Security Now 1042: Letters of Marque

Date: September 9, 2025
Host: Leo Laporte
Guest: Steve Gibson

Episode Overview

This episode delves into several significant topics in security and technology, with a central focus on the evolving conversation about offensive cyber operations by private industry (the “letters of marque” concept). Steve and Leo discuss supply chain software attacks, the mishandling of TLS certificates by a certificate authority, AI’s role in malware and cybersecurity, artist blackmail threats involving AI, and the broader implications of allowing private companies to “hack back” against adversaries. The episode’s tone is both technical and philosophical, highlighting the challenges, risks, and ethical dilemmas posed by modern cyber warfare.

Key Discussion Points & Insights

1. What Are Letters of Marque? (02:38, 132:57)

• Definition & Historical Context: Letters of marque were official government licenses that allowed private parties to attack enemy ships during wartime, turning pirates into legal “privateers.”
• Relevance to Cybersecurity: There is current discussion (especially within the U.S. government and tech industry) about modern equivalents—in effect, granting corporations legal authority to hack back at foreign adversaries or criminal groups.

“Some have recently pushed a version of the idea where the President would issue letters of marque, like those for early USC privateers, to companies authorizing them to legally conduct offensive cyber operations currently forbidden under US law.”
—Steve Gibson (134:32)

Key Issues Highlighted

• Legal ambiguity: U.S. Constitution gives Congress—not the President—the explicit power to grant such letters.
• Potential for escalation: Retaliatory actions in cyberspace could have unpredictable and dangerous global ramifications.
• Industry’s evolving stance: Major companies like Google are establishing cyber disruption units, exploring proactive and possibly offensive defense operations.

2. Google’s Extortion Attempted by Hacker 'Supergroup' (03:29, 20:32)

• Incident: Google’s Threat Intelligence Group (TIG) faces extortion demands from a coalition of known hacking groups (Scattered Spider, Lapsus$, Shiny Hunters). The attackers threaten to leak sensitive data unless Google fires two researchers and halts investigations.
• Assessment: No evidence so far that Google’s own infrastructure was breached, but serves as a warning about the increasing organization and boldness of cybercriminals.

"I cannot imagine that Google could possibly capitulate in any way to this group. The proper response would be to turn up the heat on the various members of the group to cause them to regret ever floating the threat."
—Steve Gibson (23:37)

3. TLS Certificate Authority Failure – The FINA/1.1.1.1 Affair (05:05, 24:09, 40:13)

• Breach: FINA CA, a subordinate certificate authority in the Microsoft Root program, issued 12 unauthorized TLS certificates for Cloudflare’s DNS (1.1.1.1) between Feb 2024 and Aug 2025.
• Root Causes:
  • FINA apparently used public keys for internal testing, a severe breach of protocol.
  • Automatic publication in certificate transparency logs was ignored by both Cloudflare and Microsoft for months.
• Impact:
  • Only Microsoft (Windows) platforms trusted the certificates; Google, Mozilla, and Apple did not.
  • Potential for man-in-the-middle attacks against DNS over HTTPS/TLS on Windows clients if an attacker also hijacked traffic.

"The lesson here is that the certificate authority industry has gone, you know, to great lengths to assure that certificates are never misissued, given that revocation remains challenging and a MIS issuance is avoided at all costs. The news of three certificates being misissued, and it turns out it was more than three...is both surprising and worrisome."
—Steve Gibson (25:23)

Memorable Analogy:

"The CA ecosystem is a castle with many doors. The failure of one CA can cause the security of the whole castle to be compromised."
—Cloudflare, as quoted by Steve

4. Massive Supply Chain Attack on npm Ecosystem (103:40, 104:39, 115:02)

• Discovery: ErrorEx, a tiny but ubiquitous npm package (~47 million downloads/week), was compromised via phishing of its maintainer, with an obfuscated malicious version 1.3.3 published for ~1 day.
• Amplified Impact: At least 18 popular npm packages (e.g., Chalk, Debug, Chalk-template) with billions of aggregate weekly downloads were compromised in the same way.
• Malware Objective: Intercepted cryptocurrency wallet activity in browsers, rewrote destinations of web3 payments to attacker accounts.
• Vector: Maintainers were sent convincing phishing emails mimicking npm security requests, pushing them to update 2FA on a new, fake npm domain.

"The fate of many hundreds of millions of users of this handful of 18 npm packages critically depends upon the package maintainers not falling for basic phishing attacks. Basically, this is...similar to the certificate authority model, but instead of a few, you have a guy in Nebraska…" —Steve Gibson (122:51)

5. Artists Blackmailed with AI Threats (57:00)

• Ransomware group Lunalock hacked an artist commission website, then threatened to leak and submit stolen artworks to AI companies for training unless paid $50K.
• Reflects new vectors of extortion exploiting public anxieties about AI’s use of copyrighted works.

