<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <atom:link href="http://rss-feeds.eu/feeds/SecurityNow-16k-2024.xml" rel="self" type="application/rss+xml" />
    <title>Security Now 2024 - 16k MP3</title>
    <pubDate>Tue, 02 Sep 2025 18:58:48 +0100</pubDate>
    <lastBuildDate>Tue, 02 Sep 2025 18:58:48 +0100</lastBuildDate>
    <link>https://twit.tv/shows/security-now</link>
    <language>en-US</language>
    <copyright>
      This work is licensed under a Creative Commons License -
      Attribution-NonCommercial-NoDerivatives 4.0 International -
      http://creativecommons.org/licenses/by-nc-nd/4.0/
    </copyright>
    <ttl>14400</ttl>
    <category>Technology</category>
    <category>Security</category>
    <image>
      <title>Security Now 2024 - 16k MP3</title>
      <url>http://twit.cachefly.net/coverart/sn/sn144audio.jpg</url>
      <link>https://twit.tv/shows/security-now</link>
      <width>144</width>
      <height>144</height>
    </image>
    <itunes:author>TWiT</itunes:author>
    <itunes:subtitle>Steve Gibson discusses the hot topics in security today with Leo Laporte.</itunes:subtitle>
    <itunes:summary>Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.

    Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 20:30 UTC.</itunes:summary>
    <description>
      Steve Gibson, the man who coined the term spyware and created the first anti-spyware program,
      creator of Spinrite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.
      Records live at https://twit.tv/live every Tuesday.
    </description>
    <itunes:keywords>TWiT, Technology, Steve Gibson, Leo Laporte, security, spyware, malware, hacking, cyber crime, encryption</itunes:keywords>
    <itunes:explicit>false</itunes:explicit>
    <itunes:block>no</itunes:block>
    <itunes:owner>
      <itunes:name>Leo Laporte</itunes:name>
      <itunes:email>distro@twit.tv</itunes:email>
    </itunes:owner>
    <itunes:category text="Technology" />
    <itunes:category text="News">
      <itunes:category text="Tech News" />
    </itunes:category>
    <item>
      <title>SN1006: The Best of 2024</title>
      <pubDate>Tue, 24 Dec 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1006-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1006-lq.mp3</guid>
      <description>#956: Apple's Hardware Backdoor: Steve reflects on the previous week's 'The Mystery of CVE-2023-38606' deep-dive. #960: Unforeseen Consequences of Google's 3rd-party Cookie Cutoff: As Google moves to phase out third-party cookies, the advertising industry scrambles to find new ways to track users, potentially leading to more intrusive methods like requiring users to create accounts on websites. #961: Bitlocker: Chipped or Cracked?: A clever hacker demonstrates how BitLocker-encrypted drives can be compromised on systems using separate TPM chips, highlighting the importance of integrating TPM functionality directly into the CPU. #964: So, What Is Apple's PQ3?: Steve analyzes Apple's new "PQ3" post-quantum safe iMessaging protocol, questioning whether it truly offers superior security compared to Signal's existing solution. #976: Recall - The 50 Gigabyte Privacy Bomb: Examining Microsoft's new "Recall" feature that records users' screens every few seconds, raising significant privacy concerns. #984: CrowdStruck: A look at the disastrous global IT outage caused by a faulty CrowdStrike Falcon update, affecting airports, hospitals, banks, and more. #1000: Steve and Leo reflect on 1000 episodes of Security Now. #1001: Artificial General Intelligence: Steve and Leo discuss the challenges in achieving artificial general intelligence (AGI) and the debate surrounding its potential timeline and societal impact.</description>
      <enclosure url="http://media.grc.com/sn/sn-1006-lq.mp3" length="18178704" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1005: 6-Day Certificates? Why?</title>
      <pubDate>Tue, 17 Dec 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1005-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1005-lq.mp3</guid>
      <description>Is AI the Wizard of Oz? Or is it more? Microsoft's long standing effective MFA login bypass. Is TPM 2.0 not required after all for Windows 11? Meet 14 North Korean IT workers who made $88 million from the West. Android updates its Bluetooth tracking with anti-tracking. The NPM package manager repository has had 540,000 malicious packages discovered hiding in plain sight. The AskWoody site remains alive, well, and terrific. My iPhone is linked to Windows and it's wonderful. Yay. How has email been finding logos before BIMI? If we use Him and Her for people, how about Hal for AI? Another very disturbing conversation with ChatGPT. What's going on with the new ChatGPT o1 model? It wants to escape? What?? Let's Encrypt plans to reduce its certificate lifetime from 90 to just 6 days. Why in the world?</description>
      <enclosure url="http://media.grc.com/sn/sn-1005-lq.mp3" length="15182640" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1004: A Chat with GPT</title>
      <pubDate>Tue, 10 Dec 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1004-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1004-lq.mp3</guid>
      <description>All telecom providers have been hacked and may still not be safe to use. So now the government is recommending that we use our own encrypted communications. The plan to obsolete all non-TPM 2.0 PCs remains well underway. Microsoft must be feeling the heat, so they're taking time to not apologize. Whoops. Microsoft's product activation system has been fully hacked. All Windows and Office products may now be easily activated without any licensing. Here come the AI patents. Apple patents AI recognizing people by what they're wearing after earlier seeing their faces and noting what they're wearing. Zoom wasn't encrypting their early video conferencing. They're still trying to get out from under the mess their lies created for them. AWS introduces physical data terminal locations where users can go to perform massive data transfers to and from the cloud. The FTC has set their sights on data brokers. Let's hope something comes of it. GRC's email finally gets BIMI. (Can you see the Ruby-G logo?) Lots of terrific listener feedback about authenticator policy, a new and free point-to-point link service, Tor's "Snowflake", linking PCs and Smartphones, and even recharging spent SodaStream canisters. Then we look at a recent conversation I had with "ChatGPT 4o with canvas" and the new plan that resulted.</description>
      <enclosure url="http://media.grc.com/sn/sn-1004-lq.mp3" length="15881760" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1003: A Light-Day Away</title>
