This week, Leo and I discuss the "CloudBleed" incident; another project zero 90-day timer expires for Microsoft; this week's IoT head-shaker; a New York airport exposes critical server data for a year; another danger created by inline third party TLS-intercepting "middleboxes"; more judicial thrashing over fingerprint warrants; Amazon says no to Echo data warrant; a fun drone-enabled proof on concept is widely misunderstood; another example of A/V attack surface expansion; some additional Crypto education pointers and miscellany... and, finally, what does Google's deliberate creation of two SHA-1-colliding files actually mean?