
Security Now - 16k MP3
1,036 episodes — Page 1 of 21
SN1040: Clickjacking "Whac-A-Mole"
/ Germany may soon outlaw ad blockers. / What's happening in the courts over AI. / The U.K. drops its demands of Apple. / New Microsoft 365 tenants being throttled. / Is Russia preparing to block Google Meet? / Bluesky suspends its service in Mississippi. / How to throttle AI. / A tricky SSH-busting Go library. / Here comes the Linux desktop malware. / Apple just patched a doozy of a vulnerability. / A trivial Docker escape was found and fixed. / Why the recent browser 0-day clickjacking is really just whac-a-mole.
SN1039: The Sad Case of ScriptCase
/ What AI website summaries mean for Internet economics. / Time to urgently update Plex Servers (again). / Allianz Life stolen data gets leaked. / Chrome tests Incognito-mode fingerprint script blocking. / Chrome 140 additions coming in two weeks. / Data brokers hide opt-out pages from search engines. / Secure messaging changes in Russia. / NIST rolls out lightweight IoT crypto. / SyncThing moves to v2.0 and beyond. / Alien:Earth -- first take. / What can we learn from another critical vulnerability?
SN1038: Perplexity's Duplicity
/ CISA's Emergency Directive to ALL Federal agencies re: SharePoint. / NVIDIA firmly says "no" to any embedded chip gimmicks. / Dashlane is terminating its (totally unusable) free tier. / Malicious repository libraries are becoming even more hostile. / The best web filter (uBlock Origin) comes to Safari. / The very popular SonicWall firewall is being compromised. / >100 models of Dell Latitude and Precision laptops are in danger. / The significant challenge of patching SharePoint (for example). / A quick look at my DNS Benchmark progress. / Does InControl prevent an important update? / A venerable Sci-Fi franchise may be getting a great new series. / What to do about the problem of AI "website sucking".
SN1037: Chinese Participation in MAPP
/ A follow-up to the SharePoint server patch mess. / How Russia arranges to spy on other countries' local embassies. / "Dropbox Passwords" manager app is ending in October. / Signal will leave Australia rather than help spy. / YouTube deploys viewing history age-estimation heuristics. / Chrome adds clever lightweight extension signing to prevent abuse. / A domain registrar is coming close to losing its rights. / A TP-Link router that doesn't encrypt its configuration. / What is "TruAge" and might it be useful for age verification? / An update on "Artemis". / With U.S.-China tensions on the rise, should Chinese security companies receive weeks of advance notice of forthcoming Microsoft flaw patches?
SN1036: Inside the SharePoint 0-day RCE
/ Brave randomizes its fingerprints. / The next Brave will block Microsoft Recall by default. / Clorox sues its IT provider for $380 million in damages. / 6-month Win10 ESU offers are beginning to appear. / Warfare has significantly become cyber. / Allianz Life loses control of 125 million customers' data. / The CIA's Acquisition Research Center website was hacked. / The Pentagon says the SharePoint RCE didn't get them. / A look at a DPRK "laptop farm" to impersonate Americans. / FIDO's passkey was NOT bypassed by a MITM after all. / Is our data safe anywhere? / The UK is trying to back-pedal out of the Apple ADP mess. / Meanwhile, the EU resumes its push for "Chat Control". / What happened after Microsoft fumbled the patch of a powerful Pwn2Own exploit?
SN1035: Cloudflare's 1.1.1.1 Outage
/ Bypassing all passkey protections. / The ransomware attacks just keep on coming. / Cloudflare capitulates to the MPA and starts blocking. / The need for online age verification is exploding. / Microsoft really wants Exchange Servers to subscribe. / Russia (further) clamps down on Internet usage. / The global trend toward more Internet restrictions. / China can inspect locked Android phones. Use a burner. / Web shells are the new buffer overflow. / An age verification protocol sketch. / What Cloudflare did to create an outage of 1.1.1.1.
