Feedback & Followups
- A timely reminder to keep your routers patched and to bin un-supported models via listener BG in the Podfeet Slack: 14,000 routers are infected by malware that’s highly resistant to takedowns — arstechnica.com/… (ASUS routers, mostly in the US, in this case)
- A timely reminder that Mac users are not immune to malware: macOS Users Should Be Careful of New Password-Stealing Malware — www.macobserver.com/…
  - “Security researchers at Malwarebytes uncovered the campaign and warned that attackers rely on social engineering rather than technical exploits.”
- The two sides to AI are still on display:
  - Microsoft: Hackers abusing AI at every stage of cyberattacks — www.bleepingcomputer.com/… (from Microsoft’s latest threat intelligence report on AI)
  - Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model — thehackernews.com/…
Listener Questions
Passkeys Question From Ed Tobias
Ed asks whether it’s possible for passkeys to replace passwords completely, given that passkeys are device-bound and we need to be able to renew our devices.
TL;DR — Yes!
Fundamentally, authentication and account recovery are two completely different problems, and always have been. Replacing your device and hence losing the passkeys on it is similar to forgetting your passwords. Similar, but actually a slightly easier problem to solve in many situations.
No matter how you authenticate, it’s always possible to get locked out, so there has always been a mechanism for getting back in, and there always will be. That mechanism is completely separate from how you authenticate, and the details depend entirely on the context. Some example processes include:
- Websites often use an email loop to recover accounts
- Cellphone-number-based messaging apps like Signal, Telegram, and WhatsApp use an SMS loop
- Banks often require you to visit a branch with photo ID
- Organisations often require you to visit IT with your work or student ID
Passkeys don’t change any of this. But, passkeys do offer some nice simpler yet equally secure additional options for onboarding new devices that don’t yet have a needed passkey.
For example, if you use Entra ID (Microsoft’s identity provider for the work/school versions of Office365), the service desk can give the user a short-lived temporary access pass (TAP) that allows them to register a new passkey. These TAPs can be configured with very short lifetimes, and to be single-use.
However, because we generally have more than one device these days, you can often handle the need for a new passkey without resorting to account recovery at all, simply by using a device that still has a valid passkey to securely authorise the generation of a new passkey on the new device. There are infinitely many ways to implement this concept, but here are some examples I’ve seen in the real world:
- Using a passkey manager that synchronises passkeys securely between devices, for example, 1Password (how I manage all my passkeys that are not device-bound by corporate policy).
- Presentation of a QR code on an existing device to be scanned by the new device to authorise the creation of the new passkey.
- Generation of a one-time code on a logged-in device with an existing passkey to authorise the creation of a new passkey on a new device.
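As an added illustration of the last option above (and of the short-lived, single-use property a TAP also relies on), here is a simplified relying-party model written for these notes; it is not code from the show or from any passkey vendor, and it assumes raw Ed25519 signatures over a server challenge in place of a real WebAuthn assertion so that it runs stand-alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Account is the relying party's record of the passkey public keys registered for one user.
type Account struct{ Keys []ed25519.PublicKey }
// enrollCode is a short-lived, single-use authorisation to register exactly one new passkey.
type enrollCode struct{ acct *Account; expires time.Time; used bool }

var codes = map[string]*enrollCode{} // server-side store of outstanding codes

// IssueEnrollCode is called when a logged-in device proves it still holds a registered
// passkey by signing a fresh server challenge; only then is a code minted.
func IssueEnrollCode(a *Account, challenge, sig []byte, now time.Time, ttl time.Duration) (string, error) {
	for _, pub := range a.Keys {
		if ed25519.Verify(pub, challenge, sig) {
			raw := make([]byte, 16)
			if _, err := rand.Read(raw); err != nil {
				return "", err
			}
			code := hex.EncodeToString(raw)
			codes[code] = &enrollCode{acct: a, expires: now.Add(ttl)}
			return code, nil
		}
	}
	return "", errors.New("challenge not signed by a registered passkey")
}

// RedeemEnrollCode is called when the new device presents the code together with its
// freshly generated public key; the code must be known, unused and unexpired, and is burned.
func RedeemEnrollCode(code string, newKey ed25519.PublicKey, now time.Time) error {
	ec, ok := codes[code]
	switch {
	case !ok:
		return errors.New("unknown code")
	case ec.used:
		return errors.New("code already used")
	case now.After(ec.expires):
		return errors.New("code expired")
	}
	ec.used = true
	ec.acct.Keys = append(ec.acct.Keys, newKey)
	return nil
}
```

The same structure (prove possession of an existing credential, mint a short-lived single-use token, burn it on redemption) is what makes the QR-code variant safe too; only the transport of the code differs.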
So, in short, neither the need for device replacements nor the need for account recovery prevent the complete death of passwords in the hopefully near future 😀 Thank goodness!
❗ Action Alerts
- Microsoft Patch Tuesday, March 2026 Edition — krebsonsecurity.com/… (a relatively quiet one, but patch promptly regardless!)
- Google fixes two new Chrome zero-days exploited in attacks — www.bleepingcomputer.com/…
- Google has released the March Android security update, it patches one actively exploited zero-day — cyberinsider.com/… (If your Android phone can’t get this patch, it’s not securable and needs replacing!)
- Apple have back-ported fixes for actively exploited vulnerabilities to more old and technically un-supported iOS devices — cyberinsider.com/…
- 🇦🇺 More important iOS updates for Australian users with older iPhones — www.macobserver.com/…
- ⚠️ Star Citizen players: Star Citizen game dev discloses breach affecting user data — www.bleepingcomputer.com/…
- ⚠️ Viber Users: patch ASAP to fix TLS bug exposing supposedly private user data — cyberinsider.com/…
- ⚠️ AdGuard Home Users: AdGuard Home vulnerable to critical auth bypass allowing admin control — cyberinsider.com/…
Worthy Warnings
- A timely reminder from Matt Mullenweg: Gone (Almost) Phishin’ — ma.tt/…
  - The scammers started by triggering both a real password reset and opening a real Apple Support case, pretending to be Matt
  - Those actions triggered genuine emails and alerts from Apple
  - Then they phoned him pretending to be Apple, and eventually tried to get him to a fake Apple page and to click a fraudulent sign-in button
  - Key points to remember
    - Apple never call you first! Unless you scheduled a callback, if Apple call you it’s fake
    - All legitimate Apple sites are under `apple.com`, maybe `something.apple.com`, but anything under `something-apple.com` is fake!
- Tread carefully with Chrome’s new agentic AI features; there are known bugs, including one still awaiting a patch — cyberinsider.com/… (advice at the bottom of the article)
- ⚠️ Instagram Users: Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 — thehackernews.com/… (Lesson: avoid using all social media services for secure messaging, use secure messaging apps for secure messaging!)
- ⚠️ Meta Glasses Users: Low-Wage Contractors in Kenya See What Users See While Using Meta’s AI Smart Glasses — daringfireball.net/…
Notable News
- 🇪🇺 The EU parliament has sent the EU Council of Ministers and the EU Commission a clear message that they are not OK with their so-far-failed plans to break end-to-end encryption in the name of child protection — cyberinsider.com/…
  - Reminder to non-EU listeners, there are three European bodies that have to agree on all new laws for them to pass — the council of ministers (member state government ministers), the commission (an executive branch appointed by the member states), and the parliament (elected by the citizens)
- ExpressVPN says it now blocks CSAM domains without inspecting user traffic — cyberinsider.com/…
  - Cleverly does so without breaking any of their privacy guarantees
  - All DNS requests for known CSAM domains will be blocked at the network level at the points where ExpressVPN’s networks connect to the public internet, i.e. after the traffic exits the VPN tunnels but before it reaches the public internet.
- Some nice software security improvements and developments
  - BitWarden joins the list of devices with OS-level passkey integration into Windows 11 — cyberinsider.com/…
  - Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys — www.bleepingcomputer.com/… (Expands OS-level passkey support via Windows Hello to personally owned devices connecting to corporate Office365 environments)
  - Mullvad’s new GotaTun protocol passes first independent audit — cyberinsider.com/… (we reported on this new open-source protocol a few weeks ago when it was first published)
  - Meta adds new WhatsApp, Facebook, and Messenger anti-scam tools — www.bleepingcomputer.com/…
  - WhatsApp introduces parent-managed accounts for pre-teens — www.bleepingcomputer.com/…
  - IBM partners with Signal to develop quantum-safe messaging encryption — cyberinsider.com/…
  - The free open source (and Belgian 😀 🇧🇪) tool GitLeaks has been re-built, improved, and renamed to BetterLeaks — www.bleepingcomputer.com/…
    - A tool to help find secrets like private keys accidentally committed to Git so they can be revoked and renewed as appropriate.
Palate Cleansers
- From Listener Kantor on Slack: Pride Versioning 🏳️🌈 0.3.0 — pridever.org (nice reference to SemVer discussed on PBS)
- From Allison:
  - @NotMathClub on TikTok explained that the 20th President of the United States, James Garfield, developed his own proof of the Pythagorean Formula: www.tiktok.com/…
- From Bart:
  - 🎧 The Grammar Girl Podcast has an episode on the history of the octothorpe. Sir Fragalot and sentence fragments. Dribzle. — podcasts.apple.com/… (Appropriate given how much hassle saying the `#` character causes us on PBS 🙂)
  - 🎧 Learn about one of the finest female SciFi screen writers ever: Imaginary Worlds: How D.C. Fontana Helped Star Trek Live Long and Prosper — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| 🎦 | A link to video content. |