      <pubDate>Tue, 03 Dec 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1003-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1003-lq.mp3</guid>
      <description>Microsoft makes very clear what data they are NOT using to train their AI models. What's a &quot;Digital Epileptic Seizure&quot;? What induces them? And why you don't want your self-driving car to have one! A public plea for help in the form of volunteer bridge servers from the Tor Network. If you are one of 140 million Zello users, heed their notice to change your password. The U.S. Federal Trade Commission opens a broad antitrust investigation into whether Microsoft has been naughty or nice. A new form of Android smartphone &quot;scareware&quot; simulates a seriously malfunctioning, cracked and broken screen. It's almost certainly positively and completely safe to leave Wireguard open and listening for incoming connections. Is &quot;almost certainly positively and completely safe&quot; safe enough? If the Internet fills with AI output, what happens when AI starts training on that? It seems we know. Last week, Australia passed the social media age restriction law. Now what? And finally, not only is Voyager 1 nearly an entire light-day away, it's beginning to have some harder to remotely repair problems. How much longer will we be in touch with it?</description>
      <enclosure url="http://media.grc.com/sn/sn-1003-lq.mp3" length="13864032" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1002: Disconnected Experiences</title>
      <pubDate>Tue, 26 Nov 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1002-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1002-lq.mp3</guid>
      <description>What's the new &quot;nearest neighbor&quot; attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. Then we ask: What are Microsoft's &quot;Connected Experiences&quot; and why might you choose to disconnect from them?</description>
      <enclosure url="http://media.grc.com/sn/sn-1002-lq.mp3" length="15495552" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1001: Artificial General Intelligence (AGI)</title>
      <pubDate>Tue, 19 Nov 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1001-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1001-lq.mp3</guid>
      <description>How Microsoft lured the US Government into a far deeper and expensive dependency upon its cybersecurity solutions. Gmail to offer native throwaway email aliases like Apple and Mozilla. Russia to ban several additional hosting companies and give its big Internet disconnect switch another test. Russia uses a diabolical Windows flaw to attack Ukrainians. The value of old Security Now episodes. TrueCrypt's successor. Using Cloudflare's Tunnel service for remote network access. How to make a local server appear to be on a remote public IP. How to share an 'impossible to type' password with someone. How to find obscure previous references in the Security Now podcast. What are the parameters for the expected and widely anticipated next generation Artificial General Intelligence (AGI)? What do those in the industry and academia expect? And is OpenAI's Sam Altman completely nuts for predicting it next year? Is it just a stock ploy?</description>
      <enclosure url="http://media.grc.com/sn/sn-1001-lq.mp3" length="14733072" type="audio/mpeg" />
    </item>
    <item>
      <title>SN1000: 1000!</title>
      <pubDate>Tue, 12 Nov 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-1000-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-1000-lq.mp3</guid>
      <description>Did Bitwarden go closed-source? The rights of German security researchers are clarified. Australia to impose age limits on social media. Free Windows Server 2025 anyone? UAC wasn't in the way enough, so they're fixing that. "From Russia with fines" -- obey or else. South Korea fines Meta over serious user privacy violations. Synology's (very) critical zero-click RCE flaw. Malicious Python packages invoked by typos. Google to enforce full MFA for all cloud service users. Mozilla Foundation lays off 30%? Is Firefox safe? Some feedback from Dave's Garage (https://grc.sc/dave). And a bunch of thought-provoking "Closing The Loop" feedback from our terrific listeners: The AI arms race, blocking YouTube shorts with uBlock Origin, the story behind the hose crossing the train tracks, the DNS Benchmark on non-Windows platforms, will AIs learn to tell the truth?, how to securely connect remotely to home network resources?, and listeners who have been with us for the past 20 years of their lives.</description>
      <enclosure url="http://media.grc.com/sn/sn-1000-lq.mp3" length="14969304" type="audio/mpeg" />
    </item>
    <item>
      <title>SN999: AI Vulnerability Discovery</title>
      <pubDate>Tue, 05 Nov 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-999-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-999-lq.mp3</guid>
      <description>Google's record-breaking fine by Russia. (How many 0's is that?) RT's editor-in-chief admits that their TV hosts are AI-generated. Windows 10 security updates set to end next October... or are they? When a good Chrome extension goes bad. Windows .RDP launch config files. What could possibly go wrong? Firefox 132 just received some new features. Chinese security cameras being removed from the UK. I know YOU wouldn't fall for this social engineering attack. What's GRC's next semi-commercial product going to be? And what's the prospect for AI being used to analyze code to eliminate security vulnerabilities?</description>
      <enclosure url="http://media.grc.com/sn/sn-999-lq.mp3" length="11382654" type="audio/mpeg" />
    </item>
    <item>
      <title>SN998: The Endless Journey to IPv6</title>
      <pubDate>Tue, 29 Oct 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-998-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-998-lq.mp3</guid>
      <description>Apple proposes 45-day maximum certificate life. Please, no. :( SEC fines four companies for downplaying their SolarWinds attack severity. Google adds 5 new features to Messenger including inappropriate content. Does AI-driven local device-side filtering resolve the encryption dilemma forever? The very nice looking &quot;Session&quot; messenger leaves Australia for Switzerland. Another quick look at the question of the EU's software liability moves. Fake North Korean employees WERE found to install backdoor malware. How to speed up an SSD without using SpinRite. Using ChatGPT to review and suggest improvements in code. And Internet governance has been trying to move the Internet to IPv6 for the past 25 years, but the Internet just doesn't want to go. Why not? And will it ever?</description>
      <enclosure url="http://media.grc.com/sn/sn-998-lq.mp3" length="17963352" type="audio/mpeg" />
