Mostly Security

From commentary on current events to random musings, they chat (mostly) about security and technology topics. However, life is more than just the day job, there's always something fun to wrap up the show.

420: Two Goats 12/27/2025

420: Two Goats Eric and Jon are both fully prepped for the holiday. Flock leaves (many) cameras including control panels open and exposed to the open internet, what if more malicious npm packages worked as advertised, and Microsoft is finally disabling rc4 by default in Active Directory. For fun we have two movies for holiday watching: F1: The Movie, and Howl's Moving Castle. Enjoy! 0:00 - Introduction 11:38 - 18:09 - 23:39 - 30:38 - 33:04 - /episode/index/show/secrandom/id/39540180

419: Go Slop the Pigs 12/20/2025

419: Go Slop the Pigs Jon's car may or may not be fixed. Eric didn't go to Disneyland. Android is making in-call scam protection better. AI is creating a Blessing of Unicorns. Parked Domains keep scammers alive. Space is getting crowded. Word of the Year - Slop. 0:00 - Introduction 6:38 - 10:21 - 13:15 - 17:55 - 24:10 - /episode/index/show/secrandom/id/39475255

418: Pernicious 12/13/2025

418: Pernicious Christmas in full swing at both Eric and Jon's places. Less secure certificate validation mechanisms being deprecated, and SEO of AI chats to deploy ClickFix style lures for Stealer installation. For fun we have a shockingly good way to avoid motion sickness in VR, and a promising Leukemia treatment using gene therapy. 0:00 - Intro 9:28 - 14:45 - 21:34 - 27:42 - /episode/index/show/secrandom/id/39395630

417: Security Boffins 12/06/2025

417: Security Boffins Eric tracks hack attempts and Jon trades blood for pinball. Shai-Hulud is back, Calendly invite scam, Rust for good and evil. Giving Machines for the holiday season and Spores in Space! 0:00 - Introduction 13:48 - 16:59 - 19:11 - 24:33 - 28:00 - /episode/index/show/secrandom/id/39294635

416: Ant Honey 11/29/2025

416: Ant Honey Eric and Jon prep for Thanksgiving. Will blue and green bubbles coexist in peace and harmony? Will the airlines stop sharing flight data with the IRS? And is monitoring every car, everywhere, at all times 'unreasonable search'? ¯\_(ツ)_/¯ Have some Ozone and a Honey chaser. 0:00 - Intro 8:11 - 12:14 - 18:34 - 25:16 - 32:40 - /episode/index/show/secrandom/id/39204895

415: Crab Pots 11/22/2025

415: Crab Pots This week's roundup features a mix of personal updates, major tech news, and scientific intrigue. Eric is super late to the Minecraft party while Jon gets his bushes trimmed. In tech, a massive WhatsApp security flaw exposed data for up to 3.5 billion users, while Google announced the release of Gemini 3 Pro and the new "Deep Think" reasoning mode. Cybersecurity concerns also rose with the global spread of the TamperedChef malware, delivered via malvertising and fake software installers. On the innovation front, MIT researchers developed a new lipid nanoparticle that dramatically enhances the effectiveness of mRNA vaccines, promising cost savings and better seasonal flu shots. Finally, in a fascinating natural observation, a wild gray wolf in British Columbia was documented using a buoy line to haul a crab trap ashore, potentially marking the first documented tool use by a wild canid. This summary of today's podcast brought to you (mostly) by Gemini 3. 0:00 - Introduction 9:10 - 12:36 - 17:24 - 22:48 - 26:48 - /episode/index/show/secrandom/id/39134160

414: Fig Wasp Redux 11/15/2025

414: Fig Wasp Redux Eric goes to Nateland and Jon goes flying. Another javascript worm, and automatic license plate reader records declared public in Washington. For fun we have a repo of annual security reports and Jon suffering memory loss and search ineptitude, but fig wasps are still cool. 0:00 - Intro 17:20 - 21:50 - 28:55 - 29:26 - 30:43 - /episode/index/show/secrandom/id/39045140

413: Sidekick, not Primarykick 11/08/2025

413: Sidekick, not Primarykick Eric drills a door and Jon disagrees and commits to an electrical fix. Aisuru makes the Cloudflare Top 10. The Louvre had a bad week, while furniture trucks had a good one. Gemini used to write malware. Rivers in Alaska are orange. 0:00 - Introduction 14:11 - 16:25 - 20:03 - 24:12 - 26:45 - 28:26 - /episode/index/show/secrandom/id/38963780

412: Precondition Failed 11/01/2025

412: Precondition Failed Remote Eric Assist and Jon enjoys ... hockey(??). More prompt injections, the most damaging UK cyber event (so far), and residential proxy use for fun and training data. Will Agentic AI bring back micropayments, and how is Costco's pumpkin pie so good? 0:00 - Intro 10:47 - 16:56 - 19:32 - 24:34 - 29:49 - /episode/index/show/secrandom/id/38873650