"Artists are being blackmailed with threats of training AI on their art because that would be bad."
—Steve Gibson (03:45)

6. AI and the 'Prompt Kitties' Problem for Security (77:59)

• Trend Micro Report: AI code generation ("Vibe coding") makes it easier for attackers to create malware prototypes based on published security research/blogs; uncensored models can bypass intended safety guardrails.
• Implications:
  • Non-experts (“prompt kitties”) are now able to stitch together effective attacks.
  • Obscures attribution: Malware written by AI erodes unique coder “fingerprints,” making it harder for defenders to trace attacks to groups.
  • Publishing technical threat research remains vital, but needs greater caution as the AI threat grows.

"LLM-generated code from blogs is a good start for an attacker, but it's not perfect. Publishers should factor in the ways that LLMs could possibly be misused during the publication process and test how their detailed descriptions might be exploited."
—Steve Gibson, summarizing Trend Micro (83:19)

7. Cybersecurity Law & Info Sharing Issues (68:54)

• CISA Expiring: The Cybersecurity and Information Sharing Act (2015) is at risk of lapsing; private industry could lose liability protection when sharing breach/threat info.
• Current status: Extension working through Congress with political concerns about CISA ‘censoring’ free speech.
• Industry view: Losing these protections would dry up vital cyber intelligence sharing overnight.

8. Firefox, Windows 7/8 Support Extended (59:26)

• Mozilla will support Firefox ESR 115 on Win 7, 8, 8.1, and older macOS through March 2026, citing desire to reduce "unnecessary obsolescence."
• Steve notes personal appreciation, as he still uses Windows 7!

9. Update: Apple vs. UK Government & Cloud Privacy (93:28)

• Situation: Dispute over UK government’s technical capability notice asking Apple for broad iCloud access, possibly including password/keychain data.
• Confusion: Media and tweets claim the battle is over, but FT reporting and tribunal filings show it is ongoing, with Apple under strict gag order.

10. Byte Magazine – A Bit of History (124:48)

• Steve shares a listener note about discovering Spinrite via Byte Magazine, and a link to former editor Tom R. Halfhill’s FAQ detailing Byte's 1998 demise.

Notable Quotes & Memorable Moments

• On cyberwar escalation:

  "It's one thing for Google to disrupt an adversarial attacker's illegal operation...But it's another thing entirely to use the threat of wholesale unfocused reprisal as a deterrent, which is also being discussed."
  —Steve Gibson (137:55)

• On the future risks:

  "I suspect that the next five years, and we'll be here to report it, there will be an incident and created by a nation state that will be dramatic and very provocative and perhaps cause loss, great loss of life. That will be considered an act of war, just as 9/11 was."
  —Leo Laporte (170:19)

• On private cyber offense:

  "We should, just as we don't give private companies nuclear weapons and tanks, we should...not give letters of marque." —Leo Laporte (167:52)

Timestamps for Key Segments

| Time(HH:MM:SS) | Topic/Quote | |----------------|------------| | 00:00 | Episode kickoff, main topics outlined | | 03:29 | Steve outlines incidents: Google blackmailed, Cert issue, AI/artist blackmail, Cyberwarfare/Letters of Marque preview | | 20:32 | Google being extorted by hacker coalition | | 24:09 | 1.1.1.1 certificate misissuance and CA system problems | | 40:13 | Certificates, browser/platform CA trust implications | | 56:50 | Artists blackmailed with AI training threat | | 59:26 | Mozilla extends Firefox ESR support for legacy OS | | 68:54 | Cybersecurity Information Sharing Act expiring, impact on info sharing | | 77:59 | Trend Micro: AI code gen, “Prompt Kitties,” security risks | | 93:28 | Apple-UK iCloud dispute ongoing, not resolved | | 103:40 | npm supply chain attack: ErrorEx, 18 popular packages targeted | | 124:48 | Byte Magazine history and its impact | | 132:57 | Deep dive: Letters of Marque, hacking back, US cyberwar strategy | | 162:29 | Discussion: Risks and ethics of cyberoffense, escalation scenarios | | 170:19 | Leo's prediction of a future nation-state cyber incident as act of war |

Conclusion

This episode provides an in-depth look at both the technical vulnerabilities and geopolitical tensions defining the contemporary cybersecurity landscape. From nuanced supply chain attacks to the ethical considerations of “cyber privateers,” Steve and Leo dissect the complexities facing governments, industry, and individuals alike. The tensions between defense and offense, transparency and secrecy, and progress and risk are all explored with clarity and depth.

For further reading and references, see Steve’s show notes and links at GRC.com.