    </item>
    <item>
      <title>SN997: Credential Exchange Protocol</title>
      <pubDate>Tue, 22 Oct 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-997-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-997-lq.mp3</guid>
      <description>Did Chinese researchers really break RSA encryption? What did they do? What next-level terror extortion is being powered by the NPD breach data? The EU to hold software companies liable for software security? Microsoft lost weeks of security logs. How hard did they try to fix the problem? The Chinese drone company DJI has sued the DoJ over its ban on DJI's drones. The DoJ wishes to acquire &quot;DeepFake&quot; technology to create fake people. Microsoft has bots pretending to fall for phishing campaigns, then leading the bad guys to their honeypots. It's diabolical and brilliant. A bit of BIMI logo follow-up, then... A look at the operation of the FIDO Alliance's forthcoming Credential Exchange Protocol which promises to create passkey collection portability.</description>
      <enclosure url="http://media.grc.com/sn/sn-997-lq.mp3" length="14236344" type="audio/mpeg" />
    </item>
    <item>
      <title>SN996: BIMI (up Scotty)</title>
      <pubDate>Tue, 15 Oct 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-996-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-996-lq.mp3</guid>
      <description>A great deal more about uBlock Origin which we've been underutilizing. National Public Data files for bankruptcy (is anyone surprised?). Will the .IO top level Internet domain be disappearing? Last week was Patch Tuesday, what did we learn? Firefox fixed a bad remote exploit that was attacking Tor users. Why a Server edition of Windows won't substitute for a desktop edition. A look back at a fabulous multi-platform puzzle/game from 2015. Feedback on Saturday's surprise Security Now! Mailing. More on &quot;What's the best router?&quot; What in the world is BIMI for email? What it does and what it promises. And next week we dig into the just-announced Passkey &quot;Credential Exchange Protocol&quot; which promises to deliver passkey portability.</description>
      <enclosure url="http://media.grc.com/sn/sn-996-lq.mp3" length="16117344" type="audio/mpeg" />
    </item>
    <item>
      <title>SN995: uBlock Origin &amp; Manifest V3</title>
      <pubDate>Tue, 08 Oct 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-995-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-995-lq.mp3</guid>
      <description>Meta was not bothering to hash passwords? PayPal to begin selling its users' purchase histories. 2021's record for maximum DDoS size has been broken. It's national cybersecurity month. When was the last time you updated your router's firmware? North Korean hackers are successfully posing as domestic IT workers. Why would a security-related podcast ever talk about Vitamin D? What's another way the recent Linux CUPS vulnerability might be weaponized? What's the secure consumer WiFi router of choice today? And what should be done to further secure it after purchase? Recent troubles with uBlock Origin's Lite edition shine a light on Chrome's coming content-blocking add-on restrictions. What's going on and what can be done?</description>
      <enclosure url="http://media.grc.com/sn/sn-995-lq.mp3" length="16157736" type="audio/mpeg" />
    </item>
    <item>
      <title>SN994: Recall's Re-Rollout</title>
      <pubDate>Tue, 01 Oct 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-994-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-994-lq.mp3</guid>
      <description>We have the full story about the Linux remote code execution flaw. What bad stuff can happen if a domain escapes control even briefly? What social media platform is now in Russia's Roskomnadzor crosshairs? Update VLC to eliminate a potential remote code execution flaw. Tor merges with Tails for greater efficiency. Telegram announces that it will now obey court orders to disclose information. Interesting info from Bobiverse's author and some early feedback about Peter F. Hamilton's latest novel. How to keep Windows from re-asking to set up an already setup system. And... Microsoft is re-rolling out Recall. Have they actually addressed the valid</description>
      <enclosure url="http://media.grc.com/sn/sn-994-lq.mp3" length="14189616" type="audio/mpeg" />
    </item>
    <item>
      <title>SN993: Kaspersky exits the U.S.</title>
      <pubDate>Tue, 24 Sep 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-993-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-993-lq.mp3</guid>
      <description>The case of the exploding pagers and walkie-talkies. Are Ford Motor Company autos planning to listen in to their occupants? Highly personal data of 106,316,633 U.S. individuals was found unprotected online. Passkeys take a huge step forward with native support in Chrome. Is there a serious 9.9-level unauthenticated remote code exploit in Linux? More credit bureau freezing insanity, Drobo vs Synology, GRC's email adventure, WiFi security with and without a VPN, obtaining CPE credits from listening to Security Now, and in defense of Microsoft Defender XDR. Then, what mess did Kaspersky make leaving the U.S. market last week and what are the wider implications for the Internet's future?</description>
      <enclosure url="http://media.grc.com/sn/sn-993-lq.mp3" length="15107616" type="audio/mpeg" />
    </item>
    <item>
      <title>SN992: Password Manager Injection Attacks</title>
      <pubDate>Tue, 17 Sep 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-992-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-992-lq.mp3</guid>
      <description>What happened during Microsoft's recent Windows Endpoint Security Ecosystem Summit? And what, if anything, will probably result? How reliable is ANY form of digital storage when used for long-term archiving? What happened when an illegal Starlink Internet network was set up on a U.S. Navy ship? What's the best solution for securing the Internet-facing "edge" of enterprise networks? GRC has started notifying SpinRite 6 owners about 6.1. What's been learned about the challenge of sending email in 2024? Why might running SpinRite on an SSD cause the SSD to then appear to be running more slowly? Why is true secrecy so difficult to achieve, and how were most password managers leaking some of their secrets?</description>
      <enclosure url="http://media.grc.com/sn/sn-992-lq.mp3" length="15855120" type="audio/mpeg" />
    </item>
    <item>
      <title>SN991: RAMBO</title>
      <pubDate>Tue, 10 Sep 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-991-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-991-lq.mp3</guid>
