Security Now 1045: "News and Listener Views"
Date: October 1, 2025
Hosts: Steve Gibson & Leo Laporte
Episode Overview
In this expansive episode, Steve and Leo tackle the latest security news, dive deep into recent incidents (from Cisco SNMP vulnerabilities to Jaguar Land Rover’s ransomware woes), and respond to a trove of insightful listener feedback. The conversation covers best practices for email authentication, browser fingerprinting protection updates, digital age verification, cheap TLS certificates, and the risks of exposed local AI services. True to the episode’s title, much of the information comes directly from listener questions and comments, reflecting the pulse and concerns of Security Now’s engaged audience.
Table of Contents
- Listener Feedback & the Importance of Engagement (05:29)
- Gmail’s Spam Filtering & Email Authentication Headaches (12:00)
- Safari’s New Anti-Fingerprinting Protection (29:35)
- Cisco’s SNMP: A Security Disaster (41:09)
- Windows 10 Extended Security Updates: Confusion and Solutions (56:13)
- TLS Certificates for $6: Manual Management in a Changing Landscape (74:41)
- Jaguar Land Rover Ransomware Attack: Organizational Lessons (87:24)
- Viral Social App NEON Sells Your Calls to AI Companies (92:07)
- Decentralized Social and Age Verification: BlueSky & Kids Web Services (113:16)
- Ollama & Local LLMs Exposed on the Internet (125:07)
- Upcoming DNS Benchmark Release (130:26)
- Listener Q&A (136:46)
- Notable Quotes & Memorable Moments
1. Listener Feedback & the Importance of Engagement (05:29)
- The return of the feedback episode: Steve and Leo discuss how these episodes help them understand audience concerns and inspire ongoing conversations.
- “It inspires feedback. I'm able to better direct the podcast knowing what our listeners...get wound up about.” — Steve (05:36)
2. Gmail’s Spam Filtering & Email Authentication Headaches (12:00)
- Sudden changes in Gmail’s spam filtering: Listeners report previously clean emails hitting spam.
- Don Edwards from Johannesburg: "Last weekend I noticed that Gmail's spam filter rules had changed dramatically..." (11:12)
- DKIM, SPF, and DMARC Practices: Steve explains in detail how these standards work, why alignment matters, and how he tweaked GRC’s records for stricter enforcement.
- “Turns out that there were people spoofing GRC because I did not have the strictest alignment...So all this work I had, it was there but it wasn't rigorously forcing rejection of anything.” — Steve (17:32)
- Google's system is highly sensitive to mailing spikes and spoof attempts; GRC’s stricter DNS policies should tamp down false positives.
- Advice: Email server operators should review their DMARC settings using tools like MX Toolbox.
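To make the "alignment" point concrete, here is a small DMARC record auditor (an added example, not code from the show or from GRC) that parses the TXT record an operator would pull from `_dmarc.<domain>` and flags the lax settings discussed above: a `p=none` policy, relaxed DKIM/SPF alignment, partial `pct` enforcement, and no reporting address. The sample records and the `example.com` mailbox are constructed for illustration.

```python
from typing import Dict, List

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag -> value dict (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means it enforces strictly."""
    tags = parse_dmarc(txt)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected (want p=reject)")
    # Alignment defaults to relaxed ("r"): any subdomain of the From: domain passes.
    # Strict ("s") requires the DKIM d= / SPF envelope domain to match exactly.
    for tag, name in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag} is relaxed: {name} alignment accepts any subdomain")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts are not collected")
    return findings

# Constructed sample records: a lax record and its tightened counterpart.
LAX_RECORD = "v=DMARC1; p=none; pct=50"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record in (("lax", LAX_RECORD), ("strict", STRICT_RECORD)):
        print(label, audit_dmarc(record) or ["OK"])
```

Run it against the output of `dig TXT _dmarc.yourdomain.example` to see which of these settings your own record leaves open.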
3. Safari’s New Anti-Fingerprinting Protection (29:35)
- Apple’s Privacy Upgrade: Default “advanced fingerprinting protection” in Safari starting with iOS/macOS 26 for all browsing.
- Steve tests the new protection using EFF’s Cover Your Tracks, confirming strong resistance to browser fingerprinting.
- “Your browser has a randomized fingerprint...I changed nothing about my default browser settings and Cover Your Tracks reports that I...have strong protection against web tracking. So we know the importance—actually the critical importance—of defaults.” — Steve (32:27)
- Older Safari versions (pre-iOS 26) are much more fingerprintable; update or at least set anti-tracking to ‘all browsing’.
- Contrast: Firefox still produces a uniquely identifiable fingerprint according to EFF.
4. Cisco’s SNMP: A Security Disaster (41:09)
- “SNMP = Security Not My Problem”: Steve dissects a decades-old protocol (“Simple Network Management Protocol”) with a long, ugly history of being fundamentally insecure and often misconfigured.
- “SNMP was thrown together quickly without any essential effective security...” (41:14)
- 2.3 million Cisco devices publicly exposing SNMP: A new bug renders millions of routers vulnerable; many SNMP instances are exposed to the Internet, not just LANs.
- “Unbelievable. What year is this? This is not 1988. This is 2025.” — Steve (53:00)
- Takeaway: SNMP should be disabled if not in use. If needed, strictly limit access using access control lists (ACLs). Update firmware where available.
5. Windows 10 Extended Security Updates: Confusion and Solutions (56:13)
- Microsoft’s inconsistent ESU rollout: Many users haven’t received enrollment prompts for the next year's free updates.
- Workaround shared: AskWoody forum details how to force ESU enrollment (see Show Notes for GRC’s shortcut link).
- Good news for the EU: Because of regulatory pressure, European Economic Area users will continue to get Windows 10 updates automatically and unconditionally.
- “For them, Windows 10 updates will be truly and completely free with no strings attached. Due to pressure from...Euro Consumers...” — Steve (69:31)
- Warning: Non-enterprise users should act soon; business/enterprise terms are separate.
6. TLS Certificates for $6: Manual Management in a Changing Landscape (74:41)
- CheapSSLWeb.com as a practical stopgap: While Let’s Encrypt/ACME is the long-term way, for now, Steve found $6-per-year DV certs (two years for $12) trusted by major browsers.
- Rapid shortening of max certificate lifetime: Manual enrollment feasible for only a few more years as the industry heads to full automation (eventually 47-day max validity in 2029).
- “I would not want to be in that business in a couple years, but it’s still there.” — Steve (78:58)
- Buy now, while you still can manage certs manually if needed.
7. Jaguar Land Rover Ransomware Attack: Organizational Lessons (87:24)
- Catastrophic attack: JLR halted for nearly a month, resulting in massive losses, supply chain damage, and a government-backed bailout.
- Root problem: Company lacked cyber insurance and had a flat, non-segmented internal architecture—no resilience to lateral movement.
- “The fact that the company was not carrying any insurance...and that whatever happened was able to so deeply and so thoroughly nuke its operational capabilities...suggests management of Jaguar Land Rover was not taking the reality of today’s cyber attacks seriously enough.” — Steve (87:24)
- Lesson: Cybersecurity investment/insurance is no longer optional.
8. Viral Social App NEON Sells Your Calls to AI Companies (92:07)
- Stunning new privacy risk: NEON, the #2 social app in the App Store, pays users up to $30/day for granting access to their call data, which is then sold to AI companies for training.
- “There is now some subsection of the market seemingly willing to exchange their privacy for pennies, regardless of the larger cost to themselves or society.” — TechCrunch cited by Steve (94:37)
- Extreme permissions: NEON’s Terms of Service grant irrevocable, worldwide rights to all your recorded audio.
- Potential for voice impersonation fraud, lack of safeguards for call recipients, unclear payout structure: All major red flags.
- Steve’s stance: “I would have a big problem with not being informed that my voice was being surreptitiously recorded and sold...” (104:22)
9. Decentralized Social and Age Verification: BlueSky & Kids Web Services (113:16)
- BlueSky and age verification laws: Blocks adult content in states with new requirements, using Kids Web Services (KWS) for user age verification.
- KWS approach: Offers verification via government ID, facial scan, payment card, and more—not a BlueSky invention, but a third-party solution (now owned by Epic Games).
- “One of the reasons this system was so appealing to BlueSky and will likely be appealing to many others is that it is 100% free of charge regardless of the usage volume.” — Steve (120:26)
- Discussion: Prospects for state-issued digital IDs for anonymous age assertion—potential future, but legislative pressure is outpacing solutions.
10. Ollama & Local LLMs Exposed on the Internet (125:07)
- Over 10,000 Ollama LLM instances exposed: These local AI servers are often accidentally made public.
- “Large language models are so hot right now...with this ease of use also comes ease of misuse. Like many other technologies on the web, security is an afterthought...” — Steve (126:11)
- Risks: Without authentication, anyone can send queries to your LLM instance (and possibly exfiltrate sensitive data).
11. Upcoming DNS Benchmark Release (130:26)
- After 10 months of work, Steve’s new commercial DNS Benchmark is almost ready: Freeware version still solid, but new edition will be even more robust and user-tested.
12. Listener Q&A (136:46)
a) Android/ARM MTE & Apple’s Custom Security (136:46)
- Android chips now have MTE, but only Apple’s hardware uses full synchronous protection due to performance trade-offs; others use it mainly for debugging.
b) Passkeys: Convenience vs. Security (143:19)
- Listener Mick finds passkeys more cumbersome than passwords in an enterprise context (esp. with MS Authenticator). Steve and Leo note passkey usability can depend on configuration; for many it’s easier, but enterprise workflows lag behind.
c) Age Verification Responsibility (149:14)
- Listener Chris suggests age restrictions might move to be enforced on the client (per-user account verification), akin to household liquor cabinet rules.
- Steve agrees and expands: browser-level, privacy-preserving age assertions could eventually become standardized.
d) Neural Network Learning Resources (155:48)
- Recommended YouTube resources:
  - 3Blue1Brown’s Neural Networks series
  - Andrej Karpathy’s “Deep Dive Into LLMs”
e) Liveness in Age Verification (157:40)
- Listener Ryan cautions that mechanisms must ensure that identity artifacts correspond to actual present users, or kids will easily bypass.
- Steve: Biometric or liveness checks are indeed required for robust solutions.
f) Blocking Browser Access to Localhost (158:53)
- Listener Lee shares how uBlock Origin can block websites from accessing localhost ports.
g) Windows 10 Support for Enterprises (162:07)
- Joey recommends 0patch for sustained, affordable patching after Microsoft support ends—cheaper than official ESUs.
Notable Quotes & Memorable Moments
- On SNMP Insecurity: “Any time the name of a widely used ancient Internet protocol begins with the word simple, you can bet that the S would never be confused with standing for security.” — Steve (41:14)
- On the NEON Social App: “There is now some subsection of the market seemingly willing to exchange their privacy for pennies.” — Steve via TechCrunch (94:37)
- On Cheap Certs: “Six bucks sure beats 326, which is what Digicert wanted to charge me...” — Steve (71:39)
- On Security Evolution: “The attack landscape…has truly and significantly increased the cost of doing business. This means that one way or another, today's enterprises are going to pay — either in advance for preemptive protection and cyber insurance or in the form of post-attack ransoms, possibly serious downtime, and reputational harm.” — Steve (87:24)
- On Listener Feedback Episodes: “It inspires feedback. I'm able to better direct the podcast knowing what our listeners...get wound up about.” — Steve (05:36)
- Reflecting on Windows Upgrades: “First we didn’t want it, now we don’t want to not have it.” — Steve (10:31), discussing user attitudes about Windows updates
Episode Timestamps for Key Segments
- Listener Feedback Introduction: 05:29
- Gmail Email Filtering/DKIM/SPF/DMARC Explanation: 12:00 – 27:00
- Safari's Fingerprinting Protection: 29:35 – 38:07
- Cisco SNMP Disaster: 41:09 – 56:07
- Windows 10 ESU Troubleshooting: 56:13 – 71:07
- CheapSSLWeb TLS Certificates Walkthrough: 74:41 – 87:24
- Jaguar Land Rover Ransomware Case: 87:24 – 92:07
- NEON Social App and AI Data Sales: 92:07 – 113:16
- BlueSky and Kids Web Services Age Verification: 113:16 – 125:07
- Ollama LLM Public Exposure: 125:07 – 130:26
- Upcoming DNS Benchmark: 130:26 – 131:40
- Listener Q&A: 136:46 – end
Final Thoughts
This episode is a rich, listener-powered journey into the evolving realities of security, privacy, and the challenges posed by both legacy protocols and modern AI applications. With detailed answers to tough audience questions and trenchant commentary on industry failings, Steve and Leo continue to make Security Now indispensable for security professionals and privacy-minded users alike.