411: Fantastic Turn Of Phrase 10/23/2025

411: Fantastic Turn Of Phrase Travel Adventures, AI Advancements (and Challenges), Satellite Security Concerns, Machine Learning Insights, and De-Extinction Efforts for the Giant Moa. 0:00 - Introduction 4:49 - 9:15 - 14:41 - 20:02 - /episode/index/show/secrandom/id/38761170

410: Gone 10/18/2025

410: Gone Family weekends for Eric and Jon. A new side channel for pixel sniffing on Android, malware abusing github + steganography for configuration, and Apple doubles many of its security bounties. For fun, long live(d) the naked mole rat, and warp drives move from the irrational (negative energy ftw!) to the theoretically possible. 0:00 - Intro 8:55 - 12:59 - 16:16 - 23:08 - 27:15 - /episode/index/show/secrandom/id/38630015

409: Menacing Missives 10/11/2025

409: Menacing Missives This was almost "The Quiet Episode" after some audio challenges, amazing what technology can hide... Eric gets back in town just in time to leave town. Jon goes to a bookstore. The UK is still trying to get Apple to create a backdoor. OpenAI talked about malicious use of AI. ShinyHunters are back. Pristine Stars are a thing and Powell's City of Books is cool. 0:00 - Introduction 3:04 - 5:51 - 15:32 - 22:59 - 26:00 - /episode/index/show/secrandom/id/38547445

408: Request Timeout 10/04/2025

408: Request Timeout Eric is traveling and Jon is repairing. Coordinated arrests of scammers across Africa, the world's first malicious MCP server (is super simple), the release of the Sony CD player 43 years ago, and CRISPR modified yeast to create pollen substitute for the bees. 0:00 - Intro 10:27 - 17:13 - 23:02 - 27:02 - /episode/index/show/secrandom/id/38465470

407: Vampires 09/25/2025

407: Vampires This past weekend, Eric was forgetfully productive. Meanwhile, Jon moved a child into the dorms and battled some radiator problems. On other fronts, AI agents got duped, and self-replicating worms made their way through NPM. Good news: Entra ID tenants dodged a major security event. For a bit of nostalgia, Eric whipped up some lemon bars, and Jon chowed down on pizza. 0:00 - Introduction 9:05 - 13:56 - 18:01 - 22:55 - 25:10 - /episode/index/show/secrandom/id/38358170

406: Triple Square 09/20/2025

406: Triple Square Eric paints and Jon does something I'm sure. Void proxy tackles the complexity of breaking MFA, and Bitcoin ATMs for Scammers. How about a bit of neuromodulation on Pythagorean Triple Square Day. 0:00 - Intro 13:19 - 16:54 - 21:24 - 24:33 - /episode/index/show/secrandom/id/38291420

405: Method Not Allowed 09/12/2025

405: Method Not Allowed Eric updates the mostlysecurity.com vibe. Jon jars honey. Plex asks users to change their passwords. iPhone 17 has new security features. Not to be outdone numerically, 18 Javascript packages were compromised. Eric plays with epoxy and glitter, while Jon reminisces of Perl. 0:00 - Introduction 15:33 - 20:09 - 25:58 - 30:04 - Epoxy and Glitter 33:04 - /episode/index/show/secrandom/id/38204210

404: Not Found 09/06/2025

404: Not Found Eric returns and Jon has a flat tire. Kuiper achieves a gigabit, Google releases fixes for 84 vulns in android, and prompt injection in Comet, Perplexity's AI browser. The Pixel 10 has a crazy good camera, and the third interstellar object ever discovered. 0:00 - Intro 10:02 - 13:13 - 16:00 - 25:57 - 33:04 - /episode/index/show/secrandom/id/38113505

403: Forbidden 08/29/2025

403: Forbidden Eric plays with epoxy resin, Jon has a new calf. Cybersabotage on your ex-employer will get you 4 years. There are 1200 fewer robocallers thanks to the FCC. Password manager plugins for web browsers can be fooled. The Commodore 64 is back and really old honey is discovered in Italy. 0:00 - Introduction 8:53 - 10:22 - 12:57 - 18:39 - 22:47 - /episode/index/show/secrandom/id/38022605

402: Payment Required 08/23/2025

402: Payment Required Eric prints and Jon fixes washer. The Noodlophile stealer propagates via legal infringement claims, and portal auth issues allow control of connected cars. For fun we have book four of the Lady Astronaut series, and using generative AI to create targeted antibiotics for drug resistant diseases. 0:00 - Intro 12:32 - 16:51 - 23:39 - 27:33 - /episode/index/show/secrandom/id/37930460

401: Unauthorized 08/16/2025

401: Unauthorized Eric makes it home from vacation, Jon goes fishing. Tough time to be graduating in Computer Science. DrawAFish.com security incident. AOL discontinues down dial up service. Mendenhall Glacier makes the local news. 0:00 - Introduction 8:24 - 14:34 - 21:48 - 25:06 - /episode/index/show/secrandom/id/37847255