      <description>Microsoft's &quot;Recall&quot; uninstallability is a bug. Yubikeys can be cloned. How worried should you be? When was that smoke detector installed? We share and discuss lots of interesting listener feedback: Is WhatsApp more secure than Telegram? Does Telegram's lack of security really matter? Elevators in Paris have problems, too. There's a 4th credit bureau to be frozen, too. Can high-pitched sound keep dogs from barking? A reminder of a terrific UNIX 2038 countdown clock. A new Bobiverse Sci-Fi book &amp; new Peter Hamilton novel. Why does SpinRite show user data flashing past? And... TEMPEST is alive and well in the form of the latest RAMBO attack.</description>
      <enclosure url="http://media.grc.com/sn/sn-991-lq.mp3" length="15157224" type="audio/mpeg" />
    </item>
    <item>
      <title>SN990: Is Telegram an Encrypted App?</title>
      <pubDate>Tue, 03 Sep 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-990-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-990-lq.mp3</guid>
      <description>Telegram's founder, owner and CEO arrested in France. What does that mean? One year after Microsoft began offering free cloud security event logging. How's that going? To no one's surprise, CrowdStrike is losing customers - But how many? Microsoft to meet with CrowdStrike and other vendors to discuss new solutions. Yelp is not happy with Google. Did/does Google put their thumb on the scale? Where do you go to purchase yourself some DDoS? How about sending a Telegram? Chrome exploits are becoming more rare and difficult to find so Google has upped the ante. Believe it or not, Cox Media Group is still promoting their incredibly privacy invading "Active Listening" capability. How about secretly having foreigners doing all of your work for you. What could possibly go wrong? And Johns Hopkins Cryptographer Matthew Green has become increasingly annoyed by Telegram's claims of being an encrypted messaging platform. So he finally asks the question: Is Telegram an Encrypted App?</description>
      <enclosure url="http://media.grc.com/sn/sn-990-lq.mp3" length="13572288" type="audio/mpeg" />
    </item>
    <item>
      <title>SN989: Cascading Bloom Filters</title>
      <pubDate>Tue, 27 Aug 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-989-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-989-lq.mp3</guid>
      <description>CrowdStrike's president appears in person to accept the "Most Epic Fail" award. A secret backdoor discovered in Chinese-made RFID access key cards. Counterfeit and poorly functioning Cisco brand networking gear in use by major institutions, government and military. A startling SSD performance improvement thanks to SpinRite. When is "Bing" actually "Edge" ... and other errata. Another useful National Public Data breach check service. And what are "Cascading Bloom Filters" and why do they offer the promise of 100% browser local and instantaneous certificate revocation detection?</description>
      <enclosure url="http://media.grc.com/sn/sn-989-lq.mp3" length="13294800" type="audio/mpeg" />
    </item>
    <item>
      <title>SN988: National Public Data</title>
      <pubDate>Tue, 20 Aug 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-988-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-988-lq.mp3</guid>
      <description>As we embark on our 20th year of this weekly Internet security and privacy oriented technical news podcast, we're going to look at some more interesting certificate revocation news and we have an experiment for our listeners. What six 0-days were patched during Microsoft's Patch Tuesday last week? 53 episodes of the 1980's "Famous Computer Cafe" radio show were recently discovered and are now online -- hear Bill Gates before his voice changed. We have release #3 of IsBootSecure and a GRC email update and some interesting listener feedback. Then, to no one's surprise, we're going to take a deep dive into the background, meaning and impact of the largest personal data breach in history; how to look up your own breached records online, what to do and what this means for the future.</description>
      <enclosure url="http://media.grc.com/sn/sn-988-lq.mp3" length="14318136" type="audio/mpeg" />
    </item>
    <item>
      <title>SN987: Revisiting Revocation</title>
      <pubDate>Tue, 13 Aug 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-987-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-987-lq.mp3</guid>
      <description>A million domains are vulnerable to the &quot;Sitting Duck&quot; attack. What is it? Is it new? Why does it happen? And who needs to worry about it? A CVSS 9.8 (serious) remote code execution vulnerability has been discovered in Windows' RDL (Remote Desktop Licensing) service. Patch it before the bad guys use it! All of AMD's chips have a critical (but patchable) microcode bug that allows boot-time security to be compromised. Now what? Microsoft apparently decides NOT to fix a simple Windows bug that allows anyone to easily crash Windows with a Blue Screen of Death anytime they wish. You sure don't want that in your Windows startup folder! GRC's IsBootSecure freeware is updated and very nearly finished. And believe it or not, the entire certificate revocation system that the industry has just spent the past ten years getting working is about to be scrapped in favor of what never worked before. Go figure.</description>
      <enclosure url="http://media.grc.com/sn/sn-987-lq.mp3" length="14530536" type="audio/mpeg" />
    </item>
    <item>
      <title>SN986: How Revoking!</title>
      <pubDate>Tue, 06 Aug 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-986-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-986-lq.mp3</guid>
      <description>What's been learned over the past week about the PKfile Platform Key misuse issue? What is &quot;IsBootSecure?&quot; and why does that sound suspiciously like a new piece of GRC freeware? There's plenty of news on the 3rd-party cookie front. What's going on with Firefox and what position has the World Wide Web Consortium (W3C) taken on this important issue? Now that we're a few weeks downstream of the CrowdStrike disaster, the attorneys have come out to play. What are we learning about the legal side of this massive outage? What's been going on with GRC's incoming &quot;SecurityNow&quot; email system? And we finish by looking at DigiCert's recent mass certificate revocation event. Why it happened? What happened? Did it matter? Was it necessary? And how does it compare to Entrust's past behavior?</description>
      <enclosure url="http://media.grc.com/sn/sn-986-lq.mp3" length="12761640" type="audio/mpeg" />
    </item>
    <item>
      <title>SN985: Platform Key Disclosure</title>
