant.

STEVE:  Isn't that just so cool?

LEO:  Yeah, you know, the other day I was walking by a store, it said:  "Lost keys.  Come in if you're missing your keys."  And they hung the keys on the sign that said "Lost Keys."  That's not how you do it.  You say, "I've got them in my pocket.  Can you describe them?"  Right?

STEVE:  Right.  Right.

LEO:  This is a great way to do it.

STEVE:  I thought this was just so clever.  So for those who are listening to this going, "Huh?  Huh?  What?"  Okay.  So some person has left his wallet, like it fell out of his back pocket when he was at the restaurant.  And some clever person comes along and discovers the wallet.  And he thinks, okay, well, now, I found the guy's wallet.  And I want to make sure it gets back to him.  So how can I leave a note such that only the legitimate owner of the wallet will essentially authenticate himself and call me so that we can arrange to get his wallet back to him?

So the person who discovers the wallet knows what his own phone number is.  So he writes his own phone number out.  Then beneath that he puts down the day, month, and year under the digits right aligned of his phone number, and subtracts those two numbers.  The phone number will be 10 digits so it's larger than the day, month, and year.  Subtracts the day, month, and year, getting a new number.

LEO:  You know that he did it that way because this is written on graph paper.

STEVE:  Yeah.

LEO:  And everything fits nicely into a little square.

STEVE:  And they are, you're right, they are lined up in the graph squares, yes.  So then he takes the resulting number, and this is what he writes down on this piece of paper because since his phone number minus the guy's day, month, and year birth date created another number.  When you take that other number and add the lost wallet owner's day, month, and year number, you'll get back the phone number of the person who discovered and is holding the wallet.  Anyway, I just thought this was so clever.

LEO:  Good way to do it.  I like it.

STEVE:  Many of our listeners got it and thought it was great.  A couple, because they're our listeners, of course, said, well, you know, Steve...

LEO:  I know [crosstalk] going to say birthday collisions; right?  Birthday collisions.

STEVE:  Not that as much as the fact that come on, now if the year is four digits, you know it's going to probably be 19, maybe 20.

LEO:  19, yeah.

STEVE:  So anyway...

LEO:  Two numbers.

STEVE:  Everybody understands the nature of entropy.  And we've gone over that for years in various reasons and forms on the podcast.  So they're like, oh, you know, this could have been better.  And other people wanted the day, month, and year moved into other orders for various reasons, or the digits interposed.  I said, okay, you know, yeah.  But you get the idea.

LEO:  You know what, this is just a filter system; right?  So he has a second-factor authentication.  You know, like what's in the wallet or something like that.  This is just a filter out...

STEVE:  Yeah, well, and presumably there's a picture of the guy on his driver's license.  So when the guy shows up, it's going to be like, uh, wait a minute, you used to have blond hair.  So...

LEO:  I think you could just pop that in the mail, and the post office will deliver it.  But that's all right. 

STEVE:  Anyway, I just thought it was very clever.

LEO:  Very clever.

STEVE:  Okay.  So we touched on this weird story in July.  After the Australian Airline, Qantas, you know, Australia's big famous airline Qantas, was able to obtain a temporary injunction, get this, to prevent the use of data which had been stolen from them in a recent ransomware attack.  Okay.  What?  No.  I mean, even then, okay, so that temporary injunction has now been made permanent by the Australian New South Wales Supreme Court.  This court order, which Qantas now has, prevents third parties from publishing, viewing - can't even look at it - or accessing the data if it should be released by the attackers.

Turns out that, I mean, this was a bad breach.  5.7 million Qantas Airlines customers were compromised in a data breach which there was one - it was a breach of one of the airline's call centers.  The data that was stolen included the business and residential addresses attached to 1.3 million accounts, phone numbers of 900,000 customers, and the dates of birth of a further 1.1 million.  So it's a mess.  The ruling justice of the Supreme Court in this case also agreed to impose a six-month, what they called a "non-publication order," basically a gag order, for the press over the names of the, they call them "solicitors" in Australia, you know, the attorneys who were acting on Qantas's behalf in the matter, the attorneys insisted that their identities not be published in any press coverage for fear of retaliation from the attackers.

You know, this is the world we live in today where, you know, like everyone feels vulnerable, even if you didn't do anything and you're not high profile.  So the whole thing seems really bizarre.  Now, I'm pretty certain that the attackers could not care less, the attackers who are probably in Russia or China, you know, could not care less who Qantas hired to obtain an order blocking the publication of their stolen data, any more than they could care about some Australian court order blocking the publication of that data.

You know, it's not as if anyone who might use the stolen data would be law abiding and would feel the least bit constrained by some court order issued by another country.  You know, the data would be released to the Dark Web, perhaps be merged into a larger aggregate database, which we've seen in the past.  Who knows?  But no reputable law-abiding entity that might manage to obtain the data would be re-publishing it anyway, with or without a Supreme Court order.

So anyway, the only thing that makes sense to me, some of the coverage had a picture of the Qantas CEO.  The only thing that made sense to me is that this was just what you might call a CYA move by the Qantas CEO to appear to be doing whatever responsible thing could be arranged after one of their call centers was breached.  So, you know, maybe this looks good to the shareholders.  Oh, we've got a court order, and the Supreme Court has given us a permanent injunction against our data being, you know, looked at by anyone who might see it after it's been released.  It's like, okay.  Well, the bad news is you were breached.  One would hope that they're spending equal time and money shoring up the security of their systems to prevent more trouble like this in the future because I don't think that the bad guys are going to be moved by them obtaining a court order.

Okay.  This one.  The news is, the news that generated the posting from Brave was the Brave browser has surpassed 100 million active monthly users, or monthly active, MAU, monthly active users is their abbreviation.  So here's what they wrote, and then we'll talk about it:  "Over the past two years," they said, "the Brave browser has seen an average of about 2.5 million net new users each month.  This September, we officially surpassed 100 million monthly active users (MAU) worldwide.  At the same time, we surpassed 42 million daily active users" - of course that's DAU, they share with us - "for a DAU-to-MAU ratio of 0.42, underlining the high engagement that users have with Brave."

And I completely agree with that.  If you've got 42 million daily active users, though you've got basically 42 million people for whom Brave is their browser.  You know, they don't have it, like, added to their collection of browsers.  Let's see, what should I use today?  Chrome?  Do I want to use Firefox or Brave?  No.  They're just using Brave.

They said:  "This growth has been fueled by a global awareness that Brave is an alternative to Big Tech and that users benefit greatly from a browser that preserves their privacy and is up to three times faster" - uh-huh - "than competitors.  Also, when users are given a choice, users exercise that choice and switch to new browsers.  For example, daily installs for Brave on iOS in the EU went up 50% with the new browser choice panel..."

LEO:  Oh, that's interesting.

STEVE:  "...following the implementation of the DMA and the release of iOS 17.4 back in 2024."

Okay.  So they go on, but we don't care.  Their usage numbers are nice, as I said, and they have an impressive, you know, upward-pointing graph.  But what really annoyed me was their utterly bogus claim - I mean, come on - "of being up to..."

LEO:  But wait a minute, they've got weasel words.  "Up to" three times faster means if you're using, like, Internet Explorer 6.  Right?

STEVE:  Okay, but that's not a competitor, really.

LEO:  No, I know, but they're saying "up to."

STEVE:  Yeah.  If you've got that, wait, my Palm Pilot browser, Leo...

LEO:  Exactly.

STEVE:  I would imagine...

LEO:  I'm sure there are browsers that are a third as fast as Brave somewhere.

STEVE:  If I took it out of the refrigerator and warmed it up, you know...

LEO:  Yeah.  By the way, are you going to take that with you when you move?

STEVE:  So I call nonsense on this.  Brave, as we know, is based upon the same Chromium engine as Chrome, Edge, Vivaldi, and Opera, their competitors.  And believe me, if it was possible for any of those browsers to go any faster, they already would be.  It's not as if the Brave folks have some magic pixie dust that they're keeping to themselves which magically triples the speed of their browser.  Brave is no faster than any of those others when it's doing the same job.  And that's the key.  You know, it can't be.  The only possible way for any browser that's using the same underlying engine code to render pages any faster would be for it to be rendering less of those pages.  And that's the only way I can see Brave makes any claim at  all.  But 300%?  Give me a break.

If you managed to find a web page that's massively loaded down with large advertisements bringing massive JavaScript blobs and tracking code and heavy scripting all being served by slow servers a long ways away, then okay, sure, okay.  If Brave's privacy enhancing policies block some of that crap from being loaded at all, it gets to declare "done" for that page faster than its sibling competitors, but only because Brave is choosing to render a partial page, whereas the rest of them are rendering the page's entire burden.

So the claim did drive me to poke around the 'Net to see what I could find.  There are some useful head-to-head benchmark comparisons on the Android platform where, when Brave is loading a heavily privacy-disrespecting page, it manages to perform around 21% better than browsers that are rendering the entire page.  So that's useful.  It means that sometimes Brave will, indeed, be a little bit faster than other browsers.  But, you know, Brave should be ashamed of themselves for claiming that users will, in any meaningful way, actually ever experience Brave running three times faster than its competitors.  As I noted, they're actually all the same browser.  They differ only in UI and feature policies, not in their underlying page-rendering technologies.