400: Dredge Operator 08/09/2025

400: Dredge Operator Eric's on vacation and Jon wrangles cows. Cloudflare accuses perplexity of stealth scraping tactics, Google tweaks their disclosure policy, Microsoft studies AI impact on jobs, and OpenAI shared chats disclose a little (lot) too much. For fun, how about a hike in the Tetons, and Potatoes from Tomatoes. 0:00 - Intro 11:55 - 16:24 - 20:29 - 29:49 - 39:42 - 41:56 - /episode/index/show/secrandom/id/37743155

399: Cut the Black Wire 08/01/2025

399: Cut the Black Wire Eric has a problem with "smart" smoke alarms. Jon feeds happy cows round bales of hay (but not the fermented kind). Debian making 64 bit time work with 32 bits. A woman is unaware she is working for North Korea. Eric plays tower defense with CSS. Jon finds scarecrow spiders. 0:00 - Introduction 11:31 - 17:30 - 23:21 - 25:14 - /episode/index/show/secrandom/id/37631895

398: Beautiful Bird Songs 07/26/2025

398: Beautiful Bird Songs Eric publishes a book, and Jon is trepidacious. The National Nuclear Security Administration is affected by the Sharepoint attack, and DNS is used as a file transfer system. Amazon buys Bee (Echo, coming soon to a wrist near you), and we're one step closer to a universal cancer vaccine. 0:00 - 14:29 - 18:54 - 26:26 - 30:07 - /episode/index/show/secrandom/id/37561670

397: Schrödinger’s Myrmecophagy 07/19/2025

397: Schrödinger’s Myrmecophagy Eric gets new doors (almost) and Jon gets A/C. Amazon launches more Kuiper satellites with the help of SpaceX. You can use Passkeys to encrypt files and Android get's Gemini whether the user wants it or not. GPS is not the only location game in town and lots of mammals evolved into ant eaters? 0:00 - Introduction 12:22 - 14:56 - 18:13 - 23:11 - 29:10 - /episode/index/show/secrandom/id/37466555

396: Gnawing on Wax 07/12/2025

396: Gnawing on Wax A 4th of July was had by both. An extension hijacking campaign that infected as many as 2.3 million users and software to protect the small web from AI scrapers with computational overhead. For fun we have car tipping (off a cliff!?), and evidence for even more water on Mars. 0:00 - Intro 13:06 - 16:33 - 22:41 - 25:41 - /episode/index/show/secrandom/id/37384080

395: Alliteration is Fun 07/04/2025

395: Alliteration is Fun Hay is Jon's nemesis and Eric has pictures taken. Cloudflare blocks AI Bots by default. After 7 years, Ubuntu disables Spectre protections. ERYAT (Eric reserves yet another truck) and stumbles nostagically across Make Magazine. Jon finds a 4,800 year old Egyptian. 0:00 - Introduction 6:27 - 11:19 - 18:05 - 21:48 - 24:29 - /episode/index/show/secrandom/id/37284555

394: Whether The Weather 06/29/2025

394: Whether The Weather Eric paints and Jon drives. SparkKitty is a new mobile malware searching photo libraries for crypto passphrases, and when is a 16 billion password breach not a breach. Honda has been quietly working on its own rocket, and the JWST images its first new exoplanet. 0:00 - Intro 7:55 - 12:06 - 16:09 - 19:02 - /episode/index/show/secrandom/id/37206155

393: Less Need for Me Right Now 06/20/2025

393: Less Need for Me Right Now Ex? Un? Post? Father's Day activities and Eric tries Vibe Coding. Gemini 2.5 is out of beta. Phone wallets can(?) be hacked. Italy loses its Paragon license. Spaceballs 2! A microbe may be evolving into virus. 0:00 - Introduction 10:34 - 14:03 - 17:58 - 23:53 - 26:54 - /episode/index/show/secrandom/id/37091810

392: Vibe Coding 06/14/2025

392: Vibe Coding Summer is here. WWDC has ... liquid glass? And many android features, evidently. Vibe coding is the "remarkably insecure" inevitable future, and a simple (dumb?) github policy bypass. For fun there's a new season of Phineas and Ferb on Disney+, and researchers discover a way to fully expose HIV in white blood cells. 0:00 - Intro 8:09 - 13:08 - 18:34 - 26:32 - 30:46 - /episode/index/show/secrandom/id/37010455

391: Potentially Being the Operative Word 06/07/2025

391: Potentially Being the Operative Word Graduation and Spring Cleaning. Solar Power systems on the internet. Oregon bans the sale of user's (precise) location data. IRS Direct File both in limbo and on GitHub. A Japanese company sets itself up for "third times a charm" landing on the moon and a brain-computer interface is tested on humans. 0:00 - Introduction 10:53 - 13:56 - 16:00 - 22:58 - 25:20 - /episode/index/show/secrandom/id/36901675

Mostly Security

TOPICS