      <pubDate>Tue, 30 Jul 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-985-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-985-lq.mp3</guid>
      <description>The obligatory follow-up on the massive CrowdStrike event: How do CrowdStrike's users feel? Are they switching or staying? How does CrowdStrike explain what happened? Does it make sense? How much blame should they receive? An update on how Entrust is attempting to keep its customers from changing certificate authorities. Firefox appears not to be blocking 3rd-party tracking cookies when it claims to be. How hiring remote workers can come back to bite you in the you-know-what. Did Google really want to kill off 3rd-party cookies or are they actually happy? And is there any hope of ending abusive tracking? Auto-updating anything is fraught with danger. Why do we do it and is there no better solution? And what serious mistake did a security firm discover that compromises the security of nearly 850 PC makes and models?</description>
      <enclosure url="http://media.grc.com/sn/sn-985-lq.mp3" length="16419744" type="audio/mpeg" />
    </item>
    <item>
      <title>SN984: CrowdStruck</title>
      <pubDate>Tue, 23 Jul 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-984-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-984-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-984-lq.mp3" length="15758064" type="audio/mpeg" />
    </item>
    <item>
      <title>SN983: A Snowflake's Chance</title>
      <pubDate>Tue, 16 Jul 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-983-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-983-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-983-lq.mp3" length="13745016" type="audio/mpeg" />
    </item>
    <item>
      <title>SN982: The Polyfill.io Attack</title>
      <pubDate>Tue, 09 Jul 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-982-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-982-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-982-lq.mp3" length="12506256" type="audio/mpeg" />
    </item>
    <item>
      <title>SN981: The End of Entrust Trust</title>
      <pubDate>Tue, 02 Jul 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-981-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-981-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-981-lq.mp3" length="15929568" type="audio/mpeg" />
    </item>
    <item>
      <title>SN980: The Mixed Blessing of a Crappy PRNG</title>
      <pubDate>Tue, 25 Jun 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-980-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-980-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-980-lq.mp3" length="12740328" type="audio/mpeg" />
    </item>
    <item>
      <title>SN979: The Angle of the Dangle</title>
      <pubDate>Tue, 18 Jun 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-979-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-979-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-979-lq.mp3" length="12971952" type="audio/mpeg" />
    </item>
    <item>
      <title>SN978: The rise and fall of code.microsoft.com</title>
      <pubDate>Tue, 11 Jun 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-978-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-978-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-978-lq.mp3" length="14836608" type="audio/mpeg" />
    </item>
    <item>
      <title>SN977: A Large Language Model in Every Pot</title>
      <pubDate>Tue, 04 Jun 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-977-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-977-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-977-lq.mp3" length="11949120" type="audio/mpeg" />
    </item>
    <item>
      <title>SN976: The 50 Gigabyte Privacy Bomb</title>
      <pubDate>Tue, 28 May 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-976-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-976-lq.mp3</guid>
      <description></description>
      <enclosure url="http://media.grc.com/sn/sn-976-lq.mp3" length="13921272" type="audio/mpeg" />
    </item>
    <item>
      <title>SN975: 312 Scientists &amp; Researchers Respond</title>
      <pubDate>Tue, 21 May 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-975-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-975-lq.mp3</guid>
      <description>Which browser has had a very rough week? And why? Which bodily fluid should you probably not drink despite Google's recommendation? And how can you tweak your browser to avoid those in the future? What happens when a Windows XP machine is exposed to the unfiltered Internet? Duck and Cover! How did a pair of college kids get their laundry washed for free? And what do we learn about still-clueless corporations? And finally, after engaging with some terrific listener feedback, we're going to examine the latest thought-provoking response to the EU's proposed Child Sexual Abuse Regulation from their own scientific and research community.</description>
      <enclosure url="http://media.grc.com/sn/sn-975-lq.mp3" length="13862520" type="audio/mpeg" />
    </item>
    <item>
      <title>SN974: Microsoft's head in the Clouds</title>
      <pubDate>Tue, 14 May 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-974-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-974-lq.mp3</guid>
      <description>What fascinating insights do we obtain from examining 3.4 million 4-digit PINs? What plans are already underway as a backup for today's vulnerable GPS technology? How many passkeys will websites store per account? And what's all this about Microsoft promising to get serious about their cloud-based services security?</description>
      <enclosure url="http://media.grc.com/sn/sn-974-lq.mp3" length="11904912" type="audio/mpeg" />
    </item>
    <item>
      <title>SN973: Not So Fast</title>
      <pubDate>Tue, 07 May 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-973-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-973-lq.mp3</guid>
      <description>What danger is presented by the world's dependence upon GPS? And why is that of any concern? Has the sky fallen on all VPN systems? And why does the tech press appear to think so? Today's myriad network authentication options are confusing and incomplete. What does the future promise? Why might Apple have been erasing iCloud Keychain data? And what's actually going on between Google and the United Kingdom regarding the sunsetting of 3rd-party cookies? What's the problem? Or is there one?</description>
      <enclosure url="http://media.grc.com/sn/sn-973-lq.mp3" length="15498144" type="audio/mpeg" />
    </item>
    <item>
      <title>SN972: Passkeys: A Shattered Dream?</title>