LEO:  This is true.

STEVE:  They can decide not to render some things that they think are privacy invading.  And in not rendering them, they'll finish a little quicker than the browsers that do render everything that they're being asked to render.

LEO:  I guess the real question is, is the Blink engine or the Chromium engine any faster than Firefox's engine, or WebKit Safari's engine.

STEVE:  That would be, it'd be Safari or Firefox would be the actual alternative to compare.  I just looked at this saying, you know, we're 300% faster than our competitors.  That's like, if you were, you wouldn't have any competition.  You know, one of the things that we know Google found out very early on is how fast they had to make Chrome.  And, you know, they spent a long time working on Chrome speed optimization back in the day. 

I have a chart here in the show notes, bottom of page 3, showing the Brave adoption.  And, I mean, it's impressive.  There's no doubt about it.  I mean, Brave is doing well.  People are responding to the, I mean, I did.  When Firefox wasn't randomizing my fingerprint, I switched to Brave for a while.  I came home to Firefox.  But, you know, I can see people thinking, hey, what the hell, it's just as fast.  Maybe it's three times faster.  No.  But I might as well use Brave.

LEO:  I don't like the crypto association with Brave, and I'm not too crazy about Brendan Eich.  So I don't, you know, there are other choices.  I use Helium, lately I've been using Helium which is a Chromium, de-googled Chrome Chromium fork that has uBlock Origin built in, so you get uBlock Origin back.  And it's just like Chrome.  And I get you that's faster than Brave because it doesn't have all the BAT tokens and all the other stuff Brave's doing.  Right?

STEVE:  Right.  Right.  Right.

LEO:  It feels pretty snappy.

STEVE:  Okay.  So next Tuesday, as I mentioned, October 14th, the EU member countries vote on "Chat Control," as it's informally known.  Some news coverage from last Wednesday, which I had Firefox translate from German, reads:  "The head of the messenger app Signal" - who we all know is Signal's president Meredith Whittaker - "threatens to withdraw from the European market.  The reason is the EU's plan to install backdoors in apps that allow automatic search for criminal content."  That's actually a pretty good explanation of what this boils down to.  

The translation continues:  "The head of the Signal app has criticized plans in the EU, according to which Signal Messenger should have backdoors to enable the automatic search for criminal content.  Meredith Whittaker told the DPA news agency: 'If we were faced...'"  And, you know, she probably has this printed on her business card so she just hands that out.  "'If we were faced with a choice of either undermining the integrity of our encryption and our privacy safeguards or leaving Europe, we would unfortunately make the decision to leave the market.'"  Which, you know, Leo, if this goes far enough, means that only our own administration will be using Signal.  Anyway...

LEO:  By the way, that's one of the things about Chat Control that the EU...

STEVE:  Right.

LEO:  ...legislators exempt themselves.

STEVE:  The government excludes - yes.

LEO:  Holy cow.  That's a tell right there.

STEVE:  And how is that, how exactly is that going to work in practice?  Like, you know, how do you tell, you know, Signal, oh, no, no. I'm with the Parliament, so...

LEO:  I'm okay.

STEVE:  So you can't look at my pictures.  So this announcement said:  "The European Union has been deliberating for three years" - yes, because, I mean, admittedly these are hard problems - "on a law to re-regulate the fight against depictions of child sexual abuse.  The proposal of the corresponding regulation stipulates that messengers such as WhatsApp, Signal, Telegram, or Threema should enable the content to be checked before encryption."

Okay, now, that key should be checked before encryption.  This is not the first time that we've seen this new language talking about checking the content before its encryption.  If this were going to be done, that's the way to do it.  You have an image that's essentially in plaintext before it's pushed through the encrypted tunnel.  So don't screw with the encryption.  Don't mess with backdoors or any of that nonsense.  If you insist upon breaching the user's privacy, don't also weaken the integrity of their communications at the same time.  Simply check the image before it's sent or after it's received.

But here's where I hope somebody with some technical chops is paying attention.  No application running on iOS or Android has any contact whatsoever with the underlying imaging hardware, either its capture or its display.  All of the messaging and communications apps are application programs, so they are accessing an application program interface, which we shorten to  API, which is published by the underlying operating system to give its client applications, those programs with apps running on it, access to camera and stored images and to the device's screen.  The API deliberately divorces all of the hundreds of thousands of platform applications from the underlying hardware.  This allows the manufacturer the freedom to change their smartphone hardware at will.  It explains why the same app can run on wildly differing smartphones without any trouble at all.

And, of course, you know, this is all Computer Science Operating Systems 101.  During the first year, it turns out, of my life, 70 years ago between 1955 and 1956, just shortly before you were born, Leo, General Motors Research, working with IBM, developed what was known as the GM, for General Motors, -NAA I/O system for the IBM model 704 mainframe computer.  That work, for the first time in human history, used an I/O abstraction layer between the programs running on the machine and its underlying hardware.

LEO:  This is fascinating.  I had no idea.  Fascinating.

STEVE:  Needless to say, the idea was a good one, and it stuck.  And it's been evolving ever since.  So here's my point:  It is completely wrong-headed for any legislation to be aimed at any communicating platform application, whether it's encrypted or not.  That's the wrong target.  And if that's the target, that is, if it is made to be the target, then we're playing an endless game of Whac-A-Mole.  The legislation should be directed at the underlying operating system.  It's the OS that runs the camera, and the screen, and the storage.  It's not any messenger app's fault if it's given an abusive image to send.  It's the operating system that gave that image to the messenger app in the first place.  The operating system always sees the image first.

And if the EU insists upon some behavior based upon the detected content of the image, then the operating system is the proper place to have that happen.  If this is not done, then every application that communicates, whether encrypted or not, will need to be doing this, including iOS's and Android's own built-in encrypted Messenger apps.  You know?  We have printer drivers today so that every application doesn't need to bring along its own collection of printer drivers.

Filtering messaging content is exactly the same.  Rather than expecting every application to do this separately, which is crazy, especially since iOS and Android will also be needing to have this technology themselves to support their own legally EU-compliant messaging apps, it ought to be centralized.  And that solves the problem of there being black market messaging apps that don't do this, whereas the good apps are complying.  If this is moved into the underlying OS, no apps will have access to the hardware, and there's no way to get around this.  So I just wanted to make sure everybody understood that there is one place for this to happen.  Lord knows Apple doesn't want to have anything to do with that.  I don't know where Google and Android would stand.  But that's the right target for this legislation.  So we don't know what's going to happen one week from today.

But, you know, it's only a week away.  Twelve of the EU bloc's 27 members have publicly stated that they are going to back the proposal with yeas.  Eight are against.  And the rest have said they're undecided.  The proposal will pass if the Council is able to obtain what they define as "qualified majority."  In this case that means at least 55% of the 27 member states, so that would be 15 of 27, and that majority must also represent at least 65% of the EU's total aggregate population.  Also, the measure could be blocked by at least four countries which represent more than 35% of the EU population voting no.

So this is obviously a big deal.  We'll know in a week, or in a week or two.  But the vote will be happening next Tuesday.  So, really interesting to see how this thing shakes out.  With any luck, it'll just - it won't succeed, again.  In which case they'll, you know, who knows what, try to change it, amend it, you know, three years and counting.  So this is obviously a heavy lift.

Leo, we're going to talk about Microsoft's Security Store, which they just announced last week.

LEO:  Oh, I didn't know security was for sale.

STEVE:  Oh, yeah, because that's a profit center, Leo.  If you've got bugs, you can charge for fixing them.

LEO:  The Security Store.  Let's all go shopping.

STEVE:  That's right.  Securitystore.microsoft.com, for anyone who wants to jump ahead.

LEO:  Unbelievable.  Unbelievable.  I swear.

STEVE:  Anyone going to the URL securitystore.microsoft.com will find themselves looking at Microsoft's just launched Security Store, as the name would suggest, from which Microsoft is literally selling Azure solution solutions.  So just to be clear, this is not for end-users.  This is not for, you know, us.  But it's, you know, Azure cloud-based, and there it is onscreen.  Discover, buy, and deploy security solutions and agents.

LEO:  I think their tagline should be, yes, your security is for sale.

STEVE:  Oh, wow.  So last Tuesday, the Microsoft Security Community Blog posted under the title "Introducing Microsoft Security Store," which starts out saying:  "Security is being reengineered" - because, you know, we didn't get it right the first time - "for the AI era" - of course we had to get that in - "moving beyond static, rule-bound controls and after-the-fact response toward platform-led, machine-speed defense."  Ooh, that all sounds wonderful.  I wonder what it costs.

"We recognize that defending against modern threats requires the full strength of an ecosystem, combining our unique expertise and shared threat intelligence.  But with so many options out there, it's tough for security professionals to cut through the noise" - and of course they're creating some more - "and even tougher to navigate long procurement cycles" - yeah, you don't want those.  You just want to click a button and have it - "and stitch together tools and data before seeing meaningful improvements.

