Security Now – Episode 1037 Summary
Title: Chinese Participation in MAPP – Why Signal is Leaving Australia
Date: August 6, 2025
Host: Leo Laporte
Guest: Steve Gibson
Episode Overview
In this rich episode on cybersecurity and global technology politics, Steve Gibson and Leo Laporte dive into several urgent security issues. The main focus centers on the heightened risk posed by Chinese participation in Microsoft's secretive MAPP (Microsoft Active Protections Program), especially in the wake of the SharePoint server fiasco. The hosts discuss how vulnerabilities are pre-disclosed to “trusted” security companies—including many in China—raising questions about national security and the potential for abuse.
The episode also covers Signal's strong stance against Australia’s proposed encryption backdoors, the state of age-verification technology online, newly discovered vulnerabilities (including in popular consumer routers), and the story of a negligent Asian domain registrar.
Key Discussion Points & Insights
1. Security Now Turns 20 Years Old (00:40–02:30)
- The show celebrates its upcoming 20th anniversary, reflecting on how the world of cybersecurity has evolved and how the show’s content has grown over two decades.
2. Picture of the Week: The “Breaker Finder” (13:02–15:40)
- Steve shares a tongue-in-cheek photo of a dangerously improvised electrical “tool” meant to short-circuit a breaker. Discussion ensues on why safety best practices matter.
- Memorable quote:
"Not every solution that works should be recommended." – Steve Gibson (13:09)
3. SharePoint Server Fiasco & China’s Role (15:50–36:21)
a. How the Vulnerability Was Exploited
- Details emerge that Microsoft used China-based engineers to patch SharePoint—a product that was recently targeted by Chinese state-sponsored hackers.
- ProPublica discovered that China-based engineers maintain the code for US government clients.
- Even with digital "escorts" (nominally US-based supervisors), these engineers had full access to zero-day vulnerabilities.
- Steve’s analysis: the “escort” system is a "crock" when it comes to genuinely preventing sensitive data leaks (19:45–21:10).
- Quote:
"The patch whose initially defective design caused the majority of the damage—could it have been deliberately botched by these Chinese developers? ... At the very least it's significant reputational damage, but now we learn that the flawed patch didn’t really come from Microsoft—at least not directly. The bad patch actually came from China, apparently subject only to some low-level oversight by a Microsoft escort." – Steve Gibson (25:44)
b. Industry Response & Systemic Flaws
- Microsoft is now moving SharePoint development away from China.
- Discussion of the wider implications for trust and software supply chain risk, especially as the US and China enter a “cyber cold war.”
- Quote:
"China is the one attacking us, and they’re writing the software which they’re attacking." – Steve Gibson (35:50)
4. Russia’s Attack on Embassies via Rogue Certificates (40:49–49:48)
- Microsoft Threat Intelligence reveals Russian ISPs are intercepting embassy internet traffic by tricking users into installing a fake Kaspersky Antivirus "update," which installs a compromised root certificate and malware, enabling full man-in-the-middle attacks.
- Quote:
"The malware relaxes the victim’s firewall rules, while the new root certificate serves to legitimize malicious traffic… Russia is able to freely impersonate any remote site the compromised target may visit." – Steve Gibson (44:00)
5. Signal to Leave Australia Over Encryption Demands (49:50–57:12)
- Signal Foundation President Meredith Whittaker declares Signal will leave Australia if forced to break encryption.
- Stresses that mandatory backdoors compromise user security globally, and that Signal’s user base (journalists, executives, whistleblowers) especially relies on its privacy.
- Quote:
"For many people, private communication is the difference between life and death." – Meredith Whittaker (cited by Steve, 49:54)
- On politicians & tech:
"The entire industry keeps telling all the politicians 'no' and they keep insisting … they assume they can ask for any feature they want and the techies will somehow figure out how to deliver it." – Steve Gibson (55:40)
6. YouTube’s Age Verification Heuristics (57:12–62:07)
- YouTube announces machine learning-based age estimation for US users to restrict adult content and protect teens, using viewing history and other indirect data.
- Heuristic systems aren’t perfect, but they’re a step forward until proper online age verification is standardized.
7. Chrome's New Extension Developer Security (62:09–67:00)
- Google introduces "Verified CRX Upload"—letting extension publishers use a public-private keypair to ensure only properly signed code is published.
- Empowers developers to prevent account hijacking from impacting users.
8. Negligent Domain Registrar “WebNic” Faces Termination (71:09–100:43)
- Asian registrar WebNic is close to losing its ICANN accreditation for systematically ignoring DNS abuse complaints about domains used for phishing & malware.
- ICANN's process for booting bad actors and migrating their domains to a "gaining registrar" is explained in detail.
