Is the U.S. on the verge of legalizing "hack back" missions, turning private companies into sanctioned cyber warriors? Steve and Leo unpack Google's plan for a cyber disruption unit and why the lines between defense and digital retaliation are suddenly blurring.

• My experience with 'X' vs email.
• Google TIG blackmailed to fire two security researchers.
• 1.1.1.1 DNS TLS certificate mis-issued.
• Artists blackmailed with threats of training AI on their art.
• Firefox extended end-of-life for Windows 7 to next March.
• Is the renewal of cybersecurity info sharing coming soon.
• Should security analysis be censored due to vibe-coding.
• UK versus Apple may not be settled after all.
• Another very serious supply chain attack.
• Can the software supply-chain ever be trustworthy.
• Why did BYTE Magazine die.
• What happens if Google and others go on the attack

Show Notes - https://www.grc.com/sn/SN-1042-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• uscloud.com
• canary.tools/twit - use code: TWIT
• bigid.com/securitynow
• zscaler.com/security
• expressvpn.com/securitynow

When even the Department of Defense can't properly vet its software dependencies, what chance do the rest of us have? Steve Gibson reveals how "fast-glob" became a case study in supply chain blindness, explores whether AI can ever truly be controlled after Meta's celebrity chatbot disaster, and celebrates BYTE Magazine's 50th anniversary with a look at how far we've come (and how vulnerable we still are).

• A look back at issue #1 of BYTE magazine exactly 50 years ago
• The enforcement of the SHAKEN & STIR Telecom protocols
• Breaking: Judge rules against forced Google divestitures in monopoly case
• The inherent danger of consolidating authentication
• Can AI be controlled?
• Vivaldi says a big "no" to AI-enhanced web browsers
• How WhatsApp figured into Apple's recent 0-day attacks
• Leveraging AI as an attack aid
• The latest TransUnion data breach
• Two scummy websites sue the UK over age requirements
• OpenSSH reminds its users to adopt post-quantum crypto
• The DOD uses open source maintained by a Russian national
• Much great feedback from our terrific listeners
• Sci-Fi news from "The Frontiers Saga" Ryk Brown

Show Notes - https://www.grc.com/sn/sn-1041-notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• go.acronis.com/twit
• threatlocker.com/twit
• bitwarden.com/twit
• bigid.com/securitynow
• joindeleteme.com/twit promo code TWIT

Alarm bells are ringing over a supposed browser zero-day, but is the threat as bad as it sounds? Steve reveals why "clickjacking" might be more whac-a-mole than breaking news, and what that really means for your passwords.

• Germany may soon outlaw ad blockers
• What's happening in the courts over AI
• The U.K. drops its demands of Apple
• New Microsoft 365 tenants being throttled
• Is Russia preparing to block Google Meet?
• Bluesky suspends its service in Mississippi
• How to throttle AI
• A tricky SSH-busting Go library
• Here comes the Linux desktop malware
• Apple just patched a doozy of a vulnerability
• A trivial Docker escape was found and fixed
• Why the recent browser 0-day clickjacking is really just whac-a-mole

Show Notes - https://www.grc.com/sn/sn-1040-notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• 1password.com/securitynow
• zscaler.com/security
• bigid.com/securitynow
• uscloud.com

• What AI website summaries mean for Internet economics.
• Time to urgently update Plex Servers (again).
• Allianz Life stolen data gets leaked.
• Chrome test Incognito-mode fingerprint script blocking.
• Chrome 140 additions coming in 2 weeks.
• Data brokers hide opt-out pages from search engines.
• Secure messaging changes in Russia.
• NIST rolls-out lightweight IoT crypto.
• SyncThing moves to v2.0 and beyond.
• Alien:Earth -- first take.
• What can we learn from another critical vulnerability?

Show Notes - https://www.grc.com/sn/SN-1039-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• threatlocker.com/twit
• bitwarden.com/twit
• go.acronis.com/twit
• joindeleteme.com/twit promo code TWIT
• vanta.com/SECURITYNOW

• CISA's Emergency Directive to ALL Federal agencies re: SharePoint.
• NVIDIA firmly says "no" to any embedded chip gimmicks.
• Dashlane is terminating its (totally unusable) free tier.
• Malicious repository libraries are becoming even more hostile.
• The best web filter (uBlock Origin) comes to Safari.
• The very popular SonicWall firewall is being compromised.
• >100 models of Dell Latitude and Precision laptops are in danger.
• The significant challenge of patching SharePoint (for example).
• A quick look at my DNS Benchmark progress.
• Does InControl prevent an important update.
• An venerable Sci-Fi franchise may be getting a great new series.
• What to do about the problem of AI "website sucking"

Show Notes - https://www.grc.com/sn/SN-1038-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• zscaler.com/security
• canary.tools/twit - use code: TWIT
• uscloud.com
• go.acronis.com/twit

• A follow-up to the SharePoint server patch mess.
• How Russia arranges to spy on other country's local embassies.
• "Dropbox Passwords" manager app is ending in October.
• Signal will leave Australia rather than help spy.
• YouTube deploys viewing history age-estimation heuristics.
• Chrome adds clever lightweight extension signing to prevent abuse.
• A domain registrar is coming close to losing its rights.
• A TP-Link router that doesn't encrypt its configuration.
• What is "TruAge" and might it be useful for age verification.
• An update on "Artemis".
• With U.S.-China tensions on the rise, should Chinese security companies receive weeks of advance notice of forthcoming Microsoft flaw patches?

Show Notes - https://www.grc.com/sn/SN-1037-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• bigid.com/securitynow
• joindeleteme.com/twit promo code TWIT
• Melissa.com/twit
• threatlocker.com for Security Now

• Brave randomizes its fingerprints.
• The next Brave will block Microsoft Recall by default.
• Clorox sues its IT provider for $380 million in damages.
• 6-month Win10 ESU offers are beginning to appear.
• Warfare has significantly become cyber.
• Allianz Life loses control of 125 million customers' data.
• The CIA's Acquisition Research Center website was hacked.
• The Pentagon says the SharePoint RCE didn't get them.
• A look at a DPRK "laptop farm" to impersonate Americans.
• FIDO's passkey was NOT bypassed by a MITM after all.
• Is our data safe anywhere?
• The UK is trying to back-pedal out of the Apple ADP mess.
• Meanwhile, the EU resumes its push for "Chat Control".
• Microsoft fumbled the patch of a powerful Pwn2Own exploit

Show Notes - https://www.grc.com/sn/SN-1036-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• canary.tools/twit - use code: TWIT
• threatlocker.com for Security Now
• bitwarden.com/twit
• uscloud.com

• Bypassing all passkey protections.
• The ransomware attacks just keep on coming.
• Cloudflare capitulates to the MPA and starts blocking.
• The need for online age verification is exploding.
• Microsoft really wants Exchange Servers to subscribe.
• Russia (further) clamps down on Internet usage.
• The global trend toward more Internet restrictions.
• China can inspect locked Android phones. Use a burner.
• Web shells are the new buffer overflow.
• An age verification protocol sketch.
• What Cloudflare did to create an outage of 1.1.1.1

Show Notes - https://www.grc.com/sn/SN-1035-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Sponsors:

• zscaler.com/security
• 1password.com/securitynow
• go.acronis.com/twit