Is there any such thing as truly free privacy? What has Elon done now? What's the latest new tactic in post-breach cyber-extortion? Has Europe finally come to their senses over old and creaky proprietary radio encryption? What new forthcoming iPhone communications feature took everyone by surprise? What discovery did I make for super-secure code signing? Just how sticky are those barnacles? What's a good way to measure USB drive speed? Is the EU's proposed eIDAS 2.0 QWACs system as bad as it seems? And if it passes into law as-is, CAN companies realistically say no? What's my favorite little PC platform for building security gateways? Why couldn't we just use the good part of a fake drive? What should ex-LassPass users watchout for in their credit card statements? And, finally, we recognize the 50th birthday of Ethernet and look back at the history of its creation.

Is your lack of privacy badgering you? And if so what can you do about it? What's the latest on last week's bombshell news of the EU's Article 45 in eIDAS 2.0? Who's lost how much money in online cryptocurrency? And is using seed phrases for your wallet that to get from a seed phrase suggestion site a good idea? Has there finally been a truly devastating and effective speculative execution flaw discovered in Intel's processors? Could it be their Downfall? What country has decided to ban all VPNs? And how bad are the two flaws found in OpenVPN? Why have I stopped working on SpinRite? What's the best backup for a large NAS? Should vulnerability researchers learn the assembly language of their target processors? If quantum computers threaten asymmetric crypto, why not return to symmetric crypto? Could someone explain exactly why Article 45 is a bad thing? What in the world is a Windshield Barnacle and why don't you want one? What's my latest Sci-Fi book series discovery? And just how bad could it be if a cosmic ray flipped a bit at just the wrong time?

Where was Microsoft storing their Azure keys? What four new 0-day flaws has Microsoft declined to repair? and what happens next? What's this week's latest mass-casualty event for publicly-exposed Internet servers? And do we have any news on last week's Citrix Bleed fiasco? What comes after CVSSv3.1 and why? What happened to Google's WebDRM proposal? And what about the earlier Cisco IOS XE mass-casualty mess? And what's the new Security Now! podcast slogan to emerge from it? Our favorite password manager just announced their support for Passkeys! Now what? That guy with the badly messed-up SSD shared the results of using SpinRite 6.1. I'll share and explain what happened. And then, after entertaining some great feedback from our listeners, we're going to look into the next big looming battle between conservative tech and rapacious governments. All that and more during this week's Security Now! podcast #947 ... and counting.

What caused last week's connection interruption? Is it possible to create and maintain an Internet whitelist? What's the latest on LastPass vault decryptions? How do you know of a remote correspondent adds a new device to their Apple account that it's really them? Might there be more life left in Windows 10 than we thought? What's foremost in the minds of today's bug bounty hunters? What new free and open source utility has CISA released? Could it be that SpinRite 6.1 is finished? Is TLS 1.2 ready for retirement? And what about IPv4? How can open source projects get their code signed? And then we're going to take a really interesting deep dive into the Internet's latest mass-casualty disaster.

How do fake drives keep being sold by Amazon? If you don't already know it, is VBScript worth learning today? NTLM authentication is 30 years old; will it see 40? What startling flaw was just found in cURL, and what should you do about it? Vulnerabilities with a CVSS score of 10.0 are blessedly rare, but today the industry has another. And also, asked by our listeners, how should "lib" be pronounced? How is SpinRite's 6.1 pre-release run? Is passkey export on the horizon? Doesn't a server's IP address make encrypting the client hello superfluous? Is there such a thing as encryption preemption? Are fraudulent higher-end drives possible? What's Privacy Badger and why did I just install it? And finally, within any enterprise, few things are more important than managing user and device access privileges. As highlighted by the NSA's and CISA's experiences, we're going to examine the need for taking privilege management more seriously than ever during this week's Security Now! Episode #945 - The Power of Privilege.

How have valiDrive's first ten days of life been going and what more have we learned about the world of fraudulently fake USB thumb drives? Should passkeys be readily exportable or are they better off being kept hidden and inaccessible? Why can't a web browser be written from scratch? Can Security Now listeners have SpinRite v6.1 early?... like... now? What was that app for filling a drive with crypto noise and what's my favorite iOS OPT app? And couldn't Google Docs HTML exported links being redirected for user privacy? After we address those terrific questions posed by our listeners we're going to take a look at the surprise emergence of a potent new HTTP/2-specific DDoS attack. Is it exploiting a 0-day vulnerability as Cloudflare claims, or is that just deflection?

How many people have downloaded GRC's latest freeware so far? Do we believe what 23andMe have told the world about the leak of their customers' personal and private data? What are the stats regarding all aspects of cyberattacks? How's the Brave Browser doing? Where and when is Google surreptitiously embedding tracking links into Google Docs exports? What high profile enterprise was also compromised by the Progress Software MOVEit SQL injection? What additional web browser just added and announced its support for Encrypted ClientHello? What change did Google just make with the release of their Pixel 8 family of smartphones? What cyber initiative did the U.S. Congress just overwhelming pass? What's "DwellTime" and why do we care? And that's just the news. We'll also be entertaining many of our listeners' questions, then starting into the first part of our examination of a really terrific document that was just published by the NSA and CISA.

Just how irresponsible have the developers of the most popular eMail server on Earth been shown to be? What nefarious intent has infiltrated AI dialog? Windows 11 now supports passkeys. But what does that mean for the browsers and add-ons that already do? The tech press is warning about a new password stealing attack against users of public Wi-Fi. How does it work? Are they right? And just how worried should we be? Why isn't there a Nobel prize for math? Was it due to a jealous husband? Is our eMail address the only way for the LastPass vault decryptors to target their victims? Is there any way to keep AI models from training on our website's content? Does anyone have a shortcut for learning SyncThing? Is it best not to keep lithium-ion batteries fully changed? Where's a clever place to keep encrypted data offline and what happens to old mathematicians? After we answer those questions and more we're going to look at the hoops the Internet's designers have had to go through to keep eavesdroppers from learning which sites we visit. Welcome to the Security Now! podcast number #942 for October 3rd, 2023.

This week we're chock full of questions! Why is my new ValiDrive freeware not published yet? Why did Apple quietly remove PDF rendering from the Mac after 39 years? Has the NSA been hacking China? What mistake did Microsoft recently make that would require the use of a bigger hard drive? Why did Signal just announce their use of post-quantum crypto? What's the big hurry? Is it possible to create a new web browser from scratch? And if not, why not? Does public key crypto really go both ways? Can pure math generate pure random numbers? One of our listeners believes he has. Could encrypting an entire hard drive then throwing away the key be used in place of the random noise wiping I'm a big fan of? Why hasn't the Unix time problem been fixed yet? Or has it? Will all of the stolen LastPass vaults eventually be decrypted? Am I really leaving Twitter? And, finally... why in the world is this episode titled "We Told You So!" ? The answers to those questions and more will be revealed by the time we're done here today. Welcome to episode #941 of TWiT's Security Now! podcast.

This week, after quickly filling Leo in on last week's two most important pieces of news, guided by some great questions and comments from our listeners, we're going to look into the operating of hardware security modules (HSMs), fast file hash calculations, browser identity segregation, the non-hysterical requirements for truly and securely erasing data from mass storage, a cool way of monitoring the approaching end of UNIX time, my plans to leave Twitter, and what I think will be a very interesting deep dive into cryptographic hashes and the value of deliberately creating hash collisions.