Security Now 1059: "MongoBleed"
Recorded January 7, 2026
Host: Leo Laporte
Guest: Steve Gibson
Episode Overview
The year’s first Security Now is a classic "jam-packed" installment, full of deep tech analysis, opinionated rants, important security news, and even a few side trips into British TV and magnesium supplements. Steve Gibson opens 2026 by exploring major shifts and troubling trends in security, focusing especially on the new MongoBleed vulnerability, the tightening code-signing certificate landscape, cloud service risks, the prospect of ads in generative AI, and more. Both host and guest frequently reference the growing tensions between security measures, usability, and end-user freedoms, with lively, sometimes philosophical engagement.
Key Topics & Discussion Points
1. Philosophical Reflections on Security Trends
- Diminishing Returns in Security (02:00–05:29)
- Steve observes the security industry’s increasing limitations on user agency under the belief that “fancy technology” can stop all bad outcomes. He analogizes overregulation in security to the inability to build light rail in California: “We can't build light rail because we have so overregulated ourselves on the off chance that something bad might happen... The presence of that technology creates a bigger problem than what it is trying to solve.”
(Steve Gibson, 03:09)
- Upcoming changes in Windows 11 and code-signing policies exemplify this trend.
- Positive note: Linux appears ever more attractive as other platforms become increasingly locked down.
2. Code Signing Certificate Lifetime Rant
- Drastic Reduction in Certificate Lifespans (17:17–51:27)
- Starting March 1, 2026, CA/B Forum mandates code-signing certs shrink from 39 months to 15 months.
- Steve’s Rant: He’s incensed, calling the move unjustified since the hardware key-storage requirement for code-signing certificates (introduced in 2023) already eliminated certificate theft. The real effect: “actively discouraging code signers from obtaining and managing their own code signing certificates,” pushing developers toward a subscription-and-cloud-based signing model.
- “What has been slowly growing and evolving is a cabal... a diminishing number of increasingly large select few signers who are pretty much free to then charge whatever they wish for the privilege.”
(Steve Gibson, 32:28)
- Opaque voting: Only CAs voted yes on the measure.
- Problems for indie developers, open source, and small software producers.
- Limits for cloud code signing (e.g., DigiCert caps signings per year).
- User experience insight: “The code I assemble and link into an .exe is immediately deleted from the hard drive.”
(Steve, 37:58)
- Linux remains the only major platform where unsigned software can run freely.
3. ChatGPT & the Coming of Ads to AI
- OpenAI Mulls Embedded Advertising (61:45–75:50)
- OpenAI is considering ads as a new revenue stream to offset massive costs—forecasted annual losses by 2028 are $74 billion.
- Ads might be highly targeted, given how well chatbots “know” users.
- Potential for Abuse: “Nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback that the AI receives.”
(Steve, 71:53)
- Leo: Some ad integration isn’t necessarily bad if clearly labeled (e.g., sponsored shopping links), but deceptive blending is dangerous.
- Both agree they’d pay significantly more to keep AI ad-free.
4. Security News Roundup
A. PyPI (Python Package Index)
- Massive scale: 3.9 million new files in 2025 alone, 81,000 requests/second.
- Security focus: PyPI now discourages relying on a TOTP code alone as the second login factor, adding an email verification step even on top of TOTP because of growing phishing and fraud.
B. BitLocker Hardware Acceleration News
- Windows 11 soon adds BitLocker hardware acceleration—major speedup for full-disk encryption on new Intel chips.
- “If anyone has a BitLocker-encrypted NVMe drive which they encrypted out of the box just because, why not... it might be worth considering de-BitLockering any high-speed NVMe drives you might be using.”
(Steve, 100:38)
- Current software BitLocker on NVMe is a huge performance drag.
C. NYC Inauguration Bans Raspberry Pi and Flipper Zero
- The only named devices on the public ban list; policies target specific "hacker" devices—but ignore the far more potent smartphones everyone carries.
- Steve: Banning Flipper Zero is maybe reasonable (it is a hacking tool), but Raspberry Pi is absurd.
Memorable Quotes & Moments
- “You don't have to wait for the code to arrive. It does speed up the login process.”
(Steve, on the infamous 2FA code leak image, 17:13)
- “It’s not your computer if you can’t write your own software.”
(Leo, 39:19)
- “This is in shit. Exactly.”
(Leo, 32:28)
- “Why would the CA/B Forum feel the need to reduce the life of absolutely theft-proof code signing certificates? What benefit could there possibly be to them?”
(Steve, 28:43)
- “You could just take more of that [magnesium].”
(Steve, 159:08, on supplementing and finding tolerance)
- “Curiosity, it seems, is now contraband. There is a cultural cost to banning brand names like Raspberry Pi.”
(Adafruit article quoted by Steve, 117:07)
- “Why was even a single instance of MongoDB publicly exposed? ...That way of thinking is obviously defective and wrong.”
(Steve, 187:40)
[Feature Segment] Deep Dive: MongoBleed Vulnerability
What is MongoBleed?
- CVE-2025-14847, affects all MongoDB versions since 3.6 (released Nov 28, 2017).
- Allows unauthenticated attackers to read arbitrary heap memory from the database server via a protocol/compression flaw.
- Public scan: 87,000+ vulnerable internet-accessible instances.
How the Bug Works (164:02–177:50)
- MongoDB’s protocol supports compressed client requests, specifying the expected decompressed size.
- The server trusts the client’s unverified “decompressed” length: it allocates a buffer of that size, decompresses far less actual data into it, and never checks how many bytes were really decoded.
- When the server replies, it returns the full (over-allocated, underutilized) buffer, which still contains leftover database memory: plaintext passwords, tokens, session data, and more.
- Root cause: trusting user input for buffer sizing, combined with never zeroing the allocated memory, a classic C programming issue.
- “Trusting user provided input would definitely be right up there near the top, if not perhaps in first place, since even buffer overflows typically result from the similar mistake of trusting and using something that a malicious user deliberately provided.”
(Steve, 174:15)
- No authentication required; trivial to script and automate.
- Exploit proof-of-concept widely available.
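The allocate-then-echo mistake described above, as an added C illustration that is not MongoDB’s code: a toy run-length decoder stands in for the real codec and a fixed arena stands in for the heap (both constructed for this example), so the leak is deterministic, and the hardened handler shows the two checks that close the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the server heap: one fixed arena that is never
   cleared between allocations, so a freed buffer's old contents survive. */
static uint8_t heap[64];
static void *arena_alloc(size_t n) { return n <= sizeof heap ? heap : NULL; }
/* Simulates an earlier request leaving sensitive data behind in the arena. */
void arena_leave_behind(const char *secret) {
    memset(heap, 0, sizeof heap);
    memcpy(heap, secret, strlen(secret));
}
/* Toy decompressor standing in for the real codec: (count, byte) pairs.
   Returns the number of bytes it actually produced. */
static size_t rle_decode(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        for (uint8_t k = 0; k < in[i]; k++) {
            if (n >= out_cap) return n;
            out[n++] = in[i + 1];
        }
    return n;
}
/* The MongoBleed pattern: buffer size and reply length both come from the
   client's claimed decompressed size; the real decoded length is ignored.
   reply must have room for claimed_len bytes. */
size_t vulnerable_handle(const uint8_t *msg, size_t msg_len,
                         uint32_t claimed_len, uint8_t *reply) {
    uint8_t *buf = arena_alloc(claimed_len);
    if (!buf) return 0;
    rle_decode(msg, msg_len, buf, claimed_len);   /* result discarded */
    memcpy(reply, buf, claimed_len);              /* echoes stale bytes */
    return claimed_len;
}
/* Hardened: zero the buffer, trust only the decoder's own count, and reject
   any message whose claimed size does not match what was really decoded. */
size_t fixed_handle(const uint8_t *msg, size_t msg_len,
                    uint32_t claimed_len, uint8_t *reply) {
    uint8_t *buf = arena_alloc(claimed_len);
    if (!buf) return 0;
    memset(buf, 0, claimed_len);
    size_t got = rle_decode(msg, msg_len, buf, claimed_len);
    if (got != claimed_len) return 0;             /* size mismatch: reject */
    memcpy(reply, buf, got);
    return got;
}
```

With a message that decodes to three bytes but claims 32, the vulnerable handler returns the three bytes followed by whatever the previous request left in the arena; the hardened one refuses the message outright.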
Implications and Lessons
- Mass data exfiltration now ongoing for untold organizations.
- Even with authentication, attackers can leak memory: “The decompression of the message is pre-authentication and never requires any form of authentication for its exploitation.”
(Steve, 186:53)
- Final lesson: “Authentication does not work... It cannot be absolutely depended upon to work... This is perhaps the single most important thing that has to change in today’s Internet-networked world.”
(Steve, 188:37)
Supplement Corner: Magnesium and Vitamin D Absorption
(133:02–159:00)
- New study links magnesium levels to whether vitamin D supplementation is effective.
- Most Americans are magnesium deficient; magnesium is needed in 400+ enzymatic reactions.
- Effective absorption: Glycinate/lysinate or bisglycinate forms are best; other forms are poorly absorbed and act mostly as laxatives.
- Practical advice: Find “bowel tolerance” level—max supplementation before experiencing laxative effects, then back off.
- Book reference: “The Magnesium Miracle” by Carolyn Dean.
Bonus: Steve’s British TV Pick – The Lazarus Project
(124:30–132:08)
- Steve effusively recommends the sci-fi time travel show “The Lazarus Project” (Netflix, Apple TV, Amazon Prime).
- “I have never, and I really mean never, seen a more compelling, astonishingly clever and gripping time travel concept and plot.”
(Steve, 127:45)
- Urges attentive, binge watching—plot is complex and rewarding.
Timestamps for Key Segments
- 02:00 – Philosophical framework: The limitations and overregulation of security
- 17:17 – Gibson’s code signing certificate rant
- 32:28 – Cloud code signing and cost explosion (“This is in shit. Exactly.”)
- 37:58 – How unsigned code is now instantly deleted in Windows 11
- 61:45 – Ads are coming to ChatGPT (and AI more broadly)
- 81:02 – PYPI: Security improvements, scale, and supply chain risk
- 91:12 – BitLocker’s performance woes and hardware acceleration
- 114:16 – NYC bans Flipper Zero and Raspberry Pi at inauguration
- 124:30 – The Lazarus Project: Sci-fi recommendation
- 133:02 – Magnesium, vitamin D, and supplementation details
- 159:38 – MongoBleed deep dive (core feature segment)
- 164:02–177:50 – Technical explanation of the MongoBleed exploit
- 187:40 – The need to “fix” exposure & rethink authentication
Final Thoughts
Steve and Leo close with sharp reminders that the industry's focus is often in the wrong place (“lifetime of certificates”), while the real existential risks to IT come from persistent misconfigurations, poor defaults, and bad incentives. The MongoBleed incident is not just another bug—it’s a symbol of what happens when basics are overlooked in a mad dash for security showmanship elsewhere.
Show notes, materials, and transcripts are available at GRC.com and TWiT.tv/SN.
“If you can’t write your own software, it’s not your computer.”
– Leo Laporte, 39:19
“Authentication cannot be absolutely depended upon. ... The world depends on it, but it keeps failing.”
– Steve Gibson, 188:37
For IT and security practitioners, the MongoBleed fallout is a critical call to audit exposure and rethink network trust assumptions—before the next “bleed” leads your data out the door.