SN1034: Introduction to Zero Knowledge Proofs
/ A glorious takedown of quantum factorization. / Notepad++ signs its own code signing certificate. / Dennis Taylor has Bobiverse Book 6 on his lap. / Crypto/ATM machines flat out outlawed. / Signal vs WhatsApp: Encryption in flight and at rest. / A close look at browser fingerprinting metrics. / Rewriting interpreters in memory-safe languages. / An introduction to zero-knowledge proofs.
SN1033: Going on the Offensive
/ Another Israeli spyware vendor surfaces. / Win11 to delete restore points more quickly. / The EU accelerates its plans to abandon Microsoft Azure. / The EU sets timelines for Post-Quantum crypto adoption. / Russia to create a massive IMEI database. / Canada and the UK create the "Common Good Cyber Fund". / U.S. states crack down on Bitcoin ATMs amid growing scams. / Congressional staffers cannot use WhatsApp on gov devices. / LibXML2 and the problems with commercial use of OSS. / A(nother) remote code execution vulnerability in WinRAR. / Have-I-Been-Pwned gets a cool data visualization site. / How is ransomware getting in? / Windows to offer "safe" non-kernel endpoint security? / Proactive age verification coming to porn sites. How? / Canada (also) says "bye bye" to Hikvision. / Germany will be banning DeepSeek. The whole EU may follow. / Cloudflare throttled in Russia? / What must the U.S. do to compete in global exploit acquisition?
SN1032: Pervasive Web Fingerprinting
/ Let's Encrypt drops its long-running email notifications. / Microsoft's new "Unexpected Restart Experience". / Microsoft's response to last year's massive CrowdStrike outage. / Windows 10's extended service updates will sort of be free. / Russia-sold iPhones MUST include the RuStore app. / Lyon, in France, says bye-bye to Windows. Hello to Linux. / The US Gov gets more serious about memory-safe languages. / A new unbelievable AI malware scanner evasion technique. / A new pair of Cisco 9.8 and 10.0 vulnerabilities. / The current state of post-Elon government cybersecurity. / PNGv3, Swift on Android, and the Samsung email purge. / Andy Weir's "Project Hail Mary" movie trailer. / And a close look at the pervasiveness of web browser tracking fingerprinting.
SN1031: How Salt Typhoon gets in
SN1030: Internet Foreground Radiation
/ An exploited iOS iMessage vulnerability Apple denies? / The NPM repository is under siege with no end in sight. / Were Comcast and Digital Realty compromised? Don't ask them. / Matthew Green agrees: XChat does not offer true security. / We may know how Russia is convicting Telegram users. / Microsoft finally decides to block two insane Outlook file types. / 40,000 openly available video cameras are online. Who owns them? / Running SpinRite on encrypted drives. / An LLM describes Steve's (my) evolution on Microsoft security. / What do we know about the bots that are scanning the Internet?
SN1029: The Illusion of Thinking
/ In memoriam: Bill Atkinson. / Meta native apps & JavaScript collude for a localhost local mess. / The EU rolls out its own DNS4EU filtered DNS service. / Ukraine DDoS's Russia's Railway DNS ... and... so what? / The Linux Foundation creates an alternative Wordpress package manager. / Court tells OpenAI it must NOT delete ANYONE's chats. Period! :( / A CVSS 10.0 in Erlang/OTP's SSH library. / Can Russia intercept Telegram? Perhaps. / Spain's ISPs mistakenly block Google sites. / Reddit sues Anthropic. / Twitter's new encrypted DM's are as lame as the old ones. / The Login.gov site may not have any backups. / Apple explores the question of recent Large Reasoning Models "thinking".
SN1028: AI Vulnerability Hunting
/ Pwn2Own 2025, Berlin results. / PayPal seeks a "newly registered domains" patent. / An expert iOS jailbreak developer gives up.
