Security Now - 16k MP3

Author: TWiT
© This work is licensed under a Creative Commons License -
Attribution-NonCommercial-NoDerivatives 4.0 International -
http://creativecommons.org/licenses/by-nc-nd/4.0/
Description
Steve Gibson, the man who coined the term spyware and created the first anti-spyware program, creator of SpinRite and ShieldsUP, discusses the hot topics in security today with Leo Laporte.
Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific / 20:30 UTC.
1036 Episodes
/ Germany may soon outlaw ad blockers. / What's happening in the courts over AI. / The U.K. drops its demands of Apple. / New Microsoft 365 tenants being throttled. / Is Russia preparing to block Google Meet? / Bluesky suspends its service in Mississippi. / How to throttle AI. / A tricky SSH-busting Go library. / Here comes the Linux desktop malware. / Apple just patched a doozy of a vulnerability. / A trivial Docker escape was found and fixed. / Why the recent browser 0-day clickjacking is really just whac-a-mole.
/ What AI website summaries mean for Internet economics. / Time to urgently update Plex Servers (again). / Allianz Life stolen data gets leaked. / Chrome tests Incognito-mode fingerprint script blocking. / Chrome 140 additions coming in two weeks. / Data brokers hide opt-out pages from search engines. / Secure messaging changes in Russia. / NIST rolls out lightweight IoT crypto. / SyncThing moves to v2.0 and beyond. / Alien:Earth -- first take. / What can we learn from another critical vulnerability?
/ CISA's Emergency Directive to ALL Federal agencies re: SharePoint. / NVIDIA firmly says "no" to any embedded chip gimmicks. / Dashlane is terminating its (totally unusable) free tier. / Malicious repository libraries are becoming even more hostile. / The best web filter (uBlock Origin) comes to Safari. / The very popular SonicWall firewall is being compromised. / >100 models of Dell Latitude and Precision laptops are in danger. / The significant challenge of patching SharePoint (for example). / A quick look at my DNS Benchmark progress. / Does InControl prevent an important update? / A venerable Sci-Fi franchise may be getting a great new series. / What to do about the problem of AI "website sucking".
/ A follow-up to the SharePoint server patch mess. / How Russia arranges to spy on other countries' local embassies. / "Dropbox Passwords" manager app is ending in October. / Signal will leave Australia rather than help spy. / YouTube deploys viewing history age-estimation heuristics. / Chrome adds clever lightweight extension signing to prevent abuse. / A domain registrar is coming close to losing its rights. / A TP-Link router that doesn't encrypt its configuration. / What is "TruAge" and might it be useful for age verification? / An update on "Artemis". / With U.S.-China tensions on the rise, should Chinese security companies receive weeks of advance notice of forthcoming Microsoft flaw patches?
/ Brave randomizes its fingerprints. / The next Brave will block Microsoft Recall by default. / Clorox sues its IT provider for $380 million in damages. / 6-month Win10 ESU offers are beginning to appear. / Warfare has significantly become cyber. / Allianz Life loses control of 125 million customers' data. / The CIA's Acquisition Research Center website was hacked. / The Pentagon says the SharePoint RCE didn't get them. / A look at a DPRK "laptop farm" to impersonate Americans. / FIDO's passkey was NOT bypassed by a MITM after all. / Is our data safe anywhere? / The UK is trying to back-pedal out of the Apple ADP mess. / Meanwhile, the EU resumes its push for "Chat Control". / What happened after Microsoft fumbled the patch of a powerful Pwn2Own exploit?
/ Bypassing all passkey protections. / The ransomware attacks just keep on coming. / Cloudflare capitulates to the MPA and starts blocking. / The need for online age verification is exploding. / Microsoft really wants Exchange Servers to subscribe. / Russia (further) clamps down on Internet usage. / The global trend toward more Internet restrictions. / China can inspect locked Android phones. Use a burner. / Web shells are the new buffer overflow. / An age verification protocol sketch. / What Cloudflare did to create an outage of 1.1.1.1.
/ A glorious takedown of quantum factorization. / Notepad++ signs its own code signing certificate. / Dennis Taylor has Bobiverse Book 6 on his lap. / Crypto/ATM machines flat out outlawed. / Signal vs WhatsApp: Encryption in flight and at rest. / A close look at browser fingerprinting metrics. / Rewriting interpreters in memory-safe languages. / An introduction to zero-knowledge proofs.
/ Another Israeli spyware vendor surfaces. / Win11 to delete restore points more quickly. / The EU accelerates its plans to abandon Microsoft Azure. / The EU sets timelines for Post-Quantum crypto adoption. / Russia to create a massive IMEI database. / Canada and the UK create the "Common Good Cyber Fund". / U.S. states crack down on Bitcoin ATMs amid growing scams. / Congressional staffers cannot use WhatsApp on gov devices. / LibXML2 and the problems with commercial use of OSS. / A(nother) remote code execution vulnerability in WinRAR. / Have-I-Been-Pwned gets a cool data visualization site. / How is ransomware getting in? / Windows to offer "safe" non-kernel endpoint security? / Proactive age verification coming to porn sites. How? / Canada (also) says "bye bye" to Hikvision. / Germany will be banning DeepSeek. The whole EU may follow. / Cloudflare throttled in Russia? / What must the U.S. do to compete in global exploit acquisition?