      <pubDate>Tue, 30 Apr 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-972-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-972-lq.mp3</guid>
      <description>The choice for this week's main topic received some serious competition from some surprising legislation that came into effect yesterday in the United Kingdom. So we're going to start by taking a close look at what happened in the UK that promises to completely change the face of consumer IoT device security. As we'll see, that's not an overstatement; the world as we've known it just changed. While that exploration is going to consume most of the first half of today's podcast, I also want to look at what happened last week with Chrome's change of plan regarding 3rd-party cookies, I have a bit of listener feedback to share, and news of the next installment in a long-running science fiction book series. I also have the welcome news that I am finally working on bringing up GRC's eMail communications system. Then we'll finish by taking a look at a blog posting by an industry insider that many of our listeners forwarded to me asking &quot;what do you think about this?&quot;.</description>
      <enclosure url="http://media.grc.com/sn/sn-972-lq.mp3" length="14221296" type="audio/mpeg" />
    </item>
    <item>
      <title>SN971: Chat (out of) Control</title>
      <pubDate>Tue, 23 Apr 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-971-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-971-lq.mp3</guid>
      <description>What would you call Stuxnet on steroids? What's the latest on the Voyager 1 drama? What new features are coming to Android and Thunderbird? What's China done now? Why did Gentoo Linux say 'no' to AI? And after sharing and discussing a bunch of feedback from our terrific listeners and a SpinRite update, we're going to examine the latest update to the European Union's worrisome "Chat Control" legislation which is reportedly just over a month away from becoming law. Is the EU about to force the end of end-to-end encryption in order to enable and require the scanning of all encrypted communications?  It appears ready to do just that.</description>
      <enclosure url="http://media.grc.com/sn/sn-971-lq.mp3" length="14710608" type="audio/mpeg" />
    </item>
    <item>
      <title>SN970: GhostRace</title>
      <pubDate>Tue, 16 Apr 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-970-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-970-lq.mp3</guid>
      <description>What's the latest on that massive five-year-old AT&amp;T data breach? Who just leaked more than 340,000 social security numbers, Medicare data and more, and what does that mean? Are websites honoring their cookie banner notification permissions? And why do we already know the answer to that question? What surprise have the GDPR's transparency requirements just revealed? And after sharing a bit of feedback from our listeners, we're going to go deeper into raw fundamental computer science technology than we have in a long time... and it may be inadvisable to operate any heavy equipment while listening to that part.</description>
      <enclosure url="http://media.grc.com/sn/sn-970-lq.mp3" length="11824128" type="audio/mpeg" />
    </item>
    <item>
      <title>SN969: Minimum Viable Secure Product</title>
      <pubDate>Tue, 09 Apr 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-969-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-969-lq.mp3</guid>
      <description>When is it far better for a security researcher to just keep their mouth shut? Are all Internet-based secure note exchanging sites created equal? What's been happening in the lucrative and slimy world of 0-days for pay? And what has NASA just learned about the state of Voyager 1? Something momentous has happened with SpinRite, and we're going to take a deep dive into an important industry initiative that just acquired an important new contributor.</description>
      <enclosure url="http://media.grc.com/sn/sn-969-lq.mp3" length="11676960" type="audio/mpeg" />
    </item>
    <item>
      <title>SN968: A Cautionary Tale</title>
      <pubDate>Tue, 02 Apr 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-968-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-968-lq.mp3</guid>
      <description>Why should all Linux users update their systems if they haven't since February? What do 73 million current and past AT&amp;T customers all have in common? What additional and welcome, though very different, new features await Signal and Telegram users? Which major IT supplier has left Russia early? What did Ghostery's ad blocking profile reveal about Internet users? Whatever happened with that Incognito-mode lawsuit against Google? And how are things going in the open source repository world? And then, after I share something kinda special that happened Sunday involving my wife, SpinRite and her laptop - and it's probably not what you think - we're going to take a look at another rather horrifying bullet that the Internet dodged again.</description>
      <enclosure url="http://media.grc.com/sn/sn-968-lq.mp3" length="11271024" type="audio/mpeg" />
    </item>
    <item>
      <title>SN967: GoFetch</title>
      <pubDate>Tue, 26 Mar 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-967-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-967-lq.mp3</guid>
      <description>After I comment on the US Department of Justice's antitrust suit against Apple, we'll update on General Motors' violation of its car owners' privacy and answer some questions, including what happy news is Super Sushi Samurai celebrating? Has Apple abandoned its plans for HomeKit-compatible routers? And what appears to be shaping up to take their place? Will our private networks be receiving their own domain names? And if so, what? The UN has spoken out about AI -- does anyone care? And what do I think the prospects are of us controlling AI? What significant European country just blocked Telegram? What did the just-finished 2024 Pwn2Own competition teach? Might the US be hacking back against China as they are against us? And after a bit of interesting SpinRite news and a bit of feedback from our listeners, we're going to spend the rest of our time looking into last week's quite explosive headlines about the apparently horrific unfixable flaws in Apple's M-series silicon. Just how bad is it?</description>
      <enclosure url="http://media.grc.com/sn/sn-967-lq.mp3" length="12640104" type="audio/mpeg" />
    </item>
    <item>
      <title>SN966: Morris The Second</title>
      <pubDate>Tue, 19 Mar 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-966-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-966-lq.mp3</guid>
