Security Now (Audio)

• An exploited iOS iMessage vulnerability Apple denies?
• The NPM repository is under siege with no end in sight.
• Were Comcast and Digital Realty compromised? Don't ask them.
• Matthew Green agrees: XChat does not offer true security.
• We may know how Russia is convicting Telegram users.
• Microsoft finally decides to block two insane Outlook file types.
• 40,000 openly available video camera are online. Who owns them?
• Running S...

• In memoriam: Bill Atkinson
• Meta native apps & JavaScript collude for a localhost local mess.
• The EU rolls out its own DNS4EU filtered DNS service.
• Ukraine DDoS's Russia's Railway DNS ... and... so what?
• The Linux Foundation creates an alternative Wordpress package manager.
• Court tells OpenAI it must NOT delete ANYONE's chats. Period! :(
• A CVSS 10.0 in Erlang/OTP's SSH library.
• Can Russia intercept Telegram? Perhap...

• Pwn2Own 2025, Berlin results.
• PayPal seeks a "newly registered domains" patent.
• An expert iOS jailbreak developer gives up.
• The rising abuse of SVG images, via JavaScript.
• Interesting feedback from our listeners.
• Four classic science fiction movies not to miss.
• How OpenAI's o3 model discovered a 0-day in the Linux kernel

Show Notes - https://www.grc.com/sn/SN-1028-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

D...

• What the status of Encrypted Client Hello (ECH)?
• What radio technology would be best for remote inverter shutdown?
• Some DNS providers already block newly listed domains.
• Knowing when not to click a link can take true understanding.
• Why can losing a small portion of a power grid bring the rest down?
• Where are we in the "AI Hype Cycle" and is this the first?
• Speaking of hype: An AI system resorted to blackmail?
• Why are ...

• Chrome to actively refuse admin privileges.
• Android Messenger is getting manual key verification.
• Pwn2Own to add AI "pwning" as in-scope attack targets.
• AI has already been found to be replicating.
• Microsoft not killing off Office on Win10 after October.
• 23andMe's asset purchaser revealed.
• Many fun talking points thanks to our listeners.
• Steve's review of "Andor", season 2.
• What's been discovered inside the U.S. powe...

• The state of Virginia passes an age-restriction law that has no chance.
• New Zealand also tries something similar, citing Australia's lead.
• A nasty Python package for Discord survived 3 years and 11K downloads.
• The FBI says it's a good idea to discard end-of-life consumer routers.
• What's in WhatsApp? Finding out was neither easy nor certain.
• The UK's Cyber Centre says AI promises to make things much worse.
• A bunch of gr...

• Microsoft to officially abandon passwords and support their deletion.
• Meta's RayBan smart glasses weaken their privacy terms.
• 30% of Microsoft code is now being written by AI.
• Google says prying Chrome from it will damage its security.
• Nearly 1,000 six-year-old eCommerce backdoors spring to life.
• eM Client moves to version 10.3
• A bunch of terrific listener feedback creates talking points.
• A little-known, insecure mess...

• Why did a mysterious empty "inetpub" directory appear after April's Patch Tuesday?
• And what new Windows Update crashing hack did this also create?
• North Korea is now creating fake US companies to lure would-be employees.
• The "Inception" attack subverts all GPT conversational AIs.
• New information about data loss in unpowered SSD mass storage.
• Lots of terrific feedback from our listeners.
• How malware has taken to hiding ...

• Enabling Firefox's Tab Grouping.
• Recalled Recall Re-Rolls out.
• The crucial CVE program nearly died. It's been given new life.
• China confesses to hacking the US (blames our stance on Taiwan).
• CISA says what Oracle still refuses to.
• Brute force attacks on the (rapid) rise.
• An AI/ML Python package rates a 9.8 (again!)
• The CA/Browser forum passed short-life certs. :(
• A wonderful crosswalk hack hits Silicon Valley.
• Andro...