"That's why we built Microsoft Security Store, a storefront designed for security professionals to discover, buy, and deploy security SaaS solutions and AI agents from our ecosystem partners such as Darktrace, Illumio, and BlueVoyant.  Security SaaS solutions and AI agents on Security Store integrate with Microsoft Security products, including Sentinel platform, to enhance end-to-end protection.  These integrated solutions and agents collaborate intelligently, sharing insights and leveraging AI to enhance critical security tasks like triage" - wait, isn't that what happens after you get attacked?  Anyway, "threat hunting, and access management."

So anyway, the page continues at some length describing how the Security Store essentially allows security professionals to browse, point, click, purchase, deploy, and manage their cloud security more easily than ever before.  No more waiting for those pesky purchasing cycles and authorizations.  You know, just get what you need and start using Microsoft's new "Security Copilot" solutions in minutes.

So I have no doubt that we have many listeners who will probably find this new Microsoft packaging and deployment to be very useful, so I just wanted to make sure that those listeners were aware of this new facility.  I am fortunate that I have nothing to do with Azure.

LEO:  Yeah, yeah.

STEVE:  And I will be able to live out the rest of my life happily with that statement remaining true, I'm quite sure.

Okay.  So there's welcome news on the Scalable Vector Graphics security front.  Remember earlier this year the world saw a dramatic rise in the abuse of SVG-format image files.  To ours and many other people's surprise and astonishment, it turns out that SVG image files, being formatted and formally defined as XML, have always, from version 1.0, been allowed to contain JavaScript, which would be faithfully executed whenever the image was rendered by whatever was rendering it, like unfortunately people's email, you know, clients.

So this capability pretty much sat idle for most of that image format's life because SVG's been around for quite a while, until it was recently rediscovered by malefactors and starting being abused with increasing frequency.  So much so that the, I mean, like, everybody, all the security industry, did articles on the explosion in scalable vector graphics abuse.  Various product vendors changed the behavior of their SVG rendering code, such as stripping out <script> tags and its related code before rendering the images that were being described by the SVG files.  And to that end, Microsoft has just announced that they are joining that group.

They said:  "Starting September 2025, Outlook for Web and new Outlook for Windows" - remember there's the old Outlook for Windows and new Outlook for Windows, so if you're on the old one, good luck.  The new Outlook for Windows will stop displaying inline SVG images, meaning at all.  They're not even going to show you the image.  They're just, like, no.  They're going to instead show a blank space.  They said:  "This affects under 0.1% of images, improves security, and requires no user action.  SVG attachments remain supported.  Organizations should update documentation and inform users."

So, images embedded in Outlook email so that they would normally be displayed, like when you look at the email, that will no longer happen.  You just get a little, you know, an empty rectangle.  And this only applies to SVG images which, as Microsoft correctly notes, accounts for a miniscule percentage of all email images.  You know, when any of us are sending images around in email, we're using GIFs, JPEGs, and PNGs.  That's your typical embedded email image format.  So anyone who needs to send an email can attach an SVG file to the email.  It will not be rendered, but it'll be there as an attachment.  So tough luck, bad guys.  You had, what, nine months, and then everyone finally responded.  So unfortunately nine months is quite a while.  Still.

Chrome has advanced to version 141.  The web functions that Chrome supports moved forward.  There was something about wallet credentials being changed.  I jumped on that thing.  Ooh, maybe this is wonderful.  Turns out it was just an incremental little tweak, nothing significant.  There were two high-priority vulnerabilities patched.  The most severe of the two, which was patched in 140, so it's been fixed in 141, was a heap buffer overflow in the WebGPU component.  The person who discovered that earned themselves $25,000.  And I just, whenever I see these bounties being paid by Google and for Chrome, I think that's the right way to go.  You absolutely need to incentivize the security researchers to spend some time looking around, and they're finding things.

The second critical or high-priority vulnerability was also a heap buffer overflow, but that one was in the browser's video component, and that earned its reporter $4,000.  There was also a $5,000 bounty paid for a side-channel information leakage which was found in the storage component.  All told, 21 security problems were fixed, and Google paid out a total, you know, that 25K, 4, and an additional 5, a total of $49K to external security researchers.  So anyway, it's just clear that the concept of paying researchers bounties for their responsible reporting of bugs is a winning strategy.

I did want to also mention, just because I saw this, as I mentioned before, one little more note about Google, specifically Gmail.  Not security related, but perhaps affecting some of our listeners.  Starting January of next year, Google will be eliminating Gmail's "POP Fetching" feature which pulls email from other external accounts via POP, the Post Office Protocol, into Gmail accounts.  So Google recommends that users who wish to have their other email accounts sent to their Gmail inboxes, instead of having Gmail pull it using POP, to have their mail forwarded to Gmail in order to get the transfer.  So push it from the recipient end, rather than pulling it from the Gmail end.

And in a move that I expect we're going to be seeing everyone adopt, actually a lot of companies have so far, Google announced that their Drive product for Windows and MacOS has been enhanced now to detect and block ransomware.  And of course, you know, they couldn't resist tossing in the fact that it's enhanced with "AI" because, you know, Leo, you sprinkle some AI on anything and it makes it better.

LEO:  It's all better.  Yeah, oh, yeah.

STEVE:  That's right.  So they announced:  "While native Google Workspace documents," and they said, "e.g., Google Docs and Sheets, are not impacted by ransomware, and ChromeOS has never had a ransomware attack" - oh, gee - "ransomware," they wrote, "is a persistent threat for other file formats - PDFs, Microsoft Office, et cetera - and desktop operating systems, for example,  Microsoft Windows," they said, "that's why we're enhancing Google Drive for desktop with [once again] AI-powered ransomware detection" - because you know, Leo, you need AI to detect ransomware - "to automatically stop file syncing and allow users to easily restore files with a few clicks."

I've got a picture of the pop-up that they gave as an example, where over on top of your Google Drive UI it pops up and says:  "Ransomware detected:  File syncing paused on August 12, 2025 at 8:29 a.m."  Then they say:  "What is ransomware?  Harmful software that prevents access to a computer system until an amount of money is paid."  Then it says "Your files are safely stored in Drive, but you need to remove the ransomware from your computer.  You should also make sure you have effective and up-to-date antivirus software installed."  Then they add:  "Drive keeps old file versions for 25 days, so you should initiate a restore in less than 25 days."  No one says "fewer" anymore.  "Follow the steps below to begin local file recovery."  And then they go on.  So anyway...

LEO:  That's a personal pet peeve of mine, by the way.  I just [crosstalk] use "less" instead of "fewer."  I just...

STEVE:  Me, too.  I hear it all the time.  It's like, well, okay.

LEO:  If you can count it, use "fewer." 

STEVE:  Exactly.

LEO:  Yeah.

STEVE:  They said:  "In addition, the built-in virus detection in Drive, as well as in Gmail and Chrome, helps to prevent ransomware from spreading to other devices with the aim of taking over an entire network.  As a result, these defenses can help organizations in industries such as healthcare, retail, education, manufacturing, and government" - which is to say pretty much all industries - "from being disrupted by the types of ransomware attacks that have been so destructive up to this point.

"Drive for desktop, available on Windows and macOS, is used to effectively and securely sync users' files and documents to the cloud."  I don't think there's anything else that we don't know here.  When Drive detects unusual activity that suggests a ransomware attack, meaning like lots of files are being scrambled, it automatically pauses syncing of affected files, helping to prevent widespread data corruption across an organization's Drive and the disruption of work.

"Users then receive an alert on their desktop via email, guiding them to restore" - oh, I'm sorry, "on their desktop and via email."  I was going to say, wait a minute, that's not really very good if it's only in email.  "On their desktop and via email, guiding them to restore their files."  And also of course notifying them that they apparently have ransomware that they didn't know about, and maybe their IT department doesn't yet either.

"Unlike traditional solutions," they said, "that require complex re-imaging or costly third-party tools" - they didn't say or paying ransoms - "the intuitive web interface in Drive allows users to easily restore multiple files to a previous, healthy state with just a few clicks.  This rapid recovery capability helps to minimize user interruption and data loss, even when using traditional software such as Microsoft Windows and Office."  Which, you know, are always being hit by that nasty ransomware.

So anyway, bravo, Google.  Other well-known cloud-based file backup solutions like Dropbox, Backblaze, Veeam, FileCloud, and Scality have been marketing similar ransomware protections for their backup solutions.  So pretty much anytime you have file versioning and file deletion protection in place, you're going to be able to recover from anything that attempts to bulk encrypt your files.  But it's nice to have, you know, Google Drive, which I know lots of people are using, also added to this list, able to detect and disconnect to minimize the impact of something trying to encrypt all of your system's data.

Under "If at first you don't succeed," last Wednesday Reuters' headline was "UK makes new attempt to access Apple cloud data."  Reuters re-reported a Financial Times article which was also published last Wednesday, which mostly recounted everything we already know.  What's new is that, according to the Financial Times report, the UK has now reissued a new order to Apple, requiring them to provide access to the iCloud data of any UK citizen.  This amended their previous "We demand access to anyone's data anywhere."  And once again, Apple was reportedly not impressed.