      <description>Voyager lives! (Maybe). The world wide web just turned 35. What does its Dad think? What's the latest horrific violation of consumer privacy to come to light? Our listeners have been extremely engaged and interested in several of this podcast's recent topics. So we're going to use their feedback to finish off several of those topics. And finally, we look at how a group of Cornell University researchers managed to get today's generative AI models to behave badly and at just how much of a cautionary tale this may be.</description>
      <enclosure url="http://media.grc.com/sn/sn-966-lq.mp3" length="14217336" type="audio/mpeg" />
    </item>
    <item>
      <title>SN965: Passkeys vs 2FA</title>
      <pubDate>Tue, 12 Mar 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-965-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-965-lq.mp3</guid>
      <description>What happened with CERT? What headache has VMware been dealing with? What's Microsoft's latest vulnerability disclosure strategy? What's China's &quot;Document 79,&quot; and is it any surprise? What long-awaited new feature is in version 7.0 of Signal? How is Meta coping with the EU's new Digital Markets Act that just went into effect? What's the latest on that devastating ransomware attack on Change Healthcare? And after addressing some interesting feedback from our listeners, I want to clarify something about Passkeys that is not at all obvious.</description>
      <enclosure url="http://media.grc.com/sn/sn-965-lq.mp3" length="16033320" type="audio/mpeg" />
    </item>
    <item>
      <title>SN964: PQ3</title>
      <pubDate>Tue, 05 Mar 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-964-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-964-lq.mp3</guid>
      <description>Last week we covered a large amount of security news; this week, not so much. There are security stories I'll be catching us up with next week, but after sharing a wonderful piece of writing about the fate of Voyager 1, news of an attractive new Humble Bundle, a tip of the week from a listener, a bit of SpinRite news and a number of interesting discussions resulting from feedback from our listeners, our promised coverage of Apple's new &quot;PQ3&quot; post-quantum safe iMessage protocol consumed the entire balance of this week's podcast budget, bulging today's show notes to a corpulent 21 pages. I think everyone's going to have a good time.</description>
      <enclosure url="http://media.grc.com/sn/sn-964-lq.mp3" length="14239440" type="audio/mpeg" />
    </item>
    <item>
      <title>SN963: Web Portal? Yes Please!</title>
      <pubDate>Tue, 27 Feb 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-963-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-963-lq.mp3</guid>
      <description>What US state is now trying to ban encryption for minors? What shocking truth did a recent survey of IT professionals reveal? What experimental feature from Edge is Chrome inheriting? Are online services really selling our private data? And what about browser add-ons? Should we be paying extra to obtain cloud security logs? Now that the dust has settled, what happened with LockBit? What new features just appeared in Firefox v123? And what lesson have we just received another horrific example of? I have news on the GRC software front, and we have a bunch of interesting feedback from our terrific podcast listeners. So another jam-packed episode of Security Now.</description>
      <enclosure url="http://media.grc.com/sn/sn-963-lq.mp3" length="13496976" type="audio/mpeg" />
    </item>
    <item>
      <title>SN962: The Internet Dodged a Bullet</title>
      <pubDate>Tue, 20 Feb 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-962-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-962-lq.mp3</guid>
      <description>What's the worst mistake that the provider of remotely accessible residential webcams could possibly make? What surprises did last week's Patch Tuesday bring? Why would any website put an upper limit on password length? And for that matter, what's up with no use of special characters? Will Canada's ban on importing the Flipper-Zero hacking gadgets reduce car theft? Exactly why didn't the Internet build in security from the start? How could they miss that? Doesn't Facebook's notice of a previous password leak information? Why isn't TOTP just another password that's unknown to an attacker? Can exposing SNMP be dangerous? Why doesn't eMail's general lack of encryption and other security make eMail-only login very insecure? And, finally, what major cataclysm did the Internet just successfully dodge? And is it even possible to have a &quot;minor cataclysm&quot;? Today, we'll be taking a number of deep dives after we examine a potential solution to global warming and energy production as shown in our terrific picture of the week. Some things are so obvious in retrospect.</description>
      <enclosure url="http://media.grc.com/sn/sn-962-lq.mp3" length="14440968" type="audio/mpeg" />
    </item>
    <item>
      <title>SN961: Bitlocker: Cracked or Chipped?</title>
      <pubDate>Tue, 13 Feb 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-961-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-961-lq.mp3</guid>
      <description>What's the story behind the massive incredible 3 million toothbrush takeover attack? How many honeypots are out there on the Internet? What's the best technology to use to access your home network while traveling? Exactly why is password security all just an illusion? Does detecting and reporting previously used passwords create a security weakness? Will Apple's opening of iOS in the EU drive a browser monoculture? Can anything be done to secure our router's UPnP? Has anyone encountered the &quot;Unintended Consequences&quot; we theorized last week? Are running personal eMail servers no longer practical? And what's up with the recently reported vulnerability in many TPM-protected Bitlocker systems?</description>
      <enclosure url="http://media.grc.com/sn/sn-961-lq.mp3" length="13526208" type="audio/mpeg" />
    </item>
    <item>
      <title>SN960: Unforeseen Consequences</title>
      <pubDate>Tue, 06 Feb 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-960-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-960-lq.mp3</guid>
      <description>What move has CISA just made that affects our home routers? What serious flaw was discovered in a core C library used everywhere by Linux? Does OpenSSL still have a future? What's Roskomnadzor done now? How can a password manager become proactive with Passkey adoption? Which favorite browser just added post-quantum crypto? What prevents spoofing the images taken by digital signing cameras? Why are insecure PLC devices ever attached to the Internet? And what may be an undesirable and unforeseen consequence of Google's anti-tracking changes?</description>