SN1027: Artificial Intelligence
/ What's the status of Encrypted Client Hello (ECH)? / What radio technology would be best for remote inverter shutdown? / Some DNS providers already block newly listed domains. / Knowing when not to click a link can take true understanding. / Why can losing a small portion of a power grid bring the rest down? / Where are we in the "AI Hype Cycle" and is this the first? / Speaking of hype: An AI system resorted to blackmail? / Why are we so quick to imbue AI with awareness? / ChatGPT's latest o3 model ignored the order to shutdown. / Copilot may not be making Windows core code any better. / Venice.AI is an unfiltered and unrestrained LLM.
SN1026: Rogue Comms Tech Found in US Power Grid
/ Chrome to actively refuse admin privileges. / Android Messenger is getting manual key verification. / Pwn2Own to add AI "pwning" as in-scope attack targets. / AI has already been found to be replicating. / Microsoft not killing off Office on Win10 after October. / 23andMe's asset purchaser revealed. / Many fun talking points thanks to our listeners. / Steve's review of "Andor", season 2. / What's been discovered inside the U.S. power grid.
SN1025: Secure Conversation Records Retention
/ The state of Virginia passes an age-restriction law that has no chance. / New Zealand also tries something similar, citing Australia's lead. / A nasty Python package for Discord survived 3 years and 11K downloads. / The FBI says it's a good idea to discard end-of-life consumer routers. / What's in WhatsApp? Finding out was neither easy nor certain. / The UK's Cyber Centre says AI promises to make things much worse. / A bunch of great feedback from our great listeners, then: / Is true end-to-end encryption possible when records must be retained?
SN1024: Don't Blame Signal
/ Microsoft to officially abandon passwords and support their deletion. / Meta's RayBan smart-glasses weaken their privacy terms. / 30% of Microsoft code is now being written by AI. / Google says prying Chrome from it will damage its security. / Nearly 1,000 six-year old eCommerce backdoors spring to life. / eM Client moves to version 10.3 / A bunch of terrific listener feedback creates talking points. / A little known insecure message archiving service comes to light.
SN1023: Preventing Windows Sandbox Abuse
/ Enabling Firefox's Tab Grouping.
SN1022: Windows Sandbox
/ Enabling Firefox's Tab Grouping.
SN1021: Device Bound Session Credentials
/ Android to get "Lockdown Mode". / What's in the new editions of Chrome and Firefox? / Why did Apple silently re-enable automatic updates? / My new iPhone 16, Chinese tariffs and electronics. / Dynamic "hotpatching" coming to Win11 Enterprise & Edu. / Why is it so difficult for Oracle to fess up? / Another multi-year breach inside US Treasury. / An Apple -vs- the UK update. / "Thundermail" (Can't someone come up with a better name?) / The (in)Security of Programmable Logic Controllers. / When LLM's write code and hallucinate non-existent packages. / Wordpress core security and PHP gets an important audit. / Device-Bound Session Credentials update session cookie technology.
SN1020: Multi-Perspective Issuance Corroboration
/ Canon printer driver vulnerabilities enable Windows kernel exploitation. / Astonishing cyber-security awareness from a household appliance manufacturer. / France tries to hook 2.5 million school children with a Phishing test. / Wordpress added an abuse prone feature in 2022. Guess what happened? / Oracle? Is there something you'd like to tell us? / Utah's governor just signed the App Store Accountability Act. Now what? / AI bots hungry for new data are DDoSing FOSS projects.
SN1019: EU OS
/ Kuala Lumpur International Airport says no to a ransom attack, switches to whiteboard. / A tired and jet-lagged Troy Hunt got Phished then listed himself on his own site. / Cloudflare completely pulls the plug on port 80 (HTTP) API access. / Malware is switching to obscure languages to avoid detection. FORTH, anyone? / Password reuse doesn't appear to be dropping. Cloudflare has numbers. / A listener shares his log of malicious Microsoft login attempts. Why no geofencing? / 23andMe down for the count (reminder). / A sobering Ransomware attack & victim listing website. Gulp! / "InControl" keeps VR planes aloft. / And the European Union gets serious about a switch to Linux.