As before, all we have to go on here is off-the-record hearsay and speculation because Apple is gagged.  But it seems clear that this newer order won't go any further with Apple than the last one did.  I mean, Apple already disabled for the UK anyone turning on their ADP, Advanced Data Protection feature.  That's the immediate thing they did.  They didn't turn it off for anybody else in the world, just for the UK, sort of signaling what they were, you know, might be feeling the need to do if this actually happened.  And it does look like, in this case, Apple could, you know, say okay, fine, you are prescribing this only for UK citizens.  So we will, you know, push an iOS update and flip the switch off, or tell people that they have to, give them some length of time to do it themselves and then force it off or something.  Who knows?

Anyway, this revised UK order appears to be responsive to the U.S. administration, which stepped into the fray, objecting to a foreign government demanding access to the private data of U.S. citizens.  So the U.S. likely has no such worries over what the UK does with its own citizens.  In other words, that's fine, if that's what the UK wants to do.  But we know that Apple will be unhappy.  But if that's what the UK forces, they'll just turn off ADP.  We also know that the UK's Investigatory Powers Tribunal (IPT) confirmed last April that Apple had appealed the UK's earlier order.

So it's going to be interesting to see what happens next.  It may be that Apple reappeals this, trying to say please don't make us do this.  They may lose that appeal and then just turn off Advanced Data Protection for everybody in the UK.  Even though, you know, I've got to say again, the Internet really, you know, we've got all this geofencing going on all of a sudden; right?  Where, like, Bluesky people are dark in Mississippi.  Except that it turns out that people near Mississippi are getting blackholed also because the Internet really, you know...

LEO:  Doesn't know exactly.

STEVE:  What's a Mississippi IP?  There's no such thing.

LEO:  Right.  Right.

STEVE:  Wow.  Okay.  Now, this is not relevant to software security, but it was so interesting that I knew that our listeners would want to at least, like, see a picture of this thing.  And you can stick it up on the screen, Leo, if you want, at the bottom of page 8.  The Battering RAM attack.  A team of Belgian academics built - and actually it was KU Leuven, those guys - built a malicious memory module that can be used to break the confidentiality of modern cloud computing.  And this is why it was like, eh, okay.  Well, you know, hammering RAM is more significant, to my mind.  But the module, which they call Battering RAM, must be deployed by a rogue data center employee.

LEO:  Ah.  You need physical access, of course, yeah.

STEVE:  Well, and look at it.  It's actually an extender.  So it sits between the RAM and the motherboard and can allow attackers to break the security features of Intel and AMD processors which power cloud servers.

LEO:  So this, the top part, the green part's the RAM.

STEVE:  Yes.

LEO:  This red thing is the battering RAM.  And it's attached to, by the way, a Raspberry Pi Pico.

STEVE:  Yes, stuck off on the side.

LEO:  Yeah, it's hysterical.

STEVE:  And if you look at the red thing down in the lower half, you can see on the edges of it, I mean, it's made to be the profile of DRAM.

LEO:  Right.  It'd snap right in; right.

STEVE:  So you, yes, so you pull the real RAM out.  You stick this extender in.  And then you plug the original RAM into the top of the extender.  So basically this gives the Raspberry Pi Pico access where needed to the DRAM.  So basically...

LEO:  I think most servers are a little tighter packed than this.  I don't know if you could fit this.

STEVE:  That's exactly the problem.  That is exactly the problem.  There's no way that that's even going to fit in an actual server.

LEO:  Right.

STEVE:  So the guys that developed this said:  "With Battering RAM, we show that even the latest defenses on Intel and AMD cloud processors can be bypassed.  We built a simple, $50 interposer," as they called it, "that sits quietly in the memory path, behaving transparently during startup and passing all trust checks.  Later, with just a flip of a software switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory.

"Battering RAM fully breaks cutting-edge Intel SGX and AMD SEV-SNP confidential computing processor security technologies designed to protect sensitive workloads from compromised hosts, malicious cloud providers, or rogue employees.  Our stealthy interposer bypasses both memory encryption and state-of-the-art boot-time defenses, invisible to the operating system.  It enables arbitrary plaintext access to SGX-protected memory, and breaks SEV's attestation feature on fully patched systems.  Ultimately, Battering RAM exposes the limits of today's scalable memory encryption.  Intel and AMD have acknowledged our findings, but defending against Battering RAM would require a fundamental redesign of memory encryption itself.

"Unlike commercial passive interposers, which are exceedingly expensive and commonly cost over $100,000, we developed a custom-built interposer that uses simple analog switches to actively manipulate signals between the processor and memory, and can be built for less than $50."

So it's just, you know, it's meant to be a proof-of-concept device, but it does thoroughly prove the concept.  And this demonstrates why Apple has been so ruthlessly rigorous with the physical security of the servers in their iCloud data centers.  Remember that they, like, were x-raying them and taking high-resolution photographs, I mean, really protecting the physical manufacture of their devices, anything that they allow into the iCloud data center because they recognize that, like, this is one line of attack.  They fully realize that physical access to a server basically means that all bets are off.

Anyway, so the device, as you said, Leo, is not practical to use since the DRAM is elevated about an inch and a half away from its original socket, where it would likely not fit with any kind of a standard closed server chassis.  Generally those have a bunch of RAM in a row.  Then they have a hood covering it, and then forced air through the RAM.  So there's just no way you could even close the lid on the server, or slide it back into the rack.  So, but the point was to create a proof-of-concept device, rather than a practical attack platform.

LEO:  Yeah.  You could probably miniaturize it.  Yeah.  You can make it smaller, yeah.

STEVE:  Right.  I wanted to mention that the HackerOne bug bounty platform paid $81 million to security researchers over the past year.  The company received almost 85,000 - think about that, 85,000 - valid bug reports and paid out an average of $1,090 per award.  Some obviously much more than that because I'm sure that there were, you know, many lower value payouts.  But a total of $81 million paid to researchers.  And also the report said that vulnerabilities in AI products were a rising category this year, with more than $2.1 million paid to researchers.  Most of those reports were for the discovery of new prompt injection attacks, you know, where you sweet talk the AI into doing something that it's not supposed to do, technically.

Oh, and I can't wait to talk about this next piece of news, which we will get to, Leo, after our next break.

LEO:  Oh, well, if you can't wait to talk...

STEVE:  Because Imgur links are now broken.

LEO:  Oh, I saw that, yeah.  What a mess that is.

STEVE:  I know.  Okay, so the extremely popular online image hosting site, Imgur, I-M-G-U-R, felt the need to remove its service from the UK.  The first I heard of this was when the people I interact with in the UK, testing the DNS Benchmark, reported that they were unable to use their preferred image posting and hosting site, Imgur.com.

Imgur has posted a page titled "Imgur access in the United Kingdom," which says:  "From September 30, 2025, access to Imgur from the United Kingdom is no longer available.  UK users will not be able to log in, view content, or upload images.  Imgur content embedded" - again, here's a real issue.  "Imgur content embedded on third-party sites will not display for UK users."  Wow.  What we've been anticipating is happening.  This is what that looks like.  So here's what the BBC's reporting explained under their headline "Imgur blocks access to UK users after regulator warned of fine."

They wrote:  "Image-hosting platform Imgur has blocked people in the UK from accessing its content.  Imgur is used by millions to make and share images such as memes across the web, particularly on Reddit and in online forums."  And yeah, like GRC's newsgroups, which are deliberately text-only.  So anyone who wants to post something typically uploads it to an image hosting site. 

They wrote:  "But UK users trying to access Imgur on Tuesday," that is, last Tuesday, "were met with an error message saying 'content not available in your region,' with Imgur content shared on other websites also no longer showing.  The UK's watchdog, the Information Commissioner's Office (ICO), said it recently notified the platform's parent company, MediaLab AI, of plans to fine Imgur after probing its approach to age checks and use of children's personal data.  A help article on Imgur's U.S. website, seen by the BBC, states that 'from September 30, 2025, access to Imgur from the United Kingdom is no longer available.  UK users will not be able to log in, view content, or upload images.  Imgur content embedded on third-party sites will not display for UK users.'

"The ICO," wrote the BBC, "launched its investigation into Imgur in March, saying it would probe whether the companies were complying with both the UK's data protection laws  and the children's code.  These require platforms to take steps to protect children using online services in the UK, including minimizing the amount of the data they collect from them.  A document published by the ICO alongside the launch of its investigation stated that Imgur did not ask visitors to declare their age when setting up an account.  It said on Tuesday it had reached initial findings in its investigation and, on 10th of  September, issued MediaLab with a notice of intent to impose a fine.

"Tim Capel, an interim executive director at the ICO, said:  'Our findings are provisional, and the ICO will carefully consider any representations from MediaLab before taking a final decision whether to issue a monetary penalty.  We've been clear that exiting the UK does not allow an organization to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing."

So, yikes.  That's a little chilling.  Seems rather harsh.  But I suppose that retroactive responsibility is a necessary thing to impose, otherwise the law will just be ignored until notice is given.  The BBC wrote:  "The watchdog would not elaborate on what its findings were, nor the details of the potential fine, when asked by the BBC.  Tim Capel said:  'This update has been provided to give clarity on our investigation, and we will not be providing any further detail at this time.'

