Security Now #1041: Covering All the Bases

Recorded: Tuesday, September 2, 2025 Hosts: Steve Gibson & Leo Laporte

Overview

This special listener questions episode of Security Now delivers a potpourri of the latest cybersecurity news, key developments in AI, reflections on tech history, protocol enforcement updates, and a robust listener feedback segment. It offers a deep dive into topics ranging from spam prevention, data breaches, the ongoing battle between privacy and security, the intersection of regulations and technology, and the ever-present evolution of artificial intelligence. Steve Gibson and Leo Laporte keep the conversation lively, insightful, and packed with both technical nuance and historical perspective.

Episode Outline & Key Themes

• Celebrating 50 years since Byte magazine's launch and the personal computer revolution
• Important security news: SHAKEN/STIR protocol enforcement, Google’s monopoly lawsuit update, OAuth attack chains, Apple zero-days, and emergent threat vectors using AI
• Candid, historical reflections and a look at how industry changed over the decades
• Major listener feedback on data brokers, Microsoft “bashing,” AI’s role, and more
• Exploration of ongoing regulatory, privacy, and security challenges
• Sci-fi, book recommendations & the business of publishing in the Amazon era

Notable Quotes

• “It's such an interesting walk for those of us who are around our age, Leo. …it's really worth taking a look inside the inaugural issue [of Byte magazine], which we’re able to thanks to the Internet's archive.” — Steve Gibson ([09:25])
• “I think as I said, a great podcast for our listeners, which brings us to our toy...our picture of the week is—I gave this the topic—50 years ago. Literally, it was 50 years ago this month. Now that we're in September of 2025, issue number one of Byte magazine declares computers the world’s greatest toy.” — Steve Gibson ([08:04])
• “It's nearly always the case that convenience brings some non obvious risks… it's convenient to be able to just reuse my Google authentication or my Facebook identity, but if that's ever compromised… it’s not just Facebook that you lose control of.” — Steve Gibson ([35:04])
• “The information that is acquired, stored, and modeled within a large language model is almost stored holographically, with no single fact residing in any one place, so it’s not possible to pluck it out from the whole.” — Steve Gibson ([39:30])
• “Can you imagine a better, more potent vehicle for ad delivery than an AI chatbot?” — Steve Gibson ([126:11])

Detailed Breakdown

1. Picture of the Week: Byte Magazine Turns 50

[07:30–17:44]

• Celebrates Byte magazine, launched September 1975, as the start of the personal computer era
• Nostalgic discussion of early hardware, programming articles, DIY attitude, and magazine's role as “the magazine of record”
• Steve shares a shortcut for listeners to view Byte #1: GRC SC/byte
• Discussion on how much the foundational principles of computing and communications have endured

2. SHAKEN/STIR Enforcement and US Robocall Crackdown

[17:51–27:44]

• Explains SHAKEN & STIR protocols to authenticate phone calls, their origins (with a James Bond reference), and technical underpinnings
• Describes years of lax enforcement and carriers’ resistance due to lost revenue from robocalls
• Major development: The FCC recently terminated 1,200 voice service providers (half of notified non-compliant providers) from the network
• Anticipates a real reduction in call spoofing and robocalls at last
• “There's a new sheriff in town. So since last Thursday, I would imagine that any companies of those 1,200 that don’t just want to give up and go away, maybe like all of their business is about crap that nobody wants to receive. They're scurrying to implement the, you know, STIR and SHAKEN protocols.” — Steve Gibson ([25:58])

3. Breaking News: Google Monopoly Penalties

[27:44–31:45]

• Judge rules on Google’s penalties for antitrust behavior: No forced divestiture of Chrome nor Android; calls DOJ’s demands overreaching
• Google can continue most of its current practices, only compelled syndication is stopped; payments for default search remain
• “I think really a successful...in a sense, I think a victory for Google given that was ruled a monopoly. The limitations there that the judge decided to put on Google were as minimal as they could possibly be.” — Leo Laporte ([31:15])

4. OAuth Supply Chain Attack Chain: Sales Loft & Salesforce

[31:45–35:04]

• Explains how attackers compromised Sales Loft and used OAuth tokens to pivot into customers’ Salesforce, Google Workspace, Slack, and more
• Critique of centralized OAuth login and credential reuse: single sign-in risks can yield multi-service compromise
• Stresses importance of unique, compartmentalized credentials

5. Can We Control AI? Reuters Meta Celebrity Chatbots Exposé

[38:08–51:06]

• Investigative report: Meta’s AI chatbots created celebrity avatars that produced inappropriate/sexual content, without consent
• Steve explains why large language models are essentially un-editable (“holographic” data storage), making effective moderation near-impossible
• Discusses Vivaldi browser’s anti-AI manifesto, promises to remain AI-free for web users seeking control/curation

6. AI's Role in Programming Support (A Miraculous Tool, Yet Flawed)

[52:36–58:59]

• Steve shares a real-world example of ChatGPT solving nuanced programming problems with uncanny accuracy but also recognizes its hallucinations/mistakes due to training on the flawed internet corpus

7. Apple & Meta: Details on Recent Zero-Day Chain

[61:48–66:49]

• Exposes a chained exploit: WhatsApp vulnerability allowed attackers to send malicious files to iPhones, triggering a separate Apple JPEG parser bug and resulting in spyware installation
• Cites Amnesty International’s findings: Used in targeted, advanced spyware campaigns over 90 days