SN1018: The Quantum Threat
/ The dangers of doing things you don't understand. / Espressif responds to the claims of an ESP32 backdoor. / A widely leveraged mistake Microsoft stubbornly refuses to correct. / A disturbingly simple remote takeover of Apache Tomcat servers. / A 10/10 vulnerability affecting some ASUS, ASRock and HPE motherboards. / Google snapped up another cloud security firm but paid a price! / RCS messaging to soon get full end-to-end encryption (done right!). / How did an AI Crypto Chatbot lose $105,000? ...and what is an AI Crypto Chatbot? / Looks like Oracle may take stewardship of TikTok to keep it in-country. / Whoops! 23andMe is sinking - don't let them take your genetics with them! / The White House says "the cyber guys should stay!" / AI project failure rates are on the rise. Anyone surprised? / Listener feedback, and a very interesting update on just how looming is the threat from quantum computing?
SN1017: Is YOUR System Vulnerable to RowHammer?
An analysis of Telegram Messenger's crypto. A beautiful statement of the goal of modern crypto design. Who was behind Twitter's recent outage trouble? An embedded Firefox root certificate expired. Who was surprised? AI-generated Github repos, voice cloning, Patch Tuesday and an Apple 0-day. The FBI warns of another novel attack vector that's seeing a lot of action. Google weighs in on the Age Verification controversy. In a vacuum, Kazakhstan comes up with their own solution. Was Google also served an order from the UK? Can they say? A serious PHP vulnerability you need to know you don't have. A bunch of great listener feedback, some Sci-Fi content reviews and... a new tool allows YOU to test YOUR PCs for their RowHammer susceptibility.
SN1016: The Bluetooth Backdoor
Utah passes age verification requirement for app stores. The inside story on fake North Korean employees. Is that a Texas accent? An update on the ongoing Bybit cryptoheist saga. The industry may be making some changes in the wake of the Bybit attack. Apple pushes back legally against the UK's secret order. Did someone crack Passkeys? The UK launches a legal salvo at an innocent security researcher. The old data breach we witnessed that just keeps on giving. A bit more Bybit post-mortem forensic news. A lesson to learn from a clever and effective ransomware attack. And what about that Bluetooth Backdoor discovery everyone is talking about?
SN1015: Spatial-Domain Wireless Jamming
/ Firefox amends their privacy policy -- the world melts down. / Signal threatens to leave Sweden. / Aftermath of the massive $1.5 billion Bybit ETH heist. / It turns out that it wasn't actually Bybit's fault. / "The Lazarus Bounty" monitoring and management site. / Mozilla's commitment to Manifest V2 (and the uBlock Origin). / What does the ACM's plea for memory-safe languages mean for developers? / What exactly are memory-safe languages? / Australia joins the Kaspersky ban. / Gmail plans to switch from SMS to QR code authentication. / A SpinRite success and some fun feedback. / An astonishing new technology for targeted radio jamming.
SN1014: FREEDOM Administration Login
/ Apple disables Advanced Data Protection for new UK users. / Paying ransoms is not as cut and dried as we might imagine. / Elon Musk's "X" social media blocks "Signal.me" links. / Spain's soccer league blocks Cloudflare and causes a mess.
SN1013: Chrome Web Store is a mess
US lawmakers respond to the UK's outrageous demand about Apple's encryption. What, exactly, is a "backdoor", and can a "backdoor" NOT be secret? Highlights from last week's Windows' Patch Tuesday. A look into RansomHub: The latest king of the Ransomware hill. "TOAD": Telephone-Oriented Attack Delivery. The state of Texas -versus- DeepSeek. Disabling Apple's "Restricted Mode". Where did I put that $800 million in Bitcoin? A Sci-Fi author update. And a deep dive into the misoperation of Chrome's critically important Web Extension Store.
