Security Now #1044: The EU’s Online Age Verification – Consumer Reports vs. Microsoft
Date: September 24, 2025
Hosts: Steve Gibson and Leo Laporte
Podcast: Security Now (TWiT Network)
Overview
This episode sees Steve Gibson and Leo Laporte dig into several important cybersecurity and tech-policy developments. Key themes include privacy-preserving online age verification in the EU (with Spain leading the way), Consumer Reports’ call for Microsoft to extend Windows 10 support, and a report that the Chinese Deep Seek AI returns deliberately flawed code to politically disfavored groups. They also break down the persistent Rowhammer vulnerability of DDR5 memory, an alarming cross-tenant authentication flaw in Microsoft’s cloud identity platform, the latest browser news, and listener feedback on phishing defense in enterprise environments.
Episode Highlights and Key Discussion Points
1. The EU’s Online Age Verification: Spain’s Privacy-Respecting System
- Timestamps: [02:30], [143:34], [148:21], [153:57]
- Main point: Spain, ahead of the curve in the EU, is implementing a privacy-preserving, cryptographically strong age verification system using W3C Verifiable Credentials.
- How does it work?
- Users download a government-backed age verification app.
- Identity/age is verified via a national document, bank identity, or e-passport.
- Only the age assertion (e.g., “over 18”) is stored in the app—no personal info is shared.
- Access to adult content requires presenting this credential, typically by scanning a QR code at the content site.
- Notable Insight:
“Significantly, nowhere anywhere in the credential is there anything that identifies the individual...So, when the app is used … without revealing anything other than the assertion of their age, [users] prove that to the site and then are permitted in. I’m very impressed. They got it right.”
– Steve Gibson [161:53]
- Broader context:
The W3C and IAB are hosting a workshop on technical frameworks for online age gating, while Spain is moving ahead with an actual, deployable system built on W3C standards ([148:21]).
- Listener context:
National ID cards issued at birth in Spain make this system practical [161:11].
- Concerns raised:
Some users push back over privacy and censorship (“1984 should be a warning, not a blueprint”), but Steve points to the legal and societal shift: the internet is catching up with real-world age restrictions.
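The flow described above, as an added example written for this summary rather than code from Spain’s system or from the podcast: an issuer signs nothing but an over-age assertion (Ed25519), and a site verifies the signature, rejects expired or tampered credentials, and refuses a credential it has already accepted. The issuer name, claim string, compact token encoding and single-use rule are assumptions made for illustration; real W3C Verifiable Credentials use a JSON-LD or JWT envelope, and Spain’s app may bind or batch credentials differently.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AgeCredential is the entire payload the issuer signs. Note what is absent:
// no name, no ID number, no date of birth, no holder key. One fact is disclosed.
type AgeCredential struct {
	Claim   string `json:"claim"` // e.g. "age_over_18" (assumed claim name)
	Issuer  string `json:"iss"`   // names the issuing authority, not the user
	Expires int64  `json:"exp"`   // Unix seconds; short-lived and reissued by the app
	ID      string `json:"jti"`   // random and single-use, so a site can reject replays
}

// Issuer stands in for the government app's backend (hypothetical).
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue runs after the app has checked age out of band (document, bank identity,
// e-passport). Nothing from that check is copied into the credential.
func (i *Issuer) Issue(claim string, ttl time.Duration, now time.Time) (string, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	payload, err := json.Marshal(AgeCredential{
		Claim:   claim,
		Issuer:  i.Name,
		Expires: now.Add(ttl).Unix(),
		ID:      base64.RawURLEncoding.EncodeToString(id),
	})
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(i.priv, payload)
	// Compact "payload.signature" string, the kind of thing a QR code carries.
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// Site stands in for the content site: it holds only issuers' public keys
// and the IDs of credentials it has already accepted.
type Site struct {
	trusted map[string]ed25519.PublicKey
	seen    map[string]bool
}

// Verify checks signature, expiry, claim and single use, in that order.
func (s *Site) Verify(token, requiredClaim string, now time.Time) (*AgeCredential, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	var c AgeCredential
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("malformed credential")
	}
	// The issuer name is untrusted input until the signature checks out.
	pub, ok := s.trusted[c.Issuer]
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("unknown issuer or bad signature")
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("expired")
	}
	if c.Claim != requiredClaim {
		return nil, errors.New("credential does not carry the required claim")
	}
	if s.seen[c.ID] {
		return nil, errors.New("credential already used")
	}
	s.seen[c.ID] = true
	return &c, nil
}

func main() {
	iss, _ := NewIssuer("age-authority.example")
	site := &Site{trusted: map[string]ed25519.PublicKey{iss.Name: iss.Pub}, seen: map[string]bool{}}
	tok, _ := iss.Issue("age_over_18", 24*time.Hour, time.Now())
	c, err := site.Verify(tok, "age_over_18", time.Now())
	fmt.Printf("first use: %+v (err=%v)\n", c, err)
	_, err = site.Verify(tok, "age_over_18", time.Now())
	fmt.Println("second use:", err)
}
```

The point to take from the sketch is what the site can and cannot learn: it receives a signed blob whose only contents are the claim, the issuer, an expiry and a random ID, and the issuer never sees which site the credential was shown to.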
2. Consumer Reports vs. Microsoft: The Windows 10 Support Controversy
- Timestamps: [13:08] – [31:26]
- Main point:
Consumer Reports, represented by podcast alum Stacy Higginbotham, published an open letter urging Microsoft to extend free security updates for Windows 10, particularly since many users cannot upgrade to Windows 11 because of its hardware requirements.
- Key arguments from Consumer Reports:
- Millions of users with relatively new PCs (sold as recently as 2022–2023) cannot upgrade.
- Microsoft long fostered an expectation of 10+ years of support.
- Charging $30 for a single year of extra support is “hypocritical”: the security benefits used to sell Windows 11 come at the cost of leaving hundreds of millions of machines less secure.
- Memorable Quote:
“Arguing that Windows 11 is an essential upgrade to boost cybersecurity while also leaving hundreds of millions of machines more vulnerable to cyber attacks is hypocritical, especially while charging consumers $30 for a mere one year extension to preserve their machine security.”
– Stacy Higginbotham, Consumer Reports [18:34]
- Steve’s take:
The hardware requirements for Windows 11 are largely artificial. Backwards compatibility has historically underpinned users’ trust in Microsoft; forcibly obsoleting millions of working systems is environmentally and financially wasteful.
- Likely outcome:
Both Steve and Leo predict that Microsoft may be pressured into extending free security updates, given the mounting public outcry.
“I suspect they're going to cave and they are going to do that. It seems like the writing's on the wall.”
– Leo Laporte [27:09]
3. Deep Seek and the Politics of AI-Driven Code
- Timestamps: [40:07] – [42:04]
- Main point:
Research reports that Deep Seek, a leading Chinese AI code-generation platform, returns flawed, less secure code, or refuses to help at all, when the requester appears to be associated with groups or regions disfavored by Beijing (e.g., Falun Gong, Tibet, Taiwan).
- Steve’s reaction:
“In a report that's both sad and predictable... Deep Seek AI engine returns code with security flaws if it determines that the coder is associated with a specific minority group... Sad, but not surprising.”
– Steve Gibson [41:36]
- Broader implication:
AI coding assistants can be weaponized or politicized, which underscores the need for transparency and independent verification of generated code.
4. Tech News Briefs
- DDR5 Remains Vulnerable to Rowhammer Attacks ([77:15])
- Summary: The latest generation of DRAM (DDR5) is still susceptible to Rowhammer bit flips despite its new protections (on-die ECC and Target Row Refresh, TRR). Google-funded research shows that an attacker with detailed knowledge of the memory subsystem can bypass these mitigations. No structural fix is in sight.
- Quote:
“If your solution is to add hardware counters into your DRAM memories, word line activations as a means of detecting when someone may be yanking your line with malicious intent…what a mess.”
– Steve Gibson [78:57]
- Major Entra ID (Azure AD) Cloud Authentication Bug ([55:14]–[60:56])
- Summary: A recently patched vulnerability let “impersonation tokens” requested in one tenant be used across tenant boundaries, granting access as any user, up to and including Global Administrator, in any other Entra ID (Azure AD) tenant. There is no indication it was exploited in the wild, but the potential was “as bad as it could get.”
- Quote:
“Effectively this means that with a token I requested in my lab tenant I could authenticate as any user, including global admins in any other tenant.”
– the researcher’s findings, as read by Steve [59:05]
- Browsers: Firefox 143, WebAssembly 3.0, Chrome Zero-Day ([42:06], [47:24], [53:57])
- New privacy and UX features: Firefox 143 adds web-app pinning, Copilot as a sidebar chatbot option, an improved camera-permission UI, and expanded fingerprinting protection, though the latter does not fully defeat EFF’s Cover Your Tracks test.
- WebAssembly 3.0 adoption: Chrome and Firefox are keeping up with the new standard; Safari lags.
- Chrome zero-day: Google impressed by patching a V8/WebAssembly flaw exploited in the wild within a day of its discovery.
- Other Briefs:
- Samsung refrigerators now display unsolicited ads (!!) on their built-in screens [86:33].
- China bans Nvidia chips; the supply-chain and national-security back-and-forth continues [89:46].
- The npm registry is hit by another 300+ malicious packages; supply-chain threats persist [91:57].
- US DoD “cyber” organizational bloat: 61,000 staff plus redundant training; consolidation efforts are underway [31:26].
5. Security Practice Deep-Dives and Listener Feedback
- 0patch for Post-Windows 10 Support:
- Free tier: a given patch is provided free only until Microsoft ships its own fix for that flaw.
- Subscription model: the 0patch agent checks the license at runtime, and its patches stop being applied if you unsubscribe [93:51].
- Phishing: Email Link Dilemma in the Real World ([100:04], [104:42])
- Listener Nick Nidenbach:
“It doesn't surprise me that the training was proving ineffective as I regularly see employers send emails with links that the employee often has to click on… 'don't click on links in emails' is an impossible, nonsense recommendation.”
- Steve’s synthesis:
Least privilege and technical controls are the real solution: since users are required to click links, the network must be resilient against the mistakes that will inevitably follow.
- Glenn Hochberg:
Describes enterprise solutions that rewrite every link in incoming email so it passes through a trusted filtering gateway, which analyzes the destination for malice at click time and blocks it when necessary.
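As an added example of the link-rewriting gateway Glenn describes (written for this summary, not code from the episode or from any vendor’s product): links are rewritten at delivery time into HMAC-signed gateway links, and each click is resolved against reputation data current at that moment, so a destination that was clean when the mail arrived but was weaponized later is still blocked. The gateway hostname, the sample message and the blocklist are constructed for the demonstration; a real deployment would consult a live reputation service and answer with an HTTP redirect or a block page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// linkRE finds http(s) URLs in a plain-text body. Trailing punctuation is
// trimmed in RewriteBody so a sentence-ending "." stays outside the link.
var linkRE = regexp.MustCompile(`https?://[^\s<>"']+`)

// Gateway rewrites links when mail is delivered and resolves them when
// someone clicks, judging the destination at click time, not delivery time.
type Gateway struct {
	Base    string          // click-through endpoint (hypothetical hostname)
	key     []byte          // HMAC key shared by the rewriter and the resolver
	blocked map[string]bool // stands in for a live reputation feed
}

func NewGateway(base string, key []byte) *Gateway {
	return &Gateway{Base: base, key: key, blocked: map[string]bool{}}
}

func (g *Gateway) tag(target string) []byte {
	m := hmac.New(sha256.New, g.key)
	m.Write([]byte(target))
	return m.Sum(nil)
}

// Wrap turns one destination into a signed gateway link. The tag stops an
// attacker from minting gateway links that point wherever they like.
func (g *Gateway) Wrap(target string) string {
	q := url.Values{}
	q.Set("u", base64.RawURLEncoding.EncodeToString([]byte(target)))
	q.Set("t", hex.EncodeToString(g.tag(target)))
	return g.Base + "?" + q.Encode()
}

// RewriteBody wraps every link in a message body (the delivery-time step).
func (g *Gateway) RewriteBody(body string) string {
	return linkRE.ReplaceAllStringFunc(body, func(m string) string {
		core := strings.TrimRight(m, ".,;:!?)")
		return g.Wrap(core) + m[len(core):]
	})
}

// Block marks a host as malicious, as a reputation feed would over time.
func (g *Gateway) Block(host string) { g.blocked[strings.ToLower(host)] = true }

// Resolve is the click-time handler: authenticate the link, then decide
// whether to redirect or block using what is known right now.
func (g *Gateway) Resolve(wrapped string) (string, error) {
	if !strings.HasPrefix(wrapped, g.Base+"?") {
		return "", errors.New("not a gateway link")
	}
	u, err := url.Parse(wrapped)
	if err != nil {
		return "", err
	}
	raw, err := base64.RawURLEncoding.DecodeString(u.Query().Get("u"))
	if err != nil {
		return "", errors.New("malformed target")
	}
	want, err := hex.DecodeString(u.Query().Get("t"))
	if err != nil {
		return "", errors.New("malformed tag")
	}
	target := string(raw)
	if !hmac.Equal(g.tag(target), want) {
		return "", errors.New("tag mismatch: link was not issued by this gateway")
	}
	dest, err := url.Parse(target)
	if err != nil || (dest.Scheme != "http" && dest.Scheme != "https") {
		return "", errors.New("unsupported destination")
	}
	if g.blocked[strings.ToLower(dest.Hostname())] {
		return "", fmt.Errorf("blocked at click time: %s", dest.Hostname())
	}
	return target, nil
}

func main() {
	g := NewGateway("https://links.example-corp.invalid/go", []byte("demo-key"))
	// Constructed sample message, not real mail.
	fmt.Println(g.RewriteBody("Enroll at https://hr.example-corp.invalid/benefits. Thanks!"))
	w := g.Wrap("http://evil.example.net/login")
	fmt.Println(g.Resolve(w)) // resolves: nothing known against the host yet
	g.Block("evil.example.net")
	fmt.Println(g.Resolve(w)) // now blocked, even though the mail was delivered earlier
}
```

Two design choices carry the security value here: the HMAC tag means the gateway only ever redirects to destinations it wrapped itself (no open redirector for attackers to abuse), and the reputation check happens on the click rather than on delivery, which is what lets the gateway catch links that turn malicious after they land in the inbox.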
- Backup Strategies: ([105:57])
- For large drives and RAID arrays, redundant, automated backups with versioning beat periodically copying files by hand to a pile of external drives.
- Apple Security Architecture: ([116:08])
- A listener asks whether Android can match Apple’s new always-on Memory Integrity Enforcement.
- Steve:
“Nothing that Apple has done would be impossible to replace or duplicate. But Apple has a huge advantage…because they control all of their system's hardware, its OS, and much of their devices supporting applications.”
- Google/Android’s approach is less aggressive: security is “good enough” for most users, but not “paranoid perfect.”
Memorable Quotes & Moments
- On Deep Seek:
“Sad, but not surprising.” – Steve Gibson [41:36]
- On Microsoft & Windows 10:
“You know, we've watched as Microsoft's previous decisions on this matter have, have shifted over time. So I'd say it's reasonable to hope they might simply allow all Windows 10 machines to continue receiving security updates for the next three years. All they need to do is not flip that cutoff switch in Redmond and that'll keep happening.” [24:21]
- On Rowhammer and Memory Technology:
“It's too bad that the word desperation has too many letters to serve as the abbreviation for some means of solving this problem, since desperation is what it's come down to.” [78:57]
- On Age Verification:
“I'm very impressed. They, they, they got it right… Spain is simply… using this thing they refer to as an overage token credential… Presumably sites that don't do this are subject to fine of not $9.344 million or 10% of a site's annual revenue.” [161:53]
- On the Broader Shift to Online Regulation:
“The Internet has been a cyber world exception from the laws and responsibilities of the real world. And, you know, cyber is finally catching up.” [157:03]
Timestamps for Key Segments
- [02:30] – Introduction to the episode’s main stories
- [13:08] – [31:26] – Consumer Reports’ letter to Microsoft re: Windows 10
- [40:07] – [42:04] – Deep Seek AI and government-influenced code
- [55:14] – [60:56] – Entra ID cloud authentication vulnerability
- [77:15] – DDR5 and Rowhammer attack landscape
- [86:33] – Samsung refrigerator advertising
- [93:51] – 0patch and the post-Windows 10 patching model
- [100:04], [104:42] – Phishing defense: impossible user training & tech mitigations
- [116:08] – Apple’s security hardening vs. Android
- [143:34], [148:21] – Age verification: EU & W3C context
- [153:57] – Spain’s privacy-protecting age verification demo & explainer
- [161:53] – Steve’s wrap-up: technical details of verifiable credentials
- [177:24] – Reflections on regulatory shifts, practicalities, and the future
Summary
This episode brings a unique blend of technical, regulatory, and real-world consumer issues—from the nitty-gritty of memory vulnerabilities and cloud authentication, to the emerging solutions for online privacy and age verification, with a healthy dose of critique directed at Microsoft’s support policies and the state of open-source supply chains.
Steve and Leo stress that while regulation is playing catch-up—sometimes clumsily—the right technological solutions can respect privacy and security. As Spain’s age verification implementation shows, user privacy and lawmakers’ requirements need not be at odds, as long as standards-based, transparent solutions are prioritized.
For more, listen to the full episode or check the transcript. Want to explore the Spain age verification system? See: grc.sc/1044 for the demo video and more technical info.