Security Now 1024: Don't Blame Signal – Detailed Summary
Episode Release Date: May 7, 2025
Hosts: Leo Laporte and Steve Gibson
I. Episode Milestone and Introduction
Celebrating its 1,024th episode, "Security Now" delves into significant developments in the tech and security landscape. Steve Gibson expresses his excitement about reaching this milestone, highlighting the episode's importance beyond the numerical achievement.
Steve Gibson [01:10]: "Today's show almost has more significance, more salience for me than did, well, of course, the 1,000th show..."
II. Microsoft's Shift to Passwordless Authentication
A major topic of discussion is Microsoft's rollout of a passwordless login system, marking a pivotal move in enhancing user security. Steve Gibson applauds Microsoft for transitioning over a billion accounts to this new system, emphasizing the benefits of passkeys over traditional passwords.
Steve Gibson [07:53]: "Microsoft is officially abandoning passwords and even supporting their deletion... This is one of the most significant things to happen recently."
The hosts dissect the technical aspects of the transition, including Microsoft's adoption of the Fluent 2 design language and the implementation of passkeys that leverage biometric authentication methods like fingerprints and facial recognition.
Steve Gibson [26:32]: "The new UX is optimized for passwordless and Passkey first experience."
Leo Laporte echoes the positive sentiment, recognizing the advancements as a step towards a more secure digital future.
Leo Laporte [23:19]: "Is that more secure?"
Steve Gibson [23:20]: "Oh, yes, yes, yes."
III. AI in Software Development: Microsoft's Leadership
The conversation shifts to the increasing role of Artificial Intelligence in coding, with Microsoft reporting that approximately 30% of its codebase is now generated by AI. This trend isn't isolated; other tech giants like Google and Shopify are also integrating AI into their development processes.
Steve Gibson [30:36]: "Satya Nadella... said that about 30% of Microsoft's code is now being entirely written by AI."
The discussion touches on the implications of AI-driven coding, including potential improvements in software quality and the changing landscape of programming jobs.
Steve Gibson [48:47]: "We’re on the precipice of me having a sip of coffee."
IV. Signal Controversy: TM Signal Compromise
A critical segment addresses the controversy surrounding Signal, a widely trusted encrypted messaging app. Reports emerged that the National Security Advisor was using a modified clone of Signal, known as TM Signal, which was subsequently hacked. This revelation raises concerns about the security of government communications and the implications of using modified versions of secure apps.
Steve Gibson [33:41]: "The software application Mike Waltz was using... was not actually the Signal app. It was a deliberately less secure modified clone."
The hosts analyze how Telemessage, an Israeli company, altered Signal to archive messages, inadvertently weakening its security. The breach exposed sensitive communications of high-ranking officials, demonstrating the vulnerabilities introduced by modifying secure applications.
Steve Gibson [1024:...]: "Telemessage is in the business of modifying various open source applications such as Signal... for the express purpose of adding to them long term message archiving."
Leo Laporte emphasizes the risks of such practices, noting that even with end-to-end encryption, the introduction of third-party archiving can compromise message security.
Leo Laporte [160:29]: "If you install a tap or wiretap on Signal, it's not Signal anymore. It's not secure anymore."
V. Magento Backdoor Supply Chain Attack
The episode also covers a significant supply chain attack targeting Magento's e-commerce system. Hackers had embedded secret backdoors into Magento plugins six years prior, which were recently exploited to compromise nearly 1,000 online stores.
Steve Gibson [84:00]: "Six years ago, unknown hackers arranged to plant secret backdoors inside Magento's E-commerce system plugins..."
The discussion highlights the complexities of supply chain security and the enduring threats posed by dormant malicious code within widely used software.
Steve Gibson [95:32]: "Advanced persistent threat actors that are discovered in a system might have made changes that have not been discovered."
VI. Listener Feedback and Security Practices
Listeners contribute valuable insights on various security practices. One listener discusses the merits of running SSH servers on non-standard ports to reduce unsolicited attacks, reinforcing the principle of layered security.
Steve Gibson [80:16]: "Operating Internet services on non-standard ports gets a bit of a bum rap because at first blush it suggests that the person doing so imagines that this is a means of obtaining additional needed security..."
Another listener shares experiences with identity theft, illustrating the limitations of online security measures against physical-world fraud.
Steve Gibson [89:12]: "Even with one's identity tightly locked down in cyberspace, a fake ID in the physical world can still be used for impersonation and fraud."
VII. AI Developments and Ethical Concerns
The hosts explore the rapid advancements in AI, particularly in code generation and automation. They discuss ethical concerns, such as the potential for AI to create malicious software or the challenges in ensuring AI systems remain secure and unbiased.
Steve Gibson [105:17]: "These LLMs are a double-edged sword and in my opinion will never be able to be made safe."
Leo Laporte concurs, emphasizing the need for oversight in AI development to prevent misuse.
Leo Laporte [141:35]: "These LLMs are a double-edged sword and in my opinion will never be able to be made safe."
VIII. Conclusion
In wrapping up, Steve Gibson reiterates the importance of not blaming Signal for the security breaches stemming from modified clones. Instead, the focus should be on ensuring the integrity of secure communication tools and vetting third-party modifications rigorously.
Steve Gibson [165:28]: "Don't blame Signal. ... Schmarse Marsh makes some software designed to assist law enforcement and lawyers who need to search through massive archives of data."
Leo Laporte encourages listeners to stay informed and support secure practices, highlighting the role of the "Security Now" community in promoting awareness.
Leo Laporte [166:14]: "Keep informed ... and make it better."
Notable Quotes:
- Steve Gibson [26:32]: "The new UX is optimized for passwordless and Passkey first experience."
- Leo Laporte [23:19]: "Is that more secure?"
- Steve Gibson [33:41]: "Telemessage is in the business of modifying various open source applications such as Signal... for the express purpose of adding to them long term message archiving."
- Steve Gibson [80:16]: "Operating Internet services on non-standard ports gets a bit of a bum rap..."
- Steve Gibson [165:28]: "Don't blame Signal. ... Schmarse Marsh makes some software designed to assist law enforcement and lawyers who need to search through massive archives of data."
This episode of "Security Now" provides an in-depth analysis of current security challenges, from the shift towards passwordless authentication to the vulnerabilities introduced by modified secure messaging apps. Through expert insights and listener contributions, Steve Gibson and Leo Laporte illuminate the evolving landscape of cybersecurity, emphasizing the need for vigilant and informed practices.