SN1012: Hiding School Cyberattacks
New "SparkCat" secret-stealing AI image scanner discovered in App and Play stores. The UK demands that Apple does the impossible: decrypting ADP cloud data. France moves forward on legislation to require backdoors to encryption. Firefox moves to 135 with a bunch of useful new features. The Five Eyes alliance publishes edge-device security guidance. Six NetGear routers contain CVSS 9.6 and 9.8 vulnerabilities. Sysinternals utilities allow malicious Windows DLL injection. Google removes restrictive do-gooder language from AI application policies. "AI Fuzzing" successfully jailbreaks the most powerful ChatGPT o3 model. Examining the well and deliberately hidden truth behind ransomware cyberattacks on U.S. K-12 schools.
SN1011: Jailbreaking AI
Why was DeepSeek banned by Italian authorities? What internal proprietary DeepSeek data was found online? What is "DeepSeek" anyway? Why do we care, and what does it mean? Did Microsoft just make OpenAI's strong model available for free? Google explains how generative AI can be and is being misused. An actively exploited and unpatched Zyxel router vulnerability. The new US "ROUTERS" Act. Is pirate-site blocking legislation justified or is it censorship? Russia's blocked website count tops 400,000. Microsoft adds "scareware" warnings to Edge. Bitwarden improves account security. What's still my favorite disk imaging tool? And let's take a close look into the extraction of proscribed knowledge from today's AI systems -- It only requires a bit of patience.
SN1010: DNS over TLS
eM Client CAN be purchased outright. An astonishing 5-year-old typo in MasterCard's DNS. An unwelcome surprise received by 18,459 low-level hackers. DDoS attacks continue growing, seemingly without any end in sight. Let's Encrypt clarifies their plans for 6-day "we barely knew you" certificates. SpinRite uncovers a bad brand new 8TB drive. Listener feedback about TOTP, Syncthing and UDP hole punching, email spam, ValiDrive speed, AI neural nets, DJI geofencing, and advertising in the "New" Outlook. A look into the tradeoffs required to obtain privacy for our DNS lookups.
SN1009: Attacking TOTP
What do we learn from January's record breaking 0-day critical Patch Tuesday? Microsoft to "force-install" a new Outlook into all Windows 10 and 11 desktops? GoDaddy is required to get much more serious about its hosting security. More age verification enforcement is coming, including globally. What another instance of a widely exposed management interface teaches us. DJI drone's official firmware update lifts geofencing for unrestricted flight. CISA's efforts pay off with MUCH improved critical infrastructure security. Listener feedback about TOTP, HOTP and age-verification. And we take a deep dive into cracking authenticator keys.
SN1008: HOTP and TOTP
Meta winds down 3rd-party content filtering. Is encryption soon to follow? Taking over abandoned Command & Control server domains (strictly for research purposes only!). IoT devices to get the "Cyber Trust Mark" - will anyone notice or care? "SyncThing" receives a (blessedly infrequent) update. Government email is not using encryption? Really? Email relaying prevents point-to-point end-to-end encryption and authentication. Just because Let's Encrypt doesn't support email doesn't mean it's impossible. What Sci-Fi does ChatGPT think I (Steve) should start reading next? To auto-update or not to auto-update? - is that one question or two? And, until today, we've never taken a deep dive into the technology of time-varying 6-digit one time tokens. Let's fix that! (And last week's uncaptioned picture is finally captioned!)
SN1007: AI Training & Inference
The consequences of Internet content restriction. The measured risks of 3rd-party browser extensions. The consequences of SonicWall's unpatched 9.8 firewall severity. The incredible number of still-unencrypted email servers. Salt Typhoon finally evicted from three telecom carriers. HIPAA gets a long-needed cybersecurity upgrade. The EU standardizes on USB-C for power charging. What? Believe it or not, a CAPTCHA you solve by playing DOOM. And once we've caught up with all of that: What I learned from three weeks of study of AI.