"Some Imgur users and reports speculated as to whether Imgur moved to block UK users from its services, rather than comply with child safety duties recently imposed on some platforms under the Online Safety Act.  Among these are requirements for sites allowing pornography or content promoting suicide and self-harm to use technology to check whether visitors are over 18.  But both the ICO and Ofcom" - the media regulator enforcing the Online Safety Act - "said Imgur suspending access for UK users had been its own 'commercial decision.'  An Ofcom spokesperson told the BBC:  'Imgur's decision to restrict access in the UK is a commercial decision taken by the company and not a result of any action taken by Ofcom.  Other services run by MediaLab remain available in the UK, such as Kik messenger, which has implemented age assurance to comply with the Online Safety Act.'"

So it feels as though we're going to be passing through a period of turmoil and confusion until the technology has the chance to catch up to the legislation, which is, as we know, barreling along without much apparent concern for the feasibility of implementing the controls that it is mandating.

And I should note that Imgur is not alone.  Last Friday, March 3rd, ICO, that's the UK's regulator, posted under their headline:  "Investigations announced into how social media and video sharing platforms use children's personal information."  They wrote:  "We are today announcing three investigations looking into how TikTok, Reddit, and Imgur protect the privacy of their child users in the UK.  Our investigation into TikTok is considering how the platform uses personal information of 13 to 17 year olds in the UK to make recommendations to them and deliver suggested content to their feeds.  This is in light of growing concerns about social media and video sharing platforms using data generated by children's online activity in their recommender systems, which could lead to young people being served inappropriate or harmful content.

"Our investigations into Imgur and Reddit are considering how the platforms use UK children's personal information and their use of age assurance measures.  Age assurance plays an important role in keeping children and their personal information safe online.  There are tools or approaches that can help estimate or verify a child's age, which then allow services to be tailored to their needs or access to be restricted.

"The investigations are part of our efforts to ensure companies are designing digital services that protect children.  At this stage, we are investigating whether there have been any infringements of data protection legislation.  If we find there is sufficient evidence that any of these companies have broken the law, we will put this to them and obtain their representations before reaching a final conclusion."

It should be abundantly clear by now that, regardless of how anyone feels about it, and no one objectively wants this, the accurate determination of the age of anyone using a social media or content-sharing service will be part of the cost of doing business going forward in the future.  It may only be in the UK and a few states in the U.S. today, but the entire European Union doesn't feel far off, and many other U.S. states have their own legislation working its way through their internal legislatures.  And this feels like something which will accelerate as more and more regions are seen to be successfully adopting these new laws.

LEO:  And it will be incumbent on every single site and app and everything.  The problem is, you know, we have a Mastodon.  I don't know how I'm supposed to do this.  I don't - we're going to have to shut down all of our forums and Mastodon and...

STEVE:  Just like these accursed cookie pop-ups.  It's like, what a mess.  Every site you go to.  Yes, fine, use cookies, use cookies, use cookies, use cookies.

LEO:  Now, there's - by the way, podcasts have no way of doing this.  This is an RSS feed.  We literally have no way of knowing anything about you.  Except your IP address when you come to download it.  How are we supposed to do that?  Are we going to be required to do that?  How are we supposed to do that?

STEVE:  That's really interesting, Leo.

LEO:  Well, if in five years you don't have any social networks, you don't have any podcasts, you don't have any websites, you don't have any games, you can...

STEVE:  Blame the people you elected.

LEO:  Yeah, you can thank the governments because that's what they're headed towards.  It's just not viable.  It's not feasible.  I mean, it's going to affect me directly.  You know, Facebook can do this.  Google can do this.  The incumbents, the big guys can do this.  It only affects the little people.  That's who it affects, the small independent sites.  And podcasts.

STEVE:  Well, and wait till you hear what happened with Discord.

LEO:  Oh, boy.

STEVE:  But first, in other late-breaking news regarding the embattled EU Chat Control legislation, the Dutch government of the Netherlands has stated that it plans to vote No on Chat Control when that measure comes up for a vote next Tuesday.  Minister Van Oosten's letter to Parliament states that the Netherlands cannot support the proposal in its present form, citing privacy concerns, encryption risks, and proportionality issues.  The ministry emphasizes that combating child sexual abuse remains vital, but insists on "legally sound, effective, and privacy-respecting" measures.

Okay.  To which I say, these politicians want the impossible, which is why this is a supremely difficult problem.  On the one hand, they say that they want a privacy-preserving solution.  But if the goal is to combat the sharing of illegal content, and the only way it's possible to know whether content is illegal is for someone or something to look at it, then that, by definition, requires that everyone's privacy be compromised.  You literally can't have it both ways.  And as has been pointed out, breaching everyone's privacy is a direct contravention of the EU's existing and well-established privacy protections.  EU-wide.

Meanwhile, as last reported that Germany was planning to vote No, but it has since been reporting that they're apparently succumbing to pressure, and I don't know from where, and may be voting in favor next Tuesday.

LEO:  This is the big one because they have the most members of the European Parliament.

STEVE:  Ah, okay.

LEO:  So this is a big bloc.

STEVE:  Because it does, as I noted before, it is about the size of their population.

LEO:  This is the swing state for this whole thing.

STEVE:  Wow.  Wow.  And Germany, you'd think they would, like, know.

LEO:  They're big on privacy; right?  More than any country I know.

STEVE:  Yes.

LEO:  By the way, this is a proposal from Denmark.

STEVE:  Yes.

LEO:  Which is interesting.

STEVE:  Yes.  Because you know how the presidency of the EU rotates around.  And I don't remember who it was last.  But, I mean, this thing's a hot potato, and it landed in Denmark's lap, and they decided, okay.

LEO:  Okay, we're going to do it.

STEVE:  Let's have a vote now and see, you know, do the right thing.  No.  It is a mess.  You know, all of the independent messaging platforms have said, all of them, that they would leave any jurisdiction that compels them to break their promises of absolute privacy.  And iOS and Android both have their own native securely encrypted messaging platforms.  What are they going to do?  Apple tried to offer a solution, and everyone said, "Eww, we don't want any of that in our phone."

LEO:  That's right.  It's actually a solution very similar to what's being proposed with Chat Control.

STEVE:  Yes.

LEO:  It's that hash, that NCMEC hash.

STEVE:  Yes.

LEO:  Yeah.

STEVE:  Yes.  And then there is a graph in the proposed legislation, a graphic, and we've talked about this early on, where if something is questionable, then the device contacts a central clearinghouse and, you know, submits an image that may be against the law and, you know, waits for a decision.  So, I mean, it is a real - again, you can't have it both ways.  They're saying we don't want anyone to be able to send, transmit illegal content.  If that's true, you must look at everyone's content.  Something has to look at it to determine if it's legal or not.

LEO:  I feel sorry for whoever has to listen to all of our podcasts.

STEVE:  Wow.

LEO:  And then, you know what, there's nothing adult in any of this stuff.

STEVE:  Yeah.  Who would even, like, bother with this?  Okay.  So reading about a breach that Discord just revealed, one of the factoids there caught my eye.  As usual, hackers made off with sensitive user data.  The breach occurred at a third-party company that handles Discord's customer support.  The stolen data includes names, email addresses, payment details, and customer support tickets.  But guess what the breached and stolen data also contained?  The scanned images of government-issued IDs...

LEO:  Oh.  Oh.

STEVE:  ...that Discord had been compelled to collect for age verification.

LEO:  Oh, my goodness.

STEVE:  So there it is.  We don't yet have the infrastructure in place for securely allowing for the assertion of users' ages online.  So we've dropped to the lowest common denominator, which is to present some form of our most private information.  I certainly don't want criminals to have front and back scans of my driver's license or other similar clearly identifying document.  And while I'm sure that the third-party that was breached is not a criminal organization, they've just demonstrated that they are unable to protect our private data from disclosure.

So the question we should ask is why they had retained that identifying data at all.  Right?  Once an age verification has been made, that data that's required to do the scan and to be examined should have been erased.  But people like to collect data.  It's like, ooh, data's good.  We've got big hard drives.  Let's fill them up.  And we have no way to force its deletion after it's served its purpose; right?  It's out of our control.  As is often noted, anything that gets loose on the Internet, it's like it's gone.  The Internet has it now.  So the only way to prevent the inadvertent disclosure of our personally identifying data is to never provide it in the first place, which is why we need technology that we do not yet have.  But, you know, if you want to go use Discord, and you have to prove for some reason that you are of age, you're over 18, you have to, right, hold your driver's license up to the camera.

LEO:  I don't know, I don't think I've ever had to do that.  Of course, we have a very active Discord.  Club TWiT members, have you been asked for your ID to use Discord?  I wonder where that happens.  Maybe it's not in the U.S.?  I don't know.

STEVE:  There must, it must be some adult content site...

LEO:  Oh, maybe it's an adult site, yeah.

STEVE:  Yeah, that uses...

LEO:  Discord has none of my information.

STEVE:  Right.

LEO:  Just my login.  Huh.