/ Let's Encrypt drops its long-running email notifications. / Microsoft's new "Unexpected Restart Experience". / Microsoft's response to last year's massive CrowdStrike outage. / Windows 10's extended service updates will sort of be free. / Russia-sold iPhones MUST include the RuStore app. / Lyon, in France, says bye-bye to Windows. Hello to Linux. / The US Gov gets more serious about memory-safe languages. / A new unbelievable AI malware scanner evasion technique. / A new pair of Cisco 9.8 and 10.0 vulnerabilities. / The current state of post-Elon government cybersecurity. / PNGv3, Swift on Android, and the Samsung email purge. / Andy Weir's "Project Hail Mary" movie trailer. / And a close look at the pervasiveness of web browser tracking fingerprinting.
/ An exploited iOS iMessage vulnerability Apple denies? / The NPM repository is under siege with no end in sight. / Were Comcast and Digital Realty compromised? Don't ask them. / Matthew Green agrees: XChat does not offer true security. / We may know how Russia is convicting Telegram users. / Microsoft finally decides to block two insane Outlook file types. / 40,000 openly available video cameras are online. Who owns them? / Running SpinRite on encrypted drives. / An LLM describes Steve's (my) evolution on Microsoft security. / What do we know about the bots that are scanning the Internet?
/ In memoriam: Bill Atkinson. / Meta native apps & JavaScript collude for a localhost local mess. / The EU rolls out its own DNS4EU filtered DNS service. / Ukraine DDoS's Russia's Railway DNS ... and... so what? / The Linux Foundation creates an alternative WordPress package manager. / Court tells OpenAI it must NOT delete ANYONE's chats. Period! :( / A CVSS 10.0 in Erlang/OTP's SSH library. / Can Russia intercept Telegram? Perhaps. / Spain's ISPs mistakenly block Google sites. / Reddit sues Anthropic. / Twitter's new encrypted DMs are as lame as the old ones. / The Login.gov site may not have any backups. / Apple explores the question of recent Large Reasoning Models "thinking".
/ Pwn2Own 2025, Berlin results. / PayPal seeks a "newly registered domains" patent. / An expert iOS jailbreak developer gives up.
/ What's the status of Encrypted Client Hello (ECH)? / What radio technology would be best for remote inverter shutdown? / Some DNS providers already block newly listed domains. / Knowing when not to click a link can take true understanding. / Why can losing a small portion of a power grid bring the rest down? / Where are we in the "AI Hype Cycle" and is this the first? / Speaking of hype: An AI system resorted to blackmail? / Why are we so quick to imbue AI with awareness? / ChatGPT's latest o3 model ignored the order to shut down. / Copilot may not be making Windows core code any better. / Venice.AI is an unfiltered and unrestrained LLM.
/ Chrome to actively refuse admin privileges. / Android Messenger is getting manual key verification. / Pwn2Own to add AI "pwning" as in-scope attack targets. / AI has already been found to be replicating. / Microsoft not killing off Office on Win10 after October. / 23andMe's asset purchaser revealed. / Many fun talking points thanks to our listeners. / Steve's review of "Andor", season 2. / What's been discovered inside the U.S. power grid.
/ The state of Virginia passes an age-restriction law that has no chance. / New Zealand also tries something similar, citing Australia's lead. / A nasty Python package for Discord survived 3 years and 11K downloads. / The FBI says it's a good idea to discard end-of-life consumer routers. / What's in WhatsApp? Finding out was neither easy nor certain. / The UK's Cyber Centre says AI promises to make things much worse. / A bunch of great feedback from our great listeners, then: / Is true end-to-end encryption possible when records must be retained?
/ Microsoft to officially abandon passwords and support their deletion. / Meta's RayBan smart-glasses weaken their privacy terms. / 30% of Microsoft code is now being written by AI. / Google says prying Chrome from it will damage its security. / Nearly 1,000 six-year old eCommerce backdoors spring to life. / eM Client moves to version 10.3 / A bunch of terrific listener feedback creates talking points. / A little known insecure message archiving service comes to light.
/ Enabling Firefox's Tab Grouping.
/ Android to get "Lockdown Mode". / What's in the new editions of Chrome and Firefox? / Why did Apple silently re-enable automatic updates? / My new iPhone 16, Chinese tariffs and electronics. / Dynamic "hotpatching" coming to Win11 Enterprise & Edu. / Why is it so difficult for Oracle to fess up? / Another multi-year breach inside US Treasury. / An Apple -vs- the UK update. / "Thundermail" (Can't someone come up with a better name?) / The (in)Security of Programmable Logic Controllers. / When LLMs write code and hallucinate non-existent packages. / WordPress core security and PHP gets an important audit. / Device-Bound Session Credentials update session cookie technology.