SN1006: The Best of 2024
#956: Apple's Hardware Backdoor: Steve reflects on the previous week's 'The Mystery of CVE-2023-38606' deep-dive. #960: Unforeseen Consequences of Google's 3rd-party Cookie Cutoff: As Google moves to phase out third-party cookies, the advertising industry scrambles to find new ways to track users, potentially leading to more intrusive methods like requiring users to create accounts on websites. #961: Bitlocker: Chipped or Cracked?: A clever hacker demonstrates how BitLocker-encrypted drives can be compromised on systems using separate TPM chips, highlighting the importance of integrating TPM functionality directly into the CPU. #964: So, What Is Apple's PQ3?: Steve analyzes Apple's new "PQ3" post-quantum safe iMessaging protocol, questioning whether it truly offers superior security compared to Signal's existing solution. #976: Recall - The 50 Gigabyte Privacy Bomb: Examining Microsoft's new "Recall" feature that records users' screens every few seconds, raising significant privacy concerns. #984: CrowdStruck: A look at the disastrous global IT outage caused by a faulty CrowdStrike Falcon update, affecting airports, hospitals, banks, and more. #1000: Steve and Leo reflect on 1000 episodes of Security Now. #1001: Artificial General Intelligence: Steve and Leo discuss the challenges in achieving artificial general intelligence (AGI) and the debate surrounding its potential timeline and societal impact.
SN1005: 6-Day Certificates? Why?
Is AI the Wizard of Oz? Or is it more? Microsoft's long standing effective MFA login bypass. Is TPM 2.0 not required after all for Windows 11? Meet 14 North Korean IT workers who made $88 million from the West. Android updates its Bluetooth tracking with anti-tracking. The NPM package manager repository has had 540,000 malicious packages discovered hiding in plain sight. The AskWoody site remains alive, well, and terrific. My iPhone is linked to Windows and it's wonderful. Yay. How has email been finding logos before BIMI? If we use Him and Her for people, how about Hal for AI? Another very disturbing conversation with ChatGPT. What's going on with the new ChatGPT o1 model? It wants to escape? What?? Let's Encrypt plans to reduce its certificate lifetime from 90 to just 6 days. Why in the world?
SN1004: A Chat with GPT
All telecom providers have been hacked and may still not be safe to use. So now the government is recommending that we use our own encrypted communications. The plan to obsolete all non-TPM 2.0 PCs remains well underway. Microsoft must be feeling the heat, so they're taking time to not apologize. Whoops. Microsoft's product activation system has been fully hacked. All Windows and Office products may now be easily activated without any licensing. Here come the AI patents. Apple patents AI recognizing people by what they're wearing after earlier seeing their faces and noting what they're wearing. Zoom wasn't encrypting their early video conferencing. They're still trying to get out from under the mess their lies created for them. AWS introduces physical data terminal locations where users can go to perform massive data transfers to and from the cloud. The FTC has set their sights on data brokers. Let's hope something comes of it. GRC's email finally gets BIMI. (Can you see the Ruby-G logo?) Lots of terrific listener feedback about authenticator policy, a new and free point-to-point link service, Tor's "Snowflake", linking PCs and Smartphones, and even recharging spent SodaStream canisters. Then we look at a recent conversation I had with "ChatGPT 4o with canvas" and the new plan that resulted.
SN1003: A Light-Day Away
Microsoft makes very clear what data they are NOT using to train their AI models. What's a "Digital Epileptic Seizure"? What induces them? And why you don't want your self-driving car to have one! A public plea for help in the form of volunteer bridge servers from the Tor Network. If you are one of 140 million Zello users, heed their notice to change your password. The U.S. Federal Trade Commission opens a broad antitrust investigation into whether Microsoft has been naughty or nice. A new form of Android smartphone "scareware" simulates a seriously malfunctioning, cracked and broken screen. It's almost certainly positively and completely safe to leave Wireguard open and listening for incoming connections. Is "almost certainly positively and completely safe" safe enough? If the Internet fills with AI output, what happens when AI starts training on that? It seems we know. Last week, Australia passed the social media age restriction law. Now what? And finally, not only is Voyager 1 nearly an entire light-day away, it's beginning to have some harder to remotely repair problems. How much longer will we be in touch with it?