STEVE:  Wow.

LEO:  Our Club is saying you, we've never had to do that.  So I don't know where you would do - where they did that.

STEVE:  Yeah, well, and all of your content is PG; right?

LEO:  Yeah, we don't even allow swearing.

STEVE:  Right.  And you've got John in there to...

LEO:  Yeah, shouting at us.

STEVE:  JammerB to just stomp on anybody who, like...

LEO:  He just yells every time somebody says a bad word.  So I don't have to think about it.

JAMMERB:  Hey.

LEO:  Hey.  I'm sorry, John.

STEVE:  Okay.  So Salesforce, god, this was really bad.  I hope they've really, really learned some lessons here.  Lord knows they've got all the technology they could ever ask for.  So this had to hurt them.  

Last Thursday they explained that the new extortion attempts their customers have been receiving are not the result of another hack.  Their headline was "Security Advisory:  Ongoing Response to Social Engineering Threats."  And you've got to love the language here.

This is what they posted:  "We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities.  Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.  At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.  We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.

"As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors."  Brought to you by the "Salesforce Public Relations Department," I'm sure.

LEO:  Notice they don't actually say anything.  Like...

STEVE:  No.  That said absolutely nothing.  It was beautifully crafted.

LEO:  They don't say it didn't happen.  

STEVE:  Nope.  I tracked down the posting that the group calling themselves "Scattered LAPSUS$ Hunters," which we know is a concatenation of three different groups, posted over in "BreachForums," Leo.  That's here at the bottom of or in the middle of, oh, conveniently page 13, lucky 13.  This is posted over in BreachForums.  I was unable to determine its posting date.  What the posting does make very clear is the Salesforce deadline, which is 10-10-2025, this coming Friday.  The BreachForums posting cites 989.45 million (approximately one billion) records.  So they're saying they have around a billion records, which I don't know how you could possibly have a billion records, but that's what this thing says.  And it says:  "To negotiate this ransom..."

LEO:  Misspelled.

STEVE:  Yeah, you're right, misspelled, "...negotiate this ransom or all your customers' data will be leaked.  If we come to a resolution, all individual extortions against your customers will be withdrawn from.  Nobody else will have to pay us, if you pay.  Salesforce, Inc.  In case if Salesforce does not engage with us to resolve this, we will completely target each and every individual customers of theirs listed below.  Failure to comply will result in massive consequences.  If you are listed below, we advise you to take every action to protect yourselves and reach out to us to resolve this.  Do not be mistaken that your SaaS provider will protect all of you.  They won't.  Don't be the next headline.  Make the correct decision and reach out."

And then there's just - it has a line, "Salesforce Inc. deadline 10-10-225.  Status:  Negotiation required."  So we may have another bit of news to report next Tuesday after the shoe has dropped on this one.

LEO:  Wow.

STEVE:  Because I don't - as far as I know, Salesforce is not capitulating.  And the bad guys have demonstrated that they did launch a very effective, massive phishing attempt using - that was effective against some of Salesforce's customers using persistent OAuth tokens, which unfortunately allowed people to get in through Salesforce accounts that were logged in through automation, and then pivot.  So, boy, what a mess.

LEO:  Wow.

STEVE:  Signal's Sparse Post-Quantum Ratchet, known as SPQR.  The Signal messenger system has just been further enhanced, it'll be a rolling upgrade that at no point will obsolete any existing clients.  They've come up with a way of just sort of incrementally releasing it.  And when you have two clients that both support the new Sparse Post-Quantum Ratchet, then they will use it.  As we've covered previously, Signal already incorporated post-quantum encryption protection.  And they did it the right way.  They have both pre- and post-quantum encryption, and they're using both.  So if there's a problem with either, the other one will still provide protection.  But these guys are seriously never satisfied.  We also previously covered the operation of their double ratchet technology.

So they have added another ratchet to create a triple ratchet.  And this one, this third ratchet in the trio, is quantum computing safe.  Now, the details are interesting and plenty, so I am thinking that it might be time for a deep dive next week into the operation of Signal's new triple ratchet, the third one, as I said, being quantum safe.  We'll see what the news is.  And I'm thinking that it would be fun to talk about how that works.  We have previous covered all of Signal's operation in detail, and I know that those were some popular podcasts.  So probably fun to talk about how that's working.

I got a piece of very nice email from a Goran Jordanov, who said:  "Hello, Steve.  I'm a long-time fan of the podcast and recently decided to try SpinRite and try to revive some old drives from a TrueNAS system.  SpinRite did a phenomenal job of repairing a few hard drives, speeding up some SSDs, and detected a bad, out-of-the-box Inland NVMe.  A bootable SpinRite on a USB stick will now be part of my 'must carry' collection of USBs.  Thank you."  And Goran, thank you for sharing your success with SpinRite.

Steve Penfold said:  "I've just spotted the (supposed) release date on Amazon here in the UK for Book 2 in Peter F. Hamilton's latest two-book Exodus series."  And seeing that name, Leo, exodus is what I'm doing.

LEO:  I didn't finish it.  I tried.  I got bogged down.

STEVE:  I understand.  So Steve said:  "I thought that you, Leo, and the Security Now! audience might like to know how long we all have left to wait."  He said:  "I assume that the release date will be fairly consistent across countries.  Regards, Steve Penfold."  And I actually remember that I think the UK, Peter's own locale, gets them a little bit before Amazon does.  I kind of think I remember that before.  Anyway, the title will be "Exodus:  The Helium Sea," with a release date of June 16th, 2026.

LEO:  Oh, well, I've got plenty of time.

STEVE:  Yes.  You have, yeah, nine months.  So I was actually, I happened to be working on the DNS Benchmark code when Steve's email arrived, and my eM Client popped up a notification of email from a Security Now! listener.  So I quickly thanked Steve for his note.  And to that he replied:  "I thought you might like that.  I'm holding out before reading the first book, until they're both available."

Okay.  Well, first of all, amen to that.  I now regret that I already read the first half.

LEO:  You've got to reread it.

STEVE:  Oh, Leo.  The plot was so convoluted with, like, behind-the-scenes machinations and subtle long-range manipulations.  I mean, it's all about a weird hierarchy of post-human creatures and pulling the strings on little puppet people that they're sending messages to over long distances and long periods of time.  You know, you really need to be taking notes along the way.  But I didn't know that when I started.  And since then I've pretty much forgotten everything I knew about who, what, where, when, and why of this plot, you know.  And, frankly, I didn't feel that the book was really that good, you know, like, you know? 

I'm sorry to report that this much-beloved author's work seems to be on a steady decline.  I loved "Fallen Dragon."  I loved "Pandora's Star" and "Judas Unchained."

LEO:  Yes.

STEVE:  I mean, those were just works of art.

LEO:  What was the one with Al Capone?  I wasn't that crazy about that one.

STEVE:  That was "The Reality Dysfunction," Night's Dawn Trilogy.

LEO:  Oh, yeah.

STEVE:  And I agree, it was a little fantastical for my, you know, when you've got Al Capone coming back to life, it's like, what?

LEO:  What?

STEVE:  Yeah.  I mean, literally.  You know?  The Greg Mandel series, those were where Peter...

LEO:  The mysteries, those were great, yeah.

STEVE:  Yeah.  Those were really fun.  But I don't know, Peter's later works.  And then the whole dreaming thing, the dreaming...

LEO:  Yeah, I didn't like that, yeah.

STEVE:  ...stuff, you know, it's like, eh.  Anyway, I'm not even sure that I have the energy to reread the first "Exodus" book again, once the story's conclusion is available.  You know, I suppose I will probably.  Maybe, you know, JammerB can just tell us what happened.

LEO:  He loves it.  He says he's read it twice already.  He can't wait to reread it a third time.

STEVE:  Wow.

LEO:  He really loves it.  I'm going to give it a chance.  When the new - but I'm going to wait till the second volume comes out, and then I'll read them both together.

STEVE:  Yeah.  Well, we're at an hour and a half in.  Time for...

LEO:  [Crosstalk] in 2028.

STEVE:  Time for - yes.  Time for almost our penultimate break.  And then...

LEO:  Our penultimate break.

STEVE:  Our penultimate break.  We're going to do a little more listener feedback, and then we'll spend some time looking at what Google has decided to do.

So Mike Lendvay wrote:  "Hi, Steve.  In the past few episodes you've mentioned that your iPhone 12 does not support Liquid Glass.  However, nothing online from Apple or anywhere else indicates that a subset of iPhones that support iOS 26 don't support the new design.  Is it possible that you have accessibility settings enabled that tone down the new visual effects, such as Reduce Transparency or Reduce Motion," and then he gives me the menu locations in those.  He says:  "This is a small and perhaps unimportant clarification, but it's been bugging me since I can't confirm this piece of information anywhere else.  Much thanks to you and Leo for the show.  I look forward to it every Tuesday."