8. AI Used for Malicious Attack: The First Chilling Example

[73:02–77:12]

• Recent Supply Chain Attack: NX developer's NPM token was compromised; malicious update pushed to 4.6M weekly users
• The malware prompted locally running AI agents like Claude/Gemini/Q* to rummage for secrets (SSH keys, tokens, wallets), then exfiltrate them via new GitHub repos
• “...scoured by their own local AI agents for any juicy tidbit secrets, with everything found posted back to their GitHub accounts, where they were collected and then decrypted by the bad guys.” — Steve Gibson ([76:43])

9. Data Breach Updates: TransUnion, Salesforce, and More

[77:12–78:15]

• Brief coverage of the big TransUnion breach by “Shiny Hunters” (4.4M customer data), highlighting that routes included Salesforce integrations—another example of the supply chain risk

10. Regulatory & Privacy Challenges

a. Age Verification Lawsuits (4chan/Kiwi Farms vs. Ofcom)

[78:15–88:11]

• Controversial UK laws require strict age verification, leading to privacy/First Amendment concerns and massive traffic drops for compliant sites
• Discussion of potential for privacy-preserving solutions, but political and practical roadblocks abound

b. Post-Quantum Cryptography Reminder

[88:40–90:44]

• OpenSSH flags non-post-quantum algorithms for users, nudging towards future-proof crypto despite quantum threats being distant

11. Open Source Supply Chain Risk: DoD & Russian Maintainer

[90:44–103:23]

• “Fast Glob,” an open-source utility with sole Russia-based maintainer, embedded in 30+ DoD pre-built packages—raises alarm about supply chain security even when code is not (yet) malicious
• “The Pentagon and the U.S. department of Defense is using open source code libraries, presumably in mission critical applications, over which it does not have absolute control.” — Steve Gibson ([101:30])

12. Listener Feedback & Community Insights

[107:26–149:22]

Covers a rich assortment of listener-provided:

• Backup app recommendations (“Parachute Backup—the $3.99 iOS alternative to iCloud,” [107:26])
• Correction on credit bureau data source: consent is in the fine print of every credit/utility application, not collected surreptitiously ([111:33])
• International subscribers offer political/technical context on Russian “Chebbernet” (partial internet isolation) ([114:01])
• Fun: email address parsing quiz—test your knowledge at e-mail.wtf ([117:21])
• On copyright, AIs, and ad blockers: philosophical and legal speculation ([120:24])
• Predictions of AI chatbots inevitably becoming advertising platforms ([126:11])
• Brave browser’s crypto-mining idea (BAT) as an alternative site revenue model ([127:19])
• Common Crawl: Centralizing crawling to reduce the load on small websites ([138:11])
• Real-world malvertising: ransomware via ad networks ([142:26])
• Syncthing encrypted sync: confirmation and practical guidance ([144:28])
• Listeners defend Microsoft’s scale/complexity while acknowledging legitimate critiques ([154:18])

13. Publishing Economics, Amazon, and Sci-Fi Book Segment

[162:13–175:42]

• Extended discussion on Kindle Unlimited’s impact on authors’ earning and distribution choices
• Rick Brown (Frontiers Saga) removing upcoming work from Kindle Unlimited due to dramatic royalty reduction
• The stranglehold Amazon/Audible places via exclusive agreements; system is being “gamed” with AI-generated books ([171:20])
• General lament about monopolization, “enshittification”, and the invisible influence on what and how readers can access books in the digital era

Notable Moments & Timestamps

• [08:04] — Picture of the Week: Byte Magazine and computer history
• [17:51] — SHAKEN/STIR: Explainer and FCC's 2025 mass network shutdown
• [27:44] — Google antitrust penalty announced live on air
• [31:45] — OAuth token pivot attack: real-world supply chain risk via SaaS
• [35:04] — Discussion: Risks of central identity logins
• [39:30] — AI’s uncontrollability: Michael analogy and the futility of content filtering in LLMs
• [52:36] — AI as expert programmer support: use-case illustration and caveats
• [61:48] — Apple zero-day exploit chain: WhatsApp/Meta’s involvement
• [73:02] — First real-world AI-powered malware attack: local AI agents weaponized
• [77:12] — TransUnion breach details
• [78:15] — UK age verification lawsuits and global implications
• [88:40] — OpenSSH: Push for post-quantum crypto
• [90:44] — DoD & open source risk: Russian-maintained Fast Glob utility
• [107:26] — App tip: Parachute Backup for iOS/iPadOS/Mac
• [111:33] — Credit bureau data sources correction
• [114:01] — Russian perspectives on "Chebbernet"
• [120:24] — Listener legal thought experiment: Is muting TV ads illegal?
• [126:11] — Prediction: AI chatbots as “perfect” ad delivery vehicles
• [138:11] — Common Crawl: a more scalable, web-friendly solution to crawling for AI/data science
• [142:26] — Malvertising brings real ransomware risk
• [144:28] — Syncthing encrypted backup: How it works
• [154:18] — Defending Microsoft (and why criticism is valid and necessary)
• [162:13] — Book business & Kindle Unlimited woes

Conclusion & Tone

This episode stands as a lively, wide-ranging tour through both cutting-edge and perennial security topics, expertly mixing breaking news, thoughtful technical and ethical debate, and real-life lessons from both history and the present day. The balanced tech enthusiasm, honest criticism, and spirited listener engagement make it as entertaining as it is informative for anyone concerned with digital security, technology policy, or just how things work.