Security Now Episode 1048: "Mic-E-Mouse – AWS Goes Down Hard"
Podcast: Security Now (TWiT)
Hosts: Steve Gibson & Leo Laporte
Date: October 22, 2025
Episode Overview
This episode delivers a rich mix of security news, policy updates, and astonishing technical research. Steve and Leo dissect the Texas SB2420 age verification law (and its challenges), NIST’s long-overdue password policy overhaul, the wide-reaching AWS outage, a fresh "side-channel" mouse eavesdropping attack (the titular "Mic-E-Mouse"), and much more. The discussion is lively, ranging from legal nuances to deep tech, with Steve’s signature clarity and Leo’s wit throughout.
Key Discussion Points & Insights
1. Texas SB2420: Age Verification Law Under Siege
[17:02]–[37:00]
- Legal Challenges: Both big tech (by CCIA, representing Apple/Google) and youth advocacy groups have sued Texas over the law, calling it a "broad censorship regime" violating the First Amendment.
- Quote: “The Texas App Store Accountability act imposes a broad censorship regime on the entire universe of mobile apps.” – Ars Technica as cited by Steve [17:14]
- Law Explained: Requires app stores to verify age for all users in Texas, obtain parental consent for minors for ANY app or in-app purchase, and forces detailed age-rating with reporting for all app updates.
- Potential Overreach: Law includes a vast range of apps/services (from messaging to educational and news apps), potentially restricting access or demanding burdensome processes for developers and users alike.
- Supreme Court Dynamics: Recent SCOTUS decisions seem to support age verification, even if they curtail anonymous access for adults:
- Quote: “Adults have no First Amendment right to avoid age verification” [29:04]
- Google Play & Apple Impact: Both companies preparing to comply with APIs and tools for developers to handle age verification and parental consent.
- Monoculture – Systemic Risks: Leo and Steve lament how centralizing app distribution makes such legal impositions feasible, highlighting the risk of regulatory "choke points" where app stores are leveraged for broad policy enforcement.
2. NIST Modernizes Password Policy – At Last!
[44:02]–[56:45]
- Goodbye, Forced Complexity and Resets:
- Minimum 15 characters for single-factor, 8 for MFA; complexity requirements (symbols/capitals/numbers) are discouraged in favor of length.
- No more scheduled resets—only reset after compromise!
- Security questions and password hints discouraged in favor of secure, code-based recovery.
- Password blocklists are recommended.
- Advocacy Vindicated: Steve notes that his "Password Haystacks" insight—prioritizing length over complexity—has been officially recognized by NIST after 13 years.
- Quote: “The only thing that mattered was the password’s length. This could be summed up in the time-honored way: Size Does Matter.” — Steve [44:49]
- Historical Blunder: They discuss the origin of the old, punitive policies (thanks to Bill Burr) as a cautionary tale about unexamined best practices.
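As an added illustration (not code from the show, from Steve, or from NIST), the verifier rules summarised above expressed as a policy check: the length floor depends on whether a second factor is present, no symbol/capital/digit rule is enforced, a blocklist is consulted, and a reset is required only on evidence of compromise. The blocklist entries and thresholds are constructed for the example.

```python
"""Password verifier policy modelled on the NIST SP 800-63B update as summarised above.

Constructed example: the blocklist below is a stand-in for a breached-password
corpus, not NIST's own list.
"""
from dataclasses import dataclass, field

# Constructed blocklist; a real deployment loads a large breached-password set.
DEFAULT_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}


@dataclass
class PasswordPolicy:
    min_len_single_factor: int = 15  # password is the only factor: 15+ characters
    min_len_mfa: int = 8             # a second factor is enrolled: 8+ characters
    blocklist: set = field(default_factory=lambda: set(DEFAULT_BLOCKLIST))

    def check(self, password: str, mfa_enabled: bool) -> list[str]:
        """Return the list of violations; an empty list means the password is accepted.

        Length is counted in code points so non-ASCII passphrases are not penalised.
        There is deliberately no composition rule: length replaces complexity.
        """
        problems = []
        minimum = self.min_len_mfa if mfa_enabled else self.min_len_single_factor
        if len(password) < minimum:
            problems.append(f"too short: {len(password)} < {minimum}")
        # Blocklist match is case-insensitive so trivial capitalisation does not evade it.
        if password.lower() in self.blocklist:
            problems.append("on blocklist")
        return problems

    @staticmethod
    def reset_required(days_since_change: int, evidence_of_compromise: bool) -> bool:
        """No scheduled expiry: password age alone never forces a reset."""
        return evidence_of_compromise
```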
3. AWS Outage Highlights Cloud Monoculture Risks
[91:14]–[103:32]
- Incident Recap: The outage took down major services (IMDb, Snap, Ring, banks, even hospital beds) because of a single point of failure in the AWS US-East-1 region; it was traced to a DNS/configuration issue.
- Dependency Peril: The episode uses the event to emphasize dangers when too much infrastructure is concentrated in a handful of vendors.
- Quote: “With Amazon Web Services down, we’ve seen the lights go out across the modern economy from banking to communications.” — Quoting Corey Kreider [97:32]
- Blame Distribution: The hosts challenge the notion of victimhood, noting that many businesses choose AWS out of convenience and cost but pay the price when centralization collapses.
4. Satellite Insecurity Exposed
[71:46]–[86:46]
- Stunning Research: University teams exposed that ~50% of all geostationary satellite traffic is broadcast unencrypted, including:
- Cellular backhaul (calls, SMS, encryption keys)
- Corporate/government internal comms
- Aircraft data and in-flight Wi-Fi
- Financial and retail records
- Critical infrastructure (utilities, pipelines)
- Security through Obscurity Fails: The panel calls this a classic, dangerous reliance on "obscurity"—no one checked if anyone was listening. With cheap hardware, any hobbyist can now "tune in."
- Quote: “Obscure, kinda secure. Not even a little bit.” — Steve [72:15]
- Law Considerations: Leo raises the question—is merely listening to unencrypted satellite traffic legal? Turns out, it is.
5. Mic-E-Mouse: Optical Mice as Spy Devices
[143:12]–[161:51]
- Breakthrough Attack: Researchers demonstrate that modern high-res optical mice can pick up room vibrations from voices and, using clever AI (modified OpenAI Whisper models), reconstruct speech passively from mouse movement data—with up to 65% word accuracy in testing.
- Quote: “Modern optical mouse sensors, with their advanced precision and high responsiveness, possess an often overlooked vulnerability… can be exploited for side channel attacks.” — Steve reading from the paper [146:16]
- Software Risk: Since mouse coordinates are freely accessible to software and potentially even web apps, a compromised app (or even malicious website) could "listen" with your mouse to nearby conversations.
- Historical Reference: The team reminisces about Scotty in Star Trek IV trying to talk into a mouse, which is now a scientific reality.
Notable Quotes & Memorable Moments
- On Password Complexity:
  “It made no difference what characters those passwords contained, since they would all be checked eventually anyway. The only thing that mattered was the password’s length.” — Steve [44:49]
- Supreme Court on Age Verification:
  “Adults have no First Amendment right to avoid age verification.” [29:04]
- On Centralization:
  “This points out the real issue with having these app stores as the only place you can get an app… Now they’re a choke point for the government.” — Leo [34:10]
- On Satellite Insecurity:
  “Obscure, kinda secure. Not even a little bit.” — Steve [72:15]
Additional Segments and Listener Feedback
Listener Insights on the Realities of Age Verification
[119:05]–[126:16]
- Multiple listeners note workable bypasses—from siblings sharing devices, to just using a parent’s birthdate, acquiring prepaid cards, and so on.
- "This Older Brother Loophole… makes the whole exercise futile from the start" — Duncan from Sydney [120:47]
- Steve & Leo discuss the practical impossibility of foolproof digital age-gating, especially as kids become more technically adept.
NSA Caught Hacking China’s National Time Center?
[62:44]–[68:22]
- For the first time, Chinese government accuses the US (NSA) of infiltrating their critical time services.
- Steve: “I'm not unhappy to finally hear Chinese authorities complaining that the NSA has similarly been crawling around inside their networks for many years.” [65:52]
Timestamps for Significant Segments
- 17:02 – Texas App Store Law legal fight detailed
- 29:04 – Supreme Court rationale for age verification
- 44:02 – NIST modernizes password guidance; Steve’s vindication
- 71:46 – Satellite broadcast insecurity revealed
- 91:14 – AWS Outage: monoculture and cloud risk examined
- 119:05 – Listener feedback on underage circumvention and parental struggles
- 143:12 – Mic-E-Mouse: Mouse eavesdropping research explained
Show Tone and Style
Lively, deeply technical, and gently skeptical of authorities (legal, technical, and corporate). Steve and Leo intersperse serious analysis with banter and listener-driven asides, bringing rigorous context to even the most esoteric research.
Concluding Thoughts
This episode is a must-listen for anyone who wants to stay abreast of how policy, law, and unexpected technical realities are colliding in today's security landscape. Steve and Leo illuminate how security "best practices" evolve, the limits of legal maneuvers, and how technology’s progress opens new doors for defenders and attackers alike.
Resources
- Mic-E-Mouse Research & Code
- NIST Password Guidelines (SP 800-63B)
- Satellite Security Paper (ACM CCS 2025) (link in show notes)
For show notes, transcripts, and more, visit GRC.com/securitynow.