      <enclosure url="http://media.grc.com/sn/sn-960-lq.mp3" length="12956112" type="audio/mpeg" />
    </item>
    <item>
      <title>SN959: Stamos on &quot;Microsoft Security&quot;</title>
      <pubDate>Tue, 30 Jan 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-959-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-959-lq.mp3</guid>
      <description>What changes will the EU's soon-to-be-in-force Digital Markets Act be bringing to Apple's traditional iOS policies? What OS is ransomware unable to infect? What has HP done now with their printer ink policy? How many stolen user database records will fit in 12 terabytes? Can't you just delete that incriminating chat stream? Did Mercedes-Benz leave their doors unlocked? What's the latest on ransom payment rates? And after entertaining some questions from our terrific listeners and a long-awaited announcement from me, we're going to take a look at Alex Stamos' reaction to Microsoft's most recent security incident response.</description>
      <enclosure url="http://media.grc.com/sn/sn-959-lq.mp3" length="14561856" type="audio/mpeg" />
    </item>
    <item>
      <title>SN958: A Week of News and Listener Views</title>
      <pubDate>Tue, 23 Jan 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-958-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-958-lq.mp3</guid>
      <description>What mistake did Microsoft make that allowed Russians to access their top executive's eMail? What does the breach of US Health &amp; Human Services teach us? What does Firefox's complaint about Apple, Google &amp; Microsoft mean? Why has the Brave browser just reduced the strength of its anti-fingerprinting measures? Last year CISA started proactively scanning. How'd that go? What new feature of smartphones has become a competitive advantage? And just how Incognito is that mode? Then we'll wrap up the week by looking at some of the best feedback from our listeners, including what's the future of fraudulent media creation?, how should a high school listener of ours get started with computing?, why did a popular Android app suddenly become sketchy?, does Google's Privacy Sandbox allow websites to customize their presentations to their visitors?, how might last week's LG smart washing machine have become infected?, does the Protected Audience API also protect its audience from malvertising?, and why do big ISPs just pull the plug on DDoSed sites rather than attempt to protect them?</description>
      <enclosure url="http://media.grc.com/sn/sn-958-lq.mp3" length="14484888" type="audio/mpeg" />
    </item>
    <item>
      <title>SN957: The Protected Audience API</title>
      <pubDate>Tue, 16 Jan 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-957-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-957-lq.mp3</guid>
      <description>What would an IoT device that had been taken over do? And what would happen to the target of attacks it might participate in? What serious problem was recently discovered in a new post-quantum algorithm and what does this mean? What does a global map of web browser usage reveal? And after entertaining some thoughts and feedback from our listeners and describing the final touch I'm putting on SpinRite, we're going to rock everyone's world (and I'm not kidding) by explaining what Google has been up to for the past three years, why it is going to truly change everything we know about the way advertisements are served to web browser users, and what it all means for the future.</description>
      <enclosure url="http://media.grc.com/sn/sn-957-lq.mp3" length="10742112" type="audio/mpeg" />
    </item>
    <item>
      <title>SN956: The Inside Tracks</title>
      <pubDate>Tue, 09 Jan 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-956-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-956-lq.mp3</guid>
      <description>I want to start off this week by following up on last week's podcast about the hardware backdoor discovered in Apple's silicon, to support the conclusion I've reached since then, that this was deliberate on Apple's part, that they always knew about this, and why. Then we're going to wonder whether everyone is as cyber-vulnerable as Ukraine appears to be? And if so, why and just how serious could cyberattacks become? What's the latest on the mess over at 23andMe? How's cryptocurrency been faring, and are things getting better, staying the same, or getting worse? What Google Mandiant account got hacked? Just how seriously, and legally, do we take the term &quot;war&quot; in &quot;cyberwar&quot;, and what are the implications of that? LastPass recently announced some policy changes; even if they are about two years late, what lessons should the rest of the 'Net take away? During 2023, how did Windows 11 fare against Windows 10? What happens when users discover that Chrome's Incognito mode is still tracking them? And then, after exploring some questions from our terrific listeners, I want to share the result of some interesting research I conducted last week during the final days of the work on SpinRite 6.1 for this week's podcast, titled: &#8216;The Inside Tracks&#8217;.</description>
      <enclosure url="http://media.grc.com/sn/sn-956-lq.mp3" length="12334536" type="audio/mpeg" />
    </item>
    <item>
      <title>SN955: The Mystery of CVE-2023-38606</title>
      <pubDate>Tue, 02 Jan 2024 18:00:00 -0800</pubDate>
      <link>http://media.grc.com/sn/sn-955-lq.mp3</link>
      <itunes:author>TWiT</itunes:author>
      <category>Technology</category>
      <category>Security</category>
      <itunes:explicit>false</itunes:explicit>
      <guid isPermaLink="false">http://media.grc.com/sn/sn-955-lq.mp3</guid>
      <description>After everyone is updated with the state of my still-continuing work on SpinRite 6.1, and after I've shared a bit of feedback from our listeners, the entire balance of this first podcast of 2024 will be invested in the close and careful examination of the technical details surrounding something that has never before been found in Apple's custom proprietary silicon. As we will all see and understand by the time we're finished here today, it is something that can only be characterized as a deliberately designed, implemented and protected backdoor that was intended to be, and was, let loose and present in the wild. After we all understand what Apple has done through five successive generations of their silicon, today's podcast ends, as it must, by posing a single one-word question: Why?</description>
      <enclosure url="http://media.grc.com/sn/sn-955-lq.mp3" length="12231288" type="audio/mpeg" />
    </item>
  </channel>
</rss>
