• A follow-up to the SharePoint server patch mess.
• How Russia arranges to spy on other country's local embassies.
• "Dropbox Passwords" manager app is ending in October.
• Signal will leave Australia rather than help spy.
• YouTube deploys viewing history age-estimation heuristics.
• Chrome adds clever lightweight extension signing to prevent abuse.
• A domain registrar is coming close to losing its rights.
• A TP-Link router that doesn't encrypt its configuration.
• What is "TruAge" and might it be useful for age verification.
• An update on "Artemis".
• With U.S.-China tensions on the rise, should Chinese security companies receive weeks of advance notice of forthcoming Microsoft flaw patches?

Show Notes - https://www.grc.com/sn/SN-1037-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• bigid.com/securitynow
• joindeleteme.com/twit promo code TWIT
• Melissa.com/twit
• threatlocker.com for Security Now

• Brave randomizes its fingerprints.
• The next Brave will block Microsoft Recall by default.
• Clorox sues its IT provider for $380 million in damages.
• 6-month Win10 ESU offers are beginning to appear.
• Warfare has significantly become cyber.
• Allianz Life loses control of 125 million customers' data.
• The CIA's Acquisition Research Center website was hacked.
• The Pentagon says the SharePoint RCE didn't get them.
• A look at a DPRK "laptop farm" to impersonate Americans.
• FIDO's passkey was NOT bypassed by a MITM after all.
• Is our data safe anywhere?
• The UK is trying to back-pedal out of the Apple ADP mess.
• Meanwhile, the EU resumes its push for "Chat Control".
• Microsoft fumbled the patch of a powerful Pwn2Own exploit

Show Notes - https://www.grc.com/sn/SN-1036-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• canary.tools/twit - use code: TWIT
• threatlocker.com for Security Now
• bitwarden.com/twit
• uscloud.com

• Bypassing all passkey protections.
• The ransomware attacks just keep on coming.
• Cloudflare capitulates to the MPA and starts blocking.
• The need for online age verification is exploding.
• Microsoft really wants Exchange Servers to subscribe.
• Russia (further) clamps down on Internet usage.
• The global trend toward more Internet restrictions.
• China can inspect locked Android phones. Use a burner.
• Web shells are the new buffer overflow.
• An age verification protocol sketch.
• What Cloudflare did to create an outage of 1.1.1.1

Show Notes - https://www.grc.com/sn/SN-1035-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• zscaler.com/security
• 1password.com/securitynow
• go.acronis.com/twit

• A glorious takedown of quantum factorization.
• Notepad++ signs its own code signing certificate.
• Dennis Taylor has Bobiverse Book 6 on his lap.
• Crypto/ATM machines flat out outlawed.
• Signal vs WhatsApp: Encryption in flight and at rest.
• A close look at browser fingerprinting metrics.
• Rewriting interpreters in memory-safe languages.
• An introduction to zero-knowledge proofs

Show Notes - https://www.grc.com/sn/SN-1034-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• joindeleteme.com/twit promo code TWIT
• bigid.com/securitynow
• threatlocker.com for Security Now
• uscloud.com

• Another Israeli spyware vendor surfaces.
• Win11 to delete restore points more quickly.
• The EU accelerates its plans to abandon Microsoft Azure.
• The EU sets timelines for Post-Quantum crypto adoption.
• Russia to create a massive IMEI database.
• Canada and the UK create the "Common Good Cyber Fund".
• U.S. states crack down on Bitcoin ATMs amid growing scams.
• Congressional staffers cannot use WhatsApp on gov devices.
• LibXML2 and the problems with commercial use of OSS.
• A(nother) remote code execution vulnerability in WinRAR.
• Have-I-Been-Pwned gets a cool data visualization site.
• How is ransomware getting in?
• Windows to offer "safe" non-kernel endpoint security?
• Proactive age verification coming to porn sites. How?
• Canada (also) says "bye bye" to Hikvision.
• Germany will be banning DeekSeek. The whole EU may follow.
• Cloudflare throttled in Russia?
• What must the U.S. do to compete in global exploit acquisition?

Show Notes - https://www.grc.com/sn/SN-1033-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• expressvpn.com/securitynow
• Melissa.com/twit
• 1password.com/securitynow
• hoxhunt.com/securitynow
• canary.tools/twit - use code: TWIT

• Let's Encrypt drops its long-running email notifications.
• Microsoft's new "Unexpected Restart Experience".
• Microsoft's response to last year's massive CrowdStrike outage.
• Windows 10's extended service updates will sort of be free.
• Russia-sold iPhones MUST include the RuStore app.
• Lyon, in France, says bye-bye to Windows. Hello to Linux.
• The US Gov gets more serious about memory-safe languages.
• A new unbelievable AI malware scanner evaSion technique.
• A new pair of Cisco 9.8 and 10.0 vulnerabilities.
• The current state of post-Elon government cybersecurity.
• PNGv3, Swift on Android, and the Samsung email purge.
• Andy Weir's "Hail Mary" movie trailer.
• And a close look at the pervasiveness of web browser tracking fingerprinting.

Show Notes - https://www.grc.com/sn/sn-1032-notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• go.acronis.com/twit
• bitwarden.com/twit
• threatlocker.com/twit
• joindeleteme.com/twit promo code TWIT

• China's Salt Typhoon claims another victim (or two).
• State healthcare portals are tracking and leaking. No kidding.
• Apple adopts FIDO's Passkeys and other credentials transport.
• Facebook gets Passkey logon.
• TikTok continues ticking for at least another 90 days.
• Canadian telco admits they were infiltrated by Salt Typhoon.
• Microsoft to remove unwanted (and hopefully unneeded) hardware drivers.
• The Austrian government legislates court-warranted message decryption.
• I (Steve) finally get full clarity on what today's "AI" means.
• A deep dive into the Salt Typhoon's operation and how they got in

Show Notes - https://www.grc.com/sn/SN-1031-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• 1password.com/securitynow
• hoxhunt.com/securitynow
• outsystems.com/twit
• bigid.com/securitynow
• zscaler.com/security

• An exploited iOS iMessage vulnerability Apple denies?
• The NPM repository is under siege with no end in sight.
• Were Comcast and Digital Realty compromised? Don't ask them.
• Matthew Green agrees: XChat does not offer true security.
• We may know how Russia is convicting Telegram users.
• Microsoft finally decides to block two insane Outlook file types.
• 40,000 openly available video camera are online. Who owns them?
• Running SpinRite on encrypted drives.
• An LLM describes Steve's (my) evolution on Microsoft security.
• What do we know about the bots that are scanning the Internet?

Show Notes - https://www.grc.com/sn/SN-1030-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• joindeleteme.com/twit promo code TWIT
• bitwarden.com/twit
• material.security
• drata.com/securitynow
• bigid.com/securitynow