Mike, thank you for challenging me on that.  And I can confirm that you are 100% correct.  After reading Mike's note I checked the settings on my older iPhone 12 and, sure enough, I had previously disabled all of the previous nonsense.  So when I upgraded that phone to iOS 26, Apple continued to honor those settings, so all I saw was relatively minor changes to the UI.  Curious to see what iOS 26 looks like for everyone else, I flipped those switches back to their normal defaults and, wow.  And not in a good way.  My most honest impression is that this is a demonstration of Apple having run out of anything useful to do.  The phone has become cartoony.  You know how, Leo, like when the Wile E. Coyote is about to take off chasing the Road Runner, in true cartoon fashion Wile E. will first pull back a little bit, as if to kind of compress some imaginary invisible spring to help him launch out after the Road Runner?

LEO:  Oh, yeah.  Oh, now I'm never going to be able to unsee that.

STEVE:  No.  And also when something, like, lands, it like goes a little too far and then comes back, like it's bouncing off sort of like an invisible barrier.  When unrestrained, iOS 26's various elements give extra little hops and giggles and splurts, just like that, because apparently it's not actually the content in the phone that we want to focus on.  We want to have our attention called to admire Apple's amazing animated user interface.

Long ago, it was observed that the best user interfaces were those that went unnoticed and which did not call attention to themselves.  The example of this that I've always loved most was the telephone handset.  When you're using it, you don't think in terms of speaking into a mouthpiece and a microphone.  No.  Your attention extends past the phone all the way to the person to whom you are speaking at the other end.  The phone disappears, as it should.  But here we have Apple's new user interface jumping up and down like a spoiled infant, going out of its way to constantly call attention to itself and to make everything about it.  It's really over the top.

But the good news is, turns out it's possible to tone that way, way down, so that the only thing you see is some improved visibility enhancements.  And those I very much like.  You know, like things are a little - they're like outlined with a thin rule line around them.  And, you know, so they're kind of nice.  I mean, there's  still a little bit of jump and wiggle.  But okay, at least it's not what it was.  And boy, I mean, I really, I found myself trying to look through some drop of water at something that was blurry behind it.  It's like, what is that?  What?  You know, obviously you're not supposed to wonder.  But, you know, again, it's like, wow, Apple.  Just seems dumb to me.  You know, at least we don't have wood grain any longer.  We got tired of that.  So we went to, you know...

LEO:  Yeah, we kind of went the other direction, yeah.

STEVE:  Yeah.

LEO:  We're in the future now.

STEVE:  Wow.  Eric Perry said:  "Hi, Steve.  I really enjoyed your show 1045."  That was last week.  He said:  "I've been listening since my career change about five years ago.  I'm an admin of an Microsoft 365 tenant, and your read of the passkey authentication for Microsoft accounts felt all too familiar.  I wanted to share some additional knowledge that I've found is unique with Microsoft over other passkey accounts I've worked with."  He said:  "There are several issues I've run into with Microsoft passkey configuration.  If you attempt to use passkeys with LastPass, the setup fails when registering with a Microsoft account.  I don't know if the same goes for Bitwarden or not.

"I personally use a YubiKey registered as a passkey, and the experience is great, although we have users testing the Microsoft Authenticator method, and it's exactly as that listener described.  It's clunky, far too many steps, and defeats the whole point of making login easier and more secure.  If Microsoft fixed the LastPass or any third-party storage of passkeys, this would have really greatly improved adoption in my opinion, especially if the password managers are managed and compliant with company policies.  Love the show.  I look forward to it every week.  Thanks, Eric."

Okay, so that's really interesting.  As Leo, you noted last week, your experience with Passkeys is entirely different because you're able to store your Passkeys in Bitwarden that's able to perform all the required cryptographic operations on behalf of its user.  So the entire process is smooth and seamless.  But our listener Eric notes that Microsoft refuses to work with password managers, at least with LastPass.  One of the things that we learned way back at the dawn of all this, was that the FIDO2 specification for Passkeys allows sites to determine the nature of the authenticator being used and can refuse to accept what they may feel is insufficiently secure.  And that appears to be what's going on with Eric's observation.  At this time, Entra ID and Azure ID do not accept browser-based Passkeys authenticators.

LEO:  Huh.

STEVE:  So this is a deliberate policy decision by Microsoft to force you to use Microsoft's Authenticator.

LEO:  Yeah, well, great.  That's just great.

STEVE:  With its Passkeys.

LEO:  Yeah, yeah.

STEVE:  Yeah.  Andrew Ayre in Perth, Western Australia raises a very interesting question.  He said:  "Hi, Steve.  I thought you and your listeners might find the following helpful.  My son has a PC which is only three years old, running Windows 10.  Windows 10 said that the PC did not meet the minimum hardware requirements.  After a bit of digging, it appears that the reason was that" - he has TMP, but he meant TPM.  "TPM 2.0 could not be found."

He said, and I love this:  "I used ChatGPT to find the Windows command to identify the motherboard.  Then I asked ChatGPT if that motherboard did have a TPM 2.0, to which it replied Yes.  After more ChatGPT-ing and frowning, to my relief I was able to discover that a BIOS update would likely make TPM 2.0 appear to Windows.  I asked ChatGPT how to upgrade the BIOS - upgrading the BIOS on some gaming machines is not that simple - and it diligently provided all the steps for the motherboard in question.  The PC then qualified for a Windows 11 upgrade and was upgraded successfully.  This begs the question, how many PCs around the world are perfectly good, and will end up as e-waste and will never be upgraded to Windows 11 simply because of an older BIOS, or an incorrect BIOS setting?  ChatGPT saved me hours.  I thought other listeners may find this experience useful."

And of course Andrew's observation is extremely useful.  TPM provisioning can be through either a discrete TPM chip soldered onto the motherboard or via the motherboard's own firmware.  Firmware TPM is a thing.  In the case that Andrew cited, his son's relatively new, only three-year-old gaming PC was still using firmware-based TPM.  It was using a firmware-based TPM.  And it was on 1.2.  And since its initial release when the motherboard's firmware was set, newer firmware was released for that motherboard which then included TPM 2.0.  So this is a very important observation.  Thank you, Andrew.

And to our listeners, if you've got systems where Windows is saying, "Love to help you out here, move you to Windows 11, except you've got TPM 1.2," find out whether your motherboard's TPM is hardware based or firmware based.  And if it's in firmware, it might be that there is newer firmware for it.  Updating that will bring you to 2.0, and then Windows 11 will happily, or Microsoft will happily upgrade to Windows 11.  So, very, very cool.  Thank you.  It's not something that we've talked about and covered.

Okay.  Leo, why don't we take our last break.

LEO:  Okay.

STEVE:  That way we'll do the rest of this uninterrupted while we talk about Google's Developer Registration Decree and what it means for a big pool of users.

LEO:  Yeah, I can't wait to talk to you about this.  Yeah, I'm a little disappointed, to be honest, but I want to hear what you have to say about it.

STEVE:  Okay.  So I encountered a posting over at F-Droid.org that I wanted to share because I thought it was so well conceived and heartfelt.  It was written by a well-known developer of a system called Skip.tools which enables the creation of native SwiftUI apps for iOS and Android.  Here's what Marc wrote.

He said:  "For the past 15 years, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps.  When contrasted with the commercial app stores  of which the Google Play store is the most prominent  the differences are stark.  They are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.

"F-Droid is different.  It distributes apps that have been validated to work for the user's interests, rather than for the interests of the app's distributors.  The way F-Droid works is simple.  When a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers.  Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution.

"The package is then signed, either with F-Droid's cryptographic key or, if the build is reproducible, enables distribution using the original developer's private key.  In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with."  This is all just beautiful, and exactly done right.

He said:  "Do you want a weather app that does not transmit your every movement to a shadowy data broker?  Or a scheduling assistant that doesn't siphon your intimate details into an advertising network?  F-Droid has your back.  Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

"The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google.  In addition to demanding payment of a registration fee and agreement to their non-negotiable and ever-changing terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique 'application identifiers' for every app that is to be distributed by the registered developer.

"The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot take over the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

"If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all.  F-Droid's myriad users will be left adrift, with no means to install, or even update their existing, installed applications.  How many F-Droid users are there, exactly?  We don't know, because we don't track users or have any registration:  No user accounts, by design.

"While directly installing or 'sideloading' software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution.  Google Play itself has repeatedly hosted malware, proving that corporate gatekeeping doesn't guarantee user protection.  By contrast, F-Droid offers a trustworthy and transparent alternative approach to security:  every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly."

LEO:  That's really important.

STEVE:  Yes.

LEO:  They always do reproducible builds.  That's huge.

STEVE:  Yes.  Yes.  "This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose.  Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

"Furthermore, Google's framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device:  the Play Protect service that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenience.  Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.  We do not believe that developer registration is motivated by security.  We believe it is about consolidating power and tightening control over a formerly open ecosystem.

"If you own a computer, you should have the right to run whatever programs you want on it.  This is just as true with the apps on your Android or iPhone mobile device as it is with the applications on your Linux, Mac, and Windows desktop or server.  Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works.  It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

"By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom.  We must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.  So what do we propose?

"Regulatory and competition authorities should look very carefully at Google's proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control.  We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

"If you are a developer or user who values digital freedom, you can help.  Write to your Member of Parliament, congressperson or other representative, sign petitions in defense of sideloading and software freedom, and contact the European Commission's Digital Markets Act (DMA) team to express why preserving open distribution matters.  By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping."  Wow.