SN1002: Disconnected Experiences
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. Then we ask: What are Microsoft's "Connected Experience" and why might you choose to disconnect from them?
SN1001: Artificial General Intelligence (AGI)
How Microsoft lured the US Government into a far deeper and expensive dependency upon its cybersecurity solutions. Gmail to offer native throwaway email aliases like Apple and Mozilla. Russia to ban several additional hosting companies and give its big Internet disconnect switch another test. Russia uses a diabolical Windows flaw to attack Ukrainians. The value of old Security Now episodes. TrueCrypt's successor. Using Cloudflare's Tunnel service for remote network access. How to make a local server appear to be on a remote public IP. How to share an 'impossible to type' password with someone. How to find obscure previous references in the Security Now podcast. What are the parameters for the expected and widely anticipated next generation Artificial General Intelligence (AGI)? What do those in the industry and academia expect? And is OpenAI's Sam Altman completely nuts for predicting it next year? Is it just a stock ploy?
SN1000: 1000!
Did Bitwarden go closed-source? The rights of German security researchers are clarified. Australia to impose age limits on social media. Free Windows Server 2025 anyone? UAC wasn't in the way enough, so they're fixing that. "From Russia with fines" -- obey or else. South Korea fines Meta over serious user privacy violations. Synology's (very) critical zero-click RCE flaw. Malicious Python packages invoked by typos. Google to enforce full MFA for all cloud service users. Mozilla Foundation lays off 30%? Is Firefox safe? Some feedback from Dave's Garage (https://grc.sc/dave). And a bunch of thought provoking "Closing The Loop" feedback from our terrific listeners: The AI arms race, blocking YouTube shorts with uBlock Origin, the story behind the hose crossing the train tracks, the DNS Benchmark on non-Windows platforms, will AIs learn to tell the truth?, how to securely connect remotely to home network resources?, and listeners who have been with us for the past 20 years of their lives.
SN999: AI Vulnerability Discovery
Google's record-breaking fine by Russia. (How many 0's is that?) RT's editor-in-chief admits that their TV hosts are AI-generated. Windows 10 security updates set to end next October... or are they? When a good Chrome extension goes bad. Windows .RDP launch config files. What could possibly go wrong? Firefox 132 just received some new features. Chinese security cameras being removed from the UK. I know YOU wouldn't fall for this social engineering attack. What's GRC's next semi-commercial product going to be? And what's the prospect for AI being used to analyze code to eliminate security vulnerabilities?
SN998: The Endless Journey to IPv6
Apple proposes 45-day maximum certificate life. Please, no. :( SEC fines four companies for downplaying their SolarWinds attack severity. Google adds 5 new features to Messenger including inappropriate content. Does AI-driven local device-side filtering resolve the encryption dilemma forever? The very nice looking "Session" messenger leaves Australia for Switzerland. Another quick look at the question of the EU's software liability moves. Fake North Korean employees WERE found to install backdoor malware. How to speed up an SSD without using SpinRite. Using ChatGPT to review and suggest improvements in code. And Internet governance has been trying to move the Internet to IPv6 for the past 25 years, but the Internet just doesn't want to go. Why not? And will it ever?
SN997: Credential Exchange Protocol
Did Chinese researchers really break RSA encryption? What did they do? What next-level terror extortion is being powered by the NPD breach data? The EU to hold software companies liable for software security? Microsoft lost weeks of security logs. How hard did they try to fix the problem? The Chinese drone company DJI has sued the DoJ over its ban on DJI's drones. The DoJ wishes to acquire "DeepFake" technology to create fake people. Microsoft has bots pretending to fall for phishing campaigns, then leading the bad guys to their honeypots. It's diabolical and brilliant. A bit of BIMI logo follow-up, then... A look at the operation of the FIDO Alliance's forthcoming Credential Exchange Protocol which promises to create passkey collection portability.
