Security Now Ep. 1051: Amazon Sues Perplexity — Nevada's Ransomware Comeback
Podcast: Security Now (TWiT)
Host: Steve Gibson with Leo Laporte
Date: November 12, 2025
Episode Overview
This episode digs into three major themes shaking up cybersecurity and the internet:
- Amazon’s lawsuit against Perplexity over its “agentic” AI browser, raising big questions about who (or what) is allowed to interact with commercial websites and how;
- Nevada’s hands-on, ransomware comeback story—a case study in recovery without paying off the bad guys;
- Browsers, AI, and security: new features and risks, highlighted by Chrome’s controversial move to autofill government ID numbers, Microsoft’s discovery of LLM leakage via encrypted traffic, and more news from the ever-changing security landscape.
As always, Steve and Leo provide in-depth, clear explanations and engaging banter, punctuated by pragmatic security tips and wry humor.
Key Discussion Points & Insights
1. FFMPEG Assembly Language Lessons
[09:03 – 15:00]
- FFMPEG is promoting the use of assembly language for performance gains in their audio/video processing suite.
- They claim “10 to 50x” speed increases—Steve says this is only true if you’re not already using the special hardware instructions available via high-level languages.
- Quote [10:27]:
  “All modern processor instruction sets have extremely powerful and fast special purpose vector and array handling streaming instructions... You don’t have to code in assembly to access these.”
  — Steve Gibson
- FFmpeg is offering assembly lessons in French, Spanish, and English, which Steve recommends for anyone curious.
2. Nevada’s Ransomware Comeback: A Model Response
[15:00 – 35:34]
- Incident Summary:
  - In May 2025, a Nevada state employee downloaded malware via a malicious ad; attackers persisted for months.
  - On August 24 at 1:50am (a Sunday), the attack culminated in widespread ransomware, knocking out the state’s virtual machines and critical systems.
  - Early engagement with Mandiant and rapid internal mobilization:
    - By 7:37am: Escalated to state CIO/governor
    - By 9:51am: Restored credentials
    - By noon: Isolated infected VMs
    - By dinner: Recovery protocols underway
- No ransom was paid.
  - 90%+ data recovered
  - $1.5 million spent—mostly internal overtime, with outside vendor help under pre-negotiated contracts
  - Critical: offline backups saved the day
- Key Takeaways:
  - Hands-on recovery and in-house knowledge prevented a bigger disaster and higher costs
  - Infected systems isolated quickly; legal, forensic, and engineering teams mobilized
  - Security hardening and improved SOC are ongoing
- Quote [31:13]:
  “Props for Nevada. You don’t want to get hit, but if you do, you want to be able to recover yourself. Not trusting the bad guys with your data is how it should be done.”
  — Steve Gibson
3. Rounding Error Heist: $128M Drained from DeFi via Arithmetic Exploit
[35:36 – 46:50]
- Attack on Balancer (DeFi platform):
  - Exploited rounding errors in token price calculation—by using tiny unit transactions, the attacker manipulated pool invariants to artificially deflate token value, then siphoned off assets.
  - $128 million stolen in 30 minutes across 6 blockchains.
- Quote [39:54]:
  “I’m not even sure I’d call this an attack… They clearly started with a theoretical concept and made it work. Maybe they earned it.”
  — Steve Gibson
- Steve’s advice: Avoid putting your money in arcane DeFi platforms you don’t understand.
4. Chrome to Auto-Fill Driver’s License & Passport Data: Why Now?
[52:16 – 59:36]
- Chrome will now store and autofill Driver’s License, Passport, and Vehicle data—not just addresses and credit cards.
- Google claims it’s “secure and encrypted” and only filled with your permission, but Steve questions the necessity and timing.
  - He points out this suggests more websites might soon require government ID online (possibly for age or identity verification), which he views as a negative development.
- Steve doesn’t want to trust browsers or password managers with this data unless necessary—and is skeptical of consumer data privacy from websites.
- Quote [55:25]:
  “Leaking is what data does. Chrome is a good browser, but it’s always patched for new zero-days. I don’t see why we’d want to hand websites our government ID more often.”
  — Steve Gibson
5. UK’s New Policy to Block Call Spoofing
[60:29 – 64:41]
- All major UK telecom providers are to block inbound calls that spoof UK numbers from overseas.
- Uses call tracing technology to aid police in tracking fraudsters.
- Steve wishes the US would follow the UK in this proactive, simple step.
- Quote [64:09]:
  “It’s such a simple solution... Simply examine calls entering the UK and drop spoofed numbers. Why don’t we do this in the US?”
  — Steve Gibson
6. Removing XSLT: Trimming Zombie Code from Browsers
[64:47 – 82:35]
- Major browsers (Chrome, Firefox, Safari) will deprecate and remove XSLT (an obsolete XML transformation language) in the next year.
  - Low usage, poor security, legacy code open to exploitation (memory safety bugs).
  - Steve applauds this as a necessary, if painful, part of browser evolution—old tech must die to shrink the attack surface.
- Lesson:
  - The modern web uses JSON and JS frameworks instead; better to focus on securing technologies in actual use.
  - Some rare sites will break, but it’s the right choice.
7. Firefox Offers Paid Support for Enterprises
[86:03 – 89:00]
- Mozilla introduces “Firefox Support for Organizations”, a paid plan offering:
  - Private tickets, priority troubleshooting, custom deployment help, early insights/roadmap input
- Steve suspects this was in response to real demand as organizations seek more control and support.
8. Russia Blocks Akamai, More Departures from Microsoft, Security Firm Acquisitions
[89:00 – 94:00]
- Russia is disrupting foreign cloud/CDN providers (Akamai) and requiring local offices.
- The International Criminal Court and Austrian agencies move from Microsoft to open source alternatives for Office and cloud services.
- Google’s $32B purchase of Wiz Security gets US regulatory approval, expanding Google’s security offerings.
9. Cookie Banner Salvation: GDPR Reform May Finally Kill Pop-Ups
[93:43 – 96:15]
- Leaked EU GDPR amendments would allow browsers to send a once-and-for-all cookie preference, which every website must obey—no more endless pop-ups.
- Would be mandatory across the EU, effectively covering the world.
- Quote [94:42]:
  “The regulations… would finally make those cookie banners disappear. Users who care will be able to set and forget their preference in their browsers.”
  — Steve Gibson
10. Microsoft’s Whisper Leak: LLM “Side-Channel” Attack via Packet Analysis
[100:00 – 111:40]
- Microsoft discovered an attack that infers LLM/chatbot conversation topics—even over encrypted (TLS) channels—by analyzing packet sizes and timing, especially during streaming replies.
- Trained on known topics, an adversary can spot (e.g.) a money laundering conversation without decrypting packets.
- Mitigations deployed: randomizing response lengths makes this attack impractical.
- Quote [109:00]:
  “A perfect example of a side-channel attack… where only packet length and timing give away what’s going on, even through encryption.”
  — Steve Gibson
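As an added illustration (not from the episode or from Microsoft's write-up), this Python sketch shows why streamed chunk sizes leak and what bucketing plus random padding buys a defender; the record overhead, the length-prefixed padding format and the sample replies are all constructed assumptions.

```python
"""Constructed demo: streamed-reply record sizes as a side channel, and a length-hiding pad."""
import random
import struct

RECORD_OVERHEAD = 22  # assumption: fixed ciphertext overhead per record in this demo

# Constructed sample streams: each reply is sent one token (chunk) at a time.
REPLY_A = [b"File", b" the", b" return", b" before", b" April", b" fifteenth"]
REPLY_B = [b"Preheat", b" the", b" oven", b" to", b" 180", b" degrees"]


def observed_sizes(records, overhead=RECORD_OVERHEAD):
    """What a passive observer sees: one ciphertext record per streamed chunk."""
    return [len(r) + overhead for r in records]


def pad_chunk(chunk, bucket, max_extra, rng):
    """Length-prefix the chunk, round up to a bucket boundary, then add random filler.
    The prefix lets the receiver strip the filler; the random tail breaks the
    one-to-one mapping between token length and record size."""
    body = struct.pack(">H", len(chunk)) + chunk
    target = -(-len(body) // bucket) * bucket + rng.randint(0, max_extra)
    return body + rng.randbytes(target - len(body))


def pad_reply(chunks, bucket=64, max_extra=32, seed=None):
    """Pad every chunk of a streamed reply; pass `seed` only for reproducible demos."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [pad_chunk(c, bucket, max_extra, rng) for c in chunks]


def unpad_chunk(padded):
    """Receiver side: recover the original chunk from a padded record."""
    (n,) = struct.unpack(">H", padded[:2])
    return padded[2:2 + n]


def consistent_lengths(observed, bucket, max_extra, overhead=RECORD_OVERHEAD, max_len=4096):
    """Plaintext lengths an observer cannot rule out for one padded record size.
    Unpadded, record size minus overhead IS the token length; padded, every
    length in the bucket remains possible, which is what the mitigation buys."""
    body_len = observed - overhead
    fits = set()
    for n in range(max_len + 1):
        lowest = -(-(n + 2) // bucket) * bucket  # smallest record body for length n
        if lowest <= body_len <= lowest + max_extra:
            fits.add(n)
    return fits
```

Compare `observed_sizes(REPLY_A)` with `observed_sizes(pad_reply(REPLY_A))`: the first reproduces each token's length exactly, the second hides it among 63 candidates per record.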
11. SpinRite in Action: Listener Feedback
[115:09 – 115:22]
- Listener David Wright saved his department’s NAS by running SpinRite on a failed drive after his predecessor set up RAID0 (no redundancy).
- Steve stresses: in many cases, SpinRite can recover data quicker and cheaper than sending a drive to a recovery shop.
12. GRC Technical Updates: DNS Benchmark & Email Anti-Spoofing
[115:24 – 131:53]
- New DNS Benchmark: supports IPv6, DNS over TLS/HTTPS, much more precise benchmarking—commercial release “soon.”
- GRC Email Security: Explains how tightening DMARC/SPF/DKIM alignment to “strict” defeated email spoofing targeting GRC.com, based on Google’s feedback charts.
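An added example, not GRC's own record or code, of the alignment rule Steve describes: under the relaxed default a message authenticated only for a subdomain still passes DMARC for the parent From: domain, while strict requires an exact match. The domains and records are constructed, and the organizational-domain helper is a two-label approximation of the Public Suffix List lookup a real evaluator performs.

```python
"""Constructed demo: DMARC identifier alignment, relaxed (default) versus strict."""


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real evaluators use the Public Suffix List so that example.co.uk works)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse 'tag=value;' pairs; adkim/aspf default to relaxed ('r') per RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(header_from, auth_domain, mode):
    """Strict: exact match. Relaxed: same organizational domain (subdomains count)."""
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_pass(record, header_from, spf_domain=None, spf_result="none",
               dkim_domain=None, dkim_result="none"):
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with From:.
    spf_domain is the envelope-sender (MAIL FROM) domain; dkim_domain is the d= tag."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(header_from, spf_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(header_from, dkim_domain, tags["adkim"]))
    return bool(spf_ok or dkim_ok)


# Constructed records and domains (not GRC's).
RELAXED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # A message claiming From: example.com whose only authenticated identifier is a
    # subdomain: relaxed alignment lets it through, strict does not.
    for name, rec in (("relaxed", RELAXED), ("strict", STRICT)):
        print(name, dmarc_pass(rec, "example.com", spf_domain="news.example.com", spf_result="pass"))
```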
Main Topic Deep Dive
Amazon Sues Perplexity: The AI Agency Gray Area
[139:04 – End]
The Conflict:
- Amazon sues Perplexity AI for their “Comet” browser automating purchases and “disguising automated activity as human browsing.”
- Amazon’s Claims:
  - Perplexity accessed customer accounts covertly
  - Ignored repeated requests to stop
  - Disguised bots to avoid detection
  - Security risk for customers
  - Interferes with Amazon’s “carefully tailored shopping experience”
- Perplexity’s Position:
  - They’re innovating and giving users real choice/agency
  - Bullying by Amazon is stifling competition
  - User credentials remain on-device; agents simply act for users
Broader Issue:
- What rights do AI agents (and users) have to interact with websites? Amazon says third-party bots must identify themselves. Perplexity claims they have the same rights as human users if acting under user direction.
- TechCrunch parallel: This is like the ad blocker debate—does Amazon have the right to dictate which browser/agent users employ?
- Steve’s Analogy: What if you use a Chrome extension to automate shopping? Amazon wouldn’t know, and this blurs the agent distinction.
Steve’s Perspective:
- Ambiguous Ethics and Future:
  - “Where exactly does AI agency begin and end?”
  - “Amazon is attempting to tell the world we're unable to make our lives better and easier while purchasing stuff from them—including by using software to make our experience less ad-heavy.”
- Likely Outcome:
  - "My feeling is that user rights will ultimately prevail and that Amazon and others will be forced to grin and bear it. Much as websites have had to tolerate the presence of ad blockers."
    — Steve Gibson [155:30]
Memorable Quotes:
- Steve [147:01]:
  “Using the Comet AI browser to shop is a much more pleasant experience because you won’t be exposed to Amazon’s constant bullying and repeated come-ons.”
- Steve [159:07]:
  “We were a captive audience. Now we’ve found a way out, and you’ve become dependent upon our captivity.”
- Leo [155:59]:
  “Should a website be able to say, ‘You can’t use this browser to visit me?’ No. I mean, they technically could, but should they?”
Summary:
- This lawsuit is just the beginning of a major struggle over automation, agency, and user choice online.
- The debate draws clear parallels to ad blockers, scraping, and browser customization. The outcome will shape the web economy and digital rights.
Other Notable Moments
- Picture of the Week [09:03]:
  Emergency Phone Not Installed — “Please do not have an emergency at this location.” [Humorous digression.]
- Listener PSA [33:45]:
  “Click Fix” attacks use clipboard manipulation and social engineering to break browser containment—Steve calls for browsers/OS to track clipboard source and flag suspicious pastes.
- GRC DNS Benchmark update:
  After a year of work and 62 releases, Steve is preparing the next big release, now with better protocol support and statistical accuracy.
Timestamps for Key Segments
- 00:00 – [Intro and rundown]
- 09:03 – [Picture of the Week, Assembly Language / FFMPEG section]
- 15:00 – [Nevada Ransomware Case Study]
- 35:36 – [DeFi Rounding Error Exploit]
- 52:16 – [Chrome Autofill Government ID]
- 60:29 – [UK Blocks Call Spoofing]
- 64:47 – [XSLT Browser Deprecation]
- 86:03 – [Firefox Paid Support]
- 89:00 – [Russia, Microsoft, Google Security acquisitions]
- 93:43 – [GDPR Cookie Banner Reforms]
- 100:00 – [Microsoft’s Whisper Leak Attack]
- 115:09 – [SpinRite Listener Feedback]
- 115:24 – [DNS Benchmark, Email Spoofing Update]
- 139:04 – [Main Topic: Amazon sues Perplexity, AI Agentic Browsers Debate]
Tone
- Informative, lively, skeptical, common-sense, sometimes wry.
- Steve carefully explains complex security issues in ways both IT pros and lay listeners can follow, usually punctuated by a chuckle or understated exasperation.
Conclusion
Security Now 1051 dissects headline-grabbing news with clarity and depth, especially focusing on the seismic shifts happening at the convergence of AI, browsers, and user digital agency. The Nevada ransomware response is a model for others, while Chrome and Amazon point toward a future where our identities and our agency on the web will be constantly re-negotiated. As always, the podcast is a must-listen for anyone invested in understanding — or trying to survive — our evolving digital world.