Podcast Summary: Security Now 1006: Best of 2024
Introduction
December 23, 2024
In the milestone episode 1006 of "Security Now," hosted by Leo Laporte and featuring regular contributor Steve Gibson, the show commemorates its 20th anniversary by revisiting the most significant security topics and discussions of 2024. The episode focuses on three main areas: a potential backdoor in Apple’s iPhones, the evolving landscape of online advertising in the wake of Google’s Privacy Sandbox, vulnerabilities in Microsoft’s BitLocker encryption, and Microsoft’s controversial new feature, Recall.
1. The Mysterious Backdoor in Apple’s iPhones
Timestamp: [00:00] - [13:58]
The episode kicks off with an exploration of a potentially significant security flaw in Apple’s iPhones. Steve Gibson delves into the debate surrounding a supposed backdoor that might exist within Apple’s A12 to A16 chipsets. He posits that Apple may have intentionally integrated a secure backdoor to allow emergency access to devices under dire circumstances, such as national security threats.
Notable Quotes:
- Steve Gibson [03:28]: “If Apple believed that they could design and field a truly and totally secure last resort backdoor means of accessing their devices, I believe that they did deliberately and purposefully for their own needs.”
- Steve Gibson [12:00]: “The human factor becomes the lowest hanging fruit. Just ask LastPass how they feel about the human factor which bit them badly.”
Gibson discusses the implications of such a backdoor, including the potential for misuse if compromised by malicious actors. He underscores the challenges in maintaining plausible deniability for Apple and the increased pressure from law enforcement seeking access to encrypted devices.
2. Google’s Privacy Sandbox and the Future of Online Advertising
Timestamp: [15:15] - [31:55]
Steve Gibson offers a critical analysis of Google’s Privacy Sandbox initiative, which aims to phase out third-party cookies and enhance user privacy. He explains how Google is shifting the responsibility of ad targeting to the user's browser, yet highlights the resistance from the advertising industry. The discussion includes Amazon’s recent deal with UK publisher Reach to access first-party contextual data as an alternative to third-party cookies.
Notable Quotes:
- Steve Gibson [16:00]: “Google clearly understands that their economic model is endangered due to the fundamental tension that exists between advertisers and those concerned about privacy.”
- Steve Gibson [25:00]: “The advertising industry is not going to let go without a fight. They want to continue to know everything they possibly can about everyone.”
Gibson predicts a move towards requiring users to create accounts on websites to facilitate ad targeting, raising significant privacy concerns. He emphasizes the potential loss of anonymity and the increased burden on users to manage multiple online identities.
3. BitLocker Vulnerabilities and Encryption Security
Timestamp: [33:31] - [50:11]
The conversation shifts to Microsoft's BitLocker encryption and its vulnerabilities. Gibson reveals that PCs using separate TPM (Trusted Platform Module) chips outside the main CPU are susceptible to physical attacks that can compromise encryption keys. He explains that integrating TPM functions into the CPU could mitigate these risks, a practice adopted by newer Intel and AMD processors.
Notable Quotes:
- Steve Gibson [40:03]: “The fundamental weakness in the design is that the TPM's key storage and the consumer of that stored key are located in separate components whose communication pins are readily accessible.”
- Steve Gibson [49:18]: “BitLocker suffers a little bit from the monoculture effect of everybody having it and it just being built in.”
Gibson advises users to enhance BitLocker’s security by adding a PIN requirement at startup, providing an additional layer of protection against physical attacks. He contrasts BitLocker with VeraCrypt, noting that while BitLocker offers convenience, VeraCrypt remains a stronger option for those seeking enhanced security.
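The startup PIN advice above can be checked and applied with the BitLocker PowerShell module that ships with Windows. The script below is an added example, not something presented in the episode: it lists operating-system volumes whose TPM protector releases the key with no user input at boot and offers to add a TPM+PIN protector. The function name `Get-BitLockerPinAudit` is made up for this example, and the script assumes an elevated session and that the Group Policy setting "Require additional authentication at startup" already permits a startup PIN.

```powershell
#Requires -RunAsAdministrator
# Added example: find BitLocker OS volumes that unlock with the TPM alone,
# then add a TPM+PIN protector so the key is not released without user input.

function Get-BitLockerPinAudit {
    # One row per operating-system volume, with the protector types in use.
    Get-BitLockerVolume |
        Where-Object VolumeType -eq 'OperatingSystem' |
        ForEach-Object {
            $types   = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            # Protector types that demand a PIN before the TPM releases the key.
            $withPin = $types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' }
            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Protection = $_.ProtectionStatus
                Protectors = $types -join ', '
                TpmOnly    = ($types -contains 'Tpm') -and -not $withPin
            }
        }
}

$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize

foreach ($vol in ($audit | Where-Object TpmOnly)) {
    $answer = Read-Host "Add a startup PIN to $($vol.MountPoint)? (y/n)"
    if ($answer -ne 'y') { continue }

    # The PIN is read as a SecureString so it never appears in command history.
    $pin = Read-Host -AsSecureString "New startup PIN for $($vol.MountPoint)"
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -Pin $pin -TpmAndPinProtector
}

# Re-run the audit to confirm the resulting protector set.
Get-BitLockerPinAudit | Format-Table -AutoSize
```

Confirm a recovery password protector exists and is backed up before changing protectors, since a forgotten PIN otherwise leaves the volume inaccessible.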
4. Microsoft’s Recall Feature: Privacy Concerns and Security Implications
Timestamp: [51:19] - [127:13]
A significant portion of the episode is dedicated to Microsoft’s new feature for Windows 11 ARM-based PCs called Recall. This AI-powered feature continuously takes encrypted snapshots of the user’s screen, storing them locally to enable users to search and retrieve past activities. Gibson raises substantial privacy concerns, questioning the potential for misuse and the security implications of having such detailed records accessible on a device.
Notable Quotes:
- Steve Gibson [74:50]: “We call that, we call Watch porn button now. So, yeah, press the porn button.”
- Steve Gibson [108:00]: “Everything you're seeing here really is a small portion of the larger topics Steve delves into every Tuesday on our network.”
Gibson critiques the potential for abuse, including unauthorized access by malicious actors or intrusive government surveillance. He highlights the technical details of how Recall operates, including its reliance on SQL databases for storing snapshots and the encryption measures Microsoft claims to have in place. The discussion underscores the delicate balance between innovative features and user privacy.
5. The CrowdStrike Update Incident and Its Ramifications
Timestamp: [127:59] - [133:38]
Gibson unpacks a significant security incident where a faulty update from CrowdStrike’s Falcon endpoint detection and response (EDR) software led to widespread system outages. The update inadvertently triggered blue screens of death across millions of Windows systems, affecting critical infrastructure such as hospitals, airports, and financial institutions.
Notable Quotes:
- Steve Gibson [131:15]: “I think we're just going to need to live with this thing for a while. We're going to need to see whether this is a capability desperately searching for a need, or whether once people get used to having this new thing, they start thinking, how did I ever live without this?”
- Steve Gibson [123:38]: “CrowdStrike is not unique or new. Stuff like this tends to happen, and quite a lot.”
Gibson analyzes the fallout from the incident, including the critique of CrowdStrike’s update deployment processes and the broader implications for enterprise security practices. He references listener feedback detailing the chaos caused by the outage and explores potential regulatory and market impacts on CrowdStrike and similar security vendors.
Conclusion
Timestamp: [133:51] - [135:11]
As the episode wraps up, Leo Laporte and Steve Gibson reflect on the podcast’s journey, expressing gratitude to their listeners and team. They acknowledge the complexities of covering deep technical topics while making them accessible to a broad audience. The hosts express optimism for future episodes, emphasizing their commitment to providing insightful and comprehensive coverage of security issues.
Notable Quotes:
- Leo Laporte [133:11]: “It's been a lot of work, but I'm happy to do it.”
- Steve Gibson [134:35]: “And I'm so glad that you, Leo, thought to ask me 20 years ago whether I might be interested in spending around 20 minutes a week to discuss various topics of Internet security.”
The episode concludes with well-wishes for the holidays and anticipation for continued discussions in 2025, solidifying "Security Now" as a pivotal resource for technology enthusiasts and professionals alike.
Final Thoughts
"Security Now" episode 1006 encapsulates a year of significant developments in technology and cybersecurity. From potential vulnerabilities in leading smartphone devices to major shifts in online advertising and the introduction of invasive new features in operating systems, the hosts provide a thorough analysis of the evolving landscape. The detailed discussions and critical insights make this episode a valuable listen for anyone interested in understanding the complexities and challenges of modern security practices.