Security Now (TWiT) - Episode 1059: "MongoBleed – Code Signing Under Siege"
Air Date: January 7, 2026
Hosts: Steve Gibson & Leo Laporte
Overview
The first Security Now episode of 2026 is a densely packed exploration of pressing security topics:
- The critical MongoBleed vulnerability affecting tens of thousands of MongoDB servers world-wide
- A controversial and industry-shaking reduction in code signing certificate lifespans
- The encroachment of cloud-based, subscription-model code signing and its implications for software developers
- Newsworthy updates on ChatGPT's ad-insertion plans, Bitlocker hardware acceleration, security developments in the Python Package Index, and even a (cheeky) discussion on Raspberry Pi bans
- Health science detour covering magnesium's often-overlooked importance
- A recommendation of "The Lazarus Project," a sci-fi series with rave reviews
While covering dire flaws and growing pressures on independent devs, Steve’s signature style balances deep technical insight, skepticism, and the occasional rant—with a few moments of genuine enthusiasm and humor.
Key Topics & Insights
1. The Code Signing Catastrophe: Lifetimes Slashed, Subscription Cloud Looms
[15:51–54:18]
Shortening Code Signing Certificate Lifetimes
- The CA/B (Certificate Authority/Browser) Forum has voted to drastically reduce the maximum validity of code signing certificates from 39 months (just over 3 years) to 15 months (1 year and 3 months), effective March 1, 2026.
- This follows a trend already seen in TLS certificate lifespans, which will soon shrink to 200 days.
- Steve's View: This move is not genuinely about improving security, as mandatory hardware-based key storage (since 2023) already prevents remote compromise. The real winners are certificate authorities, who stand to earn more from more frequent renewals.
- Quote (Steve):
"Today's code must be signed. So code authors have no recourse other than to pay an annual tribute to the certificate gods in order to qualify for the privilege." [33:44]
- Subscription-Model Cloud Signing: Short certificate lifecycles with no industry standard for automated renewal are pushing developers towards cloud-based code signing, where CAs hold users' private keys and charge fees (limits on the number of signings, often $1,000+ per year for 1,000 signatures).
- This “cabal” (Steve's word) results in fewer, more consolidated, and more expensive certificate authorities. The alternative for hobbyists and small-time devs? “Go Linux, or go home.”
- Quote (Steve):
“What has been slowly growing and evolving is a cabal… We've been witnessing a consolidation of certificate authorities over the past decade as the bigger fish swallowed up the littler fish, while also not surprisingly, raising their rates. ... Because they can." [32:31]
- Impact on Independent Devs: Even freeware/charity projects are increasingly locked out, as the “unsigned app” path is now virtually impossible outside of Linux.
- On Homegrown Code:
“The only way I could do it was by whitelisting the entire tree on my system… The code I assemble and link into an EXE is immediately deleted from the hard drive." [37:58]
The Future: Diminishing Returns & Loss of Computing Spirit
Steve rails against "diminishing returns"—more technology, more regulation, more inconvenience for diminishing improvements to security, with the result being that the hobbyist, tinkerer, and even small commercial dev is forced out of the ecosystem.
- Quote (Leo):
“If you can’t write your own software, it's not your computer.” [39:19]
- Quote (Steve):
“All of this original PC hobby control, which you could argue built this industry, is going commercial and is being taken away from us.” [38:58]
- The “Because We Can” Security Heuristic: Modern systems, driven by a wish to apply "fancy technology," are reaching for levels of control and restriction that create more problems than they solve—for users, not attackers. [4:45–05:03]
2. MongoBleed: A Modern Heartbleed-Level Flaw in MongoDB
[159:38–189:50]
The Flaw
- Name: MongoBleed (CVE-2025-14847)
- Scope: All versions since MongoDB 3.6 (2017)—over eight years—are affected; more than 87,000 internet-exposed servers.
- Nature: A request can declare a much larger decompression buffer than the actual uncompressed payload. The server trusts this value, pulls memory via C's malloc (which returns uninitialized memory), and then returns not only the decompressed payload but also megabytes of uninitialized server memory to the attacker—without authentication.
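The flaw described above, as an added illustration that is not MongoDB's code: a constructed run-length-encoded toy format stands in for the compressed wire message, and a handler that sizes and echoes its reply from the peer-declared length sits beside a hardened handler that bounds the length, zeroes the buffer, and replies only with the bytes actually produced. The format, the function names and the 16 MiB cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format (not the MongoDB wire protocol):
 *   bytes 0..3  peer-declared uncompressed length, little-endian
 *   rest        run-length pairs (count, byte) making up the payload */
typedef struct { uint8_t *data; size_t len; } reply_t;

/* Decode run-length pairs into out (capacity cap); returns bytes produced. */
static size_t rle_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        for (uint8_t k = 0; k < in[i] && n < cap; k++)
            out[n++] = in[i + 1];
    return n;
}

static uint32_t declared_len(const uint8_t *m) {
    return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24;
}

/* MongoBleed-style bug: the reply is sized and sent by the declared length,
 * so whatever malloc() hands back beyond the real payload leaks to the peer. */
reply_t handle_vulnerable(const uint8_t *msg, size_t msg_len) {
    reply_t r = {NULL, 0};
    if (msg_len < 4) return r;
    uint32_t want = declared_len(msg);
    uint8_t *buf = malloc(want);                 /* uninitialized heap memory */
    if (!buf) return r;
    rle_decode(msg + 4, msg_len - 4, buf, want); /* actual size is ignored */
    r.data = buf; r.len = want;
    return r;
}

/* Hardened: cap the declared length, zero the buffer, reply only with the
 * bytes actually produced, and reject a header that disagrees with reality. */
reply_t handle_hardened(const uint8_t *msg, size_t msg_len) {
    reply_t r = {NULL, 0};
    if (msg_len < 4) return r;
    uint32_t want = declared_len(msg);
    if (want > 16u * 1024 * 1024) return r;      /* assumed sane upper bound */
    uint8_t *buf = calloc(want ? want : 1, 1);
    if (!buf) return r;
    size_t got = rle_decode(msg + 4, msg_len - 4, buf, want);
    if (got != want) { free(buf); return r; }    /* declared != actual: drop */
    r.data = buf; r.len = got;
    return r;
}
```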
Real-World Impact
- Attackers can exfiltrate memory directly, unearthing passwords, tokens, configs, customer data, and more (“megabytes of a server’s data that is assumed to be utterly private internal working data”).
- No Authentication Needed: The exploit is fully pre-auth.
- Compared to "Heartbleed," but at the database/application layer.
Why Did So Many Servers Fall Prey?
- Steve is scathing about the 87,000+ instances found exposed to the public Internet: “Why was even a single instance of MongoDB publicly exposed?” [181:35]
- MongoDB shouldn’t be internet-accessible; it should always live behind an application server or firewall.
- Quote (Steve):
“This erroneous reliance upon remote authentication… does not work. … If we cared to, we could fix it.” [188:44]
- Moral: Don’t trust user input, don’t trust pre-auth code, and never (ever) expose an internal database directly to the internet.
Notable Quote:
- Kevin Beaumont (cited):
"Expect high likelihood of mass exploitation and related security incidents. ... Advice would be to keep calm and patch Internet facing assets."
- Steve's Summary:
"The massive sweep of today's MongoBleed vulnerability is the direct consequence of that wrong way of thinking. ... The world depends upon and turns on the strength of authentication. So I obviously don't mean that it can't work. What I mean is that it cannot be absolutely depended upon to work." [187:25]
3. ChatGPT and the Coming Era of AI Advertising
[61:47–75:47]
- OpenAI is allegedly planning to integrate ads directly into ChatGPT responses and/or sidebars, with new models of targeted advertising based on users’ historical chat data.
- Possible approaches: sponsored insertion in dialogue, sidebars, or links triggered by “shopping-like” queries.
- Steve and Leo worry about erosion of user trust and the risk of biased or monetized answers confusing users.
- Quote (Steve):
"Nobody wants a skewed reply from an AI that's trying to lead its user down one commercial path because of a hidden kickback." [71:23]
- The business model reality: AI is expensive, OpenAI is currently running at a loss, and ad revenue is a time-tested, if ambivalent, fix.
4. Security Updates and Fun Oddities
Python Package Index (PyPI) Security [81:02–85:21]
- Over 52% of package submitters now have non-phishable 2FA enabled.
- Multi-factor authentication now includes an emailed link in addition to TOTP codes, since time-based OTP is now easily phishable due to large validity windows.
BitLocker Gets Hardware Acceleration (But… Only on New Hardware!) [91:12–108:35]
- Hardware-accelerated BitLocker (encryption/decryption offloaded to a crypto engine) is coming—first, only to new Intel Panther Lake CPUs.
- Current users of BitLocker on NVMe drives face severe (often 4x) performance hits due to CPU-bound encryption.
- Users who don't need it now may consider deactivating BitLocker to regain lost performance until hardware support arrives.
Raspberry Pi and Flipper Zero Banned from NYC Mayoral Inauguration [114:16–123:23]
- List of banned items included two specific brands: Raspberry Pi and Flipper Zero.
- Criticized as ignorant and arbitrary, overlooking that smartphones are far more capable/“dangerous” devices.
- Quote (Steve, summarizing Adafruit's take):
“Naming a short list of familiar gadgets reads less like safety planning and more like anxiety fossilized into policy. Curiosity, it seems, is now contraband.” [119:48]
5. Health Detour: Magnesium & Vitamin D [133:03–159:38]
- Recent studies show magnesium is crucial for balancing vitamin D: magnesium deficiency, which is common in the U.S., can hinder vitamin D uptake.
- Many forms of magnesium supplements exist; only certain “chelated” (dipeptide-bound) forms are well absorbed.
- Steve recommends magnesium glycinate/lysinate or biglycinate, emphasizing that absorption and dosage tolerance will vary—find your limit and back off.
- Not medical advice, but a well-researched, science-forward health tangent for aging geeks.
6. Recommended: “The Lazarus Project”
[124:30–133:02]
- British time-travel series with top marks from Steve and high praise from critics/audience alike.
- Complex, clever, and not for background watching.
- Quote (Steve):
“I have never, and I really mean never, seen a more compelling, astonishingly clever and gripping time travel concept and plot. There is new stuff here. The Lazarus Project is truly remarkable science fiction.” [124:30]
Notable Quotes
- On the code signing “cabal”:
“Why would the CA browser forum feel the need to reduce the life of absolutely theft proof code signing certificates? What benefit could there possibly be to them? … The light bulb lit for me ... The future of code signing will be the establishment of a subscription relationship.” (Steve, 28:45–29:56)
- On Security’s Diminishing Returns:
“We can apply our fancy technology to solve problems, but the presence of that technology creates a bigger problem than what it is trying to solve.” (Steve, 03:07)
- On MongoBleed Exposure:
“Why can I access their [MongoDB] data? I have no need or purpose. I shouldn't be able to even see it. I shouldn't know that it exists.” (Steve, 190:49)
- On AI’s Future:
“I don't ever want to lose access to it [AI]. No, it is really phenomenal. ... But if I lose that, I don't know what I'm going to do.” (Steve and Leo, 62:49–63:08)
- On “free” service models:
“You've got to pay for the stuff you use. You just do. That’s just the way it is. Nothing's… It’s not free.” (Leo, 74:59)
Timestamps for Major Segments
| Topic | Timeframe |
|---|---|
| Code Signing Rant (lifespans, subscription) | [15:51–54:18] |
| ChatGPT Advertising Model | [61:47–75:47] |
| Python Package Index Security Improvements | [81:02–85:21] |
| BitLocker Hardware Acceleration | [91:12–108:35] |
| Raspberry Pi Ban at NYC Event | [114:16–123:23] |
| TV Series: The Lazarus Project | [124:30–133:02] |
| Magnesium/Vitamin D Health Segment | [133:03–159:38] |
| MongoBleed Deep Dive | [159:38–189:50] |
Memorable Moments
- Classic Steve Gibson Rant: “All of the commercial platforms now require code to be signed. And a very small and shrinking group of increasingly powerful commercial authorities have decided to follow the TLS model of continually shortening the lifetime of those code signing certificates… Why? Because they can. They all voted for it because there's no one to stop them.” [35:34–37:54]
- “Because we can” Security Mindset: Steve likens escalating security restrictions and loss of user control to California’s regulatory gridlock: “It's like it's diminishing returns. It's the belief that we can apply our fancy technology to solve problems that where the, where the presence of that technology creates a bigger problem than what it is trying to solve.” [03:07]
- On Hobbyist Computing Spirit:
“All of this original PC hobby control, which you could argue built this industry, is going commercial and is being taken away from us.” [38:58]
- MongoBleed Explanation: Straightforward, with an excellent, jargon-free breakdown of a critically important memory leak.
Final Takeaways
For developers:
- Secure and renew those code signing certificates NOW (while longer-term ones are still available), and keep an eye out for cloud-based signing “locks.”
- Manage your database exposure—never make your backends public, and always patch critical vulnerabilities quickly.
For IT/Security Professionals:
- Don’t trust authentication as your sole line of defense.
- Beware the creeping cost and control of security infrastructure shifting to subscription/cloud, especially if you value independence and user control.
For everyone:
- Expect to see AI’s “clean” interface increasingly commercialized via advertising and personalization.
- Diminishing returns apply: More security isn’t always better—and may have serious downsides for user flexibility, privacy, or openness.
Honorable mention: “The Lazarus Project” is a must for sci-fi fans.
Summary prepared by AI (but, as Steve and Leo would note, thoughtfully and with considerable human context).