- Quote:
"It's a privilege [to be a registrar], not a right—and it's a privilege that can be withdrawn and lost." – Steve Gibson (71:57)
9. TP-Link Archer C50 Router Vulnerability (104:26–106:14)
- Users are warned to replace end-of-life TP-Link Archer C50 routers, which use outdated DES-ECB encryption for device settings.
- Best Practice: Five-year hardware lifecycle recommended; retire old routers for security.
10. Digital Driver’s Licenses & Truly Private Age Verification (107:43–124:07)
- Emerging state programs (California’s “MDL,” TrueAge) now allow digital, biometric driver’s licenses.
- TrueAge system praised for privacy, but Steve uncovers that it does ultimately tie age tokens to identity (license #), albeit only retrievable under court order.
- W3C (web standards body) is incorporating these methods—possibly moving privacy-respecting age-checking closer to reality.
- Quote:
"None of this, you know, I mean, sure, maybe if you’re buying tobacco or alcohol at a retail point, this is better than revealing your full driver’s license… but it doesn’t do what we want for minimal information disclosure." – Steve Gibson (114:55)
11. China, Microsoft, and MAPP: Is Trust Possible? (135:54–160:53)
a. How MAPP Works and the Risks
- Microsoft's MAPP program pre-shares vulnerability details up to two weeks before public disclosures to "trusted" partners—to help advance defensive products.
- Many Chinese firms with state ties are in MAPP and may be legally required to relay vulnerabilities to Beijing.
- China’s 2021 regulation mandates reporting new zero-days to authorities within 48 hours.
- These firms can gain prestige and financial reward for such disclosures.
b. Documented Leaks & Case Studies
- In the 2021 Exchange Server hacks, attackers exploited vulnerabilities days after proof-of-concept code was shared with MAPP members.
- CrowdStrike observed SharePoint vulnerabilities being exploited before public patches, likely aided by MAPP leaks.
- The analysis concludes that due to systemic incentives, Chinese partners cannot be trusted with pre-release info.
- Quote:
"Given that US intelligence agencies have firmly concluded that US interests are under constant cyberattack from Chinese threat actor groups … how can it possibly remain rational for Microsoft to be willfully providing Chinese researchers—and indirectly the Chinese government—with the very means to attack us, perhaps devastatingly?" – Steve Gibson (159:55)
Notable Quotes & Moments
- On China’s SharePoint Patch:
- "The bad patch actually came from China, apparently subject only to some low-level oversight by a Microsoft escort." (25:44)
- On Signal’s Refusal to Compromise:
- "If you let the gangrene spread, you poison the body." – Meredith Whittaker (via Steve, citing Information Age, 49:48)
- On YouTube’s AI Age Estimation:
- "Heuristics are inherently fuzzy ... but they’re more responsible than doing nothing." (57:50)
- On Registrars and Security:
- "It's a privilege [to be a registrar], not a right." (71:57)
- On Microsoft’s MAPP Risks:
- "Chinese APT groups are known for their speed and coordination in exploiting such vulnerabilities. Once a vulnerability has been successfully weaponized, it often circulates rapidly among operators." (155:00)
- Episode Conclusion:
- "Given the facts … I for one sincerely hope that Microsoft is seriously at this point reconsidering the trusting relationship they have long enjoyed with China's security firms." (159:55)
Timestamps of Key Segments
| Topic/Segment | Timestamp |
|---|---|
| Show Open / 20th Anniversary | 00:40–02:30 |
| Picture of the Week | 13:02–15:40 |
| SharePoint fiasco & China’s role | 15:50–36:21 |
| Russia’s embassy attack | 40:49–49:48 |
| Signal threatening exit from Australia | 49:50–57:12 |
| YouTube’s new age verification heuristics | 57:12–62:07 |
| Chrome Verified CRX Upload | 62:09–67:00 |
| ICANN and the rogue registrar WebNic | 71:09–100:43 |
| TP-Link Archer C50 router vulnerability | 104:26–106:14 |
| Digital driver’s licenses, “TrueAge,” and W3C directions | 107:43–124:07 |
| Deep-dive: Chinese companies and Microsoft’s MAPP program | 135:54–160:53 |
Tone and Style
Engaging, sometimes wry but always incisive, the episode is full of the trademark Gibson-Laporte interplay: equal parts analysis, incredulity, and expertise. Steve’s technical depth is complemented by Leo’s clear, lay-focused questioning, making the show accessible and relevant for professionals and general listeners alike.
Conclusion
This episode is a must-listen for anyone concerned with global software supply chain security, the limits of trust in international partnerships, and the practical realities of protecting users amid rising geopolitical friction. The deep analysis of MAPP is paired with practical cybersecurity tips, warnings about real-world vulnerabilities, and coverage of the ongoing fight for privacy rights in the face of government intervention.