As with any high-quality dispute where both sides are engaged in a good faith discussion, it's possible to empathize with each side of the argument.  We absolutely know that malware is a problem on the Android platform.  We also know that Google's Play Store is a sewer of shenanigans.  We've covered many of them in the past on the podcast.  So it's understandable for Google to wish to somehow get a handle on the mess that has evolved from their original good intentions.  And I would bet that there are those inside Google who are no more happy with this decision than the author of this F-Droid piece.

For one thing, Google is dramatically changing the game in what amounts to a bait-and-switch tactic.  The requirement to completely deanonymize all Android developers is doubtless a big deal.  But so much real damage is done through the abuse of the absolute freedom of anonymity that holding developers accountable for the actions of their code would likely go a long way toward cleaning up the mess that the Play Store has become.

And then there's the requirement of a developer fee to register.  I suppose I can understand Google feeling that they have the right to cover their registration costs - although Google doesn't need the money.  But obtaining payment from someone creates another barrier to malicious registrations.

It's also worth noting that Google's Play store is currently home to over two million apps.  Let me say that again:  two million apps.  I have no right to judge.  But does anyone really believe that more than a tiny fraction of those two million apps could possibly be useful?  One thing seems sure, which is that this move by Google will change the nature of the Play Store.  And it sounds as though it may spell the end of F-Droid unless they're able to work around the limitations.

At one point Marc wrote:  "The F-Droid project cannot require that developers register their apps through Google; but at the same time, we cannot 'take over' the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications."  To which I say, so what?

I certainly get it that F-Droid would not choose or wish to 'take over' the application identifiers of the open-source apps they distribute, but that may be the solution, assuming that Google allows them to do that.  Given what Marc wrote, F-Droid is already fully, deeply and thoroughly inspecting and vetting any app they distribute, and they're building them and signing them themselves already.  So they should not have any trouble signing the result with their developer's ID.

And if F-Droid became the sanctuary for all those legitimate Play Store developers who do not wish to reveal themselves to Google, then that could be good for F-Droid, too, though the tsunami of developer submissions might be a lot to handle.

I wanted to finish with a pair of posts I found over on Y Combinator.  The first is in reply to Marc's F-Droid post, and then he replied to that.  So the first says:  "I contacted the European Commission DMA team on this gross abuse of power (Google just followed Apple in this regard, who reacted to the DMA by coming out with this notarization for developers)."  And this poster said:  "Here is their flack-y answer.  'Dear Citizen, thank you for contacting us and sharing your concerns regarding the impact of Google's plans to introduce a developer verification process on Android.  We appreciate that you have chosen to contact us, as we welcome feedback from interested parties.'

"'As you may be aware, the Digital Markets Act (DMA) obliges gatekeepers like Google to effectively allow the distribution of apps on their operating system through third-party app stores or the web.  At the same time, the DMA also permits Google to introduce strictly necessary and proportionate measures to ensure that third-party software apps or app stores do not endanger the integrity of the hardware or operating system or to enable end users to effectively protect security.

"'We have taken note of your concerns; and while we cannot comment on ongoing dialogue with gatekeepers, these considerations will form part of our assessment going forward.  Kind regards, The DMA Team.'"  

And then this guy finishes, saying:  "The DMA is in fact cementing their duopoly power, the opposite of the objective of the law."

And to this, Marc replied:  "Post author here.  I've also been in various DMA enforcement workshops and consulted with EU regulators on the topic of app distribution.  The 'strictly necessary and proportionate measures to not endanger the integrity of the hardware or operating system' defense comes up time and time again, and is clearly a primary talking point for those lobbying against effective enforcement.

"From a developer's perspective, this stipulation is obviously intended to ensure that the existing on-device protections (sandboxing, entitlement enforcement, signature checks, et cetera) are not permitted to be circumvented by third-party app stores.  But the anti-DMA brigades have twisted their interpretation to imply that gatekeepers are permitted to keep on gatekeeping.

"Apple still requires that all software be funneled through its app review (they call it 'notarization,' but it is the exact same thing as review:  developer fees, terms and conditions, arbitrary review delays, blocking apps based on policy, et cetera) before it is signed, encrypted, and re-distributed to third-party marketplaces like AltStore.  And now Google is going to introduce its own new gatekeeping for all software on Android-certified devices, which covers 95%-plus of all Android devices outside of China.

"The lack of alarm has been, for me, quite alarming.  Every piece of software installed on billions of mobile devices around the world is going to be gate-kept by two U.S. companies headquartered 10 miles away from each other and with increasingly authoritarian-friendly leadership.

"If you have an Android device, install F-Droid today and let it be known that you won't give up your right to free software without a fight."

So I completely understand where Marc is coming from.  But the scourge of Internet malware and Internet malconduct is changing the nature of computing.  Windows developers now need to sign their code to have it pass Windows Defender's "guilty until proven innocent" deletion.  The author of Notepad++ discovered this when he attempted to push an unsigned update, and it was a disaster.  It did not go well.  And code-signing certificates do not come cheap.  Fortunately, Microsoft no longer gives EV code signing certificates any extra benefit treatment, so my own next certificate will be much less expensive.  But "not free" means that it's becoming much more difficult for freeware authors, who just want to contribute to the community, to do so.

LEO:  Yeah.

STEVE:  Unfortunately, to me all of this change, which is taking us in the direction of having less freedom, feels inevitable.  I feel as though the handwriting has been on the wall for some time.  I believe that big tech is going to continue exerting its influence toward its own ends, and that governments are going to inevitably regulate more and more of what can be done by us on the Internet.

Are these actions by the powerful being taken in response to crime?  Or is crime just their excuse?  No one will argue against protecting children.  But whatever the reason, the outcome is the same.  New gates are being erected, and with those gates come gatekeepers.  The truth is, the Internet remains an incredible place. It is an incredibly rich asset for anyone who wishes to plumb its depths. And we'll be back here next week to do some more plumbing and discuss what's going on.

LEO:  Oh, you're more than a plumber.  Yeah, I've been really intrigued.  Grayson uses a version of Android that I've been thinking of putting on my Pixel 9 for some time called Graphene.

STEVE:  Yes.

LEO:  Which does let you - it's supposedly more secure.  It's third party.  It's open source.  It does let you use the Google Play Store in a sandbox.  They don't include it, though.  You know, they don't put services on there.

STEVE:  Right.

LEO:  And you can use F-Droid on it.  And I think this might be just the push I need to give it a shot.

STEVE:  It's got a good logo.  Wow.

LEO:  Yeah.  It's Graphene, get it?

STEVE:  Uh-huh.

LEO:  Of course you get it, yeah.  Yeah, there are a number of third-party ROMs like this.  Of course the response to this is, and I imagine Google will be doing it any day now, is locking down the bootloader so you can't modify the operating system.  All in the, you know, support of security.

STEVE:  Oh, it's for the users' benefit.  That's right.

LEO:  It's all to support your security, yeah.

STEVE:  That's right.  I wonder if they're going to do that.  I mean, there was a huge concern that Microsoft was going to lock, you know, Windows System so that you had no choice to install another OS.  That might be - we haven't seen that yet, so...

LEO:  It came close.  I had to turn off Secure Boot, of course, to put Linux on my new desktop.

STEVE:  Yeah.

LEO:  But you can still do that in BIOSes.

STEVE:  But they do let you turn it off, yeah.

LEO:  Yes, yeah.  Samsung has locked down, in the past, has locked down its bootloader.  Some manufacturers do.  Google does not yet.  I just - I don't know.  I don't know.  I think there's a - I think they're not too worried about it because it's such a techie kind of geeky thing to do that...

STEVE:  Yup, yup.

LEO:  ...the mass number of users isn't going to do it.  But, boy, I think people need to really start looking at open source.  I love Linux.  I mean, as Apple does down this chute, and Microsoft has really gone down the chute, more and more I like open source solutions.  It's just...

STEVE:  Well, it's going to be interesting, too, to see, I mean, Google is going to do this.  They've announced it.  So it'll be interesting to see how it reshapes the Play Store, how many apps disappear.  First of all, because they've been abandoned years ago, and they're just sitting around.  I mean, I imagine, if they're not from a registered developer, Google will give it some time and then will just say, okay, we're going to delete this.

LEO:  Yeah.  Yeah, you know, they've backed down in the past.  They could back down if they get enough pressure.  This could just be a trial balloon.  Let's hope it is.  Anyway... 

STEVE:  Well, I know for sure, Leo, that this podcast is not a trial balloon.

LEO:  No.

STEVE:  Because I have the lack of hair to prove it.

LEO:  If it is, it's a very long - we're playing the long game, very much so.  1046 episodes later we're doing our best here to figure it all out.

Copyright (c) 2025 by Steve Gibson and Leo Laporte.  SOME RIGHTS RESERVED.  This work is licensed for the good of the Internet Community under the Creative Commons License v2.5.  See the following Web page for details:  https://creativecommons.org/licenses/by-nc-sa/2.5/.