Security Now 1033: Going on the Offensive — The Digital Arms Race
Podcast: Security Now (Audio)
Host: Leo Laporte
Guest/Co-host: Steve Gibson
Date: July 8, 2025
Episode Description: Steve Gibson and Leo Laporte break down the hottest topics in security, focusing this week on offensive cyber operations, the global zero-day arms race, Israeli spyware targeting European journalists, age verification rulings in the US, updates on major vulnerabilities, and a detailed look at what the US must do to compete in global exploit acquisition.
Overview
In this episode, Security Now takes a rare turn from defense to offense, diving deep into the cyber arms race and the evolving tactics, challenges, and ethical quandaries surrounding offensive cybersecurity, especially as global tensions rise. Steve and Leo analyze a groundbreaking policy paper on how the US can sharpen its offensive hacking edge against China, discuss the proliferation of Israeli spyware targeting European journalists, legal and technical implications of age verification mandates, and a round-up of vulnerabilities and news from the industry.
Key Topics & Insights
1. Israeli Spyware and Journalist Targeting
Timestamps: 18:20–37:02
Rise of Israeli Offensive Spying Tech
- Five major Israeli spyware vendors: Cellebrite, NSO Group (Pegasus), QuaDream (Reign), Candiru, and the newly revealed Paragon (Graphite).
- Citizen Lab's forensic analysis confirmed Paragon spyware targeted two European journalists via a zero-click iMessage exploit (zero-day).
- Apple indicated this attack was mitigated in iOS 18.3.1 (CVE-2025-43200).
WhatsApp Vulnerability Also Used
- A WhatsApp zero-day was also exploited to target journalists, leveraging a FreeType vulnerability triggered via PDF files; WhatsApp mitigated it server-side.
- Citizen Lab: “Paragon is known for developing sophisticated exploits that do not require any interaction from the targeted user.”
Notable Quotes:
- Steve: “This is a zero-day vulnerability that Apple did not know about, that this Paragon group used. Because at the end of this podcast we’re going to be talking all about zero-day vulnerabilities, which is what it turns out everything today comes down to in the field of offensive cyber war.” (24:45)
- Leo: “Maybe it was the Italian government… They might have been writing exposes on the corrupt Italian government.” (29:29)
Ethical and Political Implications
- Paragon customers (likely Italian government) targeted journalists exposing links between politicians and neo-Nazi groups.
- Discussion of safeguards (“We only sell to responsible governments”) being more PR than reality.
2. Global Vulnerability and Zero-Day Arms Race
Timestamps: 139:52–177:50
The Digital Arms Race: US vs China
- In-depth review of Atlantic Council’s policy report:
- US offensive cyber supply chain is fragmented and risk-averse compared to China’s centralized, aggressive approach.
- China’s strategy: buyers funnel zero-days into state use, cut off western access, and augment domestic supply with talent from across Asia.
- US process hampered by trust, middlemen, feast-or-famine payouts for hackers, and a focus on defense over offense.
The Exploit Marketplace
- Roughly half of the zero-days detected being exploited in the wild are attributed to commercial vendors selling to governments.
- Middlemen inflate exploit prices; original researchers may earn $100K for bugs that sell to governments for $750K–$1M.
- “The system by which zero-day vulnerabilities are acquired is horrendously inefficient and broken.” (Quoted from DoD official, 176:07)
Recruitment and Training
- Global “live hacking” competitions and bug bounties serve as recruitment pipelines for both defense and offense.
- Most bug hunters are young (58% under 25), self-taught, and non-US; US faces shortages and trust barriers.
Recommendations for US Policy
- Invest in domestic hacking talent.
- Streamline purchasing zero-days directly, cut out exploit brokers.
- Offer hackers legal protections and more profit.
- Recognize the digital arms race is won with the best, most plentiful supply of working zero-days.
Notable Quotes:
- “Offensive cyber warfare is 100% about penetrating into one’s perceived adversaries’ networks. That’s it. And, in turn, that’s all about leveraging exploitable zero-day, which is to say currently unknown vulnerabilities.” – Steve (177:50)
- “It’s clear that the US government itself needs to emerge from the shadows. It needs to become a well-advertised, high value, explicit buyer of zero-day exploits.” – Steve (full commentary, ~180:30)
3. US Supreme Court Upholds Age Verification for Adult Sites
Timestamps: 114:12–123:08
Texas HB 1181 Upheld
- 6–3 decision: States can enforce age checks for adult sites (e.g., Pornhub), requiring visitors to prove they're over 18.
- No technology exists for anonymous, unspoofable age verification.
- Dissent: It places unconstitutional burdens on adults’ free speech rights. (Justice Kagan quoted at 114:23)
Technical and Privacy Concerns
- VPN usage likely to rise as users seek to circumvent geoblocks, but VPNs may also soon be required to enforce state residency.
- Risk of mission creep—could extend to other types of content.
Panel Remarks:
- Leo: “Age verification is inherently a privacy violation… the definition of what is adult material is very flexible.” (120:48)
- Steve: “On the Internet, no one knows how old you are.” (121:15)
4. Fresh Security News Flashes & Quick Hits
Timestamps: 40:46–112:44
- Restore Points in Windows 11 now last 60 days (down from 90).
- EU accelerates its shift away from Microsoft Azure and sets a timeline for post-quantum cryptography (migration by 2030/2035).
- Russia to build national IMEI database—massive surveillance concerns.
- Canada/UK launch Common Good Cyber Fund: supporting underfunded nonprofit internet security infrastructure ($5.7M initial funding).
- US states crack down on crypto ATMs due to scams targeting elderly; ATM providers see massive profits (20% margins).
- US House of Representatives bans WhatsApp on official devices, citing the lack of stored-data encryption and opaque data handling (Meta disputes this).
- libxml2 “Open Source Burnout”: the single unpaid German maintainer may stop prioritizing security issues, calling out “big tech guilt trips.”
- WinRAR versions before 7.12 are affected by a directory traversal bug that can lead to remote code execution when a crafted archive is extracted; update to 7.12 or later.
- HaveIBeenPwned.watch: New open-source visualization tool using HIBP data.
- Sophos: Main ransomware roots—exploited vulnerabilities and compromised credentials.
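The WinRAR item above is an instance of a general archive-extraction hazard: an entry name such as `../../foo` or an absolute path makes the extractor write outside the chosen destination, and a file dropped into a startup or SSH directory becomes code execution. The following is an added example, not WinRAR's code and not a reproduction of its specific bug: a generic pre-extraction check for ZIP archives using Python's standard library. The sample archive is constructed inline, and the function and file names (`is_traversal`, `safe_extract`, `readme.txt`, the escaping entries) are illustrative choices, not anything from the show.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def is_traversal(member_name: str) -> bool:
    """Return True if an archive entry name would escape the extraction root.

    Rejects absolute paths, Windows drive-letter paths, and any name that still
    contains a leading '..' segment after normalisation. Backslashes are treated
    as separators because Windows extractors honour them.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract only entries that stay under dest; return the rejected entry names.

    Two layers of defence: a lexical check on the stored name, then a realpath
    comparison of the resolved target against the destination root.
    """
    rejected: list[str] = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_traversal(info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_real)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus two entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        # Unix-style escape towards an SSH authorized_keys file (constructed).
        zf.writestr("../../.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker")
        # Windows-style escape using backslashes towards a Startup folder (constructed).
        zf.writestr("..\\..\\Startup\\run.bat", "calc.exe")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run safe_extract on the sample archive in a scratch directory.

    Returns (rejected entry names, files actually written to the destination).
    """
    with tempfile.TemporaryDirectory() as scratch:
        rejected = safe_extract(build_sample_archive(), scratch)
        extracted = sorted(os.listdir(scratch))
    return rejected, extracted


if __name__ == "__main__":
    print(demo())
```

The lexical check alone is not enough on real systems (symlinked directories inside the archive, case-insensitive filesystems, and Windows device names all bypass a pure string test), which is why the resolved-path comparison is kept as a second gate even though the sample entries are caught by the first.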
5. Other Notable Segments and Quotes
On Quantum-Resistant Crypto
- “Somewhere amid all the chaos... there are good people calmly planning the evolution of the world's networking.” – Steve (47:09)
On Open Source Burnout (libxml2):
- Maintainer: "All the best practices... are just an attempt by big tech companies to guilt trip OSS maintainers and make them work for free." (77:33)
- “If these companies stopped using it... it’d be better for the health of this project.” (78:55)
Memorable Moments
Elevator Cautionary Sign, Picture of the Week (16:34)
- A sign posted: "Please make sure elevator is there before stepping in." Discussion about the real-world consequences and the ad-hoc way humans handle risk (and humor).
Sidetracks: Health & Science
- Steve and Leo discuss health gadgets, continuous glucose monitors, and how semaglutide drugs help with hunger (04:51–07:51).
- Andy Weir’s novels (Project Hail Mary, Artemis) and science fiction recommendations (127:35–134:01).
Detailed Timeline of Key Segments
| Segment | Timestamps |
|---|---|
| Israeli Spyware Paragon—Journalist Attacks | 18:20–37:02 |
| Quick Security News Roundup | 40:46–112:44 |
| Open Source Burnout—libxml2 | 77:17–89:50 |
| Windows/CrowdStrike Aftermath/Kernels | 107:20–114:12 |
| Supreme Court—Adult Site Age Verification | 114:12–123:08 |
| More Int’l Security News (Hikvision, Cloudflare in Russia) | 123:08–127:35 |
| US Offensive Cyber Policy—Zero-Day Market | 139:52–177:50 |
| Closing—Thoughts on Cyber Arms Race | 177:50–181:07 |
Conclusion
Security Now #1033 delivers a packed, insightful episode, pulling back the curtain on the world of offensive cybersecurity. Steve and Leo blend technical detail, clear-eyed policy critique, and moments of humor, all while highlighting how the global race for cyber dominance is increasingly about money, talent, and exploiting the vulnerabilities of the digital world—zero days above all.
Final Takeaway:
“Offensive cyber warfare is 100% about penetrating into one's perceived adversaries' networks. That’s it. And in turn, that’s all about leveraging exploitable zero-day, which is to say currently unknown vulnerabilities...”
— Steve Gibson (177:50)
For full links, references, and Steve's show notes and mailing list, visit grc.com/sn.