Security Now #1056: "Australia"
Recorded: December 16, 2025 | Hosts: Steve Gibson & Leo Laporte
Episode Overview
This episode of Security Now focuses on the global ripple effects of Australia's new social media age restriction laws. Steve and Leo dig into the technical, social, and privacy implications of age verification, discuss its controversial rollout, and examine whether it’s a step forward or a troubling precedent. Alongside, the hosts cover several recent security news items: Home Depot’s security lapse, AI bloatware in coding, the state of open-source repositories, severe vulnerabilities (notably in React Shell), and the increasing risks tied to China’s influence over critical US infrastructure. The episode highlights major industry milestones (like Let’s Encrypt approaching a billion sites), and closes with community feedback and listener questions.
Key Discussion Points & Insights
1. Opening: Why "Australia" Is the Title (02:08)
- Leo and Steve explain the single-word title: Australia’s age verification social media ban has focused the world’s attention. Steve notes, “I spent some time bringing myself current… the results were somewhat different than we thought.” (02:13)
- Listeners will hear direct feedback from Australians and a broader look at whether this experiment is effective or privacy invasive.
2. News Roundup: Major Security Items
a. Home Depot’s Security Negligence (22:42)
- Summary: Home Depot exposed a GitHub access token for nearly two years, giving potential write access to “hundreds of private Home Depot source code repositories.” The security researcher Ben Zimmerman was ignored for weeks—even after repeated attempts to contact the company.
- Quote: “I can't imagine someone reporting this and just being blown off... Home Depot offers no way to report security flaws... Zimmerman contacted TechCrunch finally in an effort to get the exposure fixed.” (25:55)
- Takeaway: Large, non-IT-centric companies are failing to take necessary security precautions, putting customer and internal systems at risk. Steve: “A company that is on the Internet cannot afford not to have an IT culture which is up to speed.” (30:11)
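Added example, not from the episode or its hosts: a minimal secret scanner for the kind of leaked GitHub access token discussed above, of the sort that runs as a pre-commit hook or CI step so a token never sits in a repository for two years. It matches the public prefixes of GitHub token formats (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`), reports file and line, and masks the value so the report itself does not leak it. The sample CI config is constructed for the demo.

```python
"""Scan text or files for GitHub access tokens by their documented prefixes.
Added example (not from the episode); the sample config below is constructed."""
import re
import sys

# Public GitHub token formats: 36 alphanumerics after a 4-char prefix for the
# classic families, a longer underscore-separated body for fine-grained PATs.
TOKEN_PATTERNS = {
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_oauth": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "github_app_user": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "github_app_server": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "github_refresh": re.compile(r"\bghr_[A-Za-z0-9]{36}\b"),
}

# Constructed sample: a CI config that hard-codes a token instead of using
# the runner's secret store (the `${{ secrets.* }}` form is what should be there).
SAMPLE_CONFIG = """\
# constructed sample ci.yml
deploy:
  env:
    GITHUB_TOKEN: ghp_0123456789abcdefghijABCDEFGHIJ012345
    API_URL: https://example.invalid/api
"""


def mask(token: str) -> str:
    """Keep the prefix (identifies the token type) and a short tail; hide the rest."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str, path: str = "<string>") -> list[dict]:
    """Return one finding per token match: path, 1-based line, kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "token": mask(m.group(0))})
    return findings


def scan_files(paths: list[str]) -> list[dict]:
    """Scan each readable file; unreadable paths are skipped rather than aborting."""
    findings = []
    for p in paths:
        try:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), p))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    # With file arguments, behave like a hook: non-zero exit blocks the commit.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG, "ci.yml")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['token']}")
    sys.exit(1 if results else 0)
```

Run it with no arguments to see the constructed sample flagged, or pass file paths (for example the files staged in a commit) to use it as a hook; a non-zero exit is what blocks the commit.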
b. AI Bloat in Open Source Coding (36:36)
- Issue: GNOME Shell Extension reviewers are dealing with poorly written, unnecessarily complex, and obviously AI-generated code submissions.
- Notable Posting: “Some devs are using AI without understanding the code being produced… This has led to receiving packages with many unnecessary lines and bad practices.” (36:58)
- Core Insight: Copy-pasted (and endlessly replicated) AI code can infect open-source repositories, perpetuating inefficiencies and “bloat” (46:33). Steve predicts that smarter, “truly coding” AI in the future will prune this out.
- Quote: “The crucial thing to appreciate is that AI is producing code that it does not understand. … It will continue to live and get amplified.” (53:20)
c. The Deliberate Polluting of Open Source Repositories (59:07)
- Malicious activity continues to skyrocket: Malicious submissions to open repositories (like NPM) are up nearly 87% over last year.
- Breakdown (per Veracode):
  - Over 206,000 packages contained critical malware (62:39)
  - 4,196 targeted organizations for espionage/financial theft
  - Nearly a million included pre-compiled binaries—potential attack vectors
  - 161,000 executed suspicious code at install time
  - Over a million attempted to obfuscate code
- “The only thing developers can do is remain vigilant and inspect anything that's downloaded.” (68:23)
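Added example, not from the episode or Veracode: a pre-install review of an extracted npm package that looks for the three signals the breakdown above lists, namely lifecycle scripts that run at install time, pre-compiled binaries, and obfuscated JavaScript. The package contents, thresholds and the `review_package` function are all constructed for this demo; in practice you would feed it the files from an `npm pack` tarball before running `npm install`.

```python
"""Review an extracted npm package for install-time scripts, bundled binaries
and obfuscated JavaScript. Added example; the sample package is constructed."""
import json
import math
import re
from collections import Counter

# npm runs these manifest scripts during `npm install` of a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Assumed set of suffixes worth treating as compiled code (not an npm rule).
BINARY_SUFFIXES = (".node", ".exe", ".dll", ".so", ".dylib", ".wasm")


def shannon_entropy(s: str) -> float:
    """Bits per character; packed/encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_obfuscated(js: str) -> list[str]:
    """Cheap heuristics for obfuscation; returns the reasons that fired."""
    reasons = []
    if re.search(r"\beval\s*\(", js) or re.search(r"new\s+Function\s*\(", js):
        reasons.append("dynamic code execution (eval/new Function)")
    if re.search(r"(\\x[0-9a-fA-F]{2}){8,}", js):
        reasons.append("long run of hex-escaped characters")
    if re.search(r"_0x[0-9a-f]{4,}", js):
        reasons.append("javascript-obfuscator style identifiers")
    longest = max((len(line) for line in js.splitlines()), default=0)
    if longest > 500 and shannon_entropy(js) > 5.0:  # assumed thresholds
        reasons.append("very long high-entropy line")
    return reasons


def review_package(files: dict[str, bytes]) -> dict:
    """files maps path inside the tarball (package/...) to raw bytes."""
    report = {"install_hooks": {}, "binaries": [], "obfuscation": {}}
    manifest = json.loads(files.get("package/package.json", b"{}"))
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            report["install_hooks"][hook] = cmd
    for path, data in files.items():
        if path.endswith(BINARY_SUFFIXES) or b"\x00" in data[:1024]:
            report["binaries"].append(path)
        elif path.endswith((".js", ".cjs", ".mjs")):
            reasons = looks_obfuscated(data.decode("utf-8", errors="replace"))
            if reasons:
                report["obfuscation"][path] = reasons
    flagged = report["install_hooks"] or report["binaries"] or report["obfuscation"]
    report["verdict"] = "review before installing" if flagged else "no install-time signals"
    return report


# Constructed sample: a tiny package whose postinstall runs an obfuscated script
# and which ships a native binary. The ELF header bytes are illustrative only.
SAMPLE_PACKAGE = {
    "package/package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js", "test": "jest"},
    }).encode(),
    "package/index.js": b"module.exports = (s, n) => s.padStart(n);\n",
    "package/setup.js": (b"var _0x4f2a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78'];"
                         b"eval(_0x4f2a[0]);\n"),
    "package/build/native.node": b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    print(json.dumps(review_package(SAMPLE_PACKAGE), indent=2))
```

The verdict is deliberately "review", not "malicious": a postinstall hook or a `.node` addon is legitimate in many packages, so the value of the check is that it tells you which files a human must read before the install runs them.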
d. China's Involvement in US Infrastructure Vulnerabilities (74:54)
- Staggering findings: Since 2010, Chinese researchers have published 2,723 papers on vulnerabilities in the US power grid, with 225 specifically exploring attack paths on US infrastructure.
- Hardware risks: Nearly half of all inverters and battery energy storage systems imported into the US are from high-risk Chinese manufacturers (Huawei, CATL, and Sungrow).
- Quote: “The People's Republic of China is systematically targeting America's critical infrastructure as part of a long-term strategy to gain leverage in a crisis.” (75:22)
- Steve: “It sounds like science fiction, right? But no… Let's just hope that no one ever makes the mistake of pulling any triggers… This is just the way it goes now.” (82:53)
e. React-to-Shell Vulnerability Under Active Attack (83:42)
- Google reports widespread exploitation by multiple actors, chiefly from China and Iran: various malware payloads (Minocat Tunneler, Snow Light Downloader, Hisonic) have been delivered via this perfect-10 (CVSS 10.0) RCE in React servers.
- Quote: “…These are not theoretical attacks, right? They are actually happening to real people and organizations.” (87:19)
- Meta’s security response: Disclosure of further React vulnerabilities and ongoing patch releases as heavy scrutiny produces more discoveries.
- “One thing we know is that motivating responsible security researchers to examine code is a terrific way to get it improved.” (97:06)
f. Let’s Encrypt Approaching a Billion Certificates (101:59)
- Let’s Encrypt’s role: Now issues 10 million certificates per day, on track to support over a billion active sites in 2026.
- Industry anxiety: “A billion websites will all be dependent upon a single service for their certificates… if anything should happen to that service, websites will begin dropping off the air at the rate of ten million per day.” (109:08)
- Browsers have deprecated extended validation, and CAs are requiring ever-shorter certificate lifetimes, intensifying the risk of a single point of failure.
3. Australia’s Social Media Age Verification Law (Main Topic) (150:31+)
a. Rollout & Public Reaction
- Mechanism: Facial analysis to enforce 16+ age requirement for social media accounts; younger users must verify via camera scan.
- Technical failures: Easily spoofed by makeup, scrunched faces, or having an older person authenticate (151:34).
- Public sentiment: Mixed; some teens and parents are relieved, others frustrated. “If they could be involved in the social media rat race, they needed to be, but they are not unhappy now to be off the hook…” (152:37)
- Some adults didn’t have to verify age at all—likely due to account heuristics.
b. Listener Feedback & On-the-Ground Perspective
- Bruce French (Adelaide): “Firstly, this small part of the world has not stopped functioning. It just has not been a huge deal.” (155:56)
- No evidence of mass outrage or disruption.
- “Essentially, [the law is] driven by the people, just implemented by the government.”
- There’s “very little pushback other than from the media companies.”
- A general willingness in Australia to accept mild restrictions for societal good.
- Relief among some affected users: Not all teens are distressed; some are grateful to escape social media peer pressure (152:53).
c. Privacy Concerns & Compromises
- Jane (Listener): Strong criticism of Apple/Google as age verification brokers, arguing that all such mechanisms (even privacy-preserving) pose severe risks of exclusion, surveillance, and potential for government overreach (161:31).
- “The biggest loss of privacy [is] having to have invasive Google services privileged in the system… Age confirmation is likely to be treated as strictly as identity documents or banking, thus effectively excluding people like me.”
- Steve’s response: Absolute privacy as the norm is finished; governments are moving to enforce control, for better or worse (164:05).
- Technological ideal: A one-time, private age assertion proxy could minimize long-term privacy loss, but Steve is clear: “If we can get that, it will be a lot. It should be the industry’s goal… But the question is no longer whether or not Internet users are going to be able to continue to enjoy completely unfettered access. They’re not. That’s over.” (164:05, 169:28)
- Leo’s Counterpoint: “Doesn’t mean we have to accept it… And I’m not going to disconnect. I’m going to resist.” (170:28)
- Tension: Steve advocates technical minimalism in privacy loss under political pressure, while Leo insists on the right to resist and organize against government/corporate encroachment.
4. Listener Q&A Highlights
- On age group leaks: “...reaching certain ages will trigger different ads. Driving age... triggers car ads... drinking age triggers alcohol ads...” (120:34)
- On false positives in botnet IP reputation: “If your IP changes often, this test would be inaccurate in both directions... IP reputation is a subtle thing, but useful for static or long-lived addresses.” (123:34)
- On router “stealth mode”: Should routers reply to pings by default? Steve says “no”—stealth is safer, even if it offends the original Internet “graybeards.” (143:57)
Notable Quotes & Memorable Moments
- On Home Depot’s lax attitude: “A company that is on the Internet cannot afford not to have an IT culture which is up to speed...” (30:11)
- On AI’s code bloat: “The crucial thing to appreciate is that AI is producing code that it does not understand. […] It will continue to live and get amplified.” (53:20)
- On China’s grid research: “It sounds like science fiction, right? But no… Let’s just hope that no one ever makes the mistake of pulling any triggers… This is just the way it goes now.” (82:53)
- On privacy and adult resistance: “Doesn’t mean we have to accept it… I’m going to resist.” — Leo (170:28)
- On technological “ideal” verification: “None of the children who are staring into an iPhone in Australia should need to be scrunching up their faces or applying makeup and having their phones sent, their photos sent to third party services. Not when Apple could entirely solve this problem without breaking a sweat.” (166:35)
Timestamps for Important Segments
| Timestamp | Segment |
|-----------|---------|
| 02:08 | Main Episode Theme—Australia’s Age Verification Law |
| 22:42 | Home Depot’s Security Lapse |
| 36:36 | AI-Generated Code Bloat in Open Source |
| 59:07 | Malicious Pollution of Open Source Package Repositories |
| 74:54 | China’s Focused Hacking Research into the US Power Grid |
| 83:42 | React Shell Exploits (Perfect 10 RCE), Active Attacks, Google & AWS Insights |
| 101:59 | Let’s Encrypt’s Growth, Single-Point-of-Failure Worries |
| 150:31 | Australia’s Age Verification Law—Public Reaction, Listener Feedback |
| 155:56 | Listener Bruce French: Australia Responds to Age Limiting |
| 161:31 | Listener Jane: Privacy and Political Concerns about Age Verification |
| 164:05 | Steve on “lost cause” of absolute privacy |
| 170:28 | Leo’s Call for Resistance against Privacy Erosion |
Episode Tone
The conversation oscillates between irreverent humor (“maybe I want my dragon with 64GB of RAM,” 09:57), deep technical analysis, and sober reflection on how technology, governance, and security are intersecting at painful friction points. Steve and Leo offer both pragmatic and idealistic viewpoints, especially when discussing privacy, resistance, and the prospects for future technological fixes.
Summary
If you want a comprehensive overview of the technological, societal, and political battle now taking place over user privacy, age verification, and security—even as the technical community struggles under a deluge of AI slop and hostile state actors—this episode offers an authoritative, nuanced, and often entertaining guide. Australia's experiment is a bellwether for the world, and by bringing in live feedback, critical technical analysis, and plenty of frank opinion, Steve and Leo make clear that the story is only just beginning.