SN996: BIMI (up Scotty)
A great deal more about uBlock Origin which we've been underutilizing. National Public Data files for bankruptcy (is anyone surprised?). Will the .IO top level Internet domain be disappearing? Last week was Patch Tuesday, what did we learn? Firefox fixed a bad remote exploit that was attacking Tor users. Why a Server edition of Windows won't substitute for a desktop edition. A look back at a fabulous multi-platform puzzle/game from 2015. Feedback on Saturday's surprise Security Now! Mailing. More on "What's the best router?" What in the world is BIMI for email? What it does and what it promises. And next week we dig into the just-announced Passkey "Credential Exchange Protocol" which promises to deliver passkey portability.
SN995: uBlock Origin & Manifest V3
Meta was not bothering to hash passwords? PayPal to begin selling its users' purchase histories. 2021's record for maximum DDoS size has been broken. It's national cybersecurity month. When was the last time you updated your router's firmware? North Korean hackers are successfully posing as domestic IT workers. Why would a security-related podcast ever talk about Vitamin D? What's another way the recent Linux CUPS vulnerability might be weaponized? What's the secure consumer WiFi router of choice today? And what should be done to further secure it after purchase? Recent troubles with uBlock Origin's Lite edition shine a light on Chrome's coming content-blocking add-on restrictions. What's going on and what can be done?
SN994: Recall's Re-Rollout
We have the full story about the Linux remote code execution flaw. What bad stuff can happen if a domain escapes control even briefly? What social media platform is now in Russia's Roskomnadzor crosshairs? Update VLC to eliminate a potential remote code execution flaw. Tor merges with Tails for greater efficiency. Telegram announces that it will now obey court orders to disclose information. Interesting info from Bobiverse's author and some early feedback about Peter F. Hamilton's latest novel. How to keep Windows from re-asking to set up an already setup system. And... Microsoft is re-rolling out Recall. Have they actually addressed the valid
SN993: Kaspersky exits the U.S.
The case of the exploding pagers and walkie-talkies. Are Ford Motor Company autos planning to listen-in to their occupants? Highly personal data of 106,316,633 U.S. individuals was found unprotected online. Passkeys takes a huge step forward with native support in Chrome. Is there a serious 9.9-level unauthenticated remote code exploit in Linux? More credit bureau freezing insanity, Drobo vs Synology, GRC's email adventure, WiFi security with and without a VPN, obtaining CPE credits from listening to Security Now, and in defense of Microsoft Defender XDR. Then, what mess did Kaspersky make leaving the U.S. market last week and what are the wider implications for the Internet's future?
SN992: Password Manager Injection Attacks
What happened during Microsoft's recent Windows Endpoint Security Ecosystem Summit? And what, if anything, will probably result? How reliable is ANY form of digital storage when used for long-term archiving? What happened when an illegal Starlink Internet network was set up on a U.S. Navy ship? What's the best solution for securing the Internet-facing "edge" of enterprise networks? GRC has started notifying SpinRite 6 owners about 6.1. What's been learned about the challenge of sending email in 2024? Why might running SpinRite on an SSD cause the SSD to then appear to be running more slowly? Why is true secrecy so difficult to achieve, and how were most password managers leaking some of their secrets.
SN991: RAMBO
Microsoft's "Recall" uninstallability is a bug. Yubikeys can be cloned. How worried should you be? When was that smoke detector installed? We share and discuss lots of interesting listener feedback: Is WhatsApp more secure than Telegram? Does Telegram's lack of security really matter? Elevators in Paris have problems, too. There's a 4th credit bureau to be frozen, too. Can high-pitched sound keep dogs from barking? A reminder of a terrific UNIX 2038 countdown clock. A new Bobiverse Sci-Fi book & new Peter Hamilton novel. Why does SpinRite show user data flashing past? And... TEMPEST is alive and well in the form of the latest RAMBO attack.